From 136ed05521fa7a2c11f39ba49e2e4a4f116dfe12 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?D=C3=A9borah=20Servili?= Date: Thu, 22 Dec 2016 11:01:15 +0100 Subject: [PATCH 1/3] Add microsoft-activity-group cluster --- clusters/microsoft-activity-group.json | 84 ++++++++++++++++++++++++++ galaxies/microsoft-activity-group.json | 7 +++ 2 files changed, 91 insertions(+) create mode 100644 clusters/microsoft-activity-group.json create mode 100644 galaxies/microsoft-activity-group.json diff --git a/clusters/microsoft-activity-group.json b/clusters/microsoft-activity-group.json new file mode 100644 index 0000000..49423e5 --- /dev/null +++ b/clusters/microsoft-activity-group.json @@ -0,0 +1,84 @@ +{ + "values": [ + { + "value": "PROMETHIUM", + "description": "PROMETHIUM is an activity group that has been active as early as 2012. The group primarily uses Truvasys, a first-stage malware that has been in circulation for several years. Truvasys has been involved in several attack campaigns, where it has masqueraded as one of server common computer utilities, including WinUtils, TrueCrypt, WinRAR, or SanDisk. In each of the campaigns, Truvasys malware evolved with additional features—this shows a close relationship between the activity groups behind the campaigns and the developers of the malware.", + "meta": { + "refs": ["https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/"] + } + }, + { + "value": "NEODYMIUM", + "description": "NEODYMIUM is an activity group that is known to use a backdoor malware detected by Microsoft as Wingbird. This backdoor’s characteristics closely match FinFisher, a government-grade commercial surveillance package. Data about Wingbird activity indicate that it is typically used to attack individual computers instead of networks.", + "meta": { + "refs": ["https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/"] + } + }, + { + "value": "TERBIUM", + "description": "Microsoft Threat Intelligence identified similarities between this recent attack and previous 2012 attacks against tens of thousands of computers belonging to organizations in the energy sector. Microsoft Threat Intelligence refers to the activity group behind these attacks as TERBIUM, following our internal practice of assigning rogue actors chemical element names.", + "meta" : { + "refs": ["https://blogs.technet.microsoft.com/mmpc/2016/12/09/windows-10-protection-detection-and-response-against-recent-attacks/"] + } + }, + { + "value": "STRONTIUM", + "description": "STRONTIUM has been active since at least 2007. Whereas most modern untargeted malware is ultimately profit-oriented, STRONTIUM mainly seeks sensitive information. Its primary institutional targets have included government bodies, diplomatic institutions, and military forces and installations in NATO member states and certain Eastern European countries. Additional targets have included journalists, political advisors, and organizations associated with political activism in central Asia. STRONTIUM is an activity group that usually targets government agencies, diplomatic institutions, and military organizations, as well as affiliated private sector organizations such as defense contractors and public policy research institutes. Microsoft has attributed more 0-day exploits to STRONTIUM than any other tracked group in 2016. STRONTIUM frequently uses compromised e-mail accounts from one victim to send malicious e-mails to a second victim and will persistently pursue specific targets for months until they are successful in compromising the victims’ computer. ", + "meta": { + "synonyms": [ + "APT 28", + "APT28", + "Pawn Storm", + "Fancy Bear", + "Sednit", + "TsarTeam", + "TG-4127", + "Group-4127", + "Sofacy", + "Grey-Cloud" + ], + "country": "RU", + "refs": [ + "https://blogs.technet.microsoft.com/mmpc/2016/11/01/our-commitment-to-our-customers-security/", + "http://download.microsoft.com/download/4/4/C/44CDEF0E-7924-4787-A56A-16261691ACE3/Microsoft_Security_Intelligence_Report_Volume_19_A_Profile_Of_A_Persistent_Adversary_English.pdf", + "https://blogs.technet.microsoft.com/mmpc/2015/11/16/microsoft-security-intelligence-report-strontium/" + ] + } + }, + { + "meta": { + "synonyms": [ + "darkhotel" + ], + "refs": [ + "https://securelist.com/blog/research/71713/darkhotels-attacks-in-2015/", + "https://blogs.technet.microsoft.com/mmpc/2016/06/09/reverse-engineering-dubnium-2", + "https://blogs.technet.microsoft.com/mmpc/2016/06/20/reverse-engineering-dubniums-flash-targeting-exploit/", + "https://blogs.technet.microsoft.com/mmpc/2016/07/14/reverse-engineering-dubnium-stage-2-payload-analysis/" + ] + }, + "value": "DUBNIUM", + "description": "DUBNIUM (which shares indicators with what Kaspersky researchers have called DarkHotel) is one of the activity groups that has been very active in recent years, and has many distinctive features." + }, + { + "meta": { + "refs": [ + "https://blogs.technet.microsoft.com/mmpc/2016/04/26/digging-deep-for-platinum/", + "http://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf" + ] + }, + "value": "PLATINUM", + "description": "PLATINUM has been targeting its victims since at least as early as 2009, and may have been active for several years prior. Its activities are distinctly different not only from those typically seen in untargeted attacks, but from many targeted attacks as well. A large share of targeted attacks can be characterized as opportunistic: the activity group changes its target profiles and attack geographies based on geopolitical seasons, and may attack institutions all over the world. Like many such groups, PLATINUM seeks to steal sensitive intellectual property related to government interests, but its range of preferred targets is consistently limited to specific governmental organizations, defense institutes, intelligence agencies, diplomatic institutions, and telecommunication providers in South and Southeast Asia. The group’s persistent use of spear phishing tactics (phishing attempts aimed at specific individuals) and access to previously undiscovered zero-day exploits have made it a highly resilient threat." + }, + ], + "name": "Microsoft Activity Group actor", + "type": "microsoft-activity-group", + "source": "MISP Project", + "authors": [ + "Various" + ], + "description": "Activity groups as described by Microsoft", + "uuid": "28b5e55d-acba-4748-a79d-0afa3512689a", + "version": 1 +} + diff --git a/galaxies/microsoft-activity-group.json b/galaxies/microsoft-activity-group.json new file mode 100644 index 0000000..6ddcfb0 --- /dev/null +++ b/galaxies/microsoft-activity-group.json @@ -0,0 +1,7 @@ +{ + "name": "Microsoft Activity Group actor", + "type": "microsoft-activity-group", + "description": "Activity groups as described by Microsoft", + "version": 1, + "uuid": "74c869e8-0b8e-4e5f-96e6-cd992e07a505" +} From f03252a555f53868d96d5347cc4e95da3f40611d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?D=C3=A9borah=20Servili?= Date: Thu, 22 Dec 2016 14:13:46 +0100 Subject: [PATCH 2/3] ##comma## --- clusters/microsoft-activity-group.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/clusters/microsoft-activity-group.json b/clusters/microsoft-activity-group.json index 49423e5..319fe97 100644 --- a/clusters/microsoft-activity-group.json +++ b/clusters/microsoft-activity-group.json @@ -69,7 +69,7 @@ }, "value": "PLATINUM", "description": "PLATINUM has been targeting its victims since at least as early as 2009, and may have been active for several years prior. Its activities are distinctly different not only from those typically seen in untargeted attacks, but from many targeted attacks as well. A large share of targeted attacks can be characterized as opportunistic: the activity group changes its target profiles and attack geographies based on geopolitical seasons, and may attack institutions all over the world. Like many such groups, PLATINUM seeks to steal sensitive intellectual property related to government interests, but its range of preferred targets is consistently limited to specific governmental organizations, defense institutes, intelligence agencies, diplomatic institutions, and telecommunication providers in South and Southeast Asia. The group’s persistent use of spear phishing tactics (phishing attempts aimed at specific individuals) and access to previously undiscovered zero-day exploits have made it a highly resilient threat." - }, + } ], "name": "Microsoft Activity Group actor", "type": "microsoft-activity-group", From b595c5ba49ff1cc02a13d7230fe46d952d1a869c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?D=C3=A9borah=20Servili?= Date: Thu, 22 Dec 2016 14:24:23 +0100 Subject: [PATCH 3/3] update readme --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index b8ff24f..106039f 100644 --- a/README.md +++ b/README.md @@ -16,9 +16,11 @@ to localized information (which is not shared) or additional information (that c # Available clusters +- [clusters/microsoft-activity-group.json](clusters/microsoft-activity-group.json) - Activity groups as described by Microsoft - [clusters/threat-actor.json](clusters/threat-actor.json) - Adversary groups - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. MISP - [clusters/tool.json](clusters/tool.json) - tool is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries. MISP + # Available Vocabularies ## Common