MISP/misp-galaxy
6
0
Fork 0
mirror of https://github.com/MISP/misp-galaxy.git synced 2024-11-23 07:17:17 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

add cfr related informations -still in progress-

Browse source
This commit is contained in:
Deborah Servili 2018-06-29 16:36:58 +02:00
parent b1aac6b35b
commit 8c51ef98b3
1 changed files with 435 additions and 36 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

471
clusters/threat-actor.json
View file

@ -12,12 +12,37 @@
"Group 3", "Group 3",
"TG-8223", "TG-8223",
"Comment Group", "Comment Group",
"Brown Fox" "Brown Fox",
"GIF89a"
], ],
"country": "CN", "country": "CN",
"refs": [ "refs": [
"https://en.wikipedia.org/wiki/PLA_Unit_61398", "https://en.wikipedia.org/wiki/PLA_Unit_61398",
"http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf" "http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf",
"https://www.cfr.org/interactive/cyber-operations/pla-unit-61398"
],
"cfr-suspected-victims": [
"United States",
"Taiwan",
"Israel",
"Norway",
"United Arab Emirates",
"United Kingdom",
"Singapore",
"India",
"Belgium",
"South Africa",
"Switzerland",
"Canada",
"France",
"Luxembourg",
"Japan"
],
"cfr-suspected-state-sponsor": "China",
"cfr-type-of-incident": "Espionage",
"cfr-target-category": [
"Private sector",
"Government"
] ]
}, },
"description": "PLA Unit 61398 (Chinese: 61398部队, Pinyin: 61398 bùduì) is the Military Unit Cover Designator (MUCD)[1] of a People's Liberation Army advanced persistent threat unit that has been alleged to be a source of Chinese computer hacking attacks", "description": "PLA Unit 61398 (Chinese: 61398部队, Pinyin: 61398 bùduì) is the Military Unit Cover Designator (MUCD)[1] of a People's Liberation Army advanced persistent threat unit that has been alleged to be a source of Chinese computer hacking attacks",
@ -183,7 +208,17 @@
], ],
"country": "CN", "country": "CN",
"refs": [ "refs": [
"http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf" "http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf",
"https://www.cfr.org/interactive/cyber-operations/putter-panda"
],
"cfr-suspected-victims": [
"U.S. satellite and aerospace sector"
],
"cfr-suspected-state-sponsor": "China",
"cfr-type-of-incident": "Espionage",
"cfr-target-category": [
"Private sector",
"Government"
] ]
}, },
"description": "Putter Panda were the subject of an extensive report by CrowdStrike, which stated: 'The CrowdStrike Intelligence team has been tracking this particular unit since2012, under the codename PUTTER PANDA, and has documented activity dating back to 2007. The report identifies Chen Ping, aka cpyy, and the primary location of Unit 61486.'", "description": "Putter Panda were the subject of an extensive report by CrowdStrike, which stated: 'The CrowdStrike Intelligence team has been tracking this particular unit since2012, under the codename PUTTER PANDA, and has documented activity dating back to 2007. The report identifies Chen Ping, aka cpyy, and the primary location of Unit 61486.'",
@ -199,12 +234,24 @@
"Group 6", "Group 6",
"UPS Team", "UPS Team",
"APT3", "APT3",
"Buckeye" "Buckeye",
"Boyusec"
], ],
"country": "CN", "country": "CN",
"refs": [ "refs": [
"https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html", "https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html",
"http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong" "http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong",
"https://www.cfr.org/interactive/cyber-operations/apt-3"
],
"cfr-suspected-victims": [
"United States",
"United Kingdom",
"Hong Kong"
],
"cfr-suspected-state-sponsor": "China",
"cfr-type-of-incident": "Espionage",
"cfr-target-category": [
"Private sector"
] ]
}, },
"value": "UPS", "value": "UPS",
@ -249,7 +296,18 @@
], ],
"country": "CN", "country": "CN",
"refs": [ "refs": [
"http://www.crowdstrike.com/blog/whois-numbered-panda/" "http://www.crowdstrike.com/blog/whois-numbered-panda/",
