From c6fc6f248b6a0206e48b64e28ee98f6c3a23ebd0 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Tue, 25 Jun 2024 05:17:02 -0700 Subject: [PATCH 1/3] [threat-actors] Add HellHounds --- clusters/threat-actor.json | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 32c1f57..c1f8780 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -16272,6 +16272,17 @@ }, "uuid": "06a615dc-fa13-4d6a-ac8b-3d2a8c9501c4", "value": "BlueHornet" + }, + { + "description": "Hellhounds is an APT group targeting organizations in Russia, using a modified version of Pupy RAT called Decoy Dog. They gain initial access through vulnerable web services and trusted relationships, with a focus on the public sector and IT companies. The group has been active since at least 2019, maintaining covert presence inside compromised organizations by modifying open-source projects to evade detection. Hellhounds have successfully targeted at least 48 victims, including a telecom operator where they disrupted services.", + "meta": { + "refs": [ + "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/hellhounds-operation-lahat-part-2/", + "https://ics-cert.kaspersky.com/publications/reports/2024/04/02/apt-and-financial-attacks-on-industrial-organizations-in-h2-2023/" + ] + }, + "uuid": "46ef6903-deac-415a-afaf-97e3ce067d7e", + "value": "HellHounds" } ], "version": 312 From 05f449dae388f6b08ff45600a21361798f7aea18 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Tue, 25 Jun 2024 05:17:03 -0700 Subject: [PATCH 2/3] [threat-actors] Add IntelBroker --- clusters/threat-actor.json | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index c1f8780..edd2021 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -16283,6 +16283,19 @@ }, "uuid": "46ef6903-deac-415a-afaf-97e3ce067d7e", "value": "HellHounds" + }, + { + "description": "IntelBroker is a threat actor known for orchestrating high-profile data breaches targeting companies like Apple, Zscaler, and Facebook Marketplace. They have a reputation for selling access to compromised systems and data on underground forums like BreachForums. IntelBroker has claimed responsibility for breaches involving government agencies such as Europol, the U.S. Department of Transportation, and the Pentagon, leaking sensitive information and classified documents. The actor has been linked to breaches at companies like Acuity, General Electric, and Home Depot, showcasing a pattern of targeting critical infrastructure and major corporations.", + "meta": { + "refs": [ + "https://www.cysecurity.news/2024/06/infamous-hacker-intelbroker-breaches.html", + "https://www.malwarebytes.com/blog/news/2024/06/was-t-mobile-compromised-by-a-zero-day-in-jira", + "https://securityaffairs.com/164263/cyber-crime/pandabuy-extorted-again.html", + "https://meterpreter.org/cybersecurity-firm-hacked-sensitive-data-on-sale/" + ] + }, + "uuid": "849d16c8-eaa3-46e7-9c1c-179ef680922e", + "value": "IntelBroker" } ], "version": 312 From 6d185394490b7ae2778a0b3bd4ad0e80000be55a Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Tue, 25 Jun 2024 05:17:03 -0700 Subject: [PATCH 3/3] [threat actors] Update README --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 28ef9c3..4da4a97 100644 --- a/README.md +++ b/README.md @@ -535,7 +535,7 @@ Category: *tea-matrix* - source: ** - total: *7* elements [Threat Actor](https://www.misp-galaxy.org/threat-actor) - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. threat-actor-classification meta can be used to clarify the understanding of the threat-actor if also considered as operation, campaign or activity group. -Category: *actor* - source: *MISP Project* - total: *701* elements +Category: *actor* - source: *MISP Project* - total: *703* elements [[HTML](https://www.misp-galaxy.org/threat-actor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/threat-actor.json)]