[threat-actors] Fix Axiom/Winnti/Suckfly/APT41 conflicts

This commit is contained in:
Mathieu Beligon 2022-08-18 16:52:08 -07:00
parent 937b5640cf
commit a61ef2a88f

View file

@ -607,19 +607,14 @@
"cfr-suspected-state-sponsor": "China", "cfr-suspected-state-sponsor": "China",
"cfr-suspected-victims": [ "cfr-suspected-victims": [
"United States", "United States",
"Netherlands", "South Korea",
"Italy", "Universities in Hong Kong",
"Japan",
"United Kingdom", "United Kingdom",
"Belgium", "China",
"Russia", "Japan",
"Indonesia", "Hong Kong"
"Germany",
"Switzerland",
"China"
], ],
"cfr-target-category": [ "cfr-target-category": [
"Government",
"Private sector" "Private sector"
], ],
"cfr-type-of-incident": "Espionage", "cfr-type-of-incident": "Espionage",
@ -629,7 +624,6 @@
"https://securelist.com/winnti-more-than-just-a-game/37029/", "https://securelist.com/winnti-more-than-just-a-game/37029/",
"http://williamshowalter.com/a-universal-windows-bootkit/", "http://williamshowalter.com/a-universal-windows-bootkit/",
"https://www.microsoft.com/security/blog/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/", "https://www.microsoft.com/security/blog/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/",
"https://www.cfr.org/interactive/cyber-operations/axiom",
"https://securelist.com/games-are-over/70991/", "https://securelist.com/games-are-over/70991/",
"https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a", "https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a",
"https://www.dw.com/en/thyssenkrupp-victim-of-cyber-attack/a-36695341", "https://www.dw.com/en/thyssenkrupp-victim-of-cyber-attack/a-36695341",
@ -644,14 +638,11 @@
"https://www.secureworks.com/research/threat-profiles/bronze-export", "https://www.secureworks.com/research/threat-profiles/bronze-export",
"https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
"https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer", "https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer",
"https://assets.documentcloud.org/documents/7210602/FLASH-AC-000133-TT-Published.pdf" "https://assets.documentcloud.org/documents/7210602/FLASH-AC-000133-TT-Published.pdf",
"https://www.cfr.org/cyber-operations/winnti-umbrella"
], ],
"synonyms": [ "synonyms": [
"Winnti Umbrella", "Winnti Umbrella",
"Winnti Group",
"Suckfly",
"APT41",
"Group72",
"Blackfly", "Blackfly",
"LEAD", "LEAD",
"WICKED SPIDER", "WICKED SPIDER",
@ -691,10 +682,24 @@
"estimative-language:likelihood-probability=\"likely\"" "estimative-language:likelihood-probability=\"likely\""
], ],
"type": "similar" "type": "similar"
},
{
"dest-uuid": "9c124874-042d-48cd-b72b-ccdc51ecbbd6",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "2943148b-8bc5-4bcb-b85e-f00c2174dd47",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
} }
], ],
"uuid": "24110866-cb22-4c85-a7d2-0413e126694b", "uuid": "24110866-cb22-4c85-a7d2-0413e126694b",
"value": "Axiom" "value": "Winnti"
}, },
{ {
"description": "Adversary group targeting financial, technology, non-profit organisations.", "description": "Adversary group targeting financial, technology, non-profit organisations.",
@ -3656,7 +3661,8 @@
"refs": [ "refs": [
"https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=62e325ae-f551-4855-b9cf-28a7d52d1534&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments", "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=62e325ae-f551-4855-b9cf-28a7d52d1534&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
"https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7a60af1f-7786-446c-976b-7c71a16e9d3b&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments", "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7a60af1f-7786-446c-976b-7c71a16e9d3b&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
"https://attack.mitre.org/groups/G0039/" "https://attack.mitre.org/groups/G0039/",
"https://exchange.xforce.ibmcloud.com/collection/Suckfly-APT-aa8af56fd12d25c98fc49ca5341160ab"
], ],
"synonyms": [ "synonyms": [