"https://www.cfr.org/interactive/cyber-operations/apt-12"
],
"cfr-suspected-victims": [
"Taiwan",
"Japan"
],
"cfr-suspected-state-sponsor": "China",
"cfr-type-of-incident": "China",
"cfr-target-category": [
"Private sector",
"Government"
] ]
}, },
"description": "A group of China-based attackers, who conducted a number of spear phishing attacks in 2013.", "description": "A group of China-based attackers, who conducted a number of spear phishing attacks in 2013.",
@ -260,7 +318,17 @@
"meta": { "meta": {
"country": "CN", "country": "CN",
"refs": [ "refs": [
"https://www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html" "https://www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html",
"https://www.cfr.org/interactive/cyber-operations/apt-16"
],
"cfr-suspected-victims": [
"Japan",
"Taiwan"
],
"cfr-suspected-state-sponsor": "China",
"cfr-type-of-incident": "Espionage",
"cfr-target-category": [
"Private sector"
] ]
}, },
"value": "APT 16", "value": "APT 16",
@ -279,7 +347,18 @@
"country": "CN", "country": "CN",
"refs": [ "refs": [
"http://www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html", "http://www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html",
"http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/hidden_lynx.pdf" "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/hidden_lynx.pdf",
"https://www.cfr.org/interactive/cyber-operations/apt-17"
],
"cfr-suspected-victims": [
"United States"
],
"cfr-suspected-state-sponsor": "China",
"cfr-type-of-incident": "Espionage",
"cfr-target-category": [
"Government",
"Private sector",
"Civil society"
] ]
}, },
"value": "Aurora Panda", "value": "Aurora Panda",
@ -375,7 +454,17 @@
"country": "CN", "country": "CN",
"refs": [ "refs": [
"http://cybercampaigns.net/wp-content/uploads/2013/06/Deep-Panda.pdf", "http://cybercampaigns.net/wp-content/uploads/2013/06/Deep-Panda.pdf",
"http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf" "http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf",
"https://www.cfr.org/interactive/cyber-operations/deep-panda"
],
"cfr-suspected-victims": [
"United States"
],
"cfr-suspected-state-sponsor": "China",
"cfr-type-of-incident": "Espionage",
"cfr-target-category": [
"Private sector",
"Military"
] ]
}, },
"description": "Adversary group targeting financial, technology, non-profit organisations.", "description": "Adversary group targeting financial, technology, non-profit organisations.",
@ -390,12 +479,36 @@
"APT30", "APT30",
"Override Panda", "Override Panda",
"Camerashy", "Camerashy",
"APT.Naikon" "APT.Naikon",
"Lotus Panda"
], ],
"country": "CN", "country": "CN",
"refs": [ "refs": [
"https://securelist.com/analysis/publications/69953/the-naikon-apt/", "https://securelist.com/analysis/publications/69953/the-naikon-apt/",
"http://www.fireeye.com/blog/technical/malware-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html" "http://www.fireeye.com/blog/technical/malware-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html",
"https://www.cfr.org/interactive/cyber-operations/apt-30"
],
"cfr-suspected-victims": [
"India",
"Saudi Arabia",
"Vietnam",
"Myanmar",
"Singapore",
"Thailand",
"Malaysia",
"Cambodia",
"China",
"Phillipines",
"South Korea",
"United States",
"Indonesia",
"Laos"
],
"cfr-suspected-state-sponsor": "China",
"cfr-type-of-incident": "Espionage",
"cfr-target-category": [
"Government",
"Private sector"
] ]
}, },
"value": "Naikon", "value": "Naikon",
@ -406,12 +519,28 @@
"meta": { "meta": {
"synonyms": [ "synonyms": [
"Spring Dragon", "Spring Dragon",
"ST Group" "ST Group",
"Eslie"
], ],
"country": "CN", "country": "CN",
"refs": [ "refs": [
"https://securelist.com/blog/research/70726/the-spring-dragon-apt/", "https://securelist.com/blog/research/70726/the-spring-dragon-apt/",
"https://securelist.com/spring-dragon-updated-activity/79067/" "https://securelist.com/spring-dragon-updated-activity/79067/",
"https://www.cfr.org/interactive/cyber-operations/lotus-blossom"
