From 27c05a118e465cffddc644a9ce5122b9681ea4db Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Wed, 2 Mar 2022 13:16:20 +0100
Subject: [PATCH 1/5] Update GhostWriter
---
 clusters/threat-actor.json | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index dc2a67b..7e15b54 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -8450,18 +8450,24 @@
 {
 "description": "Ghostwriter is referred as an 'activity set', with various incidents tied together by overlapping behavioral characteristics and personas, rather than as an actor or group in itself.",
 "meta": {
+ "attribution-confidence": "50",
+ "cfr-suspected-state-sponsor": "Belarus",
 "cfr-suspected-victims": [
 "Germany",
 "Latvia",
 "Lithuania",
- "Poland"
+ "Poland",
+ "Ukraine"
 ],
 "cfr-target-category": [
 "Government"
 ],
+ "country": "BY",
 "refs": [
 "https://www.fireeye.com/blog/threat-research/2020/07/ghostwriter-influence-campaign.html",
- "https://twitter.com/hatr/status/1377220336597483520"
+ "https://twitter.com/hatr/status/1377220336597483520",
+ "https://www.mandiant.com/resources/unc1151-linked-to-belarus-government",
+ "https://www.bleepingcomputer.com/news/security/meta-ukrainian-officials-military-targeted-by-ghostwriter-hackers/"
 ]
 },
 "uuid": "749aaa11-f0fd-416b-bf6c-112f9b5930a5",
From d3d241ca547676c076e6fe4feadfc4df8c219b0d Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Wed, 2 Mar 2022 13:53:29 +0100
Subject: [PATCH 2/5] Update Gamaredon target
---
 clusters/threat-actor.json | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 7e15b54..de827d5 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
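Review bot: The added `"country": "BY"` and `"cfr-suspected-state-sponsor": "Belarus"` keys assign a state sponsor to a cluster whose description, in the context lines at the top of this hunk, still says Ghostwriter is an activity set rather than an actor or group, so the metadata and the text now read as contradicting each other. The new Mandiant ref is the only visible basis for the attribution, so the description should say so in one sentence, e.g. `Mandiant has since linked the UNC1151 component of this activity to the Belarusian government (see refs).`, with the `attribution-confidence` of 50 signalling that this is an assessment rather than a confirmed link. The cluster object continues beyond the hunk; it is worth confirming that none of the keys added here (notably `country`) already exists further down, since a duplicate key in a JSON object is resolved differently by different parsers.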
@@ -4190,6 +4190,12 @@
 {
 "description": "Unit 42 threat researchers have recently observed a threat group distributing new, custom developed malware. We have labelled this threat group the Gamaredon Group and our research shows that the Gamaredon Group has been active since at least 2013. In the past, the Gamaredon Group has relied heavily on off-the-shelf tools. Our new research shows the Gamaredon Group have made a shift to custom-developed malware. We believe this shift indicates the Gamaredon Group have improved their technical capabilities.",
 "meta": {
+ "cfr-suspected-victims": [
+ "Ukraine"
+ ],
+ "cfr-target-category": [
+ "Government"
+ ],
 "refs": [
 "http://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution",
 "https://www.lookingglasscyber.com/wp-content/uploads/2015/08/Operation_Armageddon_Final.pdf",
@@ -4200,7 +4206,8 @@
 "https://www.welivesecurity.com/2020/06/18/digging-up-invisimole-hidden-arsenal/",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine",
 "https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/",
- "https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/"
+ "https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/",
+ "https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/"
 ],
 "synonyms": [
 "Primitive Bear",
From 0b456b8afaf450f424c2194d0bb14f2abbfd73f1 Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Wed, 2 Mar 2022 14:40:50 +0100
Subject: [PATCH 3/5] version bump -> 213
---
 clusters/threat-actor.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index de827d5..e12ad26 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -8966,5 +8966,5 @@
 "value": "TA2541"
 }
 ],
- "version": 212
+ "version": 213
 }
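Review bot: The first hunk adds `cfr-suspected-victims` and `cfr-target-category` to the Gamaredon entry but, unlike the GhostWriter entry in PATCH 1/5, no `attribution-confidence`, `cfr-suspected-state-sponsor` or `country`; the `meta` object continues outside the hunk, so if those keys are absent there they should be added in the same pass, with the same confidence key, so the two entries carry comparable provenance. The description kept in context is the 2017 Unit 42 text and does not mention Ukraine, so the new victim and category values are supported only by the refs (the Symantec, Microsoft and, in the second hunk, Unit 42 2021 titles); one sentence in the description noting that later reporting describes a focus on Ukrainian organizations would keep the text and the metadata aligned.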
From a817324cd4bd124a121fb08dcb998b45b10ddeaf Mon Sep 17 00:00:00 2001
From: Daniel Plohmann
Date: Wed, 2 Mar 2022 15:50:39 +0100
Subject: [PATCH 4/5] adding threat actor "Moses Staff"
---
 clusters/threat-actor.json | 21 +++++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index dc2a67b..ed4952f 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -8951,7 +8951,24 @@
 },
 "uuid": "a57e5bf5-d7f4-43a1-9c15-8a44cdb95079",
 "value": "TA2541"
- }
+ },
+ {
+ "description": "Cybereason Nocturnus describes Moses Staff as an Iranian hacker group, first spotted in October 2021. Their motivation appears to be to harm Israeli companies by leaking sensitive, stolen data.",
+ "meta": {
+ "country": "IR",
+ "refs": [
+ "https://twitter.com/campuscodi/status/1450455259202166799",
+ "https://research.checkpoint.com/2021/mosesstaff-targeting-israeli-companies/",
+ "https://www.cybereason.com/blog/strifewater-rat-iranian-apt-moses-staff-adds-new-trojan-to-ransomware-operations",
+ "https://www.fortinet.com/blog/threat-research/guard-your-drive-from-driveguard"
+ ],
+ "synonyms": [
+ "Moses Staff"
+ ]
+ },
+ "uuid": "d45dd940-b38d-4b2c-9f2f-3e4a0eac841c",
+ "value": "MosesStaff"
+ },
 ],
- "version": 212
+ "version": 213
 }
From 896a4514617d9fc8416bdb60999455c7bf7ac94a Mon Sep 17 00:00:00 2001
From: Daniel Plohmann
Date: Wed, 2 Mar 2022 21:22:28 +0100
Subject: [PATCH 5/5] fixed with linted JSON.
---
 clusters/threat-actor.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index ed4952f..3d3b2f8 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -8968,7 +8968,7 @@
 },
 "uuid": "d45dd940-b38d-4b2c-9f2f-3e4a0eac841c",
 "value": "MosesStaff"
- },
+ }
 ],
 "version": 213
 }
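Review bot: The added `},` closing the MosesStaff object leaves a trailing comma before `],`, which strict JSON parsers reject; PATCH 5/5 removes it, so the two patches should be squashed so that no intermediate commit ships an unparsable cluster file. The `index dc2a67b..ed4952f` line shows this patch is built on the same base as PATCH 1/5, and it bumps `"version": 212` to `213` on its own, duplicating PATCH 3/5; rebased onto patches 1–3 the version hunk would conflict, and the new entry should then land with a single bump to the next number rather than two bumps to the same one. For consistency with the keys PATCH 1/5 adds to GhostWriter, the description's "harm Israeli companies" supports `"cfr-suspected-victims": ["Israel"]`, and since the Iranian link is stated as Cybereason's description rather than as established, an `attribution-confidence` value alongside `"country": "IR"` would make the assessment's strength explicit.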