From f4b63d4514e4df3423987a1342eaa09cee4b1c6d Mon Sep 17 00:00:00 2001
From: Rony
Date: Tue, 16 Aug 2022 10:30:33 +0530
Subject: [PATCH 1/7] updates to tianwu
---
 clusters/threat-actor.json | 22 +++++++++++++++++++---
 1 file changed, 19 insertions(+), 3 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index fd0711b..2b6a3fb 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -10013,12 +10013,29 @@
 "meta": {
 "attribution-confidence": "75",
 "cfr-suspected-state-sponsor": "China",
+ "cfr-suspected-victims": [
+ "China",
+ "Hong Kong",
+ "Kazakhstan",
+ "Taiwan",
+ "Philippines"
+ ],
 "cfr-target-category": [
- "Private Sector"
+ "Private Sector",
+ "Gambling companies",
+ "Gaming",
+ "Information technology",
+ "Telecommunications",
+ "Government",
+ "Transportation systems",
+ "Dissident"
 ],
 "country": "CN",
 "refs": [
- "https://i.blackhat.com/Asia-22/Friday-Materials/AS-22-Li-To-Loot-Or-Not-To-Loot-That-Is-Not-a-Question.pdf"
+ "https://i.blackhat.com/Asia-22/Friday-Materials/AS-22-Li-To-Loot-Or-Not-To-Loot-That-Is-Not-a-Question.pdf",
+ "https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf",
+ "https://decoded.avast.io/luigicamastra/operation-dragon-castling-apt-group-targeting-betting-companies",
+ "https://github.com/avast/ioc/tree/master/OperationDragonCastling"
 ]
 },
 "uuid": "a3831248-5e2f-492d-8bb6-5e82c2f6481d",
@@ -10033,7 +10050,6 @@
 ],
 "country": "CN",
 "refs": [
- "https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf",
 "https://i.blackhat.com/Asia-22/Friday-Materials/AS-22-Li-To-Loot-Or-Not-To-Loot-That-Is-Not-a-Question.pdf"
 ]
 },
From de76aef02388febd12bf0dd97ed3cf1440341272 Mon Sep 17 00:00:00 2001
From: Rony
Date: Tue, 16 Aug 2022 10:49:13 +0530
Subject: [PATCH 2/7] Update threat-actor.json
---
 clusters/threat-actor.json | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
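Review bot: The new `cfr-target-category` entries mix capitalisation: the retained `"Private Sector"` now sits beside values that other clusters in this file spell `"Private sector"` (the DYMALLOY, Inception Framework and Red October entries later in this series), so a consumer faceting on that field will see two different categories for the same thing. Either keep the spelling the rest of the file uses, `"Private sector"`, or normalise all occurrences in one pass. The `cfr-*` keys elsewhere in this file are paired with a cfr.org reference, whereas this entry adds five `cfr-suspected-victims` and seven categories with only Black Hat, Avast and GitHub refs; worth confirming the values come from the CFR tracker, or stating in the commit message that they were derived from the cited reports.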
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 2b6a3fb..c3687d7 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -4455,12 +4455,19 @@
 {
 "description": "The Callisto Group is an advanced threat actor whose known targets include military personnel, government officials, think tanks, and journalists in Europe and the South Caucasus. Their primary interest appears to be gathering intelligence related to foreign and security policy in the Eastern Europe and South Caucasus regions.",
 "meta": {
+ "country": "RU",
 "refs": [
 "https://www.f-secure.com/documents/996508/1030745/callisto-group",
- "https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag"
+ "https://blog.google/threat-analysis-group/tracking-cyber-activity-eastern-europe",
+ "https://blog.google/threat-analysis-group/update-on-cyber-activity-in-eastern-europe",
+ "https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag",
+ "https://www.microsoft.com/security/blog/2022/08/15/disrupting-seaborgiums-ongoing-phishing-operations",
+ "https://blog.sekoia.io/calisto-continues-its-credential-harvesting-campaign"
 ],
 "synonyms": [
- "COLDRIVER"
+ "COLDRIVER",
+ "SEABORGIUM",
+ "TA446"
 ]
 },
 "uuid": "fbd279ab-c095-48dc-ba48-4bece3dd5b0f",
From bbe84c5985082309aed55f5cc83179d00bb892f9 Mon Sep 17 00:00:00 2001
From: Rony
Date: Tue, 16 Aug 2022 12:07:59 +0530
Subject: [PATCH 3/7] updates to russian actors
---
 clusters/threat-actor.json | 255 ++++++++++--------------------------
 1 file changed, 67 insertions(+), 188 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index c3687d7..25225c1 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
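Review bot: `"country": "RU"` is added to the Callisto cluster without an accompanying `"attribution-confidence"`, which the other clusters in this series that carry a `country` pair it with (for example the `"attribution-confidence": "50", "country": "RU"` pairs on the TeleBots and Berserk Bear entries). Add `"attribution-confidence": "50",` ahead of `"country"`, or whatever confidence the cited Google, Microsoft and Sekoia reports support, so consumers that read the confidence field do not treat this attribution as unqualified. The `meta` object starts inside the hunk, so nothing above it can already supply the field.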
@@ -2366,28 +2366,27 @@
 "https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag"
 ],
 "synonyms": [
- "APT 28",
- "APT28",
 "Pawn Storm",
- "PawnStorm",
 "FANCY BEAR",
 "Sednit",
 "SNAKEMACKEREL",
- "TsarTeam",
 "Tsar Team",
 "TG-4127",
- "Group-4127",
 "STRONTIUM",
- "TAG_0700",
 "Swallowtail",
 "IRON TWILIGHT",
 "Group 74",
 "SIG40",
 "Grizzly Steppe",
- "apt_sofacy",
 "G0007",
 "ATK5",
- "Fighting Ursa"
+ "Fighting Ursa",
+ "ITG05",
+ "Blue Athena",
+ "TA422",
+ "T-APT-12",
+ "APT-C-20",
+ "UAC-0028"
 ]
 },
 "related": [
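Review bot: Dropping `"APT 28"`, `"APT28"`, `"PawnStorm"`, `"TsarTeam"`, `"Group-4127"`, `"TAG_0700"` and `"apt_sofacy"` from the synonyms removes names that existing MISP tags and external lookups may still use; `"APT28"` is only safe to drop because the @@ -2407 hunk makes it the cluster's `value`, yet the previous value `"Sofacy"` is not added to the list in its place (the hunk shows the whole `synonyms` array and `"Sofacy"` appears nowhere in it). The same value/synonym swap happens for APT29 (@@ -2450 / @@ -2484, old value `"APT 29"`, with `"Dukes"`, `"Cozy Bear"` and `"CozyDuke"` also dropped), Turla (@@ -2549 / @@ -2588, old value `"Turla Group"`) and Energetic Bear (@@ -2657, old value `"Energetic Bear"`); for those two lists a few lines fall between hunks, so the old value may survive there, but it is worth checking. In MISP the `value` string is what the galaxy tag `misp-galaxy:threat-actor="…"` carries, so renaming it changes the tag on every event that uses it even though the uuid stays stable. Keeping each previous `value` as a synonym, e.g. `"Sofacy",` here, avoids breaking searches and tag matches on the old names.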
@@ -2407,7 +2406,7 @@
 }
 ],
 "uuid": "5b4ee3ea-eee3-4c8e-8323-85ae32658754",
- "value": "Sofacy"
+ "value": "APT28"
 },
 {
 "description": "A 2015 report by F-Secure describe APT29 as: 'The Dukes are a well-resourced, highly dedicated and organized cyberespionage group that we believe has been working for the Russian Federation since at least 2008 to collect intelligence in support of foreign and security policy decision-making. The Dukes show unusual confidence in their ability to continue successfully compromising their targets, as well as in their ability to operate with impunity. The Dukes primarily target Western governments and related organizations, such as government ministries and agencies, political think tanks, and governmental subcontractors. Their targets have also included the governments of members of the Commonwealth of Independent States;Asian, African, and Middle Eastern governments;organizations associated with Chechen extremism;and Russian speakers engaged in the illicit trade of controlled substances and drugs. The Dukes are known to employ a vast arsenal of malware toolsets, which we identify as MiniDuke, CosmicDuke, OnionDuke, CozyDuke, CloudDuke, SeaDuke, HammerDuke, PinchDuke, and GeminiDuke. In recent years, the Dukes have engaged in apparently biannual large - scale spear - phishing campaigns against hundreds or even thousands of recipients associated with governmental institutions and affiliated organizations. These campaigns utilize a smash - and - grab approach involving a fast but noisy breakin followed by the rapid collection and exfiltration of as much data as possible.If the compromised target is discovered to be of value, the Dukes will quickly switch the toolset used and move to using stealthier tactics focused on persistent compromise and long - term intelligence gathering. 
This threat actor targets government ministries and agencies in the West, Central Asia, East Africa, and the Middle East; Chechen extremist groups; Russian organized crime; and think tanks. It is suspected to be behind the 2015 compromise of unclassified networks at the White House, Department of State, Pentagon, and the Joint Chiefs of Staff. The threat actor includes all of the Dukes tool sets, including MiniDuke, CosmicDuke, OnionDuke, CozyDuke, SeaDuke, CloudDuke (aka MiniDionis), and HammerDuke (aka Hammertoss). '",
@@ -2450,28 +2449,20 @@
 "https://unit42.paloaltonetworks.com/atoms/cloaked-ursa/"
 ],
 "synonyms": [
- "Dukes",
 "Group 100",
- "Cozy Duke",
- "CozyDuke",
- "EuroAPT",
- "CozyBear",
- "CozyCar",
- "Cozer",
- "Office Monkeys",
- "OfficeMonkeys",
- "APT29",
- "Cozy Bear",
+ "COZY BEAR",
 "The Dukes",
 "Minidionis",
 "SeaDuke",
- "Hammer Toss",
 "YTTRIUM",
- "Iron Hemlock",
+ "IRON HEMLOCK",
 "Grizzly Steppe",
 "G0016",
 "ATK7",
- "Cloaked Ursa"
+ "Cloaked Ursa",
+ "TA421",
+ "Blue Kitsune",
+ "ITG11"
 ]
 },
 "related": [
@@ -2484,7 +2475,7 @@
 }
 ],
 "uuid": "b2056ff0-00b9-482e-b11c-c771daa5f28a",
- "value": "APT 29"
+ "value": "APT29"
 },
 {
 "description": "A 2014 Guardian article described Turla as: 'Dubbed the Turla hackers, initial intelligence had indicated western powers were key targets, but it was later determined embassies for Eastern Bloc nations were of more interest. Embassies in Belgium, Ukraine, China, Jordan, Greece, Kazakhstan, Armenia, Poland, and Germany were all attacked, though researchers from Kaspersky Lab and Symantec could not confirm which countries were the true targets. In one case from May 2012, the office of the prime minister of a former Soviet Union member country was infected, leading to 60 further computers being affected, Symantec researchers said. There were some other victims, including the ministry for health of a Western European country, the ministry for education of a Central American country, a state electricity provider in the Middle East and a medical organisation in the US, according to Symantec. It is believed the group was also responsible for a much - documented 2008 attack on the US Central Command. The attackers - who continue to operate - have ostensibly sought to carry out surveillance on targets and pilfer data, though their use of encryption across their networks has made it difficult to ascertain exactly what the hackers took.Kaspersky Lab, however, picked up a number of the attackers searches through their victims emails, which included terms such as Nato and EU energy dialogue Though attribution is difficult to substantiate, Russia has previously been suspected of carrying out the attacks and Symantecs Gavin O’ Gorman told the Guardian a number of the hackers appeared to be using Russian names and language in their notes for their malicious code. Cyrillic was also seen in use.'",
@@ -2549,14 +2540,11 @@
 "https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag"
 ],
 "synonyms": [
- "Turla",
 "Snake",
- "Venomous Bear",
 "VENOMOUS Bear",
 "Group 88",
 "Waterbug",
 "WRAITH",
- "Turla Team",
 "Uroburos",
 "Pfinet",
 "TAG_0530",
@@ -2565,10 +2553,12 @@
 "Pacifier APT",
 "Popeye",
 "SIG23",
- "Iron Hunter",
+ "IRON HUNTER",
 "MAKERSMARK",
 "ATK13",
- "G0010"
+ "G0010",
+ "ITG12",
+ "Blue Python"
 ]
 },
 "related": [
@@ -2588,7 +2578,7 @@
 }
 ],
 "uuid": "fa80877c-f509-4daf-8b62-20aba1635f68",
- "value": "Turla Group"
+ "value": "Turla"
 },
 {
 "description": "A Russian group that collects intelligence on the energy industry.",
@@ -2628,10 +2618,13 @@
 "https://www.kaspersky.com/resource-center/threats/crouching-yeti-energetic-bear-malware-threat",
 "https://www.sans.org/reading-room/whitepapers/ICS/impact-dragonfly-malware-industrial-control-systems-36672",
 "https://attack.mitre.org/groups/G0035/",
- "https://www.secureworks.com/research/resurgent-iron-liberty-targeting-energy-sector"
+ "https://www.secureworks.com/research/resurgent-iron-liberty-targeting-energy-sector",
+ "https://dragos.com/adversaries.html",
+ "https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf",
+ "https://www.cfr.org/interactive/cyber-operations/dymalloy"
 ],
 "synonyms": [
- "Beserk Bear",
+ "BERSERK BEAR",
 "ALLANITE",
 "CASTLE",
 "DYMALLOY",
@@ -2640,11 +2633,13 @@
 "Crouching Yeti",
 "Group 24",
 "Havex",
- "CrouchingYeti",
 "Koala Team",
 "IRON LIBERTY",
 "G0035",
- "ATK6"
+ "ATK6",
+ "ITG15",
+ "BROMINE",
+ "Blue Kraken"
 ]
 },
 "related": [
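Review bot: In the @@ -2628 hunk the three Dragos/CFR references fold the DYMALLOY cluster into ENERGETIC BEAR, but the rest of that cluster, deleted in the @@ -6102 hunk, is not carried over: its synonyms `"Dragonfly 2.0"`, `"Dragonfly2"` and `"Berserker Bear"` are absent from the parts of the synonym list visible in the @@ -2628 and @@ -2640 hunks (two lines between the hunks are not shown), and its `capabilities`, `mode-of-operation`, `since`, `cfr-suspected-victims` and `victimology` fields are dropped outright. Adding the three synonyms next to `"DYMALLOY"` and moving `"capabilities": "GOODOR, DORSHEL, KARAGANY, Mimikatz",` and the `mode-of-operation` / `victimology` values into this cluster's `meta` would keep the merge lossless. The retained `"https://attack.mitre.org/groups/G0035/"` still carries the trailing slash that the rest of the series strips; it is a context line here, but normalising it in the same pass would keep the refs consistent.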
@@ -2657,7 +2652,7 @@
 }
 ],
 "uuid": "64d6559c-6d5c-4585-bbf9-c17868f763ee",
- "value": "Energetic Bear"
+ "value": "ENERGETIC BEAR"
 },
 {
 "description": "This threat actor targets industrial control systems, using a tool called Black Energy, associated with electricity and power generation for espionage, denial of service, and data destruction purposes. Some believe that the threat actor is linked to the 2015 compromise of the Ukrainian electrical grid and a distributed denial of service prior to the Russian invasion of Georgia. Believed to be responsible for the 2008 DDoS attacks in Georgia and the 2015 Ukraine power grid outage",
@@ -2689,19 +2684,31 @@
 "https://ics.sans.org/blog/2016/01/09/confirmation-of-a-coordinated-attack-on-the-ukrainian-power-grid",
 "https://web.archive.org/web/20141016132823/https://www.symantec.com/connect/blogs/sandworm-windows-zero-day-vulnerability-being-actively-exploited-targeted-attacks",
 "https://ics.sans.org/blog/2015/12/30/current-reporting-on-the-cyber-attack-in-ukraine-resulting-in-power-outage",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/timeline-of-sandworm-attacks/",
- "https://attack.mitre.org/groups/G0034/",
- "https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag"
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/timeline-of-sandworm-attacks",
+ "https://attack.mitre.org/groups/G0034",
+ "https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag",
+ "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf",
+ "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf",
+ "https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf",
+ "https://dragos.com/adversaries.html",
+ "http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks",
+ "https://www.welivesecurity.com/2017/01/05/killdisk-now-targeting-linux-demands-250k-ransom-cant-decrypt",
+ "https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine",
+ "https://www.welivesecurity.com/2017/05/23/xdata-ransomware-making-rounds-amid-global-wannacryptor-scare",
+ "https://www.welivesecurity.com/2017/06/27/new-ransomware-attack-hits-ukraine",
+ "https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/timeline-of-sandworm-attacks"
 ],
 "synonyms": [
- "Sandworm Team",
- "Black Energy",
- "BlackEnergy",
 "Quedagh",
 "VOODOO BEAR",
 "TEMP.Noble",
- "Iron Viking",
- "G0034"
+ "IRON VIKING",
+ "G0034",
+ "ELECTRUM",
+ "TeleBots",
+ "IRIDIUM",
+ "Blue Echidna"
 ]
 },
 "related": [
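Review bot: The refs merged in from the TeleBots cluster include `"http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks"` with a plain-http scheme while every other welivesecurity link in this list is https; the trailing slashes were normalised in the same lines, so switching that one to `https://` keeps the list consistent and spares anyone who follows it a cleartext fetch. The merge also drops fields the deleted ELECTRUM cluster carried that this cluster does not visibly have (`"capabilities": "CRASHOVERRIDE"`, `"mode-of-operation": "Electric grid disruption and long-term persistence"`, `"since": "2016"`, `"victimology": "Ukraine, Electric Utilities"`) and the `"attribution-confidence": "50"` from TeleBots; if they are meant to survive the merge they belong in this `meta` block. Whether Sandworm already carries `attribution-confidence` cannot be seen from the hunk, which starts inside `refs`. Removing `"Sandworm Team"`, `"Black Energy"` and `"BlackEnergy"` from the synonyms while the cluster value stays `"Sandworm"` loses the names the deleted TeleBots description and the MITRE reference both use.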
@@ -2737,50 +2744,6 @@
 "uuid": "f512de42-f76b-40d2-9923-59e7dbdfec35",
 "value": "Sandworm"
 },
- {
- "description": "We will refer to the gang behind the malware as TeleBots. However it’s important to say that these attackers, and the toolset used, share a number of similarities with the BlackEnergy group, which conducted attacks against the energy industry in Ukraine in December 2015 and January 2016. In fact, we think that the BlackEnergy group has evolved into the TeleBots group. TeleBots appear to be associated with Sandworm Team, Iron Viking, Voodoo Bear.",
- "meta": {
- "attribution-confidence": "50",
- "country": "RU",
- "refs": [
- "http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/",
- "https://www.welivesecurity.com/2017/01/05/killdisk-now-targeting-linux-demands-250k-ransom-cant-decrypt/",
- "https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/",
- "https://www.welivesecurity.com/2017/05/23/xdata-ransomware-making-rounds-amid-global-wannacryptor-scare/",
- "https://www.welivesecurity.com/2017/06/27/new-ransomware-attack-hits-ukraine/",
- "https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/timeline-of-sandworm-attacks/"
- ],
- "synonyms": [
- "Sandworm"
- ]
- },
- "related": [
- {
- "dest-uuid": "381fcf73-60f6-4ab2-9991-6af3cbc35192",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "f512de42-f76b-40d2-9923-59e7dbdfec35",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "feac86e4-6bb2-4ba0-ac99-806aeb0a776c",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
- "uuid": "b47250ec-2094-4d06-b658-11456e05fe89",
- "value": "TeleBots"
- },
 {
 "description": "Groups targeting financial organizations or people 
with significant financial assets.",
 "meta": {
@@ -2870,7 +2833,6 @@
 "synonyms": [
 "TeamSpy",
 "Team Bear",
- "Berserk Bear",
 "Anger Bear",
 "IRON LYRIC"
 ]
@@ -2905,23 +2867,6 @@
 "uuid": "b737c51f-b579-49d5-a907-743b2e6d03cb",
 "value": "BuhTrap"
 },
- {
- "meta": {
- "attribution-confidence": "50",
- "country": "RU"
- },
- "related": [
- {
- "dest-uuid": "82c1c7fa-c67b-4be6-9be8-8aa400ef2445",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
- "uuid": "90ef600f-5198-44a9-a2c6-de4b4d9d8624",
- "value": "Berserk Bear"
- },
 {
 "description": "FIN4 is a financially-motivated threat group that has targeted confidential information related to the public financial market, particularly regarding healthcare and pharmaceutical companies, since at least 2013. FIN4 is unique in that they do not infect victims with typical persistent malware, but rather they focus on capturing credentials authorized to access email and other non-public correspondence.",
 "meta": {
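Review bot: Deleting the TeleBots cluster removes uuid `b47250ec-2094-4d06-b658-11456e05fe89` from the galaxy, and the same happens to `90ef600f-5198-44a9-a2c6-de4b4d9d8624` (Berserk Bear, @@ -2905), `feac86e4-6bb2-4ba0-ac99-806aeb0a776c` (ELECTRUM, @@ -4611) and `a08ab076-33c1-4350-b021-650c34277f2d` (DYMALLOY, @@ -6102); cluster uuids are the stable identifiers that other galaxies, synchronised MISP instances and `related` lists point at, so anything holding one of these now dangles. Within this file the removed `related` entries pointed at `381fcf73-…`, `f512de42-…`, `feac86e4-…` and `82c1c7fa-…`; if those clusters carry the reciprocal `"dest-uuid"` entries (their `related` arrays are outside these hunks), they now reference uuids that no longer exist and should be pruned in the same commit. A less disruptive option is to keep each entry with a deprecation marker pointing at the surviving cluster, or at least to record the absorbed uuids in the surviving cluster's description so consumers can map old references to the new cluster.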
@@ -4267,23 +4212,30 @@
 "refs": [
 "http://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution",
 "https://www.lookingglasscyber.com/wp-content/uploads/2015/08/Operation_Armageddon_Final.pdf",
- "https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution/",
- "https://attack.mitre.org/groups/G0047/",
+ "https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution",
+ "https://attack.mitre.org/groups/G0047",
 "https://github.com/StrangerealIntel/CyberThreatIntel/tree/master/Russia/APT/Gamaredon",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
- "https://www.welivesecurity.com/2020/06/18/digging-up-invisimole-hidden-arsenal/",
+ "https://www.welivesecurity.com/2020/06/18/digging-up-invisimole-hidden-arsenal",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine",
- "https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/",
- "https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/",
- "https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/",
- "https://unit42.paloaltonetworks.com/atoms/tridentursa/"
+ "https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations",
+ "https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game",
+ "https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2019-1212.pdf",
+ "https://unit42.paloaltonetworks.com/atoms/tridentursa"
 ],
 "synonyms": [
- "Primitive Bear",
- "Shuckworm",
 "ACTINIUM",
+ "DEV-0157",
+ "Blue Otso",
+ "BlueAlpha",
 "G0047",
- "Trident Ursa"
+ "IRON TILDEN",
+ "PRIMITIVE BEAR",
+ "Shuckworm",
+ "Trident Ursa",
+ "UAC-0010",
+ "Winterflounder"
 ]
 },
 "related": [
@@ -4611,49 +4563,6 @@
 "uuid": "1fc5671f-5757-43bf-8d6d-a9a93b03713a",
 "value": "PLATINUM"
 },
- {
- "description": "Adversaries abusing ICS (based on Dragos Inc adversary list). Dragos, Inc. tracks the adversary group behind CRASHOVERRIDE as ELECTRUM and assesses with high confidence through confidential sources that ELECTRUM has direct ties to the Sandworm team. Our intelligence ICS WorldView customers have received a comprehensive report and this industry report will not get into sensitive technical details but instead focus on information needed for defense and impact awareness.",
- "meta": {
- "capabilities": "CRASHOVERRIDE",
- "mode-of-operation": "Electric grid disruption and long-term persistence",
- "refs": [
- "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf",
- "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf",
- "https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf",
- "https://dragos.com/adversaries.html"
- ],
- "since": "2016",
- "synonyms": [
- "Sandworm"
- ],
- "victimology": "Ukraine, Electric Utilities"
- },
- "related": [
- {
- "dest-uuid": "381fcf73-60f6-4ab2-9991-6af3cbc35192",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "f512de42-f76b-40d2-9923-59e7dbdfec35",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "b47250ec-2094-4d06-b658-11456e05fe89",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
- "uuid": "feac86e4-6bb2-4ba0-ac99-806aeb0a776c",
- "value": "ELECTRUM"
- },
 {
 "description": "Dragos has identified a new activity group targeting access operations in the electric utility sector. We call this activity group RASPITE. Analysis of RASPITE tactics, techniques, and procedures (TTPs) indicate the group has been active in some form since early- to mid-2017. 
RASPITE targeting includes entities in the US, Middle East, Europe, and East Asia. Operations against electric utility organizations appear limited to the US at this time. RASPITE leverages strategic website compromise to gain initial access to target networks. RASPITE uses the same methodology as DYMALLOY and ALLANITE in embedding a link to a resource to prompt an SMB connection, from which it harvests Windows credentials. The group then deploys install scripts for a malicious service to beacon back to RASPITE-controlled infrastructure, allowing the adversary to remotely access the victim machine.",
 "meta": {
@@ -6102,36 +6011,6 @@
 "uuid": "a0082cfa-32e2-42b8-92d8-5c7a7409dcf1",
 "value": "CHRYSENE"
 },
- {
- "description": "Adversaries abusing ICS (based on Dragos Inc adversary list).\nThis threat actor targets industrial control systems in Turkey, Europe, and North America.\n Believed to be linked to Crouching Yeti",
- "meta": {
- "attribution-confidence": "50",
- "capabilities": "GOODOR, DORSHEL, KARAGANY, Mimikatz",
- "cfr-suspected-state-sponsor": "Unknown",
- "cfr-suspected-victims": [
- "Turkey"
- ],
- "cfr-target-category": [
- "Private sector"
- ],
- "cfr-type-of-incident": "Espionage",
- "mode-of-operation": "Deep ICS environment information gathering, operator credentials, industrial process details",
- "refs": [
- "https://dragos.com/adversaries.html",
- "https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf",
- "https://www.cfr.org/interactive/cyber-operations/dymalloy"
- ],
- "since": "2016",
- "synonyms": [
- "Dragonfly 2.0",
- "Dragonfly2",
- "Berserker Bear"
- ],
- "victimology": "Turkey, Europe, US"
- },
- "uuid": "a08ab076-33c1-4350-b021-650c34277f2d",
- "value": "DYMALLOY"
- },
 {
 "description": "Adversaries abusing ICS (based on Dragos Inc adversary list).",
 "meta": {
From 490bc6a05cd83b618c28af142268d87cb0dc7af4 Mon Sep 17 00:00:00 2001
From: Rony
Date: Tue, 16 Aug 2022 12:10:27 +0530
Subject: [PATCH 4/7] fix duplicate
---
 clusters/threat-actor.json | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 25225c1..e665a88 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -2696,8 +2696,7 @@
 "https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine",
 "https://www.welivesecurity.com/2017/05/23/xdata-ransomware-making-rounds-amid-global-wannacryptor-scare",
 "https://www.welivesecurity.com/2017/06/27/new-ransomware-attack-hits-ukraine",
- "https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/timeline-of-sandworm-attacks"
+ "https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back"
 ],
 "synonyms": [
 "Quedagh",
From 62b168600f22c81be11a4c90140b31bdbf836068 Mon Sep 17 00:00:00 2001
From: Rony
Date: Tue, 16 Aug 2022 12:15:30 +0530
Subject: [PATCH 5/7] fix duplicates
---
 clusters/threat-actor.json | 1 -
 1 file changed, 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index e665a88..3df1d77 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -2687,7 +2687,6 @@
 "https://blog.trendmicro.com/trendlabs-security-intelligence/timeline-of-sandworm-attacks",
 "https://attack.mitre.org/groups/G0034",
 "https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag",
- "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf",
 "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf",
 "https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf",
 "https://dragos.com/adversaries.html",
From 370045b01db64084ab6d3cdf1c302ece4590358a Mon Sep 17 00:00:00 2001
From: Rony
Date: Tue, 16 Aug 2022 09:30:29 +0000
Subject: [PATCH 6/7] Merge "red october" and "cloud atlas" to inception framework"
---
 clusters/threat-actor.json | 118 +++++++++++++------------------------
 1 file changed, 42 insertions(+), 76 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 3df1d77..a4b63eb 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -6264,33 +6264,66 @@
 "description": "This threat actor uses spear-phishing techniques to target private-sector energy, defense, aerospace, research, and media organizations and embassies in Africa, Europe, and the Middle East, for the purpose of espionage.",
 "meta": {
 "attribution-confidence": "50",
- "cfr-suspected-state-sponsor": "Unknown",
+ "cfr-suspected-state-sponsor": "Russian Federation",
 "cfr-suspected-victims": [
- "South Africa",
- "Malaysia",
+ "Afghanistan",
+ "Armenia",
+ "Azerbaijan",
+ "Belarus",
+ "Belgium",
+ "Czech Republic",
+ "Greece",
+ "India",
+ "Iran",
+ "Italy",
+ "Kazakhstan",
 "Kenya",
+ "Malaysia",
+ "Russia",
+ "South Africa",
 "Suriname",
- "United Kingdom"
+ "Turkmenistan",
+ "Ukraine",
+ "United Kingdom",
+ "United States",
+ "Vietnam"
 ],
 "cfr-target-category": [
 "Government",
 "Private sector"
 ],
 "cfr-type-of-incident": "Espionage",
+ "country": "RU",
 "refs": [
 "https://www.cfr.org/interactive/cyber-operations/inception-framework",
 "https://web.archive.org/web/20160710180729/https://www.bluecoat.com/security-blog/2014-12-09/blue-coat-exposes-%E2%80%9C-inception-framework%E2%80%9D-very-sophisticated-layered-malware",
 "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/Inception_APT_Analysis_Bluecoat.pdf",
- "https://logrhythm.com/blog/catching-the-inception-framework-phishing-attack/",
+ "https://logrhythm.com/blog/catching-the-inception-framework-phishing-attack",
 "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/bcs_wp_InceptionReport_EN_v12914.pdf",
- "https://securelist.com/red-october-diplomatic-cyber-attacks-investigation/36740/",
+ "https://securelist.com/the-red-october-campaign/57647",
+ "https://securelist.com/red-october-diplomatic-cyber-attacks-investigation/36740",
+ "https://securelist.com/red-october-part-two-the-modules/57645",
+ "https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083",
+ "https://securelist.com/an-undocumented-word-feature-abused-by-attackers/81899",
+ "https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability",
+ "https://securelist.com/recent-cloud-atlas-activity/92016",
 "https://www.symantec.com/blogs/threat-intelligence/inception-framework-hiding-behind-proxies",
- "https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/",
 "https://www.akamai.com/uk/en/multimedia/documents/white-paper/upnproxy-blackhat-proxies-via-nat-injections-white-paper.pdf",
- "https://unit42.paloaltonetworks.com/atoms/clean-ursa/"
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+ "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-annex-download.pdf",
+ "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf",
+ "https://unit42.paloaltonetworks.com/atoms/clean-ursa",
+ "https://www.cfr.org/interactive/cyber-operations/cloud-atlas",
+ "https://www.cfr.org/cyber-operations/red-october",
+ "https://attack.mitre.org/groups/G0100"
 ],
 "synonyms": [
- "Clean Ursa"
+ "Clean Ursa",
+ "Cloud Atlas",
+ "OXYGEN",
+ "G0100",
+ "ATK116",
+ "Blue Odin"
 ]
 },
 "uuid": "71ef51ca-a791-11e8-a026-07980ca910ca",
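Review bot: The synonym list absorbs `"Cloud Atlas"`, `"OXYGEN"`, `"G0100"`, `"ATK116"` and `"Blue Odin"` but not the other cluster this commit merges: the value `"Red October"` and its synonym `"the Rocra"` from the entry deleted in the @@ -6489 hunk appear nowhere in the new list, so the name used in the commit title itself no longer resolves to any cluster. Add `"Red October",` and `"the Rocra",` alongside `"Cloud Atlas"`. The `cfr-suspected-state-sponsor` moves from `"Unknown"` to `"Russian Federation"` and `"country": "RU"` is added, which matches the two deleted entries, but the description still covers only the Inception Framework spear-phishing activity; a sentence stating that Red October and Cloud Atlas are now tracked under this cluster would make the merge visible to readers. The deleted uuids `358b8982-bcaa-11e8-8a5b-4b618197c5b0` and `1572f618-bcb3-11e8-841b-1fd7f9cfe126` are lost to anything that referenced them, so recording them in the description or keeping deprecated stubs would preserve the mapping.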
@@ -6489,73 +6522,6 @@
 "uuid": "75ae52b2-bca3-11e8-af90-a78f33eee6c1",
 "value": "Operation BugDrop"
 },
- {
- "description": "This threat actor targets governments, diplomatic missions, academics, and energy and aerospace organizations for the purpose of espionage. Also known as the Rocra and believed to be the same threat actor as Cloud Atlas",
- "meta": {
- "attribution-confidence": "50",
- "cfr-suspected-state-sponsor": "Russian Federation",
- "cfr-suspected-victims": [
- "Russia",
- "Belgium",
- "Armenia",
- "Ukraine",
- "Belarus",
- "Kazakhstan",
- "India",
- "Iran",
- "United States",
- "Greece",
- "Azerbaijan",
- "Afghanistan",
- "Turkmenistan",
- "Vietnam",
- "Italy"
- ],
- "cfr-target-category": [
- "Government",
- "Private sector"
- ],
- "cfr-type-of-incident": "Espionage",
- "country": "RU",
- "refs": [
- "https://www.cfr.org/interactive/cyber-operations/red-october"
- ],
- "synonyms": [
- "the Rocra"
- ]
- },
- "uuid": "358b8982-bcaa-11e8-8a5b-4b618197c5b0",
- "value": "Red October"
- },
- {
- "description": "This threat actor targets governments and diplomatic organizations for espionage purposes.",
- "meta": {
- "attribution-confidence": "50",
- "cfr-suspected-state-sponsor": "Russian Federation",
- "cfr-suspected-victims": [
- "Russia",
- "India",
- "Kazakhstan",
- "Czech Republic",
- "Belarus"
- ],
- "cfr-target-category": [
- "Government"
- ],
- "cfr-type-of-incident": "Espionage",
- "country": "RU",
- "refs": [
- "https://www.cfr.org/interactive/cyber-operations/cloud-atlas",
- "https://attack.mitre.org/groups/G0100/"
- ],
- "synonyms": [
- "ATK116",
- "G0100"
- ]
- },
- "uuid": "1572f618-bcb3-11e8-841b-1fd7f9cfe126",
- "value": "Cloud Atlas"
- },
 {
 "description": "This threat actor compromises civil society groups the Chinese Communist Party views as hostile to its interests, such as Tibetan, Uyghur, Hong Kong, and Taiwanese activist. The threat actor also targeted the Myanmar electoral commission. ",
 "meta": {
From 5b25b574b38102590eea5715a8619bd7b41210fb Mon Sep 17 00:00:00 2001
From: Rony
Date: Tue, 16 Aug 2022 10:19:53 +0000
Subject: [PATCH 7/7] add uac-0010 references from cert-ua
---
 clusters/threat-actor.json | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index a4b63eb..6145b2d 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -4220,7 +4220,14 @@
 "https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game",
 "https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021",
 "https://go.recordedfuture.com/hubfs/reports/cta-2019-1212.pdf",
- "https://unit42.paloaltonetworks.com/atoms/tridentursa"
+ "https://unit42.paloaltonetworks.com/atoms/tridentursa",
+ "https://cert.gov.ua/article/1229152",
+ "https://cert.gov.ua/article/971405",
+ "https://cert.gov.ua/article/40240",
+ "https://cert.gov.ua/article/39386",
+ "https://cert.gov.ua/article/39086",
+ "https://cert.gov.ua/article/39138",
+ "https://cert.gov.ua/article/18365"
 ],
 "synonyms": [
 "ACTINIUM",