],
"cfr-suspected-victims": [
"Japan",
"Philippines",
"Hong Kong",
"Indonesia",
"Taiwan",
"Vietnam"
],
"cfr-suspected-state-sponsor": "China",
"cfr-type-of-incident": "Espionage",
"cfr-target-category": [
"Military",
"Government"
] ]
}, },
"value": "Lotus Blossom", "value": "Lotus Blossom",
@ -496,17 +625,43 @@
"synonyms": [ "synonyms": [
"APT10", "APT10",
"APT 10", "APT 10",
"menuPass", "MenuPass",
"happyyongzi", "happyyongzi",
"POTASSIUM", "POTASSIUM",
"DustStorm", "DustStorm",
"Red Apollo", "Red Apollo",
"CVNX", "CVNX",
"HOGFISH" "HOGFISH",
"Cloud Hopper",
"Stone Panda"
], ],
"country": "CN", "country": "CN",
"refs": [ "refs": [
"http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/" "http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/",
"https://www.cfr.org/interactive/cyber-operations/apt-10"
],
"cfr-suspected-victims": [
"Japan",
"India",
"South Africa",
"South Korea",
"Sweden",
"United States",
"Canada",
"Australia",
"France",
"Finland",
"United Kingdom",
"Brazil",
"Thailand",
"Switzerland",
"Norway"
],
"cfr-suspected-state-sponsor": "China",
"cfr-type-of-incident": "Espionage",
"cfr-target-category": [
"Private sector",
"Government"
] ]
}, },
"value": "Stone Panda", "value": "Stone Panda",
@ -586,9 +741,23 @@
"ALUMINUM" "ALUMINUM"
], ],
"refs": [ "refs": [
"http://www.crowdstrike.com/blog/whois-anchor-panda/" "http://www.crowdstrike.com/blog/whois-anchor-panda/",
"https://www.cfr.org/interactive/cyber-operations/anchor-panda"
], ],
"motive": "Espionage" "motive": "Espionage",
"cfr-suspected-victims": [
"United States",
"United Kingdom",
"Germany",
"Australia",
"Sweden"
],
"cfr-suspected-state-sponsor": "China",
"cfr-type-of-incident": "Espionage",
"cfr-target-category": [
"Government",
"Military"
]
}, },
"value": "Anchor Panda", "value": "Anchor Panda",
"description": "PLA Navy", "description": "PLA Navy",
@ -652,6 +821,27 @@
"country": "CN", "country": "CN",
"synonyms": [ "synonyms": [
"Sneaky Panda" "Sneaky Panda"
],
"cfr-suspected-victims": [
"United States",
"Canada",
"United Kingdom",
"Switzerland",
"Hong Kong",
"Australia",
"India",
"Taiwan",
"China",
"Denmark"
],
"cfr-suspected-state-sponsor": "China",
"cfr-type-of-incident": "Espionage",
"cfr-target-category": [
"Private sector",
"Civil society"
],
"refs": [
"https://www.cfr.org/interactive/cyber-operations/sneaky-panda"
] ]
}, },
"value": "Beijing Group", "value": "Beijing Group",
@ -869,7 +1059,31 @@
"https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf", "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf",
"https://www.symantec.com/connect/blogs/shamoon-multi-staged-destructive-attacks-limited-specific-targets", "https://www.symantec.com/connect/blogs/shamoon-multi-staged-destructive-attacks-limited-specific-targets",
"https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/", "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/",
"https://en.wikipedia.org/wiki/Rocket_Kitten" "https://en.wikipedia.org/wiki/Rocket_Kitten",
"https://www.cfr.org/interactive/cyber-operations/rocket-kitten"
],
"cfr-suspected-victims": [
"Saudi Arabia",
"Venezuela",
"Afghanistan",
"United Arab Emirates",
"Iran",
"Israel",
"Iraq",
"Kuwait",
"Turkey",
"Canada",
"Yemen",
"United Kingdom",
"Egypt",
"Syria",
"Jordan"
],
"cfr-suspected-state-sponsor": "Iran (Islamic Republic of)",
"cfr-type-of-incident": "Espionage",
"cfr-target-category": [
"Government",
"Military"
] ]
}, },
"description": "Targets Saudi Arabia, Israel, US, Iran, high ranking defense officials, embassies of various target countries, notable Iran researchers, human rights activists, media and journalists, academic institutions and various scholars, including scientists in the fields of physics and nuclear sciences.", "description": "Targets Saudi Arabia, Israel, US, Iran, high ranking defense officials, embassies of various target countries, notable Iran researchers, human rights activists, media and journalists, academic institutions and various scholars, including scientists in the fields of physics and nuclear sciences.",
