From d4225c546958e96017686d510de264392a1d8baa Mon Sep 17 00:00:00 2001 From: Delta-Sierra Date: Mon, 17 Apr 2023 11:16:21 +0200 Subject: [PATCH 1/5] add some SNOWYAMBER relationships --- clusters/microsoft-activity-group.json | 7 +++++++ clusters/threat-actor.json | 14 +++++++++++++ clusters/tool.json | 27 ++++++++++++++++++++++++-- 3 files changed, 46 insertions(+), 2 deletions(-) diff --git a/clusters/microsoft-activity-group.json b/clusters/microsoft-activity-group.json index 012e1bd..d611db8 100644 --- a/clusters/microsoft-activity-group.json +++ b/clusters/microsoft-activity-group.json @@ -315,6 +315,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "uses" + }, + { + "dest-uuid": "0125ef58-2675-426f-90eb-0b189961199a", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "uses" } ], "uuid": "d7247cf9-13b6-4781-b789-a5f33521633b", diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index c929748..b1e8967 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -2274,6 +2274,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "0125ef58-2675-426f-90eb-0b189961199a", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "uses" } ], "uuid": "b2056ff0-00b9-482e-b11c-c771daa5f28a", @@ -8160,6 +8167,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "0125ef58-2675-426f-90eb-0b189961199a", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "uses" } ], "uuid": "2ee5ed7a-c4d0-40be-a837-20817474a15b", diff --git a/clusters/tool.json b/clusters/tool.json index 1bc037b..3aab56e 100644 --- a/clusters/tool.json +++ b/clusters/tool.json 
@@ -8711,7 +8711,7 @@ }, "related": [ { - "dest-uuid": "54c03b3c-6f97-46ea-a93f-f07bfd5cdd36,", + "dest-uuid": "54c03b3c-6f97-46ea-a93f-f07bfd5cdd36", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], @@ -8756,7 +8756,7 @@ "value": "AHK Bot" }, { - "description": "A tool first used in October 2022, abusing the Notion7 service to communicate and download further malicious files. Two versions of this tool have been observed.", + "description": "A tool first used in October 2022, abusing the Notion service to communicate and download further malicious files. Two versions of this tool have been observed.\n\nSNOWYAMBER is a dropper that was used in an espionage campaign significantly overlapping with publicly described activity linked to the APT29 and NOBELIUM activity sets. SNOWYAMBER abuses the NOTION collaboration service as a communication channel. It does not contain any other capabilities aside from downloading and executing 2nd stage. To bypass security products, SNOWYAMBER uses several antidetection and obfuscation techniques, including string encryption, dynamic API resolving, EDR/AV unhooking, and direct syscalls.", "meta": { "refs": [ "https://www.gov.pl/web/baza-wiedzy/espionage-campaign-linked-to-russian-intelligence-services", @@ -8764,6 +8764,29 @@ "https://www.gov.pl/attachment/ee91f24d-3e67-436d-aa50-7fa56acf789d" ] }, + "related": [ + { + "dest-uuid": "b2056ff0-00b9-482e-b11c-c771daa5f28a", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "used-by" + }, + { + "dest-uuid": "d7247cf9-13b6-4781-b789-a5f33521633b", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "used-by" + }, + { + "dest-uuid": "2ee5ed7a-c4d0-40be-a837-20817474a15b", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "used-by" + } + ], "uuid": "0125ef58-2675-426f-90eb-0b189961199a", "value": "SNOWYAMBER" }, 
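Review bot: The `dest-uuid` corrected in the first hunk of `clusters/tool.json` (`"54c03b3c-6f97-46ea-a93f-f07bfd5cdd36,"`, with the comma inside the string) was a dangling reference that had been accepted into the cluster, and nothing in this change prevents the next one. Consumers that resolve relationships by UUID are likely to drop such an edge without an error, so the link simply vanishes from correlation. If the repository's validation does not already do so, it should reject any `dest-uuid` that is not a well-formed UUID, and ideally any that matches no `uuid` in the cluster files. The entry this `related` array belongs to starts outside the hunk.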
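Review bot: The `related` array added to SNOWYAMBER (hunk -8764) links the tool only to the three actor entries, while the description rewritten in the preceding hunk names concrete evasion techniques (string encryption, dynamic API resolving, EDR/AV unhooking, direct syscalls) that remain free text. If the project links tools to technique clusters, `uses` entries of the form `"dest-uuid": "<attack-pattern-cluster-uuid>"` with `"type": "uses"` would let defenders pivot from the tool to the matching detections. The placeholder stands for UUIDs from the technique cluster, which are not visible in this patch.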
From 6d5df91efab527dc68ded6fe645adb69f058a25e Mon Sep 17 00:00:00 2001 From: Delta-Sierra Date: Mon, 17 Apr 2023 11:31:48 +0200 Subject: [PATCH 2/5] add relationship SNOWYAMBER & Notion --- clusters/online-service.json | 11 ++++++++++- clusters/tool.json | 9 ++++++++- 2 files changed, 18 insertions(+), 2 deletions(-) diff --git a/clusters/online-service.json b/clusters/online-service.json index 92fdb22..1f45bd1 100644 --- a/clusters/online-service.json +++ b/clusters/online-service.json @@ -16,9 +16,18 @@ "https://www.notion.so/product" ] }, + "related": [ + { + "dest-uuid": "0125ef58-2675-426f-90eb-0b189961199a", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "used-by" + } + ], "uuid": "5c807e49-dc90-4f80-b044-49bb990acb61", "value": "Notion" } ], - "version": 1 + "version": 2 } diff --git a/clusters/tool.json b/clusters/tool.json index 3aab56e..72716b9 100644 --- a/clusters/tool.json +++ b/clusters/tool.json @@ -8785,6 +8785,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "used-by" + }, + { + "dest-uuid": "5c807e49-dc90-4f80-b044-49bb990acb61", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "uses" } ], "uuid": "0125ef58-2675-426f-90eb-0b189961199a", @@ -8815,5 +8822,5 @@ "value": "QUARTERRIG" } ], - "version": 162 + "version": 163 } From 4a4fa6d16ff3d7e1877f9662d9bab2d04deca6a5 Mon Sep 17 00:00:00 2001 From: Delta-Sierra Date: Mon, 17 Apr 2023 11:32:51 +0200 Subject: [PATCH 3/5] fix versions --- clusters/microsoft-activity-group.json | 2 +- clusters/threat-actor.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/clusters/microsoft-activity-group.json b/clusters/microsoft-activity-group.json index d611db8..ba6cdba 100644 --- a/clusters/microsoft-activity-group.json +++ b/clusters/microsoft-activity-group.json @@ -328,5 +328,5 @@ "value": "NOBELIUM" } ], - "version": 11 + "version": 12 } 
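Review bot: The Notion-to-SNOWYAMBER edge added in `clusters/online-service.json`, and its reciprocal `uses` entry added to SNOWYAMBER in the `clusters/tool.json` hunk at -8785, carry the same `likely` tag as the actor attributions, although use of the service is an observed property of the sample rather than an attribution. The tool description from patch 1 states it without hedging ("abuses the NOTION collaboration service as a communication channel"), so `"estimative-language:likelihood-probability=\"almost-certain\""` would describe the confidence more accurately and keep it distinguishable from the actor links, which rest on campaign overlap. The Notion entry's description is outside the hunk; if it does not already say so, it should state that the service is legitimate and abused here, because automated consumers can misread a bare `used-by` edge to a malware entry.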
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 9c0ef00..0265c4a 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -10650,5 +10650,5 @@ "value": "Anonymous Sudan" } ], - "version": 263 + "version": 264 } From 6b8994271e08cf0ce32265625d268f3887003ab2 Mon Sep 17 00:00:00 2001 From: Delta-Sierra Date: Tue, 18 Apr 2023 12:20:20 +0200 Subject: [PATCH 4/5] add relationships for HALFRIG & QUATTERRIG --- clusters/microsoft-activity-group.json | 16 +++++++- clusters/threat-actor.json | 30 ++++++++++++++- clusters/tool.json | 52 ++++++++++++++++++++++++-- 3 files changed, 93 insertions(+), 5 deletions(-) diff --git a/clusters/microsoft-activity-group.json b/clusters/microsoft-activity-group.json index ba6cdba..5063270 100644 --- a/clusters/microsoft-activity-group.json +++ b/clusters/microsoft-activity-group.json @@ -322,11 +322,25 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "uses" + }, + { + "dest-uuid": "f169f0b3-fe4d-40e5-a443-2561c98eb67e", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2d5072db-64e2-4d81-9b3a-3aa76cfa978b", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "uses" } ], "uuid": "d7247cf9-13b6-4781-b789-a5f33521633b", "value": "NOBELIUM" } ], - "version": 12 + "version": 13 } diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 0265c4a..dcceae3 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
@@ -2281,6 +2281,20 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "uses" + }, + { + "dest-uuid": "f169f0b3-fe4d-40e5-a443-2561c98eb67e", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2d5072db-64e2-4d81-9b3a-3aa76cfa978b", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "uses" } ], "uuid": "b2056ff0-00b9-482e-b11c-c771daa5f28a", @@ -8176,6 +8190,20 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "uses" + }, + { + "dest-uuid": "f169f0b3-fe4d-40e5-a443-2561c98eb67e", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2d5072db-64e2-4d81-9b3a-3aa76cfa978b", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "uses" } ], "uuid": "2ee5ed7a-c4d0-40be-a837-20817474a15b", @@ -10650,5 +10678,5 @@ "value": "Anonymous Sudan" } ], - "version": 264 + "version": 265 } diff --git a/clusters/tool.json b/clusters/tool.json index 72716b9..76d1f62 100644 --- a/clusters/tool.json +++ b/clusters/tool.json @@ -8798,7 +8798,7 @@ "value": "SNOWYAMBER" }, { - "description": "Used for the first time in February 2023. This tool is distinguished from the others by the embedded code that runs the COBALT STRIKE tool.", + "description": "Used for the first time in February 2023. This tool is distinguished from the others by the embedded code that runs the COBALT STRIKE tool.\n\nHALFRIG is a stager for CobaltStrike Beacon that was used in an espionage campaign significantly overlapping with publicly described activity linked to the APT29 and NOBELIUM activity sets. HALFRIG has significant code overlap with the QUARTERRIG and it is highly probable that it was developed by the same team.", "meta": { "refs": [ "https://www.gov.pl/web/baza-wiedzy/espionage-campaign-linked-to-russian-intelligence-services", 
@@ -8806,11 +8806,34 @@ "https://www.gov.pl/attachment/6e085a2c-ac05-4b62-9423-5d6e9ef730bf" ] }, + "related": [ + { + "dest-uuid": "b2056ff0-00b9-482e-b11c-c771daa5f28a", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "used-by" + }, + { + "dest-uuid": "d7247cf9-13b6-4781-b789-a5f33521633b", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "used-by" + }, + { + "dest-uuid": "2ee5ed7a-c4d0-40be-a837-20817474a15b", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "used-by" + } + ], "uuid": "f169f0b3-fe4d-40e5-a443-2561c98eb67e", "value": "HALFRIG" }, { - "description": "A tool first used in March 2023, sharing part of the code with HALFRIG. Two versions of this tool were observed.", + "description": "A tool first used in March 2023, sharing part of the code with HALFRIG. Two versions of this tool were observed.\n\nQUARTERRIG is a dropper that was used in an espionage campaign significantly overlapping with publicly described activity linked to the APT29 and NOBELIUM activity sets. QUARTERRIG does not contain any other capabilities aside from downloading and executing 2nd stage. To bypass security products, QUARTERRIG heavily relies on obfuscation based on opaque predicates and multi-stage execution, interweaving shellcode and PE files. HALFRIG and QUARTERRIG share some of the codebase, suggesting that QUARTERRIG authors have access to both HALFRIG source code and the same obfuscation libraries.", "meta": { "refs": [ "https://www.gov.pl/web/baza-wiedzy/espionage-campaign-linked-to-russian-intelligence-services", 
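Review bot: The `related` array added to HALFRIG here, and the one added to QUARTERRIG in the next hunk (-8818), hold only `used-by` actor links, although both rewritten descriptions say the two tools share code and were probably built by the same team. A reciprocal pair of entries would record that: in HALFRIG `"dest-uuid": "2d5072db-64e2-4d81-9b3a-3aa76cfa978b"` with `"type": "similar"`, and in QUARTERRIG `"dest-uuid": "f169f0b3-fe4d-40e5-a443-2561c98eb67e"` with the same type. HALFRIG is also described as a stager for Cobalt Strike Beacon, so a `uses` entry pointing at the Cobalt Strike cluster (`"dest-uuid": "<cobalt-strike-cluster-uuid>"`, UUID not visible in this patch) would match how the SNOWYAMBER-to-Notion link was recorded in patch 2.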
@@ -8818,9 +8841,32 @@ "https://www.gov.pl/attachment/6e085a2c-ac05-4b62-9423-5d6e9ef730bf" ] }, + "related": [ + { + "dest-uuid": "b2056ff0-00b9-482e-b11c-c771daa5f28a", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "used-by" + }, + { + "dest-uuid": "d7247cf9-13b6-4781-b789-a5f33521633b", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "used-by" + }, + { + "dest-uuid": "2ee5ed7a-c4d0-40be-a837-20817474a15b", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "used-by" + } + ], "uuid": "2d5072db-64e2-4d81-9b3a-3aa76cfa978b", "value": "QUARTERRIG" } ], - "version": 163 + "version": 164 } From 063ac9fc71eaa3a7e5eaef91830031f777a085d6 Mon Sep 17 00:00:00 2001 From: Delta-Sierra Date: Wed, 19 Apr 2023 15:10:25 +0200 Subject: [PATCH 5/5] jq? --- clusters/microsoft-activity-group.json | 86 +++++++++++++------------- 1 file changed, 43 insertions(+), 43 deletions(-) diff --git a/clusters/microsoft-activity-group.json b/clusters/microsoft-activity-group.json index 51a3d7c..375a2bd 100644 --- a/clusters/microsoft-activity-group.json +++ b/clusters/microsoft-activity-group.json @@ -343,10 +343,10 @@ }, { "meta": { + "country": "CN", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" ], - "country": "CN", "synonyms": [ "APT41", "BARIUM" @@ -357,10 +357,10 @@ }, { "meta": { + "country": "CN", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" ], - "country": "CN", "synonyms": [ "CHROMIUM", "ControlX" @@ -371,10 +371,10 @@ }, { "meta": { + "country": "CN", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" ], - "country": "CN", "synonyms": [ "DEV-0322" ] 
@@ -384,10 +384,10 @@ }, { "meta": { + "country": "CN", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" ], - "country": "CN", "synonyms": [ "APT40", "GADOLINIUM", @@ -401,10 +401,10 @@ }, { "meta": { + "country": "CN", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" ], - "country": "CN", "synonyms": [ "GALLIUM" ] @@ -414,10 +414,10 @@ }, { "meta": { + "country": "CN", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" ], - "country": "CN", "synonyms": [ "DEV-0234" ] @@ -427,10 +427,10 @@ }, { "meta": { + "country": "CN", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" ], - "country": "CN", "synonyms": [ "APT5", "Keyhole Panda", @@ -443,10 +443,10 @@ }, { "meta": { + "country": "CN", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" ], - "country": "CN", "synonyms": [ "APT15", "NICKEL", @@ -459,10 +459,10 @@ }, { "meta": { + "country": "CN", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" ], - "country": "CN", "synonyms": [ "APT30", "LotusBlossom", @@ -474,10 +474,10 @@ }, { "meta": { + "country": "CN", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" ], - "country": "CN", "synonyms": [ "HAFNIUM" ] @@ -487,10 +487,10 @@ }, { "meta": { + "country": "CN", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" ], - "country": "CN", "synonyms": [ "APT31", "ZIRCONIUM" 
@@ -687,10 +687,10 @@ }, { "meta": { + "country": "IR", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" ], - "country": "IR", "synonyms": [ "NEPTUNIUM", "Vice Leaker" @@ -701,10 +701,10 @@ }, { "meta": { + "country": "IR", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" ], - "country": "IR", "synonyms": [ "CURIUM", "TA456", @@ -716,10 +716,10 @@ }, { "meta": { + "country": "IR", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" ], - "country": "IR", "synonyms": [ "DEV-0228" ] @@ -729,10 +729,10 @@ }, { "meta": { + "country": "IR", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" ], - "country": "IR", "synonyms": [ "DEV-0343" ] @@ -742,10 +742,10 @@ }, { "meta": { + "country": "IR", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" ], - "country": "IR", "synonyms": [ "APT34", "Cobalt Gypsy", @@ -758,10 +758,10 @@ }, { "meta": { + "country": "IR", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" ], - "country": "IR", "synonyms": [ "Fox Kitten", "PioneerKitten", @@ -774,10 +774,10 @@ }, { "meta": { + "country": "IR", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" ], - "country": "IR", "synonyms": [ "MERCURY", "MuddyWater", @@ -791,10 +791,10 @@ }, { "meta": { + "country": "IR", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" ], - "country": "IR", "synonyms": [ "DEV-0500", "Moses Staff" 
@@ -805,10 +805,10 @@ }, { "meta": { + "country": "IR", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" ], - "country": "IR", "synonyms": [ "APT35", "Charming Kitten", @@ -820,10 +820,10 @@ }, { "meta": { + "country": "IR", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" ], - "country": "IR", "synonyms": [ "APT33", "HOLMIUM", @@ -835,10 +835,10 @@ }, { "meta": { + "country": "IR", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" ], - "country": "IR", "synonyms": [ "AMERICIUM", "Agrius", @@ -852,10 +852,10 @@ }, { "meta": { + "country": "IR", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" ], - "country": "IR", "synonyms": [ "DEV-0146", "ZeroCleare" @@ -866,10 +866,10 @@ }, { "meta": { + "country": "IR", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" ], - "country": "IR", "synonyms": [ "BOHRIUM" ] @@ -879,10 +879,10 @@ }, { "meta": { + "country": "LB", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" ], - "country": "LB", "synonyms": [ "POLONIUM" ] @@ -892,10 +892,10 @@ }, { "meta": { + "country": "KP", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" ], - "country": "KP", "synonyms": [ "Labyrinth Chollima", "Lazarus", @@ -907,10 +907,10 @@ }, { "meta": { + "country": "KP", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" ], - "country": "KP", "synonyms": [ "Kimsuky", "THALLIUM", 
@@ -922,10 +922,10 @@ }, { "meta": { + "country": "KP", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" ], - "country": "KP", "synonyms": [ "Konni", "OSMIUM" @@ -936,10 +936,10 @@ }, { "meta": { + "country": "KP", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" ], - "country": "KP", "synonyms": [ "LAWRENCIUM" ] @@ -949,10 +949,10 @@ }, { "meta": { + "country": "KP", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" ], - "country": "KP", "synonyms": [ "CERIUM" ] @@ -962,10 +962,10 @@ }, { "meta": { + "country": "KP", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" ], - "country": "KP", "synonyms": [ "BlueNoroff", "COPERNICIUM", @@ -977,10 +977,10 @@ }, { "meta": { + "country": "KP", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" ], - "country": "KP", "synonyms": [ "DEV-0530", "H0lyGh0st" @@ -1047,10 +1047,10 @@ }, { "meta": { + "country": "RU", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" ], - "country": "RU", "synonyms": [ "ACTINIUM", "Gamaredon", @@ -1063,10 +1063,10 @@ }, { "meta": { + "country": "RU", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" ], - "country": "RU", "synonyms": [ "DEV-0586" ] @@ -1076,10 +1076,10 @@ }, { "meta": { + "country": "RU", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" ], - "country": "RU", "synonyms": [ "APT28", "Fancy Bear", 
@@ -1091,10 +1091,10 @@ }, { "meta": { + "country": "RU", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" ], - "country": "RU", "synonyms": [ "BROMINE", "Crouching Yeti", @@ -1106,10 +1106,10 @@ }, { "meta": { + "country": "RU", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" ], - "country": "RU", "synonyms": [ "APT29", "Cozy Bear", @@ -1121,10 +1121,10 @@ }, { "meta": { + "country": "RU", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" ], - "country": "RU", "synonyms": [ "IRIDIUM", "Sandworm" @@ -1135,10 +1135,10 @@ }, { "meta": { + "country": "RU", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" ], - "country": "RU", "synonyms": [ "Callisto", "Reuse Team", @@ -1150,10 +1150,10 @@ }, { "meta": { + "country": "RU", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" ], - "country": "RU", "synonyms": [ "DEV-0665" ] @@ -1163,10 +1163,10 @@ }, { "meta": { + "country": "KR", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" ], - "country": "KR", "synonyms": [ "DUBNIUM", "Dark Hotel", @@ -1178,10 +1178,10 @@ }, { "meta": { + "country": "TR", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" ], - "country": "TR", "synonyms": [ "SILICON", "Sea Turtle" @@ -1192,10 +1192,10 @@ }, { "meta": { + "country": "VN", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" ], - "country": "VN", "synonyms": [ "APT32", "BISMUTH",