From 5dd0c7d8b3d6b00698847cf83b6dca00e1256b20 Mon Sep 17 00:00:00 2001
From: Rony <rony_123@protonmail.ch>
Date: Mon, 2 Aug 2021 22:30:05 +0530
Subject: [PATCH] chg: [threat-actor] add origin country to UNC2452 & HAFNIUM

addressed https://github.com/MISP/misp-galaxy/pull/660#issuecomment-884475015
---
 clusters/threat-actor.json | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index f245a4e..e1d2e7d 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -8338,6 +8338,8 @@
     {
       "description": "Reporting regarding activity related to the SolarWinds supply chain injection has grown quickly since initial disclosure on 13 December 2020. A significant amount of press reporting has focused on the identification of the actor(s) involved, victim organizations, possible campaign timeline, and potential impact. The US Government and cyber community have also provided detailed information on how the campaign was likely conducted and some of the malware used.  MITRE’s ATT&CK team — with the assistance of contributors — has been mapping techniques used by the actor group, referred to as UNC2452/Dark Halo by FireEye and Volexity respectively, as well as SUNBURST and TEARDROP malware.",
       "meta": {
+        "attribution-confidence": "100",
+        "country": "RU",
         "refs": [
           "https://medium.com/mitre-attack/identifying-unc2452-related-techniques-9f7b6c7f3714",
           "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
@@ -8387,6 +8389,8 @@
     {
       "description": "HAFNIUM primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures. HAFNIUM has previously compromised victims by exploiting vulnerabilities in internet-facing servers, and has used legitimate open-source frameworks, like Covenant, for command and control. Once they’ve gained access to a victim network, HAFNIUM typically exfiltrates data to file sharing sites like MEGA.In campaigns unrelated to these vulnerabilities, Microsoft has observed HAFNIUM interacting with victim Office 365 tenants. While they are often unsuccessful in compromising customer accounts, this reconnaissance activity helps the adversary identify more details about their targets’ environments. HAFNIUM operates primarily from leased virtual private servers (VPS) in the United States.",
       "meta": {
+        "attribution-confidence": "100",
+        "country": "CN",
         "refs": [
           "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers",
           "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/",