@ -1073,7 +1287,26 @@
"http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/", "http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/",
"http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf", "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf",
"http://www.netresec.com/?page=Blog&month=2014-10&post=Full-Disclosure-of-Havex-Trojans", "http://www.netresec.com/?page=Blog&month=2014-10&post=Full-Disclosure-of-Havex-Trojans",
"https://threatpost.com/energy-watering-hole-attack-used-lightsout-exploit-kit/104772/" "https://threatpost.com/energy-watering-hole-attack-used-lightsout-exploit-kit/104772/",
"https://www.cfr.org/interactive/cyber-operations/crouching-yeti"
],
"cfr-suspected-victims": [
"United States",
"Germany",
"Turkey",
"China",
"Spain",
"France",
"Ireland",
"Japan",
"Italy",
"Poland"
],
"cfr-suspected-state-sponsor": "Russian Federation",
"cfr-type-of-incident": "Espionage",
"cfr-target-category": [
"Private sector",
"Government"
] ]
}, },
"description": "A Russian group that collects intelligence on the energy industry.", "description": "A Russian group that collects intelligence on the energy industry.",
@ -1149,7 +1382,18 @@
], ],
"country": "RU", "country": "RU",
"refs": [ "refs": [
"https://securelist.com/blog/incidents/35520/the-teamspy-crew-attacks-abusing-teamviewer-for-cyberespionage-8/" "https://securelist.com/blog/incidents/35520/the-teamspy-crew-attacks-abusing-teamviewer-for-cyberespionage-8/",
"https://www.cfr.org/interactive/cyber-operations/team-spy-crew"
],
"cfr-suspected-victims": [
"Hungary",
"Belarus"
],
"cfr-suspected-state-sponsor": "Russian Federation",
"cfr-type-of-incident": "Espionage",
"cfr-target-category": [
"Government",
"Private sector"
] ]
}, },
"value": "TeamSpy Crew", "value": "TeamSpy Crew",
@ -1251,7 +1495,20 @@
"https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity", "https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity",
"https://www.us-cert.gov/ncas/alerts/TA17-318A", "https://www.us-cert.gov/ncas/alerts/TA17-318A",
"https://www.us-cert.gov/ncas/alerts/TA17-318B", "https://www.us-cert.gov/ncas/alerts/TA17-318B",
"https://www.bleepingcomputer.com/news/security/north-korean-hackers-are-up-to-no-good-again/" "https://www.bleepingcomputer.com/news/security/north-korean-hackers-are-up-to-no-good-again/",
"https://www.cfr.org/interactive/cyber-operations/lazarus-group"
],
"cfr-suspected-victims": [
"South Korea",
"Bangladesh Bank",
"Sony Pictures Entertainment",
"United States"
],
"cfr-suspected-state-sponsor": "Korea (Democratic People's Republic of)",
"cfr-type-of-incident": "Espionage",
"cfr-target-category": [
" Government",
"Private sector"
] ]
}, },
"value": "Lazarus Group", "value": "Lazarus Group",
@ -1477,9 +1734,21 @@
], ],
"refs": [ "refs": [
"http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/", "http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/",
"https://attack.mitre.org" "https://attack.mitre.org",
"https://www.cfr.org/interactive/cyber-operations/emissary-panda"
], ],
"country": "CN" "country": "CN",
"cfr-suspected-victims": [
"United States",
"United Kingdom",
"France"
],
"cfr-suspected-state-sponsor": " China",
"cfr-type-of-incident": "Espionage",
"cfr-target-category": [
"Government",
"Private sector"
]
}, },
"description": "Chinese threat group that has extensively used strategic Web compromises to target victims.", "description": "Chinese threat group that has extensively used strategic Web compromises to target victims.",
"value": "Threat Group-3390", "value": "Threat Group-3390",
@ -1503,12 +1772,35 @@
"meta": { "meta": {
"refs": [ "refs": [
"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf", "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf",
"https://attack.mitre.org/wiki/Group/G0013" "https://attack.mitre.org/wiki/Group/G0013",