"G0039" "G0039"
@ -6288,30 +6294,6 @@
"uuid": "71ef51ca-a791-11e8-a026-07980ca910ca", "uuid": "71ef51ca-a791-11e8-a026-07980ca910ca",
"value": "Inception Framework" "value": "Inception Framework"
}, },
{
"description": "This threat actor targets software companies and political organizations in the United States, China, Japan, and South Korea. It primarily acts to support cyber operations conducted by other threat actors affiliated with Chinese intelligence services.\nBelieved to be associated with the Axiom, APT 17, and Mirage threat actors. Believed to share the same tools and infrastructure as the threat actors that carried out Operation Aurora, the 2015 targeting of video game companies, the 2015 targeting of the Thai government, and the 2017 targeting of Chinese-language news websites",
"meta": {
"attribution-confidence": "50",
"cfr-suspected-state-sponsor": "China",
"cfr-suspected-victims": [
"United States",
"South Korea",
"United Kingdom",
"China",
"Japan"
],
"cfr-target-category": [
"Private sector"
],
"cfr-type-of-incident": "Espionage",
"country": "CN",
"refs": [
"https://www.cfr.org/interactive/cyber-operations/winnti-umbrella"
]
},
"uuid": "9cebfaa8-a797-11e8-99e0-3ffa312b9a10",
"value": "Winnti Umbrella"
},
{ {
"description": "This threat actor targets Uighurs—a minority ethnic group located primarily in northwestern China—and devices from Chinese mobile phone manufacturer Xiaomi, for espionage purposes.", "description": "This threat actor targets Uighurs—a minority ethnic group located primarily in northwestern China—and devices from Chinese mobile phone manufacturer Xiaomi, for espionage purposes.",
"meta": { "meta": {
@ -7683,7 +7665,15 @@
"country": "CN", "country": "CN",
"refs": [ "refs": [
"https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html", "https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html",
"https://unit42.paloaltonetworks.com/apt41-using-new-speculoos-backdoor-to-target-organizations-globally/" "https://unit42.paloaltonetworks.com/apt41-using-new-speculoos-backdoor-to-target-organizations-globally/",
"https://www.mandiant.com/resources/report-apt41-double-dragon-a-dual-espionage-and-cyber-crime-operation",
"https://www.cfr.org/cyber-operations/apt-41",
"https://attack.mitre.org/groups/G0096/"
],
"synonyms": [
"Double Dragon",
"G0096",
"TA415"
] ]
}, },
"related": [ "related": [
@ -7693,6 +7683,13 @@
"estimative-language:likelihood-probability=\"very-likely\"" "estimative-language:likelihood-probability=\"very-likely\""
], ],
"type": "uses" "type": "uses"
},
{
"dest-uuid": "24110866-cb22-4c85-a7d2-0413e126694b",
"tags": [
"estimative-language:likelihood-probability=\"very-likely\""
],
"type": "similar"
} }
], ],
"uuid": "9c124874-042d-48cd-b72b-ccdc51ecbbd6", "uuid": "9c124874-042d-48cd-b72b-ccdc51ecbbd6",
@ -9882,6 +9879,50 @@
}, },
"uuid": "e1e70539-8916-45c2-9b01-891c1c5bd8a1", "uuid": "e1e70539-8916-45c2-9b01-891c1c5bd8a1",
"value": "TA558" "value": "TA558"
},
{
"description": "Axiom is a suspected Chinese cyber espionage group that has targeted the aerospace, defense, government, manufacturing, and media sectors since at least 2008. Some reporting suggests a degree of overlap between Axiom and Winnti Group but the two groups appear to be distinct based on differences in reporting on TTPs and targeting.",
"meta": {
"cfr-suspected-state-sponsor": "China",
"cfr-suspected-victims": [
"United States",
"Netherlands",
"Italy",
"Japan",
"United Kingdom",
"Belgium",
"Russia",
"Indonesia",
"Germany",
"Switzerland",
"China"
],
"cfr-target-category": [
"Government",
"Private sector"
],
"cfr-type-of-incident": "Espionage",
"country": "CN",
"refs": [
"cfr.org/cyber-operations/axiom",
"https://attack.mitre.org/groups/G0001/"
],
"synonyms": [
"Group72",
"G0001"
]
},
"related": [
{
"dest-uuid": "24110866-cb22-4c85-a7d2-0413e126694b",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "2943148b-8bc5-4bcb-b85e-f00c2174dd47",
"value": "Axiom"
} }
], ],
"version": 241 "version": 241