merge into apt41

clusters/threat-actor.json

@@ -601,67 +601,39 @@
       "value": "Wekby"
     },
     {
-      "description": "The Winnti grouping of activity is large and may actually be a number of linked groups rather than a single discrete entity. Kaspersky describe Winnti as: 'The Winnti group has been attacking companies in the online video game industry since 2009 and is currently still active. The groups objectives are stealing digital certificates signed by legitimate software vendors in addition to intellectual property theft, including the source code of online game projects. The majority of the victims are from South East Asia.'",
+      "description": "Axiom is a suspected Chinese cyber espionage group that has targeted the aerospace, defense, government, manufacturing, and media sectors since at least 2008. Some reporting suggests a degree of overlap between Axiom and Winnti Group but the two groups appear to be distinct based on differences in reporting on TTPs and targeting.",
       "meta": {
         "attribution-confidence": "50",
         "cfr-suspected-state-sponsor": "China",
         "cfr-suspected-victims": [
           "United States",
-          "South Korea",
-          "Universities in Hong Kong",
-          "United Kingdom",
-          "China",
+          "Netherlands",
+          "Italy",
           "Japan",
-          "Hong Kong"
+          "United Kingdom",
+          "Belgium",
+          "Russia",
+          "Indonesia",
+          "Germany",
+          "Switzerland",
+          "China"
         ],
         "cfr-target-category": [
+          "Government",
           "Private sector"
         ],
         "cfr-type-of-incident": "Espionage",
         "country": "CN",
         "refs": [
-          "https://securelist.com/winnti-faq-more-than-just-a-game/57585/",
-          "https://securelist.com/winnti-more-than-just-a-game/37029/",
-          "http://williamshowalter.com/a-universal-windows-bootkit/",
-          "https://www.microsoft.com/security/blog/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/",
-          "https://securelist.com/games-are-over/70991/",
-          "https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a",
-          "https://www.dw.com/en/thyssenkrupp-victim-of-cyber-attack/a-36695341",
-          "https://www.bleepingcomputer.com/news/security/teamviewer-confirms-undisclosed-breach-from-2016/",
-          "https://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/",
-          "https://www.dw.com/en/bayer-points-finger-at-wicked-panda-in-cyberattack/a-48196004",
-          "https://www.welivesecurity.com/2019/03/11/gaming-industry-scope-attackers-asia/",
-          "https://401trg.com/burning-umbrella/",
-          "https://attack.mitre.org/groups/G0044/",
-          "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-july-wicked-spider/",
-          "https://www.secureworks.com/research/threat-profiles/bronze-atlas",
-          "https://www.secureworks.com/research/threat-profiles/bronze-export",
-          "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
-          "https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer",
-          "https://assets.documentcloud.org/documents/7210602/FLASH-AC-000133-TT-Published.pdf",
-          "https://www.cfr.org/cyber-operations/winnti-umbrella"
+          "cfr.org/cyber-operations/axiom",
+          "https://attack.mitre.org/groups/G0001/"
         ],
         "synonyms": [
-          "Winnti Umbrella",
-          "Blackfly",
-          "LEAD",
-          "WICKED SPIDER",
-          "WICKED PANDA",
-          "BARIUM",
-          "BRONZE ATLAS",
-          "BRONZE EXPORT",
-          "Red Kelpie",
-          "G0044"
+          "Group72",
+          "G0001"
         ]
       },
       "related": [
-        {
-          "dest-uuid": "c5947e1c-1cbc-434c-94b8-27c7e3be0fff",
-          "tags": [
-            "estimative-language:likelihood-probability=\"likely\""
-          ],
-          "type": "similar"
-        },
         {
           "dest-uuid": "090242d7-73fc-4738-af68-20162f7a5aae",
           "tags": [
@@ -689,17 +661,10 @@
             "estimative-language:likelihood-probability=\"likely\""
           ],
           "type": "similar"
-        },
-        {
-          "dest-uuid": "2943148b-8bc5-4bcb-b85e-f00c2174dd47",
-          "tags": [
-            "estimative-language:likelihood-probability=\"likely\""
-          ],
-          "type": "similar"
         }
       ],
       "uuid": "24110866-cb22-4c85-a7d2-0413e126694b",
-      "value": "Winnti"
+      "value": "Axiom"
     },
     {
       "description": "Adversary group targeting financial, technology, non-profit organisations.",
@@ -7618,7 +7583,9 @@
       "meta": {
         "cfr-suspected-state-sponsor": "People's Republic of China",
