From 8c51ef98b3c633a9eb38f88534e6fe8e71caf05e Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Fri, 29 Jun 2018 16:36:58 +0200
Subject: [PATCH] add cfr related informations -still in progress-
---
 clusters/threat-actor.json | 471 ++++++++++++++++++++++++++++++++++---
 1 file changed, 435 insertions(+), 36 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 8bc24f4..6422d34 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -12,12 +12,37 @@
 "Group 3",
 "TG-8223",
 "Comment Group",
- "Brown Fox"
+ "Brown Fox",
+ "GIF89a"
 ],
 "country": "CN",
 "refs": [
 "https://en.wikipedia.org/wiki/PLA_Unit_61398",
- "http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf"
+ "http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf",
+ "https://www.cfr.org/interactive/cyber-operations/pla-unit-61398"
+ ],
+ "cfr-suspected-victims": [
+ "United States",
+ "Taiwan",
+ "Israel",
+ "Norway",
+ "United Arab Emirates",
+ "United Kingdom",
+ "Singapore",
+ "India",
+ "Belgium",
+ "South Africa",
+ "Switzerland",
+ "Canada",
+ "France",
+ "Luxembourg",
+ "Japan"
+ ],
+ "cfr-suspected-state-sponsor": "China",
+ "cfr-type-of-incident": "Espionage",
+ "cfr-target-category": [
+ "Private sector",
+ "Government"
 ]
 },
 "description": "PLA Unit 61398 (Chinese: 61398部队, Pinyin: 61398 bùduì) is the Military Unit Cover Designator (MUCD)[1] of a People's Liberation Army advanced persistent threat unit that has been alleged to be a source of Chinese computer hacking attacks",
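Review bot: The four meta keys introduced in this first hunk (`cfr-suspected-victims`, `cfr-suspected-state-sponsor`, `cfr-type-of-incident`, `cfr-target-category`) and repeated in every later hunk are not documented anywhere in the commit, so a consumer cannot tell what they mean or which values are allowed. The values across the hunks suggest closed vocabularies (`cfr-type-of-incident` is always "Espionage"; `cfr-target-category` draws on "Government", "Private sector", "Military" and "Civil society"), and sponsors use long-form names such as "Iran (Islamic Republic of)" and "Russian Federation" while the existing `country` key stays ISO alpha-2 — that mapping deserves a sentence in the galaxy documentation. If the repository validates clusters against a JSON schema that closes `meta`, the new keys also need to be declared there; worth confirming before a work-in-progress batch of this size is merged.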
@@ -183,7 +208,17 @@
 ],
 "country": "CN",
 "refs": [
- "http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf"
+ "http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf",
+ "https://www.cfr.org/interactive/cyber-operations/putter-panda"
+ ],
+ "cfr-suspected-victims": [
+ "U.S. satellite and aerospace sector"
+ ],
+ "cfr-suspected-state-sponsor": "China",
+ "cfr-type-of-incident": "Espionage",
+ "cfr-target-category": [
+ "Private sector",
+ "Government"
 ]
 },
 "description": "Putter Panda were the subject of an extensive report by CrowdStrike, which stated: 'The CrowdStrike Intelligence team has been tracking this particular unit since2012, under the codename PUTTER PANDA, and has documented activity dating back to 2007. The report identifies Chen Ping, aka cpyy, and the primary location of Unit 61486.'",
@@ -199,12 +234,24 @@
 "Group 6",
 "UPS Team",
 "APT3",
- "Buckeye"
+ "Buckeye",
+ "Boyusec"
 ],
 "country": "CN",
 "refs": [
 "https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html",
- "http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong"
+ "http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong",
+ "https://www.cfr.org/interactive/cyber-operations/apt-3"
+ ],
+ "cfr-suspected-victims": [
+ "United States",
+ "United Kingdom",
+ "Hong Kong"
+ ],
+ "cfr-suspected-state-sponsor": "China",
+ "cfr-type-of-incident": "Espionage",
+ "cfr-target-category": [
+ "Private sector"
 ]
 },
 "value": "UPS",
@@ -249,7 +296,18 @@
 ],
 "country": "CN",
 "refs": [
- "http://www.crowdstrike.com/blog/whois-numbered-panda/"
+ "http://www.crowdstrike.com/blog/whois-numbered-panda/",
+ "https://www.cfr.org/interactive/cyber-operations/apt-12"
+ ],
+ "cfr-suspected-victims": [
+ "Taiwan",
+ "Japan"
+ ],
+ "cfr-suspected-state-sponsor": "China",
+ "cfr-type-of-incident": "China",
+ "cfr-target-category": [
+ "Private sector",
+ "Government"
 ]
 },
 "description": "A group of China-based attackers, who conducted a number of spear phishing attacks in 2013.",
@@ -260,7 +318,17 @@
 "meta": {
 "country": "CN",
 "refs": [
- "https://www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html"
+ "https://www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html",
+ "https://www.cfr.org/interactive/cyber-operations/apt-16"
+ ],
+ "cfr-suspected-victims": [
+ "Japan",
+ "Taiwan"
+ ],
+ "cfr-suspected-state-sponsor": "China",
+ "cfr-type-of-incident": "Espionage",
+ "cfr-target-category": [
+ "Private sector"
 ]
 },
 "value": "APT 16",
@@ -279,7 +347,18 @@
 "country": "CN",
 "refs": [
 "http://www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html",
- "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/hidden_lynx.pdf"
+ "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/hidden_lynx.pdf",
+ "https://www.cfr.org/interactive/cyber-operations/apt-17"
+ ],
+ "cfr-suspected-victims": [
+ "United States"
+ ],
+ "cfr-suspected-state-sponsor": "China",
+ "cfr-type-of-incident": "Espionage",
+ "cfr-target-category": [
+ "Government",
+ "Private sector",
+ "Civil society"
 ]
 },
 "value": "Aurora Panda",
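Review bot: In the APT 12 / Numbered Panda hunk (`@@ -249,7 +296,18 @@`) the new line `"cfr-type-of-incident": "China",` carries the sponsor name instead of an incident type; every other cluster in this commit uses "Espionage" and the line directly above already records China as the sponsor, so this reads as a copy slip. Change it to `"cfr-type-of-incident": "Espionage",`. A mislabelled incident type is silently wrong for any consumer that pivots on that field, which is how a bad attribution label ends up in downstream reports.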
@@ -375,7 +454,17 @@
 "country": "CN",
 "refs": [
 "http://cybercampaigns.net/wp-content/uploads/2013/06/Deep-Panda.pdf",
- "http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf"
+ "http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf",
+ "https://www.cfr.org/interactive/cyber-operations/deep-panda"
+ ],
+ "cfr-suspected-victims": [
+ "United States"
+ ],
+ "cfr-suspected-state-sponsor": "China",
+ "cfr-type-of-incident": "Espionage",
+ "cfr-target-category": [
+ "Private sector",
+ "Military"
 ]
 },
 "description": "Adversary group targeting financial, technology, non-profit organisations.",
@@ -390,12 +479,36 @@
 "APT30",
 "Override Panda",
 "Camerashy",
- "APT.Naikon"
+ "APT.Naikon",
+ "Lotus Panda"
 ],
 "country": "CN",
 "refs": [
 "https://securelist.com/analysis/publications/69953/the-naikon-apt/",
- "http://www.fireeye.com/blog/technical/malware-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html"
+ "http://www.fireeye.com/blog/technical/malware-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html",
+ "https://www.cfr.org/interactive/cyber-operations/apt-30"
+ ],
+ "cfr-suspected-victims": [
+ "India",
+ "Saudi Arabia",
+ "Vietnam",
+ "Myanmar",
+ "Singapore",
+ "Thailand",
+ "Malaysia",
+ "Cambodia",
+ "China",
+ "Phillipines",
+ "South Korea",
+ "United States",
+ "Indonesia",
+ "Laos"
+ ],
+ "cfr-suspected-state-sponsor": "China",
+ "cfr-type-of-incident": "Espionage",
+ "cfr-target-category": [
+ "Government",
+ "Private sector"
 ]
 },
 "value": "Naikon",
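Review bot: In the Naikon hunk (`@@ -390,12 +479,36 @@`) the victim entry `"Phillipines",` is misspelled; the Lotus Blossom hunk in this same commit spells it `"Philippines"`, so one country now exists under two strings and will neither match nor aggregate. The identical misspelling is copied into the APT 30 hunk (`@@ -1503,12 +1772,35 @@`) further down. Correct both to `"Philippines",`; these lists are only useful for correlation if each country is spelled one way throughout the file.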
@@ -406,12 +519,28 @@
 "meta": {
 "synonyms": [
 "Spring Dragon",
- "ST Group"
+ "ST Group",
+ "Eslie"
 ],
 "country": "CN",
 "refs": [
 "https://securelist.com/blog/research/70726/the-spring-dragon-apt/",
- "https://securelist.com/spring-dragon-updated-activity/79067/"
+ "https://securelist.com/spring-dragon-updated-activity/79067/",
+ "https://www.cfr.org/interactive/cyber-operations/lotus-blossom"
+ ],
+ "cfr-suspected-victims": [
+ "Japan",
+ "Philippines",
+ "Hong Kong",
+ "Indonesia",
+ "Taiwan",
+ "Vietnam"
+ ],
+ "cfr-suspected-state-sponsor": "China",
+ "cfr-type-of-incident": "Espionage",
+ "cfr-target-category": [
+ "Military",
+ "Government"
 ]
 },
 "value": "Lotus Blossom",
@@ -496,17 +625,43 @@
 "synonyms": [
 "APT10",
 "APT 10",
- "menuPass",
+ "MenuPass",
 "happyyongzi",
 "POTASSIUM",
 "DustStorm",
 "Red Apollo",
 "CVNX",
- "HOGFISH"
+ "HOGFISH",
+ "Cloud Hopper",
+ "Stone Panda"
 ],
 "country": "CN",
 "refs": [
- "http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/"
+ "http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/",
+ "https://www.cfr.org/interactive/cyber-operations/apt-10"
+ ],
+ "cfr-suspected-victims": [
+ "Japan",
+ "India",
+ "South Africa",
+ "South Korea",
+ "Sweden",
+ "United States",
+ "Canada",
+ "Australia",
+ "France",
+ "Finland",
+ "United Kingdom",
+ "Brazil",
+ "Thailand",
+ "Switzerland",
+ "Norway"
+ ],
+ "cfr-suspected-state-sponsor": "China",
+ "cfr-type-of-incident": "Espionage",
+ "cfr-target-category": [
+ "Private sector",
+ "Government"
 ]
 },
 "value": "Stone Panda",
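Review bot: In the Stone Panda hunk (`@@ -496,17 +625,43 @@`) the synonym list gains `"Stone Panda"`, which is the cluster's own `value` on the last context line; a synonym equal to the value is redundant and, in tooling that treats synonyms as alternative names, makes the cluster match itself twice. Drop that line and keep `"Cloud Hopper"`. The same list also changes `menuPass` to `MenuPass`, a silent rename of an existing name; if any consumer matched on the exact string, the commit message should say why the case changed.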
@@ -586,9 +741,23 @@
 "ALUMINUM"
 ],
 "refs": [
- "http://www.crowdstrike.com/blog/whois-anchor-panda/"
+ "http://www.crowdstrike.com/blog/whois-anchor-panda/",
+ "https://www.cfr.org/interactive/cyber-operations/anchor-panda"
 ],
- "motive": "Espionage"
+ "motive": "Espionage",
+ "cfr-suspected-victims": [
+ "United States",
+ "United Kingdom",
+ "Germany",
+ "Australia",
+ "Sweden"
+ ],
+ "cfr-suspected-state-sponsor": "China",
+ "cfr-type-of-incident": "Espionage",
+ "cfr-target-category": [
+ "Government",
+ "Military"
+ ]
 },
 "value": "Anchor Panda",
 "description": "PLA Navy",
@@ -652,6 +821,27 @@
 "country": "CN",
 "synonyms": [
 "Sneaky Panda"
+ ],
+ "cfr-suspected-victims": [
+ "United States",
+ "Canada",
+ "United Kingdom",
+ "Switzerland",
+ "Hong Kong",
+ "Australia",
+ "India",
+ "Taiwan",
+ "China",
+ "Denmark"
+ ],
+ "cfr-suspected-state-sponsor": "China",
+ "cfr-type-of-incident": "Espionage",
+ "cfr-target-category": [
+ "Private sector",
+ "Civil society"
+ ],
+ "refs": [
+ "https://www.cfr.org/interactive/cyber-operations/sneaky-panda"
 ]
 },
 "value": "Beijing Group",
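Review bot: In the Anchor Panda hunk (`@@ -586,9 +741,23 @@`) the cluster now carries both `"motive": "Espionage"` and `"cfr-type-of-incident": "Espionage"`, two keys stating the same fact under different vocabularies that can drift apart on the next edit. If `cfr-type-of-incident` is the CFR-sourced view and `motive` the galaxy's own, the galaxy documentation should say which one consumers are expected to prefer; otherwise one of them should go. In the Beijing Group hunk below, `refs` is appended as the last key with only the CFR link; that is fine for JSON, but it is worth checking that the cluster has no `refs` array above the hunk, since a second one would be a duplicate key that most parsers resolve by silently keeping the last.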
@@ -869,7 +1059,31 @@
 "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf",
 "https://www.symantec.com/connect/blogs/shamoon-multi-staged-destructive-attacks-limited-specific-targets",
 "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/",
- "https://en.wikipedia.org/wiki/Rocket_Kitten"
+ "https://en.wikipedia.org/wiki/Rocket_Kitten",
+ "https://www.cfr.org/interactive/cyber-operations/rocket-kitten"
+ ],
+ "cfr-suspected-victims": [
+ "Saudi Arabia",
+ "Venezuela",
+ "Afghanistan",
+ "United Arab Emirates",
+ "Iran",
+ "Israel",
+ "Iraq",
+ "Kuwait",
+ "Turkey",
+ "Canada",
+ "Yemen",
+ "United Kingdom",
+ "Egypt",
+ "Syria",
+ "Jordan"
+ ],
+ "cfr-suspected-state-sponsor": "Iran (Islamic Republic of)",
+ "cfr-type-of-incident": "Espionage",
+ "cfr-target-category": [
+ "Government",
+ "Military"
 ]
 },
 "description": "Targets Saudi Arabia, Israel, US, Iran, high ranking defense officials, embassies of various target countries, notable Iran researchers, human rights activists, media and journalists, academic institutions and various scholars, including scientists in the fields of physics and nuclear sciences.",
@@ -1073,7 +1287,26 @@
 "http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/",
 "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf",
 "http://www.netresec.com/?page=Blog&month=2014-10&post=Full-Disclosure-of-Havex-Trojans",
- "https://threatpost.com/energy-watering-hole-attack-used-lightsout-exploit-kit/104772/"
+ "https://threatpost.com/energy-watering-hole-attack-used-lightsout-exploit-kit/104772/",
+ "https://www.cfr.org/interactive/cyber-operations/crouching-yeti"
+ ],
+ "cfr-suspected-victims": [
+ "United States",
+ "Germany",
+ "Turkey",
+ "China",
+ "Spain",
+ "France",
+ "Ireland",
+ "Japan",
+ "Italy",
+ "Poland"
+ ],
+ "cfr-suspected-state-sponsor": "Russian Federation",
+ "cfr-type-of-incident": "Espionage",
+ "cfr-target-category": [
+ "Private sector",
+ "Government"
 ]
 },
 "description": "A Russian group that collects intelligence on the energy industry.",
@@ -1149,7 +1382,18 @@
 ],
 "country": "RU",
 "refs": [
- "https://securelist.com/blog/incidents/35520/the-teamspy-crew-attacks-abusing-teamviewer-for-cyberespionage-8/"
+ "https://securelist.com/blog/incidents/35520/the-teamspy-crew-attacks-abusing-teamviewer-for-cyberespionage-8/",
+ "https://www.cfr.org/interactive/cyber-operations/team-spy-crew"
+ ],
+ "cfr-suspected-victims": [
+ "Hungary",
+ "Belarus"
+ ],
+ "cfr-suspected-state-sponsor": "Russian Federation",
+ "cfr-type-of-incident": "Espionage",
+ "cfr-target-category": [
+ "Government",
+ "Private sector"
 ]
 },
 "value": "TeamSpy Crew",
@@ -1251,7 +1495,20 @@
 "https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity",
 "https://www.us-cert.gov/ncas/alerts/TA17-318A",
 "https://www.us-cert.gov/ncas/alerts/TA17-318B",
- "https://www.bleepingcomputer.com/news/security/north-korean-hackers-are-up-to-no-good-again/"
+ "https://www.bleepingcomputer.com/news/security/north-korean-hackers-are-up-to-no-good-again/",
+ "https://www.cfr.org/interactive/cyber-operations/lazarus-group"
+ ],
+ "cfr-suspected-victims": [
+ "South Korea",
+ "Bangladesh Bank",
+ "Sony Pictures Entertainment",
+ "United States"
+ ],
+ "cfr-suspected-state-sponsor": "Korea (Democratic People's Republic of)",
+ "cfr-type-of-incident": "Espionage",
+ "cfr-target-category": [
+ " Government",
+ "Private sector"
 ]
 },
 "value": "Lazarus Group",
@@ -1477,9 +1734,21 @@
 ],
 "refs": [
 "http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/",
- "https://attack.mitre.org"
+ "https://attack.mitre.org",
+ "https://www.cfr.org/interactive/cyber-operations/emissary-panda"
 ],
- "country": "CN"
+ "country": "CN",
+ "cfr-suspected-victims": [
+ "United States",
+ "United Kingdom",
+ "France"
+ ],
+ "cfr-suspected-state-sponsor": " China",
+ "cfr-type-of-incident": "Espionage",
+ "cfr-target-category": [
+ "Government",
+ "Private sector"
+ ]
 },
 "description": "Chinese threat group that has extensively used strategic Web compromises to target victims.",
 "value": "Threat Group-3390",
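Review bot: In the Lazarus Group hunk (`@@ -1251,7 +1495,20 @@`) the new line `" Government",` has a leading space, and in the Threat Group-3390 hunk (`@@ -1477,9 +1734,21 @@`) so does `"cfr-suspected-state-sponsor": " China",`; both values therefore differ from the `"Government"` and `"China"` used everywhere else in this commit and will fail exact-string comparison, which is how these labels are normally correlated. Trim them to `"Government",` and `"cfr-suspected-state-sponsor": "China",`. Separately, the Lazarus victim list mixes countries with organisations ("Bangladesh Bank", "Sony Pictures Entertainment"), as does the APT32 list with "Association of Southeast Asian Nations" further down; if the field is meant to hold countries, the organisations belong in a separate field or in the description.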
@@ -1503,12 +1772,35 @@
 "meta": {
 "refs": [
 "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf",
- "https://attack.mitre.org/wiki/Group/G0013"
+ "https://attack.mitre.org/wiki/Group/G0013",
+ "https://www.cfr.org/interactive/cyber-operations/apt-30"
 ],
 "synonyms": [
 "APT30"
 ],
- "country": "CN"
+ "country": "CN",
+ "cfr-suspected-victims": [
+ "India",
+ "Saudi Arabia",
+ "Vietnam",
+ "Myanmar",
+ "Singapore",
+ "Thailand",
+ "Malaysia",
+ "Cambodia",
+ "China",
+ "Phillipines",
+ "South Korea",
+ "United States",
+ "Indonesia",
+ "Laos"
+ ],
+ "cfr-suspected-state-sponsor": "China",
+ "cfr-type-of-incident": "Espionage",
+ "cfr-target-category": [
+ "Government",
+ "Private sector"
+ ]
 },
 "value": "APT 30",
 "description": "APT 30 is a threat group suspected to be associated with the Chinese government. While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches.",
@@ -1911,7 +2203,23 @@
 "https://www.cybereason.com/labs-operation-cobalt-kitty-a-large-scale-apt-in-asia-carried-out-by-the-oceanlotus-group/",
 "https://www.scmagazineuk.com/ocean-lotus-groupapt-32-identified-as-vietnamese-apt-group/article/663565/",
 "https://www.brighttalk.com/webcast/10703/261205",
- "https://github.com/eset/malware-research/tree/master/oceanlotus"
+ "https://github.com/eset/malware-research/tree/master/oceanlotus",
+ "https://www.cfr.org/interactive/cyber-operations/ocean-lotus"
+ ],
+ "cfr-suspected-victims": [
+ "China",
+ "Germany",
+ "United States",
+ "Vietnam",
+ "Philippines",
+ "Association of Southeast Asian Nations"
+ ],
+ "cfr-suspected-state-sponsor": "Vietnam",
+ "cfr-type-of-incident": "Espionage",
+ "cfr-target-category": [
+ "Government",
+ "Private sector",
+ "Civil society"
 ]
 },
 "value": "APT32",
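Review bot: In the APT 30 hunk (`@@ -1503,12 +1772,35 @@`) the cluster receives the same CFR reference (`.../cyber-operations/apt-30`) and a victim list identical to the one added to Naikon earlier in this commit, while the description on the last context line states that the two groups do not appear to be exact matches. Duplicating the block lets the two copies drift independently and quietly asserts that the one CFR page describes both clusters. If that is intended, say so in the description; if not, keep the CFR data on one cluster and have the other reference it.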
@@ -2165,7 +2473,23 @@
 "country": "CN",
 "refs": [
 "https://blog.fox-it.com/2016/06/15/mofang-a-politically-motivated-information-stealing-adversary/",
- "https://www.threatconnect.com/china-superman-apt/"
+ "https://www.threatconnect.com/china-superman-apt/",
+ "https://www.cfr.org/interactive/cyber-operations/mofang"
+ ],
+ "cfr-suspected-victims": [
+ "Myanmar",
+ "Germany",
+ "Singapore",
+ "Canada",
+ "India",
+ "United States",
+ "South Korea"
+ ],
+ "cfr-suspected-state-sponsor": "China",
+ "cfr-type-of-incident": "Espionage",
+ "cfr-target-category": [
+ "Government",
+ "Private sector"
 ]
 },
 "value": "Mofang",
@@ -2181,7 +2505,22 @@
 "https://s3-eu-west-1.amazonaws.com/minervaresearchpublic/CopyKittens/CopyKittens.pdf",
 "https://blog.domaintools.com/2017/03/hunt-case-study-hunting-campaign-indicators-on-privacy-protected-attack-infrastructure/",
 "http://www.clearskysec.com/copykitten-jpost/",
- "http://www.clearskysec.com/tulip/"
+ "http://www.clearskysec.com/tulip/",
+ "https://www.cfr.org/interactive/cyber-operations/copykittens"
+ ],
+ "cfr-suspected-victims": [
+ "Israel",
+ "Jordan",
+ "Saudi Arabia",
+ "Germany",
+ "United States"
+ ],
+ "cfr-suspected-state-sponsor": "Iran (Islamic Republic of)",
+ "cfr-type-of-incident": "Espionage",
+ "cfr-target-category": [
+ "Government",
+ "Private sector",
+ "Civil society"
 ]
 },
 "value": "CopyKittens",
@@ -2222,7 +2561,20 @@
 "country": "IR",
 "refs": [
 "https://securelist.com/blog/incidents/33693/the-madi-campaign-part-i-5/",
- "https://securelist.com/blog/incidents/33701/the-madi-campaign-part-ii-53/"
+ "https://securelist.com/blog/incidents/33701/the-madi-campaign-part-ii-53/",
+ "https://www.cfr.org/interactive/cyber-operations/madi"
+ ],
+ "cfr-suspected-victims": [
+ "Iran",
+ "Pakistan",
+ "Israel",
+ "United States"
+ ],
+ "cfr-suspected-state-sponsor": "Iran (Islamic Republic of)",
+ "cfr-type-of-incident": "Espionage",
+ "cfr-target-category": [
+ "Government",
+ "Private sector"
 ]
 },
 "value": "Madi",
@@ -2435,10 +2787,23 @@
 "country": "IL",
 "refs": [
 "https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/",
- "https://archive.org/details/Stuxnet"
+ "https://archive.org/details/Stuxnet",
+ "https://www.cfr.org/interactive/cyber-operations/duqu",
+ "https://www.cfr.org/interactive/cyber-operations/duqu-20"
 ],
 "synonyms": [
 "Duqu Group"
+ ],
+ "cfr-suspected-victims": [
+ "Iran",
+ "Sudan"
+ ],
+ "cfr-suspected-state-sponsor": "Israel",
+ "cfr-type-of-incident": "Espionage",
+ "cfr-target-category": [
+ "Military",
+ "Government",
+ "Private sector"
 ]
 },
 "uuid": "e9a6cbd7-ca27-4894-ae20-9d11c06fdc02"
@@ -2446,12 +2811,25 @@
 {
 "meta": {
 "refs": [
- "https://securelist.com/introducing-whitebear/81638/"
+ "https://securelist.com/introducing-whitebear/81638/",
+ "https://www.cfr.org/interactive/cyber-operations/whitebears"
 ],
 "synonyms": [
 "Skipper Turla"
 ],
- "country": "RU"
+ "country": "RU",
+ "cfr-suspected-victims": [
+ "United States",
+ "South Korea",
+ "United Kingdom",
+ "Uzbekistan"
+ ],
+ "cfr-suspected-state-sponsor": "Russian Federation",
+ "cfr-type-of-incident": "Espionage",
+ "cfr-target-category": [
+ "Government",
+ "Private sector"
+ ]
 },
 "value": "White Bear",
 "uuid": "dc6c6cbc-9dc6-4ace-a2d2-fadefe45cce6"
@@ -2594,12 +2972,22 @@
 "refs": [
 "https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf",
 "https://www.wired.com/story/apt-34-iranian-hackers-critical-infrastructure-companies/ ",
- "https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html"
+ "https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html",
+ "https://www.cfr.org/interactive/cyber-operations/apt-34"
 ],
 "synonyms": [
 "APT 34"
 ],
- "country": "IR"
+ "country": "IR",
+ "cfr-suspected-victims": [
+ "Middle East"
+ ],
+ "cfr-suspected-state-sponsor": "Iran (Islamic Republic of)",
+ "cfr-type-of-incident": "Espionage",
+ "cfr-target-category": [
+ "Government",
+ "Private sector"
+ ]
 },
 "uuid": "73a521f6-3bc7-11e8-9e30-df7c90e50dda"
 },
@@ -2719,7 +3107,8 @@
 "meta": {
 "refs": [
 "https://dragos.com/adversaries.html",
- "https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf"
+ "https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf",
+ "https://www.cfr.org/interactive/cyber-operations/apt-33"
 ],
 "mode-of-operation": "IT network limited, information gathering against industrial orgs",
 "since": "2016",
@@ -2727,6 +3116,16 @@
 "victimology": "Petrochemical, Aerospace, Saudi Arabia",
 "synonyms": [
 "APT33"
+ ],
+ "cfr-suspected-victims": [
+ "United States",
+ "Saudi Arabia",
+ "South Korea"
+ ],
+ "cfr-suspected-state-sponsor": "Iran (Islamic Republic of)",
+ "cfr-type-of-incident": "Espionage",
+ "cfr-target-category": [
+ "Private sector"
 ]
 },
 "uuid": "accd848b-b8f4-46ba-a408-9063b35cfbf2"
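Review bot: In the APT 34 hunk (`@@ -2594,12 +2972,22 @@`) `cfr-suspected-victims` holds `"Middle East"`, a region, whereas every other list in this commit names countries; a consumer aggregating by country cannot resolve it and the field no longer has one consistent meaning. If the source does not name individual countries, either leave the key out for this cluster or write `"cfr-suspected-victims": [],` and mention the region in the description, so the list keeps a single value type across the file.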