Merge pull request #748 from r0ny123/patch-2

Update threat-actor.json
Alexandre Dulaunoy 2022-08-17 07:44:46 +02:00 committed by GitHub
commit a373909bb1
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -2382,28 +2382,27 @@
"https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag" "https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag"
], ],
"synonyms": [ "synonyms": [
"APT 28",
"APT28",
"Pawn Storm",
"Pawn Storm", "Pawn Storm",
"FANCY BEAR", "FANCY BEAR",
"Sednit", "Sednit",
"SNAKEMACKEREL", "SNAKEMACKEREL",
"Tsar Team", "Tsar Team",
"Tsar Team",
"TG-4127", "TG-4127",
"Group-4127",
"STRONTIUM", "STRONTIUM",
"TAG_0700",
"Swallowtail", "Swallowtail",
"IRON TWILIGHT", "IRON TWILIGHT",
"Group 74", "Group 74",
"SIG40", "SIG40",
"Grizzly Steppe", "Grizzly Steppe",
"apt_sofacy",
"G0007", "G0007",
"ATK5", "ATK5",
"Fighting Ursa" "Fighting Ursa",
"ITG05",
"Blue Athena",
"TA422",
"T-APT-12",
"APT-C-20",
"UAC-0028"
] ]
}, },
"related": [ "related": [
@ -2423,7 +2422,7 @@
} }
], ],
"uuid": "5b4ee3ea-eee3-4c8e-8323-85ae32658754", "uuid": "5b4ee3ea-eee3-4c8e-8323-85ae32658754",
"value": "Sofacy" "value": "APT28"
}, },
{ {
"description": "A 2015 report by F-Secure describe APT29 as: 'The Dukes are a well-resourced, highly dedicated and organized cyberespionage group that we believe has been working for the Russian Federation since at least 2008 to collect intelligence in support of foreign and security policy decision-making. The Dukes show unusual confidence in their ability to continue successfully compromising their targets, as well as in their ability to operate with impunity. The Dukes primarily target Western governments and related organizations, such as government ministries and agencies, political think tanks, and governmental subcontractors. Their targets have also included the governments of members of the Commonwealth of Independent States;Asian, African, and Middle Eastern governments;organizations associated with Chechen extremism;and Russian speakers engaged in the illicit trade of controlled substances and drugs. The Dukes are known to employ a vast arsenal of malware toolsets, which we identify as MiniDuke, CosmicDuke, OnionDuke, CozyDuke, CloudDuke, SeaDuke, HammerDuke, PinchDuke, and GeminiDuke. In recent years, the Dukes have engaged in apparently biannual large - scale spear - phishing campaigns against hundreds or even thousands of recipients associated with governmental institutions and affiliated organizations. These campaigns utilize a smash - and - grab approach involving a fast but noisy breakin followed by the rapid collection and exfiltration of as much data as possible.If the compromised target is discovered to be of value, the Dukes will quickly switch the toolset used and move to using stealthier tactics focused on persistent compromise and long - term intelligence gathering. This threat actor targets government ministries and agencies in the West, Central Asia, East Africa, and the Middle East; Chechen extremist groups; Russian organized crime; and think tanks. 
It is suspected to be behind the 2015 compromise of unclassified networks at the White House, Department of State, Pentagon, and the Joint Chiefs of Staff. The threat actor includes all of the Dukes tool sets, including MiniDuke, CosmicDuke, OnionDuke, CozyDuke, SeaDuke, CloudDuke (aka MiniDionis), and HammerDuke (aka Hammertoss). '", "description": "A 2015 report by F-Secure describe APT29 as: 'The Dukes are a well-resourced, highly dedicated and organized cyberespionage group that we believe has been working for the Russian Federation since at least 2008 to collect intelligence in support of foreign and security policy decision-making. The Dukes show unusual confidence in their ability to continue successfully compromising their targets, as well as in their ability to operate with impunity. The Dukes primarily target Western governments and related organizations, such as government ministries and agencies, political think tanks, and governmental subcontractors. Their targets have also included the governments of members of the Commonwealth of Independent States;Asian, African, and Middle Eastern governments;organizations associated with Chechen extremism;and Russian speakers engaged in the illicit trade of controlled substances and drugs. The Dukes are known to employ a vast arsenal of malware toolsets, which we identify as MiniDuke, CosmicDuke, OnionDuke, CozyDuke, CloudDuke, SeaDuke, HammerDuke, PinchDuke, and GeminiDuke. In recent years, the Dukes have engaged in apparently biannual large - scale spear - phishing campaigns against hundreds or even thousands of recipients associated with governmental institutions and affiliated organizations. 
These campaigns utilize a smash - and - grab approach involving a fast but noisy breakin followed by the rapid collection and exfiltration of as much data as possible.If the compromised target is discovered to be of value, the Dukes will quickly switch the toolset used and move to using stealthier tactics focused on persistent compromise and long - term intelligence gathering. This threat actor targets government ministries and agencies in the West, Central Asia, East Africa, and the Middle East; Chechen extremist groups; Russian organized crime; and think tanks. It is suspected to be behind the 2015 compromise of unclassified networks at the White House, Department of State, Pentagon, and the Joint Chiefs of Staff. The threat actor includes all of the Dukes tool sets, including MiniDuke, CosmicDuke, OnionDuke, CozyDuke, SeaDuke, CloudDuke (aka MiniDionis), and HammerDuke (aka Hammertoss). '",
@ -2466,28 +2465,20 @@
"https://unit42.paloaltonetworks.com/atoms/cloaked-ursa/" "https://unit42.paloaltonetworks.com/atoms/cloaked-ursa/"
], ],
"synonyms": [ "synonyms": [
"Dukes",
"Group 100", "Group 100",
"Cozy Duke", "COZY BEAR",
"CozyDuke",
"EuroAPT",
"CozyBear",
"CozyCar",
"Cozer",
"Office Monkeys",
"OfficeMonkeys",
"APT29",
"Cozy Bear",
"The Dukes", "The Dukes",
"Minidionis", "Minidionis",
"SeaDuke", "SeaDuke",
"Hammer Toss",
"YTTRIUM", "YTTRIUM",
"Iron Hemlock", "IRON HEMLOCK",
"Grizzly Steppe", "Grizzly Steppe",
"G0016", "G0016",
"ATK7", "ATK7",
"Cloaked Ursa" "Cloaked Ursa",
"TA421",
"Blue Kitsune",
"ITG11"
] ]
}, },
"related": [ "related": [
@ -2565,14 +2556,11 @@
"https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag" "https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag"
], ],
"synonyms": [ "synonyms": [
"Turla",
"Snake", "Snake",
"Venomous Bear",
"VENOMOUS Bear", "VENOMOUS Bear",
"Group 88", "Group 88",
"Waterbug", "Waterbug",
"WRAITH", "WRAITH",
"Turla Team",
"Uroburos", "Uroburos",
"Pfinet", "Pfinet",
"TAG_0530", "TAG_0530",
@ -2581,10 +2569,12 @@
"Pacifier APT", "Pacifier APT",
"Popeye", "Popeye",
"SIG23", "SIG23",
"Iron Hunter", "IRON HUNTER",
"MAKERSMARK", "MAKERSMARK",
"ATK13", "ATK13",
"G0010" "G0010",
"ITG12",
"Blue Python"
] ]
}, },
"related": [ "related": [
@ -2604,7 +2594,7 @@
} }
], ],
"uuid": "fa80877c-f509-4daf-8b62-20aba1635f68", "uuid": "fa80877c-f509-4daf-8b62-20aba1635f68",
"value": "Turla Group" "value": "Turla"
}, },
{ {
"description": "A Russian group that collects intelligence on the energy industry.", "description": "A Russian group that collects intelligence on the energy industry.",
@ -2644,10 +2634,13 @@
"https://www.kaspersky.com/resource-center/threats/crouching-yeti-energetic-bear-malware-threat", "https://www.kaspersky.com/resource-center/threats/crouching-yeti-energetic-bear-malware-threat",
"https://www.sans.org/reading-room/whitepapers/ICS/impact-dragonfly-malware-industrial-control-systems-36672", "https://www.sans.org/reading-room/whitepapers/ICS/impact-dragonfly-malware-industrial-control-systems-36672",
"https://attack.mitre.org/groups/G0035/", "https://attack.mitre.org/groups/G0035/",
"https://www.secureworks.com/research/resurgent-iron-liberty-targeting-energy-sector" "https://www.secureworks.com/research/resurgent-iron-liberty-targeting-energy-sector",
"https://dragos.com/adversaries.html",
"https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf",
"https://www.cfr.org/interactive/cyber-operations/dymalloy"
], ],
"synonyms": [ "synonyms": [
"Beserk Bear", "BERSERK BEAR",
"ALLANITE", "ALLANITE",
"CASTLE", "CASTLE",
"DYMALLOY", "DYMALLOY",
@ -2656,11 +2649,13 @@
"Crouching Yeti", "Crouching Yeti",
"Group 24", "Group 24",
"Havex", "Havex",
"CrouchingYeti",
"Koala Team", "Koala Team",
"IRON LIBERTY", "IRON LIBERTY",
"G0035", "G0035",
"ATK6" "ATK6",
"ITG15",
"BROMINE",
"Blue Kraken"
] ]
}, },
"related": [ "related": [
@ -2673,7 +2668,7 @@
} }
], ],
"uuid": "64d6559c-6d5c-4585-bbf9-c17868f763ee", "uuid": "64d6559c-6d5c-4585-bbf9-c17868f763ee",
"value": "Energetic Bear" "value": "ENERGETIC BEAR"
}, },
{ {
"description": "This threat actor targets industrial control systems, using a tool called Black Energy, associated with electricity and power generation for espionage, denial of service, and data destruction purposes. Some believe that the threat actor is linked to the 2015 compromise of the Ukrainian electrical grid and a distributed denial of service prior to the Russian invasion of Georgia. Believed to be responsible for the 2008 DDoS attacks in Georgia and the 2015 Ukraine power grid outage", "description": "This threat actor targets industrial control systems, using a tool called Black Energy, associated with electricity and power generation for espionage, denial of service, and data destruction purposes. Some believe that the threat actor is linked to the 2015 compromise of the Ukrainian electrical grid and a distributed denial of service prior to the Russian invasion of Georgia. Believed to be responsible for the 2008 DDoS attacks in Georgia and the 2015 Ukraine power grid outage",
@ -2705,19 +2700,29 @@
"https://ics.sans.org/blog/2016/01/09/confirmation-of-a-coordinated-attack-on-the-ukrainian-power-grid", "https://ics.sans.org/blog/2016/01/09/confirmation-of-a-coordinated-attack-on-the-ukrainian-power-grid",
"https://web.archive.org/web/20141016132823/https://www.symantec.com/connect/blogs/sandworm-windows-zero-day-vulnerability-being-actively-exploited-targeted-attacks", "https://web.archive.org/web/20141016132823/https://www.symantec.com/connect/blogs/sandworm-windows-zero-day-vulnerability-being-actively-exploited-targeted-attacks",
"https://ics.sans.org/blog/2015/12/30/current-reporting-on-the-cyber-attack-in-ukraine-resulting-in-power-outage", "https://ics.sans.org/blog/2015/12/30/current-reporting-on-the-cyber-attack-in-ukraine-resulting-in-power-outage",
"https://blog.trendmicro.com/trendlabs-security-intelligence/timeline-of-sandworm-attacks/", "https://blog.trendmicro.com/trendlabs-security-intelligence/timeline-of-sandworm-attacks",
"https://attack.mitre.org/groups/G0034/", "https://attack.mitre.org/groups/G0034",
"https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag" "https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag",
"https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf",
"https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf",
"https://dragos.com/adversaries.html",
"http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks",
"https://www.welivesecurity.com/2017/01/05/killdisk-now-targeting-linux-demands-250k-ransom-cant-decrypt",
"https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine",
"https://www.welivesecurity.com/2017/05/23/xdata-ransomware-making-rounds-amid-global-wannacryptor-scare",
"https://www.welivesecurity.com/2017/06/27/new-ransomware-attack-hits-ukraine",
"https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back"
], ],
"synonyms": [ "synonyms": [
"Sandworm Team",
"Black Energy",
"BlackEnergy",
"Quedagh", "Quedagh",
"VOODOO BEAR", "VOODOO BEAR",
"TEMP.Noble", "TEMP.Noble",
"Iron Viking", "IRON VIKING",
"G0034" "G0034",
"ELECTRUM",
"TeleBots",
"IRIDIUM",
"Blue Echidna"
] ]
}, },
"related": [ "related": [
@ -2753,50 +2758,6 @@
"uuid": "f512de42-f76b-40d2-9923-59e7dbdfec35", "uuid": "f512de42-f76b-40d2-9923-59e7dbdfec35",
"value": "Sandworm" "value": "Sandworm"
}, },
{
"description": "We will refer to the gang behind the malware as TeleBots. However its important to say that these attackers, and the toolset used, share a number of similarities with the BlackEnergy group, which conducted attacks against the energy industry in Ukraine in December 2015 and January 2016. In fact, we think that the BlackEnergy group has evolved into the TeleBots group. TeleBots appear to be associated with Sandworm Team, Iron Viking, Voodoo Bear.",
"meta": {
"attribution-confidence": "50",
"country": "RU",
"refs": [
"http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/",
"https://www.welivesecurity.com/2017/01/05/killdisk-now-targeting-linux-demands-250k-ransom-cant-decrypt/",
"https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/",
"https://www.welivesecurity.com/2017/05/23/xdata-ransomware-making-rounds-amid-global-wannacryptor-scare/",
"https://www.welivesecurity.com/2017/06/27/new-ransomware-attack-hits-ukraine/",
"https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/",
"https://blog.trendmicro.com/trendlabs-security-intelligence/timeline-of-sandworm-attacks/"
],
"synonyms": [
"Sandworm"
]
},
"related": [
{
"dest-uuid": "381fcf73-60f6-4ab2-9991-6af3cbc35192",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "f512de42-f76b-40d2-9923-59e7dbdfec35",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "feac86e4-6bb2-4ba0-ac99-806aeb0a776c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "b47250ec-2094-4d06-b658-11456e05fe89",
"value": "TeleBots"
},
{ {
"description": "Groups targeting financial organizations or people with significant financial assets.", "description": "Groups targeting financial organizations or people with significant financial assets.",
"meta": { "meta": {
@ -2886,7 +2847,6 @@
"synonyms": [ "synonyms": [
"TeamSpy", "TeamSpy",
"Team Bear", "Team Bear",
"Berserk Bear",
"Anger Bear", "Anger Bear",
"IRON LYRIC" "IRON LYRIC"
] ]
@ -2921,23 +2881,6 @@
"uuid": "b737c51f-b579-49d5-a907-743b2e6d03cb", "uuid": "b737c51f-b579-49d5-a907-743b2e6d03cb",
"value": "BuhTrap" "value": "BuhTrap"
}, },
{
"meta": {
"attribution-confidence": "50",
"country": "RU"
},
"related": [
{
"dest-uuid": "82c1c7fa-c67b-4be6-9be8-8aa400ef2445",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "90ef600f-5198-44a9-a2c6-de4b4d9d8624",
"value": "Berserk Bear"
},
{ {
"description": "FIN4 is a financially-motivated threat group that has targeted confidential information related to the public financial market, particularly regarding healthcare and pharmaceutical companies, since at least 2013. FIN4 is unique in that they do not infect victims with typical persistent malware, but rather they focus on capturing credentials authorized to access email and other non-public correspondence.", "description": "FIN4 is a financially-motivated threat group that has targeted confidential information related to the public financial market, particularly regarding healthcare and pharmaceutical companies, since at least 2013. FIN4 is unique in that they do not infect victims with typical persistent malware, but rather they focus on capturing credentials authorized to access email and other non-public correspondence.",
"meta": { "meta": {
@ -4283,23 +4226,37 @@
"refs": [ "refs": [
"http://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution", "http://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution",
"https://www.lookingglasscyber.com/wp-content/uploads/2015/08/Operation_Armageddon_Final.pdf", "https://www.lookingglasscyber.com/wp-content/uploads/2015/08/Operation_Armageddon_Final.pdf",
"https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution/", "https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution",
"https://attack.mitre.org/groups/G0047/", "https://attack.mitre.org/groups/G0047",
"https://github.com/StrangerealIntel/CyberThreatIntel/tree/master/Russia/APT/Gamaredon", "https://github.com/StrangerealIntel/CyberThreatIntel/tree/master/Russia/APT/Gamaredon",
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
"https://www.welivesecurity.com/2020/06/18/digging-up-invisimole-hidden-arsenal/", "https://www.welivesecurity.com/2020/06/18/digging-up-invisimole-hidden-arsenal",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine",
"https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/", "https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations",
"https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/", "https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game",
"https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/", "https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021",
"https://unit42.paloaltonetworks.com/atoms/tridentursa/" "https://go.recordedfuture.com/hubfs/reports/cta-2019-1212.pdf",
"https://unit42.paloaltonetworks.com/atoms/tridentursa",
"https://cert.gov.ua/article/1229152",
"https://cert.gov.ua/article/971405",
"https://cert.gov.ua/article/40240",
"https://cert.gov.ua/article/39386",
"https://cert.gov.ua/article/39086",
"https://cert.gov.ua/article/39138",
"https://cert.gov.ua/article/18365"
], ],
"synonyms": [ "synonyms": [
"Primitive Bear",
"Shuckworm",
"ACTINIUM", "ACTINIUM",
"DEV-0157",
"Blue Otso",
"BlueAlpha",
"G0047", "G0047",
"Trident Ursa" "IRON TILDEN",
"PRIMITIVE BEAR",
"Shuckworm",
"Trident Ursa",
"UAC-0010",
"Winterflounder"
] ]
}, },
"related": [ "related": [
@ -4471,12 +4428,19 @@
{ {
"description": "The Callisto Group is an advanced threat actor whose known targets include military personnel, government officials, think tanks, and journalists in Europe and the South Caucasus. Their primary interest appears to be gathering intelligence related to foreign and security policy in the Eastern Europe and South Caucasus regions.", "description": "The Callisto Group is an advanced threat actor whose known targets include military personnel, government officials, think tanks, and journalists in Europe and the South Caucasus. Their primary interest appears to be gathering intelligence related to foreign and security policy in the Eastern Europe and South Caucasus regions.",
"meta": { "meta": {
"country": "RU",
"refs": [ "refs": [
"https://www.f-secure.com/documents/996508/1030745/callisto-group", "https://www.f-secure.com/documents/996508/1030745/callisto-group",
"https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag" "https://blog.google/threat-analysis-group/tracking-cyber-activity-eastern-europe",
"https://blog.google/threat-analysis-group/update-on-cyber-activity-in-eastern-europe",
"https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag",
"https://www.microsoft.com/security/blog/2022/08/15/disrupting-seaborgiums-ongoing-phishing-operations",
"https://blog.sekoia.io/calisto-continues-its-credential-harvesting-campaign"
], ],
"synonyms": [ "synonyms": [
"COLDRIVER" "COLDRIVER",
"SEABORGIUM",
"TA446"
] ]
}, },
"uuid": "fbd279ab-c095-48dc-ba48-4bece3dd5b0f", "uuid": "fbd279ab-c095-48dc-ba48-4bece3dd5b0f",
@ -4620,49 +4584,6 @@
"uuid": "1fc5671f-5757-43bf-8d6d-a9a93b03713a", "uuid": "1fc5671f-5757-43bf-8d6d-a9a93b03713a",
"value": "PLATINUM" "value": "PLATINUM"
}, },
{
"description": "Adversaries abusing ICS (based on Dragos Inc adversary list). Dragos, Inc. tracks the adversary group behind CRASHOVERRIDE as ELECTRUM and assesses with high confidence through confidential sources that ELECTRUM has direct ties to the Sandworm team. Our intelligence ICS WorldView customers have received a comprehensive report and this industry report will not get into sensitive technical details but instead focus on information needed for defense and impact awareness.",
"meta": {
"capabilities": "CRASHOVERRIDE",
"mode-of-operation": "Electric grid disruption and long-term persistence",
"refs": [
"https://dragos.com/blog/crashoverride/CrashOverride-01.pdf",
"https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf",
"https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf",
"https://dragos.com/adversaries.html"
],
"since": "2016",
"synonyms": [
"Sandworm"
],
"victimology": "Ukraine, Electric Utilities"
},
"related": [
{
"dest-uuid": "381fcf73-60f6-4ab2-9991-6af3cbc35192",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "f512de42-f76b-40d2-9923-59e7dbdfec35",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "b47250ec-2094-4d06-b658-11456e05fe89",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "feac86e4-6bb2-4ba0-ac99-806aeb0a776c",
"value": "ELECTRUM"
},
{ {
"description": "Dragos has identified a new activity group targeting access operations in the electric utility sector. We call this activity group RASPITE. Analysis of RASPITE tactics, techniques, and procedures (TTPs) indicate the group has been active in some form since early- to mid-2017. RASPITE targeting includes entities in the US, Middle East, Europe, and East Asia. Operations against electric utility organizations appear limited to the US at this time. RASPITE leverages strategic website compromise to gain initial access to target networks. RASPITE uses the same methodology as DYMALLOY and ALLANITE in embedding a link to a resource to prompt an SMB connection, from which it harvests Windows credentials. The group then deploys install scripts for a malicious service to beacon back to RASPITE-controlled infrastructure, allowing the adversary to remotely access the victim machine.", "description": "Dragos has identified a new activity group targeting access operations in the electric utility sector. We call this activity group RASPITE. Analysis of RASPITE tactics, techniques, and procedures (TTPs) indicate the group has been active in some form since early- to mid-2017. RASPITE targeting includes entities in the US, Middle East, Europe, and East Asia. Operations against electric utility organizations appear limited to the US at this time. RASPITE leverages strategic website compromise to gain initial access to target networks. RASPITE uses the same methodology as DYMALLOY and ALLANITE in embedding a link to a resource to prompt an SMB connection, from which it harvests Windows credentials. The group then deploys install scripts for a malicious service to beacon back to RASPITE-controlled infrastructure, allowing the adversary to remotely access the victim machine.",
"meta": { "meta": {
@ -6111,36 +6032,6 @@
"uuid": "a0082cfa-32e2-42b8-92d8-5c7a7409dcf1", "uuid": "a0082cfa-32e2-42b8-92d8-5c7a7409dcf1",
"value": "CHRYSENE" "value": "CHRYSENE"
}, },
{
"description": "Adversaries abusing ICS (based on Dragos Inc adversary list).\nThis threat actor targets industrial control systems in Turkey, Europe, and North America.\n Believed to be linked to Crouching Yeti",
"meta": {
"attribution-confidence": "50",
"capabilities": "GOODOR, DORSHEL, KARAGANY, Mimikatz",
"cfr-suspected-state-sponsor": "Unknown",
"cfr-suspected-victims": [
"Turkey"
],
"cfr-target-category": [
"Private sector"
],
"cfr-type-of-incident": "Espionage",
"mode-of-operation": "Deep ICS environment information gathering, operator credentials, industrial process details",
"refs": [
"https://dragos.com/adversaries.html",
"https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf",
"https://www.cfr.org/interactive/cyber-operations/dymalloy"
],
"since": "2016",
"synonyms": [
"Dragonfly 2.0",
"Dragonfly2",
"Berserker Bear"
],
"victimology": "Turkey, Europe, US"
},
"uuid": "a08ab076-33c1-4350-b021-650c34277f2d",
"value": "DYMALLOY"
},
{ {
"description": "Adversaries abusing ICS (based on Dragos Inc adversary list).", "description": "Adversaries abusing ICS (based on Dragos Inc adversary list).",
"meta": { "meta": {
@ -6349,33 +6240,66 @@
"description": "This threat actor uses spear-phishing techniques to target private-sector energy, defense, aerospace, research, and media organizations and embassies in Africa, Europe, and the Middle East, for the purpose of espionage.", "description": "This threat actor uses spear-phishing techniques to target private-sector energy, defense, aerospace, research, and media organizations and embassies in Africa, Europe, and the Middle East, for the purpose of espionage.",
"meta": { "meta": {
"attribution-confidence": "50", "attribution-confidence": "50",
"cfr-suspected-state-sponsor": "Unknown", "cfr-suspected-state-sponsor": "Russian Federation",
"cfr-suspected-victims": [ "cfr-suspected-victims": [
"South Africa", "Afghanistan",
"Malaysia", "Armenia",
"Azerbaijan",
"Belarus",
"Belgium",
"Czech Republic",
"Greece",
"India",
"Iran",
"Italy",
"Kazakhstan",
"Kenya", "Kenya",
"Malaysia",
"Russia",
"South Africa",
"Suriname", "Suriname",
"United Kingdom" "Turkmenistan",
"Ukraine",
"United Kingdom",
"United States",
"Vietnam"
], ],
"cfr-target-category": [ "cfr-target-category": [
"Government", "Government",
"Private sector" "Private sector"
], ],
"cfr-type-of-incident": "Espionage", "cfr-type-of-incident": "Espionage",
"country": "RU",
"refs": [ "refs": [
"https://www.cfr.org/interactive/cyber-operations/inception-framework", "https://www.cfr.org/interactive/cyber-operations/inception-framework",
"https://web.archive.org/web/20160710180729/https://www.bluecoat.com/security-blog/2014-12-09/blue-coat-exposes-%E2%80%9C-inception-framework%E2%80%9D-very-sophisticated-layered-malware", "https://web.archive.org/web/20160710180729/https://www.bluecoat.com/security-blog/2014-12-09/blue-coat-exposes-%E2%80%9C-inception-framework%E2%80%9D-very-sophisticated-layered-malware",
"https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/Inception_APT_Analysis_Bluecoat.pdf", "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/Inception_APT_Analysis_Bluecoat.pdf",
"https://logrhythm.com/blog/catching-the-inception-framework-phishing-attack/", "https://logrhythm.com/blog/catching-the-inception-framework-phishing-attack",
"https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/bcs_wp_InceptionReport_EN_v12914.pdf", "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/bcs_wp_InceptionReport_EN_v12914.pdf",
"https://securelist.com/red-october-diplomatic-cyber-attacks-investigation/36740/", "https://securelist.com/the-red-october-campaign/57647",
"https://securelist.com/red-october-diplomatic-cyber-attacks-investigation/36740",
"https://securelist.com/red-october-part-two-the-modules/57645",
"https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083",
"https://securelist.com/an-undocumented-word-feature-abused-by-attackers/81899",
"https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability",
"https://securelist.com/recent-cloud-atlas-activity/92016",
"https://www.symantec.com/blogs/threat-intelligence/inception-framework-hiding-behind-proxies", "https://www.symantec.com/blogs/threat-intelligence/inception-framework-hiding-behind-proxies",
"https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/",
"https://www.akamai.com/uk/en/multimedia/documents/white-paper/upnproxy-blackhat-proxies-via-nat-injections-white-paper.pdf", "https://www.akamai.com/uk/en/multimedia/documents/white-paper/upnproxy-blackhat-proxies-via-nat-injections-white-paper.pdf",
"https://unit42.paloaltonetworks.com/atoms/clean-ursa/" "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
"https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-annex-download.pdf",
"https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf",
"https://unit42.paloaltonetworks.com/atoms/clean-ursa",
"https://www.cfr.org/interactive/cyber-operations/cloud-atlas",
"https://www.cfr.org/cyber-operations/red-october",
"https://attack.mitre.org/groups/G0100"
], ],
"synonyms": [ "synonyms": [
"Clean Ursa" "Clean Ursa",
"Cloud Atlas",
"OXYGEN",
"G0100",
"ATK116",
"Blue Odin"
] ]
}, },
"uuid": "71ef51ca-a791-11e8-a026-07980ca910ca", "uuid": "71ef51ca-a791-11e8-a026-07980ca910ca",
@ -6574,73 +6498,6 @@
"uuid": "75ae52b2-bca3-11e8-af90-a78f33eee6c1", "uuid": "75ae52b2-bca3-11e8-af90-a78f33eee6c1",
"value": "Operation BugDrop" "value": "Operation BugDrop"
}, },
{
"description": "This threat actor targets governments, diplomatic missions, academics, and energy and aerospace organizations for the purpose of espionage. Also known as the Rocra and believed to be the same threat actor as Cloud Atlas",
"meta": {
"attribution-confidence": "50",
"cfr-suspected-state-sponsor": "Russian Federation",
"cfr-suspected-victims": [
"Russia",
"Belgium",
"Armenia",
"Ukraine",
"Belarus",
"Kazakhstan",
"India",
"Iran",
"United States",
"Greece",
"Azerbaijan",
"Afghanistan",
"Turkmenistan",
"Vietnam",
"Italy"
],
"cfr-target-category": [
"Government",
"Private sector"
],
"cfr-type-of-incident": "Espionage",
"country": "RU",
"refs": [
"https://www.cfr.org/interactive/cyber-operations/red-october"
],
"synonyms": [
"the Rocra"
]
},
"uuid": "358b8982-bcaa-11e8-8a5b-4b618197c5b0",
"value": "Red October"
},
{
"description": "This threat actor targets governments and diplomatic organizations for espionage purposes.",
"meta": {
"attribution-confidence": "50",
"cfr-suspected-state-sponsor": "Russian Federation",
"cfr-suspected-victims": [
"Russia",
"India",
"Kazakhstan",
"Czech Republic",
"Belarus"
],
"cfr-target-category": [
"Government"
],
"cfr-type-of-incident": "Espionage",
"country": "RU",
"refs": [
"https://www.cfr.org/interactive/cyber-operations/cloud-atlas",
"https://attack.mitre.org/groups/G0100/"
],
"synonyms": [
"ATK116",
"G0100"
]
},
"uuid": "1572f618-bcb3-11e8-841b-1fd7f9cfe126",
"value": "Cloud Atlas"
},
{ {
"description": "This threat actor compromises civil society groups the Chinese Communist Party views as hostile to its interests, such as Tibetan, Uyghur, Hong Kong, and Taiwanese activist. The threat actor also targeted the Myanmar electoral commission. ", "description": "This threat actor compromises civil society groups the Chinese Communist Party views as hostile to its interests, such as Tibetan, Uyghur, Hong Kong, and Taiwanese activist. The threat actor also targeted the Myanmar electoral commission. ",
"meta": { "meta": {
@ -9982,12 +9839,29 @@
"meta": { "meta": {
"attribution-confidence": "75", "attribution-confidence": "75",
"cfr-suspected-state-sponsor": "China", "cfr-suspected-state-sponsor": "China",
"cfr-suspected-victims": [
"China",
"Hong Kong",
"Kazakhstan",
"Taiwan",
"Philippines"
],
"cfr-target-category": [ "cfr-target-category": [
"Private Sector" "Private Sector",
"Gambling companies",
"Gaming",
"Information technology",
"Telecommunications",
"Government",
"Transportation systems",
"Dissident"
], ],
"country": "CN", "country": "CN",
"refs": [ "refs": [
"https://i.blackhat.com/Asia-22/Friday-Materials/AS-22-Li-To-Loot-Or-Not-To-Loot-That-Is-Not-a-Question.pdf" "https://i.blackhat.com/Asia-22/Friday-Materials/AS-22-Li-To-Loot-Or-Not-To-Loot-That-Is-Not-a-Question.pdf",
"https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf",
"https://decoded.avast.io/luigicamastra/operation-dragon-castling-apt-group-targeting-betting-companies",
"https://github.com/avast/ioc/tree/master/OperationDragonCastling"
] ]
}, },
"uuid": "a3831248-5e2f-492d-8bb6-5e82c2f6481d", "uuid": "a3831248-5e2f-492d-8bb6-5e82c2f6481d",
@ -10002,7 +9876,6 @@
], ],
"country": "CN", "country": "CN",
"refs": [ "refs": [
"https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf",
"https://i.blackhat.com/Asia-22/Friday-Materials/AS-22-Li-To-Loot-Or-Not-To-Loot-That-Is-Not-a-Question.pdf" "https://i.blackhat.com/Asia-22/Friday-Materials/AS-22-Li-To-Loot-Or-Not-To-Loot-That-Is-Not-a-Question.pdf"
] ]
}, },
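Review bot: The APT28 synonyms hunk drops the cluster's former value `"Sofacy"` without carrying it into the new `synonyms` array, so after the `"value": "Sofacy"` → `"APT28"` rename the most widely used name for this cluster no longer resolves by string match and existing `misp-galaxy:threat-actor="Sofacy"` tags lose name-based correlation even though uuid `5b4ee3ea-eee3-4c8e-8323-85ae32658754` is unchanged; add `"Sofacy",` to that list. The same gap appears for `"Turla Group"` in the Turla hunk (its middle synonym lines fall outside the shown hunks, so this is inferred) and for `"Red October"` / `"the Rocra"`, whose cluster is deleted but whose names are not added to the Inception Framework synonyms alongside `"Cloud Atlas"`. Deleting the TeleBots (`b47250ec-2094-4d06-b658-11456e05fe89`), ELECTRUM (`feac86e4-6bb2-4ba0-ac99-806aeb0a776c`) and Berserk Bear (`90ef600f-5198-44a9-a2c6-de4b4d9d8624`) clusters also leaves any reciprocal `dest-uuid` entries in the Sandworm, BlackEnergy and `82c1c7fa-c67b-4be6-9be8-8aa400ef2445` clusters dangling; those `related` arrays are outside the shown hunks, so this is inferred from the removed clusters' own links and should be checked with a uuid cross-reference before merge. Dropping well-known aliases such as `"CozyDuke"`, `"Office Monkeys"`, `"Hammer Toss"` and `"Sandworm Team"` (the name MITRE uses for G0034) from the APT29 and Sandworm lists likewise reduces matching coverage for no evident gain, unless they are being retired deliberately.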