         "cfr-suspected-victims": [
+          "China",
           "France",
+          "Hong Kong",
           "India",
           "Italy",
           "Japan",
@@ -7646,12 +7613,33 @@
           "Intergovernmental",
           "Media and Entertainment",
           "Pharmaceuticals",
+          "Private sector",
           "Retail",
           "Telecommunications",
           "Travel"
         ],
         "country": "CN",
         "refs": [
+          "https://securelist.com/winnti-faq-more-than-just-a-game/57585/",
+          "https://securelist.com/winnti-more-than-just-a-game/37029/",
+          "http://williamshowalter.com/a-universal-windows-bootkit/",
+          "https://www.microsoft.com/security/blog/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/",
+          "https://securelist.com/games-are-over/70991/",
+          "https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a",
+          "https://www.dw.com/en/thyssenkrupp-victim-of-cyber-attack/a-36695341",
+          "https://www.bleepingcomputer.com/news/security/teamviewer-confirms-undisclosed-breach-from-2016/",
+          "https://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/",
+          "https://www.dw.com/en/bayer-points-finger-at-wicked-panda-in-cyberattack/a-48196004",
+          "https://www.welivesecurity.com/2019/03/11/gaming-industry-scope-attackers-asia/",
+          "https://401trg.com/burning-umbrella/",
+          "https://attack.mitre.org/groups/G0044/",
+          "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-july-wicked-spider/",
+          "https://www.secureworks.com/research/threat-profiles/bronze-atlas",
+          "https://www.secureworks.com/research/threat-profiles/bronze-export",
+          "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
+          "https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer",
+          "https://assets.documentcloud.org/documents/7210602/FLASH-AC-000133-TT-Published.pdf",
+          "https://www.cfr.org/cyber-operations/winnti-umbrella",
           "https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html",
           "https://unit42.paloaltonetworks.com/apt41-using-new-speculoos-backdoor-to-target-organizations-globally/",
           "https://www.mandiant.com/resources/report-apt41-double-dragon-a-dual-espionage-and-cyber-crime-operation",
@@ -7661,7 +7649,18 @@
         "synonyms": [
           "Double Dragon",
           "G0096",
-          "TA415"
+          "TA415",
+          "Winnti Group",
+          "Blackfly",
+          "Grayfly",
+          "LEAD",
+          "BARIUM",
+          "WICKED SPIDER",
+          "WICKED PANDA",
+          "BRONZE ATLAS",
+          "BRONZE EXPORT",
+          "Red Kelpie",
+          "G0044"
         ]
       },
       "related": [
@@ -7678,6 +7677,13 @@
             "estimative-language:likelihood-probability=\"very-likely\""
           ],
           "type": "similar"
+        },
+        {
+          "dest-uuid": "c5947e1c-1cbc-434c-94b8-27c7e3be0fff",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "similar"
         }
       ],
       "uuid": "9c124874-042d-48cd-b72b-ccdc51ecbbd6",
@@ -9867,50 +9873,6 @@
       },
       "uuid": "e1e70539-8916-45c2-9b01-891c1c5bd8a1",
       "value": "TA558"
-    },
-    {
-      "description": "Axiom is a suspected Chinese cyber espionage group that has targeted the aerospace, defense, government, manufacturing, and media sectors since at least 2008. Some reporting suggests a degree of overlap between Axiom and Winnti Group but the two groups appear to be distinct based on differences in reporting on TTPs and targeting.",
-      "meta": {
-        "cfr-suspected-state-sponsor": "China",
-        "cfr-suspected-victims": [
-          "United States",
-          "Netherlands",
-          "Italy",
-          "Japan",
-          "United Kingdom",
-          "Belgium",
-          "Russia",
-          "Indonesia",
-          "Germany",
-          "Switzerland",
-          "China"
-        ],
-        "cfr-target-category": [
-          "Government",
-          "Private sector"
-        ],
-        "cfr-type-of-incident": "Espionage",
-        "country": "CN",
-        "refs": [
-          "cfr.org/cyber-operations/axiom",
-          "https://attack.mitre.org/groups/G0001/"
-        ],
-        "synonyms": [
-          "Group72",
-          "G0001"
-        ]
-      },
-      "related": [
-        {
-          "dest-uuid": "24110866-cb22-4c85-a7d2-0413e126694b",
-          "tags": [
-            "estimative-language:likelihood-probability=\"likely\""
-          ],
-          "type": "similar"
-        }
-      ],
-      "uuid": "2943148b-8bc5-4bcb-b85e-f00c2174dd47",
-      "value": "Axiom"
     }
   ],
   "version": 241