"https://www.cfr.org/interactive/cyber-operations/apt-30"
], ],
"synonyms": [ "synonyms": [
"APT30" "APT30"
], ],
"country": "CN" "country": "CN",
"cfr-suspected-victims": [
"India",
"Saudi Arabia",
"Vietnam",
"Myanmar",
"Singapore",
"Thailand",
"Malaysia",
"Cambodia",
"China",
"Phillipines",
"South Korea",
"United States",
"Indonesia",
"Laos"
],
"cfr-suspected-state-sponsor": "China",
"cfr-type-of-incident": "Espionage",
"cfr-target-category": [
"Government",
"Private sector"
]
}, },
"value": "APT 30", "value": "APT 30",
"description": "APT 30 is a threat group suspected to be associated with the Chinese government. While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches.", "description": "APT 30 is a threat group suspected to be associated with the Chinese government. While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches.",
@ -1911,7 +2203,23 @@
"https://www.cybereason.com/labs-operation-cobalt-kitty-a-large-scale-apt-in-asia-carried-out-by-the-oceanlotus-group/", "https://www.cybereason.com/labs-operation-cobalt-kitty-a-large-scale-apt-in-asia-carried-out-by-the-oceanlotus-group/",
"https://www.scmagazineuk.com/ocean-lotus-groupapt-32-identified-as-vietnamese-apt-group/article/663565/", "https://www.scmagazineuk.com/ocean-lotus-groupapt-32-identified-as-vietnamese-apt-group/article/663565/",
"https://www.brighttalk.com/webcast/10703/261205", "https://www.brighttalk.com/webcast/10703/261205",
"https://github.com/eset/malware-research/tree/master/oceanlotus" "https://github.com/eset/malware-research/tree/master/oceanlotus",
"https://www.cfr.org/interactive/cyber-operations/ocean-lotus"
],
"cfr-suspected-victims": [
"China",
"Germany",
"United States",
"Vietnam",
"Philippines",
"Association of Southeast Asian Nations"
],
"cfr-suspected-state-sponsor": "Vietnam",
"cfr-type-of-incident": "Espionage",
"cfr-target-category": [
"Government",
"Private sector",
"Civil society"
] ]
}, },
"value": "APT32", "value": "APT32",
@ -2165,7 +2473,23 @@
"country": "CN", "country": "CN",
"refs": [ "refs": [
"https://blog.fox-it.com/2016/06/15/mofang-a-politically-motivated-information-stealing-adversary/", "https://blog.fox-it.com/2016/06/15/mofang-a-politically-motivated-information-stealing-adversary/",
"https://www.threatconnect.com/china-superman-apt/" "https://www.threatconnect.com/china-superman-apt/",
"https://www.cfr.org/interactive/cyber-operations/mofang"
],
"cfr-suspected-victims": [
"Myanmar",
"Germany",
"Singapore",
"Canada",
"India",
"United States",
"South Korea"
],
"cfr-suspected-state-sponsor": "China",
"cfr-type-of-incident": "Espionage",
"cfr-target-category": [
"Government",
"Private sector"
] ]
}, },
"value": "Mofang", "value": "Mofang",
@ -2181,7 +2505,22 @@
"https://s3-eu-west-1.amazonaws.com/minervaresearchpublic/CopyKittens/CopyKittens.pdf", "https://s3-eu-west-1.amazonaws.com/minervaresearchpublic/CopyKittens/CopyKittens.pdf",
"https://blog.domaintools.com/2017/03/hunt-case-study-hunting-campaign-indicators-on-privacy-protected-attack-infrastructure/", "https://blog.domaintools.com/2017/03/hunt-case-study-hunting-campaign-indicators-on-privacy-protected-attack-infrastructure/",
"http://www.clearskysec.com/copykitten-jpost/", "http://www.clearskysec.com/copykitten-jpost/",
"http://www.clearskysec.com/tulip/" "http://www.clearskysec.com/tulip/",
"https://www.cfr.org/interactive/cyber-operations/copykittens"
],
"cfr-suspected-victims": [
"Israel",
"Jordan",
"Saudi Arabia",
"Germany",
"United States"
],
"cfr-suspected-state-sponsor": "Iran (Islamic Republic of)",
"cfr-type-of-incident": "Espionage",
"cfr-target-category": [
"Government",
"Private sector",
"Civil society"
] ]
}, },
"value": "CopyKittens", "value": "CopyKittens",
@ -2222,7 +2561,20 @@
"country": "IR", "country": "IR",
"refs": [ "refs": [
"https://securelist.com/blog/incidents/33693/the-madi-campaign-part-i-5/", "https://securelist.com/blog/incidents/33693/the-madi-campaign-part-i-5/",
