From f4b63d4514e4df3423987a1342eaa09cee4b1c6d Mon Sep 17 00:00:00 2001
From: Rony
Date: Tue, 16 Aug 2022 10:30:33 +0530
Subject: [PATCH 01/12] updates to tianwu
---
 clusters/threat-actor.json | 22 +++++++++++++++++++---
 1 file changed, 19 insertions(+), 3 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index fd0711b..2b6a3fb 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -10013,12 +10013,29 @@
 "meta": {
 "attribution-confidence": "75",
 "cfr-suspected-state-sponsor": "China",
+ "cfr-suspected-victims": [
+ "China",
+ "Hong Kong",
+ "Kazakhstan",
+ "Taiwan",
+ "Philippines"
+ ],
 "cfr-target-category": [
- "Private Sector"
+ "Private Sector",
+ "Gambling companies",
+ "Gaming",
+ "Information technology",
+ "Telecommunications",
+ "Government",
+ "Transportation systems",
+ "Dissident"
 ],
 "country": "CN",
 "refs": [
- "https://i.blackhat.com/Asia-22/Friday-Materials/AS-22-Li-To-Loot-Or-Not-To-Loot-That-Is-Not-a-Question.pdf"
+ "https://i.blackhat.com/Asia-22/Friday-Materials/AS-22-Li-To-Loot-Or-Not-To-Loot-That-Is-Not-a-Question.pdf",
+ "https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf",
+ "https://decoded.avast.io/luigicamastra/operation-dragon-castling-apt-group-targeting-betting-companies",
+ "https://github.com/avast/ioc/tree/master/OperationDragonCastling"
 ]
 },
 "uuid": "a3831248-5e2f-492d-8bb6-5e82c2f6481d",
@@ -10033,7 +10050,6 @@
 ],
 "country": "CN",
 "refs": [
- "https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf",
 "https://i.blackhat.com/Asia-22/Friday-Materials/AS-22-Li-To-Loot-Or-Not-To-Loot-That-Is-Not-a-Question.pdf"
 ]
 },
From de76aef02388febd12bf0dd97ed3cf1440341272 Mon Sep 17 00:00:00 2001
From: Rony
Date: Tue, 16 Aug 2022 10:49:13 +0530
Subject: [PATCH 02/12] Update threat-actor.json
---
 clusters/threat-actor.json | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
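Review bot: The `cfr-target-category` list grown under the `"Private Sector"` line uses a casing that differs from the `"Private sector"` spelling the other entries in this file use (the DYMALLOY, Inception Framework and APT33 entries elsewhere in this series), so a consumer grouping clusters by category will see two buckets for the same thing. Since the rest of the new list ("Gambling companies", "Information technology", …) is sentence-case, `"Private sector",` would keep this entry consistent with the file. The second hunk of the same patch removes the ShadowPad slide deck from the neighbouring entry whose `value` lies outside the hunk, so I cannot confirm from here that the reference belongs only to this entry; a line in the commit message saying it was moved would help.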
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 2b6a3fb..c3687d7 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -4455,12 +4455,19 @@
 {
 "description": "The Callisto Group is an advanced threat actor whose known targets include military personnel, government officials, think tanks, and journalists in Europe and the South Caucasus. Their primary interest appears to be gathering intelligence related to foreign and security policy in the Eastern Europe and South Caucasus regions.",
 "meta": {
+ "country": "RU",
 "refs": [
 "https://www.f-secure.com/documents/996508/1030745/callisto-group",
- "https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag"
+ "https://blog.google/threat-analysis-group/tracking-cyber-activity-eastern-europe",
+ "https://blog.google/threat-analysis-group/update-on-cyber-activity-in-eastern-europe",
+ "https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag",
+ "https://www.microsoft.com/security/blog/2022/08/15/disrupting-seaborgiums-ongoing-phishing-operations",
+ "https://blog.sekoia.io/calisto-continues-its-credential-harvesting-campaign"
 ],
 "synonyms": [
- "COLDRIVER"
+ "COLDRIVER",
+ "SEABORGIUM",
+ "TA446"
 ]
 },
 "uuid": "fbd279ab-c095-48dc-ba48-4bece3dd5b0f",
From bbe84c5985082309aed55f5cc83179d00bb892f9 Mon Sep 17 00:00:00 2001
From: Rony
Date: Tue, 16 Aug 2022 12:07:59 +0530
Subject: [PATCH 03/12] updates to russian actors
---
 clusters/threat-actor.json | 255 ++++++++++---------------------------
 1 file changed, 67 insertions(+), 188 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index c3687d7..25225c1 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
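Review bot: The added `"country": "RU"` line records a state attribution without the `attribution-confidence` key that the other attributed entries in this file pair with `country` (the TeleBots, Berserk Bear, Inception Framework and APT33 entries all carry `"attribution-confidence": "50"`), and because meta keys are kept in alphabetical order the missing key would sit directly above the line added here. Adding `"attribution-confidence": "50",` (or whatever value the cited sources support) keeps the attribution machine-readable as an estimate rather than a fact. The Microsoft and Sekoia references added in the same hunk do back the SEABORGIUM/TA446 synonyms, so the rest of the change looks consistent.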
@@ -2366,28 +2366,27 @@
 "https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag"
 ],
 "synonyms": [
- "APT 28",
- "APT28",
 "Pawn Storm",
- "PawnStorm",
 "FANCY BEAR",
 "Sednit",
 "SNAKEMACKEREL",
- "TsarTeam",
 "Tsar Team",
 "TG-4127",
- "Group-4127",
 "STRONTIUM",
- "TAG_0700",
 "Swallowtail",
 "IRON TWILIGHT",
 "Group 74",
 "SIG40",
 "Grizzly Steppe",
- "apt_sofacy",
 "G0007",
 "ATK5",
- "Fighting Ursa"
+ "Fighting Ursa",
+ "ITG05",
+ "Blue Athena",
+ "TA422",
+ "T-APT-12",
+ "APT-C-20",
+ "UAC-0028"
 ]
 },
 "related": [
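Review bot: The aliases removed from `synonyms` in this hunk ("APT 28", "PawnStorm", "TsarTeam", "Group-4127", "TAG_0700", "apt_sofacy") are spellings that other feeds and already-tagged MISP events may match on, and only "APT28" is covered by the new `value` set in the next hunk (@@ -2407, "Sofacy" → "APT28") — the spaced, concatenated and underscore variants stay distinct strings to an exact-match consumer, and since the whole synonyms array is visible here, "Sofacy" itself survives nowhere in the entry's names after the rename. The same pattern recurs in the APT29 hunk (@@ -2450: "Dukes", "CozyDuke", "Cozy Bear", "Office Monkeys", "Hammer Toss", with "APT 29" not retained after @@ -2484), the Turla hunk (@@ -2549: "Turla Team", "Venomous Bear", "Turla Group" after @@ -2588), the Energetic Bear hunk (@@ -2640: "CrouchingYeti") and the Sandworm hunk (@@ -2689: "Sandworm Team", "Black Energy", "BlackEnergy"). Keeping the previous display name as a synonym, e.g. `"Sofacy",` in this list, preserves lookups; if the intent is case-insensitive deduplication, saying so in the commit message would let reviewers check each dropped name against that rule.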
@@ -2407,7 +2406,7 @@
 }
 ],
 "uuid": "5b4ee3ea-eee3-4c8e-8323-85ae32658754",
- "value": "Sofacy"
+ "value": "APT28"
 },
 {
 "description": "A 2015 report by F-Secure describe APT29 as: 'The Dukes are a well-resourced, highly dedicated and organized cyberespionage group that we believe has been working for the Russian Federation since at least 2008 to collect intelligence in support of foreign and security policy decision-making. The Dukes show unusual confidence in their ability to continue successfully compromising their targets, as well as in their ability to operate with impunity. The Dukes primarily target Western governments and related organizations, such as government ministries and agencies, political think tanks, and governmental subcontractors. Their targets have also included the governments of members of the Commonwealth of Independent States;Asian, African, and Middle Eastern governments;organizations associated with Chechen extremism;and Russian speakers engaged in the illicit trade of controlled substances and drugs. The Dukes are known to employ a vast arsenal of malware toolsets, which we identify as MiniDuke, CosmicDuke, OnionDuke, CozyDuke, CloudDuke, SeaDuke, HammerDuke, PinchDuke, and GeminiDuke. In recent years, the Dukes have engaged in apparently biannual large - scale spear - phishing campaigns against hundreds or even thousands of recipients associated with governmental institutions and affiliated organizations. These campaigns utilize a smash - and - grab approach involving a fast but noisy breakin followed by the rapid collection and exfiltration of as much data as possible.If the compromised target is discovered to be of value, the Dukes will quickly switch the toolset used and move to using stealthier tactics focused on persistent compromise and long - term intelligence gathering. This threat actor targets government ministries and agencies in the West, Central Asia, East Africa, and the Middle East; Chechen extremist groups; Russian organized crime; and think tanks. It is suspected to be behind the 2015 compromise of unclassified networks at the White House, Department of State, Pentagon, and the Joint Chiefs of Staff. The threat actor includes all of the Dukes tool sets, including MiniDuke, CosmicDuke, OnionDuke, CozyDuke, SeaDuke, CloudDuke (aka MiniDionis), and HammerDuke (aka Hammertoss). '",
@@ -2450,28 +2449,20 @@
 "https://unit42.paloaltonetworks.com/atoms/cloaked-ursa/"
 ],
 "synonyms": [
- "Dukes",
 "Group 100",
- "Cozy Duke",
- "CozyDuke",
- "EuroAPT",
- "CozyBear",
- "CozyCar",
- "Cozer",
- "Office Monkeys",
- "OfficeMonkeys",
- "APT29",
- "Cozy Bear",
+ "COZY BEAR",
 "The Dukes",
 "Minidionis",
 "SeaDuke",
- "Hammer Toss",
 "YTTRIUM",
- "Iron Hemlock",
+ "IRON HEMLOCK",
 "Grizzly Steppe",
 "G0016",
 "ATK7",
- "Cloaked Ursa"
+ "Cloaked Ursa",
+ "TA421",
+ "Blue Kitsune",
+ "ITG11"
 ]
 },
 "related": [
@@ -2484,7 +2475,7 @@
 }
 ],
 "uuid": "b2056ff0-00b9-482e-b11c-c771daa5f28a",
- "value": "APT 29"
+ "value": "APT29"
 },
 {
 "description": "A 2014 Guardian article described Turla as: 'Dubbed the Turla hackers, initial intelligence had indicated western powers were key targets, but it was later determined embassies for Eastern Bloc nations were of more interest. Embassies in Belgium, Ukraine, China, Jordan, Greece, Kazakhstan, Armenia, Poland, and Germany were all attacked, though researchers from Kaspersky Lab and Symantec could not confirm which countries were the true targets. In one case from May 2012, the office of the prime minister of a former Soviet Union member country was infected, leading to 60 further computers being affected, Symantec researchers said. There were some other victims, including the ministry for health of a Western European country, the ministry for education of a Central American country, a state electricity provider in the Middle East and a medical organisation in the US, according to Symantec. It is believed the group was also responsible for a much - documented 2008 attack on the US Central Command. The attackers - who continue to operate - have ostensibly sought to carry out surveillance on targets and pilfer data, though their use of encryption across their networks has made it difficult to ascertain exactly what the hackers took.Kaspersky Lab, however, picked up a number of the attackers searches through their victims emails, which included terms such as Nato and EU energy dialogue Though attribution is difficult to substantiate, Russia has previously been suspected of carrying out the attacks and Symantecs Gavin O’ Gorman told the Guardian a number of the hackers appeared to be using Russian names and language in their notes for their malicious code. Cyrillic was also seen in use.'",
@@ -2549,14 +2540,11 @@
 "https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag"
 ],
 "synonyms": [
- "Turla",
 "Snake",
- "Venomous Bear",
 "VENOMOUS Bear",
 "Group 88",
 "Waterbug",
 "WRAITH",
- "Turla Team",
 "Uroburos",
 "Pfinet",
 "TAG_0530",
@@ -2565,10 +2553,12 @@
 "Pacifier APT",
 "Popeye",
 "SIG23",
- "Iron Hunter",
+ "IRON HUNTER",
 "MAKERSMARK",
 "ATK13",
- "G0010"
+ "G0010",
+ "ITG12",
+ "Blue Python"
 ]
 },
 "related": [
@@ -2588,7 +2578,7 @@
 }
 ],
 "uuid": "fa80877c-f509-4daf-8b62-20aba1635f68",
- "value": "Turla Group"
+ "value": "Turla"
 },
 {
 "description": "A Russian group that collects intelligence on the energy industry.",
@@ -2628,10 +2618,13 @@
 "https://www.kaspersky.com/resource-center/threats/crouching-yeti-energetic-bear-malware-threat",
 "https://www.sans.org/reading-room/whitepapers/ICS/impact-dragonfly-malware-industrial-control-systems-36672",
 "https://attack.mitre.org/groups/G0035/",
- "https://www.secureworks.com/research/resurgent-iron-liberty-targeting-energy-sector"
+ "https://www.secureworks.com/research/resurgent-iron-liberty-targeting-energy-sector",
+ "https://dragos.com/adversaries.html",
+ "https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf",
+ "https://www.cfr.org/interactive/cyber-operations/dymalloy"
 ],
 "synonyms": [
- "Beserk Bear",
+ "BERSERK BEAR",
 "ALLANITE",
 "CASTLE",
 "DYMALLOY",
@@ -2640,11 +2633,13 @@
 "Crouching Yeti",
 "Group 24",
 "Havex",
- "CrouchingYeti",
 "Koala Team",
 "IRON LIBERTY",
 "G0035",
- "ATK6"
+ "ATK6",
+ "ITG15",
+ "BROMINE",
+ "Blue Kraken"
 ]
 },
 "related": [
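Review bot: The three references added at @@ -2628 (dragos.com/adversaries.html, the 2017 Dragos review and the CFR dymalloy page) are the `refs` of the DYMALLOY entry this patch deletes at @@ -6102, but none of that entry's other metadata comes across: its `capabilities`, `mode-of-operation`, `since`, `victimology`, `cfr-suspected-victims` and the other `cfr-*` fields are lost, and its synonyms "Dragonfly 2.0", "Dragonfly2" and "Berserker Bear" are not added to the list at @@ -2640. The ELECTRUM → Sandworm merge at @@ -2689 drops the same kind of data (`"capabilities": "CRASHOVERRIDE"`, `mode-of-operation`, `since`, `victimology`) along with the TeleBots description. Patch 08 in this series does the opposite — it carries MAGNALLIUM's `capabilities`, `cfr-*`, `mode-of-operation` and `victimology` into APT33 — so the two merge styles should be reconciled, presumably by porting those fields here as well. Whether "Dragonfly 2.0" already sits in the two synonym lines hidden between @@ -2628 and @@ -2640 I cannot tell from this view.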
@@ -2657,7 +2652,7 @@
 }
 ],
 "uuid": "64d6559c-6d5c-4585-bbf9-c17868f763ee",
- "value": "Energetic Bear"
+ "value": "ENERGETIC BEAR"
 },
 {
 "description": "This threat actor targets industrial control systems, using a tool called Black Energy, associated with electricity and power generation for espionage, denial of service, and data destruction purposes. Some believe that the threat actor is linked to the 2015 compromise of the Ukrainian electrical grid and a distributed denial of service prior to the Russian invasion of Georgia. Believed to be responsible for the 2008 DDoS attacks in Georgia and the 2015 Ukraine power grid outage",
@@ -2689,19 +2684,31 @@
 "https://ics.sans.org/blog/2016/01/09/confirmation-of-a-coordinated-attack-on-the-ukrainian-power-grid",
 "https://web.archive.org/web/20141016132823/https://www.symantec.com/connect/blogs/sandworm-windows-zero-day-vulnerability-being-actively-exploited-targeted-attacks",
 "https://ics.sans.org/blog/2015/12/30/current-reporting-on-the-cyber-attack-in-ukraine-resulting-in-power-outage",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/timeline-of-sandworm-attacks/",
- "https://attack.mitre.org/groups/G0034/",
- "https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag"
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/timeline-of-sandworm-attacks",
+ "https://attack.mitre.org/groups/G0034",
+ "https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag",
+ "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf",
+ "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf",
+ "https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf",
+ "https://dragos.com/adversaries.html",
+ "http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks",
+ "https://www.welivesecurity.com/2017/01/05/killdisk-now-targeting-linux-demands-250k-ransom-cant-decrypt",
+ "https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine",
+ "https://www.welivesecurity.com/2017/05/23/xdata-ransomware-making-rounds-amid-global-wannacryptor-scare",
+ "https://www.welivesecurity.com/2017/06/27/new-ransomware-attack-hits-ukraine",
+ "https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/timeline-of-sandworm-attacks"
 ],
 "synonyms": [
- "Sandworm Team",
- "Black Energy",
- "BlackEnergy",
 "Quedagh",
 "VOODOO BEAR",
 "TEMP.Noble",
- "Iron Viking",
- "G0034"
+ "IRON VIKING",
+ "G0034",
+ "ELECTRUM",
+ "TeleBots",
+ "IRIDIUM",
+ "Blue Echidna"
 ]
 },
 "related": [
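Review bot: One of the references merged into this list is carried over with its plain-http scheme (`http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks`) while every sibling from the same site is https and the hunk otherwise normalises URLs by stripping trailing slashes, so the same document can end up listed twice under two schemes the next time someone merges refs. Since the patch is already rewriting these strings, `"https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks",` would keep the list uniform. The entry's `related` array begins on the last line of the hunk and continues outside it; that is where any links to the clusters this patch deletes would have to be cleaned up.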
@@ -2737,50 +2744,6 @@
 "uuid": "f512de42-f76b-40d2-9923-59e7dbdfec35",
 "value": "Sandworm"
 },
- {
- "description": "We will refer to the gang behind the malware as TeleBots. However it’s important to say that these attackers, and the toolset used, share a number of similarities with the BlackEnergy group, which conducted attacks against the energy industry in Ukraine in December 2015 and January 2016. In fact, we think that the BlackEnergy group has evolved into the TeleBots group. TeleBots appear to be associated with Sandworm Team, Iron Viking, Voodoo Bear.",
- "meta": {
- "attribution-confidence": "50",
- "country": "RU",
- "refs": [
- "http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/",
- "https://www.welivesecurity.com/2017/01/05/killdisk-now-targeting-linux-demands-250k-ransom-cant-decrypt/",
- "https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/",
- "https://www.welivesecurity.com/2017/05/23/xdata-ransomware-making-rounds-amid-global-wannacryptor-scare/",
- "https://www.welivesecurity.com/2017/06/27/new-ransomware-attack-hits-ukraine/",
- "https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/timeline-of-sandworm-attacks/"
- ],
- "synonyms": [
- "Sandworm"
- ]
- },
- "related": [
- {
- "dest-uuid": "381fcf73-60f6-4ab2-9991-6af3cbc35192",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "f512de42-f76b-40d2-9923-59e7dbdfec35",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "feac86e4-6bb2-4ba0-ac99-806aeb0a776c",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
- "uuid": "b47250ec-2094-4d06-b658-11456e05fe89",
- "value": "TeleBots"
- },
 {
 "description": "Groups targeting financial organizations or people with significant financial assets.",
 "meta": {
@@ -2870,7 +2833,6 @@
 "synonyms": [
 "TeamSpy",
 "Team Bear",
- "Berserk Bear",
 "Anger Bear",
 "IRON LYRIC"
 ]
@@ -2905,23 +2867,6 @@
 "uuid": "b737c51f-b579-49d5-a907-743b2e6d03cb",
 "value": "BuhTrap"
 },
- {
- "meta": {
- "attribution-confidence": "50",
- "country": "RU"
- },
- "related": [
- {
- "dest-uuid": "82c1c7fa-c67b-4be6-9be8-8aa400ef2445",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
- "uuid": "90ef600f-5198-44a9-a2c6-de4b4d9d8624",
- "value": "Berserk Bear"
- },
 {
 "description": "FIN4 is a financially-motivated threat group that has targeted confidential information related to the public financial market, particularly regarding healthcare and pharmaceutical companies, since at least 2013. FIN4 is unique in that they do not infect victims with typical persistent malware, but rather they focus on capturing credentials authorized to access email and other non-public correspondence.",
 "meta": {
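Review bot: The TeleBots entry removed at @@ -2737 (uuid b47250ec-…) and the Berserk Bear entry removed at @@ -2905 (uuid 90ef600f-…) both carry `related` links to clusters that survive — f512de42 (Sandworm, whose `value` is the context at the top of this hunk), 381fcf73 and 82c1c7fa — and the deleted TeleBots and ELECTRUM entries link to each other in both directions, which suggests the relations in this file are reciprocal; if so, the surviving entries still hold `dest-uuid` lines pointing at clusters that no longer exist, and no hunk in this patch touches them. The same applies to ELECTRUM (feac86e4, @@ -4611) and DYMALLOY (a08ab076, @@ -6102) here, to Red October (358b8982) and Cloud Atlas (1572f618) in patch 06, and to MAGNALLIUM (accd848b) in patch 08. Dangling `dest-uuid`s and retired cluster UUIDs can break correlation for anyone who has already tagged events with them, so each merge should prune the back-references in the surviving entries and the commit message should list the retired UUIDs so downstream users can remap their tags.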
@@ -4267,23 +4212,30 @@
 "refs": [
 "http://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution",
 "https://www.lookingglasscyber.com/wp-content/uploads/2015/08/Operation_Armageddon_Final.pdf",
- "https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution/",
- "https://attack.mitre.org/groups/G0047/",
+ "https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution",
+ "https://attack.mitre.org/groups/G0047",
 "https://github.com/StrangerealIntel/CyberThreatIntel/tree/master/Russia/APT/Gamaredon",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
- "https://www.welivesecurity.com/2020/06/18/digging-up-invisimole-hidden-arsenal/",
+ "https://www.welivesecurity.com/2020/06/18/digging-up-invisimole-hidden-arsenal",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine",
- "https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/",
- "https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/",
- "https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/",
- "https://unit42.paloaltonetworks.com/atoms/tridentursa/"
+ "https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations",
+ "https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game",
+ "https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2019-1212.pdf",
+ "https://unit42.paloaltonetworks.com/atoms/tridentursa"
 ],
 "synonyms": [
- "Primitive Bear",
- "Shuckworm",
 "ACTINIUM",
+ "DEV-0157",
+ "Blue Otso",
+ "BlueAlpha",
 "G0047",
- "Trident Ursa"
+ "IRON TILDEN",
+ "PRIMITIVE BEAR",
+ "Shuckworm",
+ "Trident Ursa",
+ "UAC-0010",
+ "Winterflounder"
 ]
 },
 "related": [
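Review bot: The rewritten `https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution` line only drops a trailing slash, while the plain-http `http://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution` two context lines above it is the same article under its older host, so the list keeps one reference twice under two hosts even after this normalisation pass. Since the point of stripping slashes here appears to be deduplication, dropping the `researchcenter` copy (or keeping only it) in the same hunk would finish the job. The synonym block below removes and re-adds "Shuckworm" and "Trident Ursa" purely to reorder them, which makes the alias changes harder to read in the diff than a note saying the list was re-sorted.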
@@ -4611,49 +4563,6 @@
 "uuid": "1fc5671f-5757-43bf-8d6d-a9a93b03713a",
 "value": "PLATINUM"
 },
- {
- "description": "Adversaries abusing ICS (based on Dragos Inc adversary list). Dragos, Inc. tracks the adversary group behind CRASHOVERRIDE as ELECTRUM and assesses with high confidence through confidential sources that ELECTRUM has direct ties to the Sandworm team. Our intelligence ICS WorldView customers have received a comprehensive report and this industry report will not get into sensitive technical details but instead focus on information needed for defense and impact awareness.",
- "meta": {
- "capabilities": "CRASHOVERRIDE",
- "mode-of-operation": "Electric grid disruption and long-term persistence",
- "refs": [
- "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf",
- "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf",
- "https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf",
- "https://dragos.com/adversaries.html"
- ],
- "since": "2016",
- "synonyms": [
- "Sandworm"
- ],
- "victimology": "Ukraine, Electric Utilities"
- },
- "related": [
- {
- "dest-uuid": "381fcf73-60f6-4ab2-9991-6af3cbc35192",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "f512de42-f76b-40d2-9923-59e7dbdfec35",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "b47250ec-2094-4d06-b658-11456e05fe89",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
- "uuid": "feac86e4-6bb2-4ba0-ac99-806aeb0a776c",
- "value": "ELECTRUM"
- },
 {
 "description": "Dragos has identified a new activity group targeting access operations in the electric utility sector. We call this activity group RASPITE. Analysis of RASPITE tactics, techniques, and procedures (TTPs) indicate the group has been active in some form since early- to mid-2017. RASPITE targeting includes entities in the US, Middle East, Europe, and East Asia. Operations against electric utility organizations appear limited to the US at this time. RASPITE leverages strategic website compromise to gain initial access to target networks. RASPITE uses the same methodology as DYMALLOY and ALLANITE in embedding a link to a resource to prompt an SMB connection, from which it harvests Windows credentials. The group then deploys install scripts for a malicious service to beacon back to RASPITE-controlled infrastructure, allowing the adversary to remotely access the victim machine.",
 "meta": {
@@ -6102,36 +6011,6 @@
 "uuid": "a0082cfa-32e2-42b8-92d8-5c7a7409dcf1",
 "value": "CHRYSENE"
 },
- {
- "description": "Adversaries abusing ICS (based on Dragos Inc adversary list).\nThis threat actor targets industrial control systems in Turkey, Europe, and North America.\n Believed to be linked to Crouching Yeti",
- "meta": {
- "attribution-confidence": "50",
- "capabilities": "GOODOR, DORSHEL, KARAGANY, Mimikatz",
- "cfr-suspected-state-sponsor": "Unknown",
- "cfr-suspected-victims": [
- "Turkey"
- ],
- "cfr-target-category": [
- "Private sector"
- ],
- "cfr-type-of-incident": "Espionage",
- "mode-of-operation": "Deep ICS environment information gathering, operator credentials, industrial process details",
- "refs": [
- "https://dragos.com/adversaries.html",
- "https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf",
- "https://www.cfr.org/interactive/cyber-operations/dymalloy"
- ],
- "since": "2016",
- "synonyms": [
- "Dragonfly 2.0",
- "Dragonfly2",
- "Berserker Bear"
- ],
- "victimology": "Turkey, Europe, US"
- },
- "uuid": "a08ab076-33c1-4350-b021-650c34277f2d",
- "value": "DYMALLOY"
- },
 {
 "description": "Adversaries abusing ICS (based on Dragos Inc adversary list).",
 "meta": {
From 490bc6a05cd83b618c28af142268d87cb0dc7af4 Mon Sep 17 00:00:00 2001
From: Rony
Date: Tue, 16 Aug 2022 12:10:27 +0530
Subject: [PATCH 04/12] fix duplicate
---
 clusters/threat-actor.json | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 25225c1..e665a88 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -2696,8 +2696,7 @@
 "https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine",
 "https://www.welivesecurity.com/2017/05/23/xdata-ransomware-making-rounds-amid-global-wannacryptor-scare",
 "https://www.welivesecurity.com/2017/06/27/new-ransomware-attack-hits-ukraine",
- "https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/timeline-of-sandworm-attacks"
+ "https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back"
 ],
 "synonyms": [
 "Quedagh",
From 62b168600f22c81be11a4c90140b31bdbf836068 Mon Sep 17 00:00:00 2001
From: Rony
Date: Tue, 16 Aug 2022 12:15:30 +0530
Subject: [PATCH 05/12] fix duplicates
---
 clusters/threat-actor.json | 1 -
 1 file changed, 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index e665a88..3df1d77 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -2687,7 +2687,6 @@
 "https://blog.trendmicro.com/trendlabs-security-intelligence/timeline-of-sandworm-attacks",
 "https://attack.mitre.org/groups/G0034",
 "https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag",
- "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf",
 "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf",
 "https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf",
 "https://dragos.com/adversaries.html",
From 370045b01db64084ab6d3cdf1c302ece4590358a Mon Sep 17 00:00:00 2001
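Review bot: The line removed in the second hunk here (@@ -2687, patch 05) is not a duplicate within the visible refs list — `CrashOverride-01.pdf` appears once, and the neighbouring Dragos references are different documents — whereas the first hunk (@@ -2696, patch 04) really does drop a second copy of the Trend Micro timeline that patch 03 introduced. Unless the same PDF also sits in the part of the array above this hunk, patch 05 removes the only source describing CRASHOVERRIDE, the capability behind the `ELECTRUM` synonym that patch 03 folded into Sandworm. If it was removed because the URL no longer resolves, the commit message should say so rather than "fix duplicates".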
From: Rony
Date: Tue, 16 Aug 2022 09:30:29 +0000
Subject: [PATCH 06/12] Merge "red october" and "cloud atlas" to inception framework"
---
 clusters/threat-actor.json | 118 +++++++++++++------------------
 1 file changed, 42 insertions(+), 76 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 3df1d77..a4b63eb 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -6264,33 +6264,66 @@
 "description": "This threat actor uses spear-phishing techniques to target private-sector energy, defense, aerospace, research, and media organizations and embassies in Africa, Europe, and the Middle East, for the purpose of espionage.",
 "meta": {
 "attribution-confidence": "50",
- "cfr-suspected-state-sponsor": "Unknown",
+ "cfr-suspected-state-sponsor": "Russian Federation",
 "cfr-suspected-victims": [
- "South Africa",
- "Malaysia",
+ "Afghanistan",
+ "Armenia",
+ "Azerbaijan",
+ "Belarus",
+ "Belgium",
+ "Czech Republic",
+ "Greece",
+ "India",
+ "Iran",
+ "Italy",
+ "Kazakhstan",
 "Kenya",
+ "Malaysia",
+ "Russia",
+ "South Africa",
 "Suriname",
- "United Kingdom"
+ "Turkmenistan",
+ "Ukraine",
+ "United Kingdom",
+ "United States",
+ "Vietnam"
 ],
 "cfr-target-category": [
 "Government",
 "Private sector"
 ],
 "cfr-type-of-incident": "Espionage",
+ "country": "RU",
 "refs": [
 "https://www.cfr.org/interactive/cyber-operations/inception-framework",
 "https://web.archive.org/web/20160710180729/https://www.bluecoat.com/security-blog/2014-12-09/blue-coat-exposes-%E2%80%9C-inception-framework%E2%80%9D-very-sophisticated-layered-malware",
 "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/Inception_APT_Analysis_Bluecoat.pdf",
- "https://logrhythm.com/blog/catching-the-inception-framework-phishing-attack/",
+ "https://logrhythm.com/blog/catching-the-inception-framework-phishing-attack",
 "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/bcs_wp_InceptionReport_EN_v12914.pdf",
- "https://securelist.com/red-october-diplomatic-cyber-attacks-investigation/36740/",
+ "https://securelist.com/the-red-october-campaign/57647",
+ "https://securelist.com/red-october-diplomatic-cyber-attacks-investigation/36740",
+ "https://securelist.com/red-october-part-two-the-modules/57645",
+ "https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083",
+ "https://securelist.com/an-undocumented-word-feature-abused-by-attackers/81899",
+ "https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability",
+ "https://securelist.com/recent-cloud-atlas-activity/92016",
 "https://www.symantec.com/blogs/threat-intelligence/inception-framework-hiding-behind-proxies",
- "https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/",
 "https://www.akamai.com/uk/en/multimedia/documents/white-paper/upnproxy-blackhat-proxies-via-nat-injections-white-paper.pdf",
- "https://unit42.paloaltonetworks.com/atoms/clean-ursa/"
+ "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+ "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-annex-download.pdf",
+ "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf",
+ "https://unit42.paloaltonetworks.com/atoms/clean-ursa",
+ "https://www.cfr.org/interactive/cyber-operations/cloud-atlas",
+ "https://www.cfr.org/cyber-operations/red-october",
+ "https://attack.mitre.org/groups/G0100"
 ],
 "synonyms": [
- "Clean Ursa"
+ "Clean Ursa",
+ "Cloud Atlas",
+ "OXYGEN",
+ "G0100",
+ "ATK116",
+ "Blue Odin"
 ]
 },
 "uuid": "71ef51ca-a791-11e8-a026-07980ca910ca",
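Review bot: The `synonyms` block at the end of this hunk gains "Cloud Atlas" but neither "Red October" nor "the Rocra", which are the `value` and the synonym of the Red October entry (uuid 358b8982-…) that the next hunk (@@ -6489) deletes, so after the merge the name "Red October" survives in this file only inside URLs. Adding `"Red October",` and `"the Rocra",` next to "Cloud Atlas" keeps the merged cluster discoverable under the name most reporting uses. The change of `cfr-suspected-state-sponsor` from "Unknown" to "Russian Federation" while `attribution-confidence` stays at the "50" shown in context matches what the two absorbed entries carried, so it is consistent, but the commit message could state that the attribution was inherited from them rather than re-assessed.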
@@ -6489,73 +6522,6 @@
 "uuid": "75ae52b2-bca3-11e8-af90-a78f33eee6c1",
 "value": "Operation BugDrop"
 },
- {
- "description": "This threat actor targets governments, diplomatic missions, academics, and energy and aerospace organizations for the purpose of espionage. Also known as the Rocra and believed to be the same threat actor as Cloud Atlas",
- "meta": {
- "attribution-confidence": "50",
- "cfr-suspected-state-sponsor": "Russian Federation",
- "cfr-suspected-victims": [
- "Russia",
- "Belgium",
- "Armenia",
- "Ukraine",
- "Belarus",
- "Kazakhstan",
- "India",
- "Iran",
- "United States",
- "Greece",
- "Azerbaijan",
- "Afghanistan",
- "Turkmenistan",
- "Vietnam",
- "Italy"
- ],
- "cfr-target-category": [
- "Government",
- "Private sector"
- ],
- "cfr-type-of-incident": "Espionage",
- "country": "RU",
- "refs": [
- "https://www.cfr.org/interactive/cyber-operations/red-october"
- ],
- "synonyms": [
- "the Rocra"
- ]
- },
- "uuid": "358b8982-bcaa-11e8-8a5b-4b618197c5b0",
- "value": "Red October"
- },
- {
- "description": "This threat actor targets governments and diplomatic organizations for espionage purposes.",
- "meta": {
- "attribution-confidence": "50",
- "cfr-suspected-state-sponsor": "Russian Federation",
- "cfr-suspected-victims": [
- "Russia",
- "India",
- "Kazakhstan",
- "Czech Republic",
- "Belarus"
- ],
- "cfr-target-category": [
- "Government"
- ],
- "cfr-type-of-incident": "Espionage",
- "country": "RU",
- "refs": [
- "https://www.cfr.org/interactive/cyber-operations/cloud-atlas",
- "https://attack.mitre.org/groups/G0100/"
- ],
- "synonyms": [
- "ATK116",
- "G0100"
- ]
- },
- "uuid": "1572f618-bcb3-11e8-841b-1fd7f9cfe126",
- "value": "Cloud Atlas"
- },
 {
 "description": "This threat actor compromises civil society groups the Chinese Communist Party views as hostile to its interests, such as Tibetan, Uyghur, Hong Kong, and Taiwanese activist. The threat actor also targeted the Myanmar electoral commission. ",
 "meta": {
From 5b25b574b38102590eea5715a8619bd7b41210fb Mon Sep 17 00:00:00 2001
From: Rony
Date: Tue, 16 Aug 2022 10:19:53 +0000
Subject: [PATCH 07/12] add uac-0010 references from cert-ua
---
 clusters/threat-actor.json | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index a4b63eb..6145b2d 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -4220,7 +4220,14 @@
 "https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game",
 "https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021",
 "https://go.recordedfuture.com/hubfs/reports/cta-2019-1212.pdf",
- "https://unit42.paloaltonetworks.com/atoms/tridentursa"
+ "https://unit42.paloaltonetworks.com/atoms/tridentursa",
+ "https://cert.gov.ua/article/1229152",
+ "https://cert.gov.ua/article/971405",
+ "https://cert.gov.ua/article/40240",
+ "https://cert.gov.ua/article/39386",
+ "https://cert.gov.ua/article/39086",
+ "https://cert.gov.ua/article/39138",
+ "https://cert.gov.ua/article/18365"
 ],
 "synonyms": [
 "ACTINIUM",
From d05b29c1af47824dc2ef14e5cb4838725fef190a Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Tue, 16 Aug 2022 17:15:30 -0700
Subject: [PATCH 08/12] [threat-actors] Remove duplicate APT33
---
 clusters/threat-actor.json | 62 +++++++++----------------------------
 1 file changed, 14 insertions(+), 48 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index fd0711b..28c65f7 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -1947,7 +1947,19 @@
 "description": "Our analysis reveals that APT33 is a capable group that has carried out cyber espionage operations since at least 2013. We assess APT33 works at the behest of the Iranian government.",
 "meta": {
 "attribution-confidence": "50",
+ "capabilities": "STONEDRILL wiper, variants of TURNEDUP malware",
+ "cfr-suspected-state-sponsor": "Iran (Islamic Republic of)",
+ "cfr-suspected-victims": [
+ "United States",
+ "Saudi Arabia",
+ "South Korea"
+ ],
+ "cfr-target-category": [
+ "Private sector"
+ ],
+ "cfr-type-of-incident": "Espionage",
 "country": "IR",
+ "mode-of-operation": "IT network limited, information gathering against industrial orgs",
 "refs": [
 "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html",
 "https://blog.trendmicro.com/trendlabs-security-intelligence/more-than-a-dozen-obfuscated-apt33-botnets-used-for-extreme-narrow-targeting/",
@@ -1966,7 +1978,8 @@
 "COBALT TRINITY",
 "G0064",
 "ATK35"
- ]
+ ],
+ "victimology": "Petrochemical, Aerospace, Saudi Arabia"
 },
 "related": [
 {
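Review bot: The second hunk (@@ -1966) closes the `synonyms` array without adding "MAGNALLIUM", the `value` of the Dragos entry removed at @@ -6125, and that entry's `"since": "2016"` is not carried over either, although its `capabilities`, `cfr-*`, `mode-of-operation` and `victimology` are. Unless "MAGNALLIUM" already sits in the part of the synonyms list above this hunk, `"MAGNALLIUM",` after "ATK35" is needed for the Dragos name to remain searchable once the separate cluster is gone. The removed entry's two `related` links (fbd29c89-…, 4f69ec6d-…) presumably have counterparts in those entries pointing back at accd848b-…; the APT33 `related` array opens on the last line of this hunk and continues outside it, and nothing in this patch edits it.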
@@ -6125,53 +6138,6 @@
 "uuid": "a08ab076-33c1-4350-b021-650c34277f2d",
 "value": "DYMALLOY"
 },
- {
- "description": "Adversaries abusing ICS (based on Dragos Inc adversary list).",
- "meta": {
- "attribution-confidence": "50",
- "capabilities": "STONEDRILL wiper, variants of TURNEDUP malware",
- "cfr-suspected-state-sponsor": "Iran (Islamic Republic of)",
- "cfr-suspected-victims": [
- "United States",
- "Saudi Arabia",
- "South Korea"
- ],
- "cfr-target-category": [
- "Private sector"
- ],
- "cfr-type-of-incident": "Espionage",
- "country": "IR",
- "mode-of-operation": "IT network limited, information gathering against industrial orgs",
- "refs": [
- "https://dragos.com/adversaries.html",
- "https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf",
- "https://www.cfr.org/interactive/cyber-operations/apt-33"
- ],
- "since": "2016",
- "synonyms": [
- "APT33"
- ],
- "victimology": "Petrochemical, Aerospace, Saudi Arabia"
- },
- "related": [
- {
- "dest-uuid": "fbd29c89-18ba-4c2d-b792-51c0adee049f",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "4f69ec6d-cb6b-42af-b8e2-920a2aa4be10",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
- "uuid": "accd848b-b8f4-46ba-a408-9063b35cfbf2",
- "value": "MAGNALLIUM"
- },
 {
 "description": "Adversaries abusing ICS (based on Dragos Inc adversary list).",
 "meta": {
From 352998a84d01bda26e42f18545b0bebeabd66d5e Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Wed, 17 Aug 2022 07:40:23 +0200
Subject: [PATCH 09/12] fix: [threat-actor] add missing refs for APT33 including CFR link
---
 clusters/threat-actor.json | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 28c65f7..fb2c999 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -1967,7 +1967,10 @@
 "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage",
 "https://www.secureworks.com/research/threat-profiles/cobalt-trinity",
 "https://attack.mitre.org/groups/G0064/",
- "https://threatconnect.com/blog/research-roundup-activity-on-previously-identified-apt33-domains/"
+ "https://threatconnect.com/blog/research-roundup-activity-on-previously-identified-apt33-domains/",
+ "https://www.cfr.org/interactive/cyber-operations/apt-33",
+ "https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf",
+ "https://dragos.com/adversaries.html"
 ],
 "synonyms": [
 "APT 33",
@@ -10007,5 +10010,5 @@
 "value": "SLIME29"
 }
 ],
- "version": 239
+ "version": 240
 }
From 0cec882cc56f52cfb9b209a27c56b96768686fd4 Mon Sep 17 00:00:00 2001
From: Rony
Date: Wed, 17 Aug 2022 07:06:51 +0000
Subject: [PATCH 10/12] merge microcin/sixlittlemonkeys to vicious panda
---
 clusters/threat-actor.json | 28 ++++++++++------------------
 1 file changed, 10 insertions(+), 18 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index a665a51..d8d1850 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -5657,23 +5657,6 @@
 "uuid": "7d78ec00-dfdc-4a80-a4da-63f1ae63bd7f",
 "value": "MoneyTaker"
 },
- {
- "description": "We’re already used to the fact that complex cyberattacks use 0-day vulnerabilities, bypassing digital signature checks, virtual file systems, non-standard encryption algorithms and other tricks. Sometimes, however, all of this may be done in much simpler ways, as was the case in the malicious campaign that we detected a while ago – we named it ‘Microcin’ after microini, one of the malicious components used in it.",
- "meta": {
- "refs": [
- "https://securelist.com/a-simple-example-of-a-complex-cyberattack/82636/",
- "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07170759/Microcin_Technical_4PDF_eng_final_s.pdf",
- "https://securelist.com/apt-trends-report-q2-2019/91897/",
- "https://www.welivesecurity.com/2020/05/14/mikroceen-spying-backdoor-high-profile-networks-central-asia/",
- "https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia/"
- ],
- "synonyms": [
- "SixLittleMonkeys"
- ]
- },
- "uuid": "0a6b31cd-54cd-4f82-9b87-aab780604632",
- "value": "Microcin"
- },
 {
 "description": "Lookout and Electronic Frontier Foundation (EFF) have discovered Dark Caracal, a persistent and prolific actor, who at the time of writing is believed to be administered out of a building belonging to the Lebanese General Security Directorate in Beirut. At present, we have knowledge of hundreds of gigabytes of exfiltrated data, in 21+ countries, across thousands of victims. Stolen data includes enterprise intellectual property and personally identifiable information.",
 "meta": {
@@ -9768,11 +9751,20 @@
 "country": "CN",
 "refs": [
 "https://securelist.com/microcin-is-here/97353",
+ "https://securelist.com/a-simple-example-of-a-complex-cyberattack/82636",
 "https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia",
 "https://www.welivesecurity.com/2020/05/14/mikroceen-spying-backdoor-high-profile-networks-central-asia",
 "https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign",
 "https://unit42.paloaltonetworks.com/unit42-threat-actors-target-government-belarus-using-cmstar-trojan",
- "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07170759/Microcin_Technical_4PDF_eng_final_s.pdf"
+ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07170759/Microcin_Technical_4PDF_eng_final_s.pdf",
+ "https://securelist.com/a-simple-example-of-a-complex-cyberattack/82636",
+ "https://securelist.com/apt-trends-report-q2-2019/91897",
+ "https://securelist.com/apt-trends-report-q2-2020/97937",
+ "https://securelist.com/it-threat-evolution-q2-2020/98230",
+ "https://securelist.com/apt-trends-report-q3-2021/104708"
+ ],
+ "synonyms": [
+ "SixLittleMonkeys"
 ]
 },
 "uuid": "68d8c25b-8595-4c20-a5c7-a11a2a34b717",
From ccd10b54f46bb2fa0edf76dd173cd6e8dc464059 Mon Sep 17 00:00:00 2001
From: Rony
Date: Wed, 17 Aug 2022 12:49:56 +0530
Subject: [PATCH 11/12] remove duplicate reference
---
 clusters/threat-actor.json | 1 -
 1 file changed, 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index d8d1850..3ecc78b 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
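Review bot: The merge removes the Microcin cluster's value and uuid `0a6b31cd-54cd-4f82-9b87-aab780604632` in the previous hunk while this hunk adds only `"SixLittleMonkeys"` as a synonym, so existing threat-actor references to the value `Microcin` no longer resolve; the tool entry named Microcin added in the last patch of the series points here via `used-by` but lives in a different galaxy, so consider also adding `"Microcin"` to this synonyms array. Neither this commit nor the following one bumps the file's `version` (their diffstats, 10 insertions/18 deletions and 1 deletion, are fully accounted for by the visible hunks and none touches the version line), so consumers that key updates on `version` will not pick up these edits unless a later bump covers them. The Vicious Panda cluster starts outside the hunk.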
@@ -9757,7 +9757,6 @@
 "https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign",
 "https://unit42.paloaltonetworks.com/unit42-threat-actors-target-government-belarus-using-cmstar-trojan",
 "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07170759/Microcin_Technical_4PDF_eng_final_s.pdf",
- "https://securelist.com/a-simple-example-of-a-complex-cyberattack/82636",
 "https://securelist.com/apt-trends-report-q2-2019/91897",
 "https://securelist.com/apt-trends-report-q2-2020/97937",
 "https://securelist.com/it-threat-evolution-q2-2020/98230",
From f60831257723362f0057957c8aaff88108befc04 Mon Sep 17 00:00:00 2001
From: Rony
Date: Wed, 17 Aug 2022 08:52:35 +0000
Subject: [PATCH 12/12] addresses https://github.com/MISP/misp-galaxy/pull/751#issuecomment-1217680586
---
 clusters/tool.json | 28 +++++++++++++++++++++++++++-
 1 file changed, 27 insertions(+), 1 deletion(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index 6360346..9cf6278 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -8484,7 +8484,33 @@
 },
 "uuid": "f43a3828-a3b6-11ec-80e1-55a8e5815c2c",
 "value": "BadPotato"
+ },
+ {
+ "description": "A simple RAT used by Vicious Panda",
+ "meta": {
+ "refs": [
+ "https://securelist.com/microcin-is-here/97353",
+ "https://securelist.com/a-simple-example-of-a-complex-cyberattack/82636",
+ "https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia",
+ "https://www.welivesecurity.com/2020/05/14/mikroceen-spying-backdoor-high-profile-networks-central-asia",
+ "https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign"
+ ],
+ "synonyms": [
+ "Mikroceen"
+ ],
+ "type": [
+ "RAT"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "68d8c25b-8595-4c20-a5c7-a11a2a34b717",
+ "type": "used-by"
+ }
+ ],
+ "uuid": "7d17dabf-a68e-4eda-a18f-26868ced8e73",
+ "value": "Microcin"
 }
 ],
- "version": 150
+ "version": 151
 }
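Review bot: The new `related` entry for the Microcin tool carries only `dest-uuid` and `type`, whereas the relations shown elsewhere in this series (the MAGNALLIUM entry removed in patch 08) also carry `"tags": ["estimative-language:likelihood-probability=\"likely\""]`; if tool.json relations follow the same convention, add that array so the confidence of the `used-by` link is expressed like the others. The description `"A simple RAT used by Vicious Panda"` could state what the name refers to — the threat-actor description deleted in patch 10 says Kaspersky named it after its `microini` component, and the welivesecurity ref uses the `Mikroceen` spelling recorded as the synonym — so a reader can match the entry to the reports. The `dest-uuid` `68d8c25b-8595-4c20-a5c7-a11a2a34b717` matches the Vicious Panda cluster uuid edited in patch 10, and the `version` bump to 151 is included in the same hunk, which is consistent.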