From 540c71d33be44367977ad2936b2ed8fda7f37018 Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Thu, 14 Dec 2023 15:00:22 +0100
Subject: [PATCH 1/3] [threat-actors] Add Sandworm aliases
---
 clusters/threat-actor.json | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 8fb9360..2e9178d 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -2798,7 +2798,9 @@
 "https://www.welivesecurity.com/2017/05/23/xdata-ransomware-making-rounds-amid-global-wannacryptor-scare",
 "https://www.welivesecurity.com/2017/06/27/new-ransomware-attack-hits-ukraine",
 "https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back",
- "https://blog.google/threat-analysis-group/fog-of-war-how-the-ukraine-conflict-transformed-the-cyber-threat-landscape/"
+ "https://blog.google/threat-analysis-group/fog-of-war-how-the-ukraine-conflict-transformed-the-cyber-threat-landscape/",
+ "https://www.recordedfuture.com/russia-nexus-uac-0113-emulating-telecommunication-providers-in-ukraine",
+ "https://cert.gov.ua/article/405538"
 ],
 "synonyms": [
 "Quedagh",
@@ -2810,7 +2812,8 @@
 "TeleBots",
 "IRIDIUM",
 "Blue Echidna",
- "FROZENBARENTS"
+ "FROZENBARENTS",
+ "UAC-0113"
 ],
 "targeted-sector": [
 "Electric",
From 81c2e4d7fe5f44301197839a532f2cdcc214c2a7 Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Thu, 14 Dec 2023 15:00:22 +0100
Subject: [PATCH 2/3] [threat-actors] Add Hagga aliases
---
 clusters/threat-actor.json | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 2e9178d..f76a009 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
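Review bot: In PATCH 1/3, the second hunk (`@@ -2810,7 +2812,8 @@`) adds `"UAC-0113"` as a Sandworm synonym, but the commit message does not say which of the two references added in the first hunk establishes that link, or with what confidence. Entries under `synonyms` are typically treated as equivalent names by tools that consume this cluster file. An alias that a source ties to the actor only as an assessed overlap would therefore make events tagged with the CERT-UA designator correlate to Sandworm as a whole. The commit description should name the report that makes the attribution and quote its confidence wording, so the alias can be re-checked if the source later revises it. Both hunks show only part of the Sandworm entry; the rest of the object lies outside the patch.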
@@ -11978,7 +11978,13 @@
 "meta": {
 "refs": [
 "https://www.team-cymru.com/post/an-analysis-of-infrastructure-linked-to-the-hagga-threat-actor",
- "https://otx.alienvault.com/pulse/62cfe4ef3415be5f83be81d1"
+ "https://otx.alienvault.com/pulse/62cfe4ef3415be5f83be81d1",
+ "https://team-cymru.com/blog/2022/07/12/an-analysis-of-infrastructure-linked-to-the-hagga-threat-actor/",
+ "https://unit42.paloaltonetworks.com/aggah-campaign-bit-ly-blogspot-and-pastebin-used-for-c2-in-large-scale-campaign/"
+ ],
+ "synonyms": [
+ "Aggah",
+ "TH-157"
 ]
 },
 "related": [
From 92f9ed1148b245b62ef892262dea6fb696f24674 Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Thu, 14 Dec 2023 15:00:22 +0100
Subject: [PATCH 3/3] [threat-actors] Add Callisto aliases
---
 clusters/threat-actor.json | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index f76a009..a00fe33 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -4751,14 +4751,16 @@
 "https://www.microsoft.com/security/blog/2022/08/15/disrupting-seaborgiums-ongoing-phishing-operations",
 "https://blog.sekoia.io/calisto-continues-its-credential-harvesting-campaign",
 "https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf",
- "https://www.darkreading.com/attacks-breaches/russian-apt-bluecharlie-swaps-infrastructure-to-evade-detection"
+ "https://www.darkreading.com/attacks-breaches/russian-apt-bluecharlie-swaps-infrastructure-to-evade-detection",
+ "https://www.microsoft.com/en-us/security/blog/2023/12/07/star-blizzard-increases-sophistication-and-evasion-in-ongoing-attacks/"
 ],
 "synonyms": [
 "COLDRIVER",
 "SEABORGIUM",
 "TA446",
 "GOSSAMER BEAR",
- "BlueCharlie"
+ "BlueCharlie",
+ "Star Blizzard"
 ],
 "targeted-sector": [
 "Government, Administration",
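Review bot: In PATCH 2/3 (`@@ -11978,7 +11978,13 @@`), the added `https://team-cymru.com/blog/2022/07/12/an-analysis-of-infrastructure-linked-to-the-hagga-threat-actor/` has the same slug as the `https://www.team-cymru.com/post/an-analysis-of-infrastructure-linked-to-the-hagga-threat-actor` entry already in `refs`, so it looks like one report listed under two URLs. Keeping only the URL that still resolves would stop this entry appearing to have more independent sources than it does. The new `synonyms` array also introduces `"Aggah"`. It is worth confirming that no other cluster in `clusters/threat-actor.json` already uses that name as its value or as a synonym, which cannot be seen from this hunk. A name shared by two clusters makes tag matching ambiguous for anyone correlating events against this file.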