"https://securelist.com/blog/incidents/33701/the-madi-campaign-part-ii-53/" "https://securelist.com/blog/incidents/33701/the-madi-campaign-part-ii-53/",
"https://www.cfr.org/interactive/cyber-operations/madi"
],
"cfr-suspected-victims": [
"Iran",
"Pakistan",
"Israel",
"United States"
],
"cfr-suspected-state-sponsor": "Iran (Islamic Republic of)",
"cfr-type-of-incident": "Espionage",
"cfr-target-category": [
"Government",
"Private sector"
] ]
}, },
"value": "Madi", "value": "Madi",
@ -2435,10 +2787,23 @@
"country": "IL", "country": "IL",
"refs": [ "refs": [
"https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/", "https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/",
"https://archive.org/details/Stuxnet" "https://archive.org/details/Stuxnet",
"https://www.cfr.org/interactive/cyber-operations/duqu",
"https://www.cfr.org/interactive/cyber-operations/duqu-20"
], ],
"synonyms": [ "synonyms": [
"Duqu Group" "Duqu Group"
],
"cfr-suspected-victims": [
"Iran",
"Sudan"
],
"cfr-suspected-state-sponsor": "Israel",
"cfr-type-of-incident": "Espionage",
"cfr-target-category": [
"Military",
"Government",
"Private sector"
] ]
}, },
"uuid": "e9a6cbd7-ca27-4894-ae20-9d11c06fdc02" "uuid": "e9a6cbd7-ca27-4894-ae20-9d11c06fdc02"
@ -2446,12 +2811,25 @@
{ {
"meta": { "meta": {
"refs": [ "refs": [
"https://securelist.com/introducing-whitebear/81638/" "https://securelist.com/introducing-whitebear/81638/",
"https://www.cfr.org/interactive/cyber-operations/whitebears"
], ],
"synonyms": [ "synonyms": [
"Skipper Turla" "Skipper Turla"
], ],
"country": "RU" "country": "RU",
"cfr-suspected-victims": [
"United States",
"South Korea",
"United Kingdom",
"Uzbekistan"
],
"cfr-suspected-state-sponsor": "Russian Federation",
"cfr-type-of-incident": "Espionage",
"cfr-target-category": [
"Government",
"Private sector"
]
}, },
"value": "White Bear", "value": "White Bear",
"uuid": "dc6c6cbc-9dc6-4ace-a2d2-fadefe45cce6" "uuid": "dc6c6cbc-9dc6-4ace-a2d2-fadefe45cce6"
@ -2594,12 +2972,22 @@
"refs": [ "refs": [
"https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf", "https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf",
"https://www.wired.com/story/apt-34-iranian-hackers-critical-infrastructure-companies/ ", "https://www.wired.com/story/apt-34-iranian-hackers-critical-infrastructure-companies/ ",
"https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html" "https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html",
"https://www.cfr.org/interactive/cyber-operations/apt-34"
], ],
"synonyms": [ "synonyms": [
"APT 34" "APT 34"
], ],
"country": "IR" "country": "IR",
"cfr-suspected-victims": [
"Middle East"
],
"cfr-suspected-state-sponsor": "Iran (Islamic Republic of)",
"cfr-type-of-incident": "Espionage",
"cfr-target-category": [
"Government",
"Private sector"
]
}, },
"uuid": "73a521f6-3bc7-11e8-9e30-df7c90e50dda" "uuid": "73a521f6-3bc7-11e8-9e30-df7c90e50dda"
}, },
@ -2719,7 +3107,8 @@
"meta": { "meta": {
"refs": [ "refs": [
"https://dragos.com/adversaries.html", "https://dragos.com/adversaries.html",
"https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf" "https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf",
"https://www.cfr.org/interactive/cyber-operations/apt-33"
], ],
"mode-of-operation": "IT network limited, information gathering against industrial orgs", "mode-of-operation": "IT network limited, information gathering against industrial orgs",
"since": "2016", "since": "2016",
@ -2727,6 +3116,16 @@
"victimology": "Petrochemical, Aerospace, Saudi Arabia", "victimology": "Petrochemical, Aerospace, Saudi Arabia",
"synonyms": [ "synonyms": [
"APT33" "APT33"
],
"cfr-suspected-victims": [
"United States",
"Saudi Arabia",
"South Korea"
],
"cfr-suspected-state-sponsor": "Iran (Islamic Republic of)",
"cfr-type-of-incident": "Espionage",
"cfr-target-category": [
"Private sector"
] ]
}, },
"uuid": "accd848b-b8f4-46ba-a408-9063b35cfbf2" "uuid": "accd848b-b8f4-46ba-a408-9063b35cfbf2"