From f3fe0d59d37d6b28f92792b82dd49fc28ee5bfcd Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 9 Sep 2024 08:18:22 -0700
Subject: [PATCH 01/17] [threat-actors] Add CL-STA-0043 aliases
---
 clusters/threat-actor.json | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 5db66b1..bf2dfe8 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -13773,7 +13773,11 @@
 "meta": {
 "refs": [
 "https://www.securonix.com/blog/securonix-threat-labs-monthly-intelligence-insights-june-2023/",
- "https://www.paloaltonetworks.com/blog/security-operations/through-the-cortex-xdr-lens-uncovering-a-new-activity-group-targeting-governments-in-the-middle-east-and-africa/"
+ "https://www.paloaltonetworks.com/blog/security-operations/through-the-cortex-xdr-lens-uncovering-a-new-activity-group-targeting-governments-in-the-middle-east-and-africa/",
+ "https://unit42.paloaltonetworks.com/operation-diplomatic-specter/"
+ ],
+ "synonyms": [
+ "TGR-STA-0043"
 ]
 },
 "uuid": "5d0aee14-f18a-44da-a44d-28d950f06b9c",
From d935c1e62ac41c60e95dba56293d72520f001b0c Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 9 Sep 2024 08:18:22 -0700
Subject: [PATCH 02/17] [threat-actors] Add UNC4540
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index bf2dfe8..c7aa533 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -16515,6 +16515,17 @@
 },
 "uuid": "34f2d3ad-e367-4058-a10b-1f7a4274c418",
 "value": "Hive0137"
+ },
+ {
+ "description": "UNC4540 is a suspected Chinese threat actor targeting unpatched SonicWall Secure Mobile Access appliances to deploy custom malware that establishes long-term persistence for cyber espionage. The malware is designed to steal hashed credentials, provide shell access, and persist through firmware upgrades, utilizing a variant of the TinyShell backdoor. Mandiant has tracked UNC4540's activities back to 2021, noting their focus on maintaining access to compromised devices. The group's tactics are consistent with patterns observed in other Chinese threat actor campaigns targeting network devices for zero-day exploits.",
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://www.mandiant.com/resources/blog/suspected-chinese-persist-sonicwall"
+ ]
+ },
+ "uuid": "e6b27374-5055-4c2c-950b-06b4fc75a210",
+ "value": "UNC4540"
 }
 ],
 "version": 313
From 164222d3c6adfeb150dd9e79d857b0d533cdd416 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 9 Sep 2024 08:18:22 -0700
Subject: [PATCH 03/17] [threat-actors] Add TIDRONE
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index c7aa533..22f0111 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
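Review bot: The trailing context line `"version": 313` is left unchanged although this commit adds a cluster entry, and the same holds for every hunk in patches 03 through 16 — none of them carries a `+ "version"` line (patch 01's hunk does not reach that line, so it presumably has the same gap). MISP galaxy consumers, as far as I know, use that field to decide whether a cluster has changed and needs re-importing, so fifteen new actors would stay invisible to anyone already on version 313. Bump it once at the end of the series, `-  "version": 313` / `+  "version": 314`, or in each commit if they are meant to be cherry-pickable on their own.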
@@ -16526,6 +16526,17 @@
 },
 "uuid": "e6b27374-5055-4c2c-950b-06b4fc75a210",
 "value": "UNC4540"
+ },
+ {
+ "description": "TIDRONE is an unidentified threat actor linked to Chinese-speaking groups, with a focus on military-related industry chains, particularly drone manufacturers in Taiwan. The actor employs advanced malware variants such as CXCLNT and CLNTEND, which are distributed through ERP software or remote desktops. The consistency in file compilation times and operational patterns aligns with other Chinese espionage activities, indicating a likely espionage motive.",
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://www.trendmicro.com/en_us/research/24/i/tidrone-targets-military-and-satellite-industries-in-taiwan.html"
+ ]
+ },
+ "uuid": "020d512f-0636-482b-8033-2bd404e0321f",
+ "value": "TIDRONE"
 }
 ],
 "version": 313
From 63566220afecaf9eaf8aaec5e9ac3962cd6c778e Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 9 Sep 2024 08:18:22 -0700
Subject: [PATCH 04/17] [threat-actors] Add Actor240524
---
 clusters/threat-actor.json | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 22f0111..13a886a 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
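Review bot: `"country": "CN"` records the attribution as settled while the description calls TIDRONE `an unidentified threat actor linked to Chinese-speaking groups`; the UNC4540 entry in patch 02 has the same mismatch (`suspected Chinese` in the prose, a bare `CN` in meta). The threat-actor cluster schema has an `attribution-confidence` meta field for exactly this situation, and tooling that reads `country` alone will otherwise treat both as confirmed. Adding `"attribution-confidence": "50",` beside `country` in both entries keeps the machine-readable attribution as hedged as the text.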
@@ -16537,6 +16537,16 @@
 },
 "uuid": "020d512f-0636-482b-8033-2bd404e0321f",
 "value": "TIDRONE"
+ },
+ {
+ "description": "Actor240524 is a newly identified APT group that targeted Azerbaijani and Israeli diplomats through spear-phishing emails to steal sensitive data. The group employs a Trojan program known as ABCloader and ABCsync, demonstrating capabilities to steal secrets and modify file data. Their operations appear to focus on undermining the cooperative relationship between Azerbaijan and Israel. Actor240524 utilizes various countermeasures to obscure their attack tactics and techniques.",
+ "meta": {
+ "refs": [
+ "https://nsfocusglobal.com/new-apt-group-actor240524-a-closer-look-at-its-cyber-tactics-against-azerbaijan-and-israel/"
+ ]
+ },
+ "uuid": "6f394add-1703-41e7-be27-d79613f9929c",
+ "value": "Actor240524"
 }
 ],
 "version": 313
From 5dcf22e4eff59d02dc7aa3ebc8d8d137bc7ebcf6 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 9 Sep 2024 08:18:22 -0700
Subject: [PATCH 05/17] [threat-actors] Add ZeroSevenGroup
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 13a886a..1b42415 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -16547,6 +16547,17 @@
 },
 "uuid": "6f394add-1703-41e7-be27-d79613f9929c",
 "value": "Actor240524"
+ },
+ {
+ "description": "ZeroSevenGroup is a threat actor that claims to have breached a U.S. branch of Toyota, stealing 240GB of sensitive data, including employee and customer information, contracts, and financial details. They have also allegedly gained full network access to critical Israeli infrastructure, with access to 80TB of sensitive data across various sectors. The group has threatened to use the stolen data for malicious activities, including ransomware attacks. Their operations involve exploiting vulnerabilities, as indicated by their reference to manipulating memory through buffer overflow techniques.",
+ "meta": {
+ "refs": [
+ "https://siliconangle.com/2024/08/20/toyota-alleges-stolen-customer-data-published-hacking-site-came-outside-supplier/",
+ "https://www.oodaloop.com/briefs/2024/08/21/toyota-customer-employee-data-leaked-in-confirmed-data-breach/"
+ ]
+ },
+ "uuid": "c54b9a98-1436-4e29-b194-e5bde003dd4d",
+ "value": "ZeroSevenGroup"
 }
 ],
 "version": 313
From 0d8e535b88235b982d411af685cd8be0870ed7cd Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 9 Sep 2024 08:18:22 -0700
Subject: [PATCH 06/17] [threat-actors] Add UNC2970
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 1b42415..7842eb3 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
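Review bot: The last sentence of the description states `Their operations involve exploiting vulnerabilities` as an established fact, but its only stated basis is the actor's own post (`as indicated by their reference to manipulating memory through buffer overflow techniques`), and both refs are news reports of the group's claims rather than an incident analysis. The rest of the entry is careful to write `claims` and `allegedly`; this sentence should be held to the same evidentiary level, e.g. `The group's own posts reference buffer-overflow techniques, but no independently confirmed intrusion vector has been published.` Readers of this cluster may otherwise cite a TTP that nobody has verified.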
@@ -16558,6 +16558,17 @@
 },
 "uuid": "c54b9a98-1436-4e29-b194-e5bde003dd4d",
 "value": "ZeroSevenGroup"
+ },
+ {
+ "description": "UNC2970 is a North Korean threat actor that primarily targets organizations through spear-phishing emails with job recruitment themes, often utilizing fake LinkedIn accounts to engage victims. The group employs the PLANKWALK backdoor and other malware families, leveraging compromised WordPress sites for command and control. They have been observed using BYOVD techniques to exploit vulnerable drivers for evading detection. Mandiant has noted a shift in UNC2970's targeting strategy, including a focus on security researchers and advancements in their operational capabilities against EDR tools.",
+ "meta": {
+ "country": "KP",
+ "refs": [
+ "https://www.mandiant.com/resources/blog/lightshow-north-korea-unc2970"
+ ]
+ },
+ "uuid": "e40cf515-f155-46d4-b174-88b38383f9bb",
+ "value": "UNC2970"
 }
 ],
 "version": 313
From d8ee3beada0c81477ac3c7368425fac331c0c08a Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 9 Sep 2024 08:18:22 -0700
Subject: [PATCH 07/17] [threat-actors] Add SILKFIN AGENCY
---
 clusters/threat-actor.json | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 7842eb3..e43c795 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -16569,6 +16569,18 @@
 },
 "uuid": "e40cf515-f155-46d4-b174-88b38383f9bb",
 "value": "UNC2970"
+ },
+ {
+ "description": "SILKFIN AGENCY has claimed responsibility for multiple significant data breaches, including the compromise of DimeCuba.com, which exposed over 1 million SMS records and more than 100,000 email records. They also targeted the Sri Lankan Department of Agrarian Development, allegedly compromising the personal and agricultural data of over 1.45 million farmers. Additionally, they claimed a breach of the Siam Cement Group's database. The breaches involved sensitive data such as NIC numbers and transaction details.",
+ "meta": {
+ "refs": [
+ "https://dailydarkweb.net/threat-actor-claims-breach-of-siam-cement-group-database/",
+ "https://dailydarkweb.net/threat-actor-claimed-to-breach-database-of-dimecuba/",
+ "https://dailydarkweb.net/a-threat-actor-alleged-breach-of-sri-lankan-farmers-community-database/"
+ ]
+ },
+ "uuid": "b1fd5c1a-f0e9-42b1-b386-9925c02ba508",
+ "value": "SILKFIN AGENCY"
 }
 ],
 "version": 313
From 47983fed2063883b445c535515cb5a34db03afdd Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 9 Sep 2024 08:18:23 -0700
Subject: [PATCH 08/17] [threat-actors] Add UNC4536
---
 clusters/threat-actor.json | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index e43c795..cb174a8 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -16581,6 +16581,16 @@
 },
 "uuid": "b1fd5c1a-f0e9-42b1-b386-9925c02ba508",
 "value": "SILKFIN AGENCY"
+ },
+ {
+ "description": "UNC4536 is a threat actor that distributes malware, including ICEDID, REDLINESTEALER, and CARBANAK, primarily through malvertising and trojanized MSIX installers masquerading as popular software. They utilize SEO poisoning tactics to direct victims to malicious sites that mimic legitimate software hosting platforms, facilitating the download of compromised installers. The actor employs a PowerShell script known as NUMOZYLOD to deliver tailored payloads, such as the CARBANAK backdoor, to their partners. Additionally, UNC4536 has been linked to campaigns that distribute NetSupport RAT, targeting IT administrators through fake sites promoted via Google Ads.",
+ "meta": {
+ "refs": [
+ "https://www.googlecloudcommunity.com/gc/Community-Blog/Finding-Malware-Unveiling-NUMOZYLOD-with-Google-Security/ba-p/789551"
+ ]
+ },
+ "uuid": "5a00ccdb-7987-4563-af4f-e368af8406df",
+ "value": "UNC4536"
 }
 ],
 "version": 313
From 4fc5c37d088a22251cd9d3297839cc60ecfe7be8 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 9 Sep 2024 08:18:23 -0700
Subject: [PATCH 09/17] [threat-actors] Add UAC-0154
---
 clusters/threat-actor.json | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index cb174a8..a3b2b9f 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -16591,6 +16591,16 @@
 },
 "uuid": "5a00ccdb-7987-4563-af4f-e368af8406df",
 "value": "UNC4536"
+ },
+ {
+ "description": "UAC-0154 is a threat actor orchestrating the STARK#VORTEX phishing campaign, specifically targeting Ukraine’s military. They employ a Microsoft Help file containing obfuscated JavaScript as a lure, disguised as a manual for Pilot-in-Command Drones, to deliver the MerlinAgent malware. This PowerShell-based RAT is heavily obfuscated and downloads a payload from a remote server, enabling full control over compromised systems. The group initially targeted Ukrainian entities using military-themed documents sent via email to @ukr.net addresses.",
+ "meta": {
+ "refs": [
+ "https://www.securonix.com/blog/securonix-threat-labs-monthly-intelligence-insights-september-2023/"
+ ]
+ },
+ "uuid": "8356805a-5612-449c-9fdc-cbe536c1f392",
+ "value": "UAC-0154"
 }
 ],
 "version": 313
From af9d1833716be487f9512275399c6c0b6dc18b4a Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 9 Sep 2024 08:18:23 -0700
Subject: [PATCH 10/17] [threat-actors] Add IRLeaks
---
 clusters/threat-actor.json | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index a3b2b9f..9ec4fae 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -16601,6 +16601,20 @@
 },
 "uuid": "8356805a-5612-449c-9fdc-cbe536c1f392",
 "value": "UAC-0154"
+ },
+ {
+ "description": "IRLeaks is a threat actor known for significant cyberattacks targeting Iranian organizations, including a major breach of SnappFood, where they exfiltrated 3TB of sensitive data from 20 million user profiles. They have also compromised data from 23 leading Iranian insurance companies, offering over 160 million records for sale. Their operations involve extortion tactics, as seen in the ransom negotiations with Tosan, and they utilize malware such as StealC for data extraction. IRLeaks communicates primarily in Persian and has been active in selling stolen data on cybercriminal marketplaces.",
+ "meta": {
+ "refs": [
+ "https://www.hackread.com/iranian-food-delivery-snappfood-cyber-attack/",
+ "https://cisoseries.com/cyber-security-headlines-google-5b-suit-settled-orbit-chain-loses-80m-fda-cyber-agreement/",
+ "https://www.oodaloop.com/briefs/2024/01/04/pilfered-data-from-iranian-insurance-and-food-delivery-firms-leaked-online/",
+ "https://cybershafarat.com/2024/09/04/major-ir-leaks/",
+ "https://www.scmagazine.com/brief/significant-ransom-payment-by-major-iranian-it-firm-underway"
+ ]
+ },
+ "uuid": "f0a50fa0-25ca-4346-a666-390923f2c5a1",
+ "value": "IRLeaks"
 }
 ],
 "version": 313
From 40dc998b9b961bbd5c8a7329b7071bd39a5c24ec Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 9 Sep 2024 08:18:23 -0700
Subject: [PATCH 11/17] [threat-actors] Add RaHDit
---
 clusters/threat-actor.json | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 9ec4fae..3065294 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -16615,6 +16615,21 @@
 },
 "uuid": "f0a50fa0-25ca-4346-a666-390923f2c5a1",
 "value": "IRLeaks"
+ },
+ {
+ "description": "RaHDit is a pro-Kremlin hacktivist group known for orchestrating hack-and-leak operations, including the publication of personal information about Ukrainian military intelligence personnel and their associates. The group has been linked to Russian intelligence and has claimed to provide actionable intelligence to the Russian army. RaHDit operates a website called NemeZida, where they disclose sensitive data, and has been involved in disinformation campaigns supporting Russian narratives. Their activities include collaboration with other hacktivist groups and targeting Ukrainian cyberdefense efforts.",
+ "meta": {
+ "country": "RU",
+ "refs": [
+ "https://flashpoint.io/blog/pro-kremlin-hacktivist-groups/",
+ "https://news.risky.biz/risky-biz-news-doppelganger-gets-a-kick-in-the-butt-from-uncle-sam/"
+ ],
+ "synonyms": [
+ "Russian Angry Hackers Did It"
+ ]
+ },
+ "uuid": "1e3efe43-9006-4ac8-b9ee-f1fbb9794cd9",
+ "value": "RaHDit"
 }
 ],
 "version": 313
From c68dd137720c26f7fb4797b0948d9a4b141dd2f5 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 9 Sep 2024 08:18:23 -0700
Subject: [PATCH 12/17] [threat-actors] Add UAT-5394
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 3065294..7308e94 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -16630,6 +16630,17 @@
 },
 "uuid": "1e3efe43-9006-4ac8-b9ee-f1fbb9794cd9",
 "value": "RaHDit"
+ },
+ {
+ "description": "UAT-5394 is a state-sponsored North Korean threat actor known for developing the MoonPeak RAT, which is based on XenoRAT. They have transitioned from using QuasarRAT to MoonPeak and have established command and control infrastructure. UAT-5394 employs tactics such as using RDP for remote access and has implemented State Machines in their malware to complicate analysis. Their activity indicates a focus on rapidly evolving their malware and infrastructure to enhance operational capabilities.",
+ "meta": {
+ "country": "KP",
+ "refs": [
+ "https://blog.talosintelligence.com/moonpeak-malware-infrastructure-north-korea/"
+ ]
+ },
+ "uuid": "6038ceaf-4c1b-470d-af36-c62948488786",
+ "value": "UAT-5394"
 }
 ],
 "version": 313
From 6cb21d39a7fbcb602a0796f4511bed03abd55784 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 9 Sep 2024 08:18:23 -0700
Subject: [PATCH 13/17] [threat-actors] Add Storm-1679
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 7308e94..574c4b2 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -16641,6 +16641,17 @@
 },
 "uuid": "6038ceaf-4c1b-470d-af36-c62948488786",
 "value": "UAT-5394"
+ },
+ {
+ "description": "Storm-1679 is a Russian disinformation group believed to be a spinoff of the Internet Research Agency, actively engaged in influence operations targeting the International Olympic Committee and the 2024 Olympic Games. The group has employed AI-generated content, including deepfake videos and fabricated narratives about violence, to discredit the IOC and instill fear among potential attendees. Their campaigns have been identified across multiple languages and platforms, utilizing techniques such as impersonation of media outlets and the creation of disinformation websites. Microsoft attributes significant disinformation activities related to the Olympics to Storm-1679, highlighting their focus on spreading falsehoods and promoting anti-Olympics messaging.",
+ "meta": {
+ "country": "RU",
+ "refs": [
+ "https://blogs.microsoft.com/on-the-issues/2024/06/02/russia-cyber-bots-disinformation-2024-paris-olympics/"
+ ]
+ },
+ "uuid": "10582c97-90de-4f2b-8e4d-21513c3971fc",
+ "value": "Storm-1679"
 }
 ],
 "version": 313
From 63bcac4ed9fb9e86f792234c0efde88c2f0ff577 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 9 Sep 2024 08:18:23 -0700
Subject: [PATCH 14/17] [threat-actors] Add Fail0verflow
---
 clusters/threat-actor.json | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 574c4b2..dc53ae0 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -16652,6 +16652,21 @@
 },
 "uuid": "10582c97-90de-4f2b-8e4d-21513c3971fc",
 "value": "Storm-1679"
+ },
+ {
+ "description": "Fail0verflow is a hacking group known for exploiting vulnerabilities in gaming consoles, notably the Nintendo Wii and PlayStation 3. They utilized techniques such as RAM shorting, buffer overflow, and a signing bug to achieve code execution and develop the Homebrew Channel for the Wii. In 2010, they compromised an ECDSA key for the PS3, and later announced the retrieval of PS5 symmetric root keys, enabling the potential for custom firmware and homebrew software. Their exploits often involve kernel access and have raised concerns about the implications for piracy and litigation in the gaming community.",
+ "meta": {
+ "refs": [
+ "https://blog.0x7d0.dev/history/how-the-nintendo-wii-security-was-defeated/",
+ "https://arstechnica.com/gaming/2021/11/uncovered-ps5-encryption-keys-are-the-first-step-to-unlocking-the-console/",
+ "https://malware.news/t/playstation-5-hacked-twice/54441/1"
+ ],
+ "synonyms": [
+ "Team Twiizer"
+ ]
+ },
+ "uuid": "096c57c1-263f-463e-8089-e553872db149",
+ "value": "Fail0verflow"
 }
 ],
 "version": 313
From 1725fd3b1b85a36d463e0e052491193aa6748f82 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 9 Sep 2024 08:18:23 -0700
Subject: [PATCH 15/17] [threat-actors] Add UTG-Q-010
---
 clusters/threat-actor.json | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index dc53ae0..1c35d92 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
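Review bot: This entry does not fit the cluster's own definition in the README hunk of patch 17 (`Known or estimated adversary groups targeting organizations and employees`): as the description itself says, fail0verflow's work is console security research against DRM on hardware they own, not intrusions into organizations. If the entry stays, its first sentence should say that plainly (`a console security research collective, not an intrusion actor`) and the `threat-actor-classification` meta that the README points to should be set so consumers can separate it from espionage and crime groups. The synonym `Team Twiizer` also looks truncated — the name is usually written `Team Twiizers`; verify against the first ref before merging.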
@@ -16667,6 +16667,16 @@
 },
 "uuid": "096c57c1-263f-463e-8089-e553872db149",
 "value": "Fail0verflow"
+ },
+ {
+ "description": "UTG-Q-010 is a financially motivated APT group from East Asia that has been active since late 2022, primarily targeting the pharmaceutical industry and cryptocurrency enthusiasts. They exploit legitimate Windows processes, such as \"WerFault.exe,\" to sideload malicious DLLs like \"faultrep.dll\" and employ sophisticated phishing campaigns to deliver malware disguised as enticing content. Their recent campaigns have involved the use of the Pupy RAT and advanced defense evasion techniques, including in-memory execution and reflective DLL loading. UTG-Q-010's strategic focus on HR departments and the cryptocurrency sector highlights their understanding of target vulnerabilities and their ability to evade detection.",
+ "meta": {
+ "refs": [
+ "https://cyble.com/blog/analysing-the-utg-q-010-campaign/"
+ ]
+ },
+ "uuid": "279ca8a7-1d04-4d95-aa8c-32c758c2de2b",
+ "value": "UTG-Q-010"
 }
 ],
 "version": 313
From 0d3143ab2a1e42138229cc3c254d6a4d9eef1ba3 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 9 Sep 2024 08:18:23 -0700
Subject: [PATCH 16/17] [threat-actors] Add HikkI-Chan
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 1c35d92..5dfa613 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -16677,6 +16677,17 @@
 },
 "uuid": "279ca8a7-1d04-4d95-aa8c-32c758c2de2b",
 "value": "UTG-Q-010"
+ },
+ {
+ "description": "Hikki-Chan has claimed responsibility for multiple significant data breaches, including the theft of data from 390.4 million users of VKontakte, which included sensitive personal information. The actor has also targeted Strong Current Enterprises and disclosed a breach involving the Israeli Ministry of Welfare and Social Affairs, leaking over 457,000 records. Additionally, Hikki-Chan is attributed with a breach of the Florida Office of Financial Regulation, exposing tens of thousands of records across various industries.",
+ "meta": {
+ "refs": [
+ "https://hackread.com/hacker-leaks-data-of-vk-users-russian-social-network/",
+ "https://dailydarkweb.net/sensitive-israeli-ministry-data-allegedly-leaked-on-dark-web/"
+ ]
+ },
+ "uuid": "071d271a-313f-442d-9bf0-10e6eeba0a8e",
+ "value": "HikkI-Chan"
 }
 ],
 "version": 313
From ce0d77f87d4090c545808fed524f252bfaccd314 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 9 Sep 2024 08:18:25 -0700
Subject: [PATCH 17/17] [threat actors] Update README
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 2c7f9d2..025c1f8 100644
--- a/README.md
+++ b/README.md
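Review bot: The `value` is `HikkI-Chan` (capital I) while the description spells the name `Hikki-Chan` twice; `value` is the canonical label that tags and lookups match on, so the two forms have to agree or searches for the spelling used in the prose and in the refs will miss this UUID. Either change the last added line to `"value": "Hikki-Chan"`, or, if the unusual capitalisation is the actor's own handle, keep it and add `"synonyms": ["Hikki-Chan"]` to `meta` so both spellings resolve to the same entry. The commit subject carries the same odd casing, which suggests it was not deliberate.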
@@ -599,7 +599,7 @@ Category: *tea-matrix* - source: ** - total: *7* elements
 [Threat Actor](https://www.misp-galaxy.org/threat-actor) - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. threat-actor-classification meta can be used to clarify the understanding of the threat-actor if also considered as operation, campaign or activity group.
-Category: *actor* - source: *MISP Project* - total: *721* elements
+Category: *actor* - source: *MISP Project* - total: *736* elements
 [[HTML](https://www.misp-galaxy.org/threat-actor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/threat-actor.json)]