diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 2600adf..866302d 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -52,14 +52,13 @@
 "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-oceansalt.pdf",
 "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=f1265df5-6e5e-4fcc-9828-d4ddbbafd3d7&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
 "https://attack.mitre.org/groups/G0006/",
- "https://www.nytimes.com/2014/05/20/us/us-to-charge-chinese-workers-with-cyberspying.html"
+ "https://www.nytimes.com/2014/05/20/us/us-to-charge-chinese-workers-with-cyberspying.html",
+ "https://www.mandiant.com/resources/insights/apt-groups"
 ],
 "synonyms": [
- "Comment Panda",
+ "COMMENT PANDA",
 "PLA Unit 61398",
- "APT 1",
- "APT1",
- "Advanced Persistent Threat 1",
+ "Comment Crew",
 "Byzantine Candor",
 "Group 3",
 "TG-8223",
@@ -67,7 +66,6 @@
 "Brown Fox",
 "GIF89a",
 "ShadyRAT",
- "Shanghai Group",
 "G0006"
 ]
 },
@@ -81,7 +79,7 @@
 }
 ],
 "uuid": "1cb7e1cc-d695-42b1-92f4-fd0112a3c9be",
- "value": "Comment Crew"
+ "value": "APT1"
 },
 {
 "description": "These attackers were the subject of an extensive report by Symantec in 2011, which termed the attackers Nitro and stated: 'The goal of the attackers appears to be to collect intellectual property such as design documents, formulas, and manufacturing processes. In addition, the same attackers appear to have a lengthy operation history including attacks on other industries and organizations. Attacks on the chemical industry are merely their latest attack wave. As part of our investigations, we were also able to identify and contact one of the attackers to try and gain insights into the motivations behind these attacks.' Palo Alto Networks reported on continued activity by the attackers in 2014. ",
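Review bot: The synonyms list loses `"APT 1"`, `"Advanced Persistent Threat 1"` and `"Shanghai Group"` in the -52 and -67 hunks with nothing replacing them, while the old value `"Comment Crew"` is correctly carried over as a synonym. Synonyms are what lets a MISP instance match existing tags and free-text report names against this cluster, so dropping a spelling silently breaks those lookups rather than tidying them. Keep the three lines, or say in the commit message that they are being retired on purpose. The same spaced-form aliases are dropped without replacement in the APT2 (-271), APT3 (-318), APT4 (-4900), APT10 (-981), APT14 (-1148), APT21 (-1230), APT27 (-909) and APT40 (-5586) hunks later in the diff.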
@@ -109,12 +107,12 @@
 "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks",
 "http://researchcenter.paloaltonetworks.com/2016/01/new-attacks-linked-to-c0d0s0-group/",
 "https://www.nytimes.com/2016/06/12/technology/the-chinese-hackers-in-the-back-office.html",
- "https://www.ncsc.gov.uk/content/files/protected_files/article_files/Joint%20report%20on%20publicly%20available%20hacking%20tools%20%28NCSC%29.pdf"
+ "https://www.ncsc.gov.uk/content/files/protected_files/article_files/Joint%20report%20on%20publicly%20available%20hacking%20tools%20%28NCSC%29.pdf",
+ "https://www.mandiant.com/resources/insights/apt-groups"
 ],
 "synonyms": [
 "C0d0so",
- "APT19",
- "APT 19",
+ "Codoso",
 "Sunshop Group"
 ]
 },
@@ -142,7 +140,7 @@
 }
 ],
 "uuid": "103ebfd8-4280-4027-b61a-69bd9967ad6c",
- "value": "Codoso"
+ "value": "APT19"
 },
 {
 "meta": {
@@ -167,17 +165,6 @@
 "uuid": "9e71024e-817f-45b0-92a0-d886c30bc929",
 "value": "Dust Storm"
 },
- {
- "meta": {
- "attribution-confidence": "50",
- "country": "CN",
- "synonyms": [
- "temp.bottle"
- ]
- },
- "uuid": "ad022538-b457-4839-8ebd-3fdcc807a820",
- "value": "Keyhole Panda"
- },
 {
 "meta": {
 "attribution-confidence": "50",
@@ -187,7 +174,7 @@
 ]
 },
 "uuid": "ba8973b2-fd97-4aa7-9307-ea4838d96428",
- "value": "Wet Panda"
+ "value": "WET PANDA"
 },
 {
 "description": "Adversary group targeting telecommunication and technology organizations.",
@@ -199,7 +186,7 @@
 ]
 },
 "uuid": "41c15f08-a646-49f7-a644-1bebbf7a4dcd",
- "value": "Foxy Panda"
+ "value": "FOXY PANDA"
 },
 {
 "meta": {
@@ -210,7 +197,7 @@
 ]
 },
 "uuid": "1969f622-d64a-4436-9a34-4c47fcb2535f",
- "value": "Predator Panda"
+ "value": "PREDATOR PANDA"
 },
 {
 "meta": {
@@ -221,7 +208,7 @@
 ]
 },
 "uuid": "7195b51f-500e-4034-a851-bf34a2728dc8",
- "value": "Union Panda"
+ "value": "UNION PANDA"
 },
 {
 "meta": {
@@ -232,7 +219,7 @@
 ]
 },
 "uuid": "4959652d-72fa-46e4-be20-4ec686409bfb",
- "value": "Spicy Panda"
+ "value": "SPICY PANDA"
 },
 {
 "meta": {
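Review bot: The -167 hunk deletes the Keyhole Panda cluster with uuid `ad022538-b457-4839-8ebd-3fdcc807a820` outright, and nothing in the diff records where it went; the -4584 hunk later adds `"KEYHOLE PANDA"` and `"TEMP.Bottle"` to cluster `a47b79ae-7a0c-4308-9efc-294af19cc795`, which reads as a merge. Any event or attribute already tagged with the deleted UUID stops resolving after this change, so a merge should leave a trace on the surviving cluster — a `related` entry pointing at the retired UUID, or a sentence in its description naming the cluster it absorbed. The Nightshade Panda (-1013) and Hammer Panda (-4064) deletions have the same gap, and for Nightshade Panda no surviving entry in this diff picks up its `"APT 9"`, `"Flowerlady"` and `"Flowershow"` aliases or its OTX reference at all.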
@@ -243,7 +230,7 @@
 ]
 },
 "uuid": "432b0304-768f-4fb9-9762-e745ef524ec7",
- "value": "Eloquent Panda"
+ "value": "ELOQUENT PANDA"
 },
 {
 "meta": {
@@ -252,7 +239,7 @@
 ]
 },
 "uuid": "8a8f39df-74b3-4946-ab64-f84968bababe",
- "value": "Dizzy Panda"
+ "value": "DIZZY PANDA"
 },
 {
 "description": "Putter Panda were the subject of an extensive report by CrowdStrike, which stated: 'The CrowdStrike Intelligence team has been tracking this particular unit since2012, under the codename PUTTER PANDA, and has documented activity dating back to 2007. The report identifies Chen Ping, aka cpyy, and the primary location of Unit 61486.'",
@@ -271,14 +258,12 @@
 "refs": [
 "http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf",
 "https://www.cfr.org/interactive/cyber-operations/putter-panda",
- "https://attack.mitre.org/groups/G0024/"
+ "https://attack.mitre.org/groups/G0024",
+ "https://www.mandiant.com/resources/insights/apt-groups"
 ],
 "synonyms": [
 "PLA Unit 61486",
- "APT 2",
- "APT2",
- "Group 36",
- "APT-2",
+ "PUTTER PANDA",
 "MSUpdater",
 "4HCrew",
 "SULPHUR",
@@ -297,7 +282,7 @@
 }
 ],
 "uuid": "0ca45163-e223-4167-b1af-f088ed14a93d",
- "value": "Putter Panda"
+ "value": "APT2"
 },
 {
 "description": "Symantec described UPS in 2016 report as: 'Buckeye (also known as APT3, Gothic Panda, UPS Team, and TG-0110) is a cyberespionage group that is believed to have been operating for well over half a decade. Traditionally, the group attacked organizations in the US as well as other targets. However, Buckeyes focus appears to have changed as of June 2015, when the group began compromising political entities in Hong Kong.'",
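Review bot: The -271 hunk drops `"Group 36"` and `"APT-2"` from the synonyms along with the spaced form, and neither has a counterpart anywhere else in the entry, so two aliases a reader might search for simply disappear. The same hunk also rewrites the MITRE reference from `https://attack.mitre.org/groups/G0024/` to the slash-less form while every other MITRE ref visible in this file (G0006/, G0025/, G0001/, G0027/, G0045/, G0004/, G0030/, G0066/, G0081/, G0039/) keeps the trailing slash; the -1287 hunk (G0011) and the -981 hunk (granite-taurus) make the same cosmetic change, which only makes the list harder to deduplicate. Keep `"Group 36",` and `"APT-2",`, and leave the URLs as they were unless the whole file is normalised in one pass.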
@@ -318,14 +303,14 @@
 "https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html",
 "https://web.archive.org/web/20160910124439/http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong",
 "https://www.cfr.org/interactive/cyber-operations/apt-3",
- "https://www.secureworks.com/research/threat-profiles/bronze-mayfair"
+ "https://www.secureworks.com/research/threat-profiles/bronze-mayfair",
+ "https://www.mandiant.com/resources/insights/apt-groups"
 ],
 "synonyms": [
- "Gothic Panda",
+ "GOTHIC PANDA",
 "TG-0110",
- "APT 3",
 "Group 6",
- "UPS Team",
+ "UPS",
 "APT3",
 "Buckeye",
 "Boyusec",
@@ -343,7 +328,7 @@
 }
 ],
 "uuid": "d144c83e-2302-4947-9e24-856fbf7949ae",
- "value": "UPS"
+ "value": "APT3"
 },
 {
 "description": "Kaspersky described DarkHotel in a 2014 report as: '... DarkHotel drives its campaigns by spear-phishing targets with highly advanced Flash zero-day exploits that effectively evade the latest Windows and Adobe defenses, and yet they also imprecisely spread among large numbers of vague targets with peer-to-peer spreading tactics. Moreover, this crews most unusual characteristic is that for several years the Darkhotel APT has maintained a capability to use hotel networks to follow and hit selected targets as they travel around the world.'",
@@ -424,10 +409,11 @@
 "http://www.crowdstrike.com/blog/whois-numbered-panda/",
 "https://www.cfr.org/interactive/cyber-operations/apt-12",
 "https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html",
- "https://www.secureworks.com/research/threat-profiles/bronze-globe"
+ "https://www.secureworks.com/research/threat-profiles/bronze-globe",
+ "https://www.mandiant.com/resources/insights/apt-groups"
 ],
 "synonyms": [
- "Numbered Panda",
+ "NUMBERED PANDA",
 "TG-2754",
 "BeeBus",
 "Group 22",
@@ -435,8 +421,7 @@
 "Calc Team",
 "DNSCalc",
 "Crimson Iron",
- "APT12",
- "APT 12",
+ "IXESHE",
 "BRONZE GLOBE"
 ]
 },
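Review bot: After the -318 and -343 hunks the APT3 entry carries `"APT3"` both as its `value` and as a synonym, whereas every other rename in this diff (for example -109/-142 for APT19) removes the self-name from the synonyms when it becomes the value. In the same hunk `"UPS Team"` is rewritten to `"UPS"`, which preserves the old value but loses the "UPS Team" alias that the entry's own description quotes ("also known as APT3, Gothic Panda, UPS Team, and TG-0110"). Keep `"UPS Team",` next to the new `"UPS",` line and drop the `"APT3",` synonym so the entry follows the pattern used elsewhere.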
@@ -450,7 +435,7 @@
 }
 ],
 "uuid": "48146604-6693-4db1-bd94-159744726514",
- "value": "IXESHE"
+ "value": "APT12"
 },
 {
 "description": "Between November 26, 2015, and December 1, 2015, known and suspected China-based APT groups launched several spear-phishing attacks targeting Japanese and Taiwanese organizations in the high-tech, government services, media and financial services industries. Each campaign delivered a malicious Microsoft Word document exploiting the aforementioned EPS dict copy use-after-free vulnerability, and the local Windows privilege escalation vulnerability CVE-2015-1701. The successful exploitation of both vulnerabilities led to the delivery of either a downloader that we refer to as IRONHALO, or a backdoor that we refer to as ELMER.",
@@ -469,16 +454,16 @@
 "refs": [
 "https://www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html",
 "https://www.cfr.org/interactive/cyber-operations/apt-16",
- "https://attack.mitre.org/groups/G0023"
+ "https://attack.mitre.org/groups/G0023",
+ "https://www.mandiant.com/resources/insights/apt-groups"
 ],
 "synonyms": [
- "APT16",
 "SVCMONDR",
 "G0023"
 ]
 },
 "uuid": "1f73e14f-b882-4032-a565-26dc653b0daf",
- "value": "APT 16"
+ "value": "APT16"
 },
 {
 "description": "FireEye described APT17 in a 2015 report as: 'APT17, also known as DeputyDog, is a China based threat group that FireEye Intelligence has observed conducting network intrusions against U.S. government entities, the defense industry, law firms, information technology companies, mining companies, and non-government organizations.'",
@@ -517,11 +502,12 @@
 "https://attack.mitre.org/groups/G0025/",
 "cfr.org/cyber-operations/axiom",
 "https://attack.mitre.org/groups/G0001/",
- "https://www.youtube.com/watch?v=NFJqD-LcpIg"
+ "https://www.youtube.com/watch?v=NFJqD-LcpIg",
+ "https://www.mandiant.com/resources/insights/apt-groups"
 ],
 "synonyms": [
 "Group 8",
- "APT17",
+ "AURORA PANDA",
 "Hidden Lynx",
 "Tailgater Team",
 "Dogfish",
@@ -530,8 +516,7 @@
 "Group 72",
 "G0001",
 "Axiom",
- "Earth Baku",
- "Amoeba"
+ "HELIUM"
 ]
 },
 "related": [
@@ -558,7 +543,7 @@
 }
 ],
 "uuid": "99e30d89-9361-4b73-a999-9e5ff9320bcb",
- "value": "Aurora Panda"
+ "value": "APT17"
 },
 {
 "description": "Wekby was described by Palo Alto Networks in a 2015 report as: 'Wekby is a group that has been active for a number of years, targeting various industries such as healthcare, telecommunications, aerospace, defense, and high tech. The group is known to leverage recently released exploits very shortly after those exploits are available, such as in the case of HackingTeams Flash zero - day exploit.'",
@@ -578,15 +563,16 @@
 "refs": [
 "https://threatpost.com/apt-gang-branches-out-to-medical-espionage-in-community-health-breach/107828",
 "https://www.cfr.org/interactive/cyber-operations/apt-18",
- "https://attack.mitre.org/groups/G0026"
+ "https://attack.mitre.org/groups/G0026",
+ "https://www.mandiant.com/resources/insights/apt-groups"
 ],
 "synonyms": [
- "Dynamite Panda",
+ "DYNAMITE PANDA",
 "TG-0416",
 "APT 18",
 "SCANDIUM",
 "PLA Navy",
- "APT18",
+ "Wekby",
 "G0026"
 ]
 },
@@ -607,7 +593,7 @@
 }
 ],
 "uuid": "9a683d9c-8f7d-43df-bba2-ad0ca71e277c",
- "value": "Wekby"
+ "value": "APT18"
 },
 {
 "description": "Adversary group targeting financial, technology, non-profit organisations.",
@@ -648,9 +634,9 @@
 "https://www.secureworks.com/research/threat-profiles/bronze-firestone"
 ],
 "synonyms": [
- "Deep Panda",
+ "DEEP PANDA",
 "WebMasters",
- "APT 19",
+ "APT19",
 "KungFu Kittens",
 "Black Vine",
 "Group 13",
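Review bot: The -530 hunk removes `"Earth Baku"` and `"Amoeba"` from the APT17 synonyms and adds `"HELIUM"`, but the only reference added to this entry (-517) is the generic Mandiant APT-groups page, so the hunk gives a reader no way to tell whether the two names were wrong here or are simply being lost. If this is a re-attribution, the commit message or the entry's description should say where those names now belong; otherwise keep the two lines. The enclosing synonyms array starts before the hunk.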
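Review bot: The -648 hunk turns the Deep Panda synonym `"APT 19"` into `"APT19"`, which is exactly the string the -142 hunk has just made the `value` of cluster `103ebfd8-4280-4027-b61a-69bd9967ad6c` (formerly Codoso). After this commit a lookup for "APT19" therefore resolves to two different clusters, and the -109 hunk removed both APT19 spellings from the Codoso entry's synonyms, so the commit tidies each side without deciding which cluster owns the name. Either drop the `"APT19",` synonym from Deep Panda or link the two clusters through their `related` lists so the ambiguity is explicit rather than silent.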
@@ -728,7 +714,8 @@
 "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/eagle-eye-is-back-apt30/",
 "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf",
 "https://attack.mitre.org/wiki/Group/G0013",
- "https://www.mandiant.com/sites/default/files/2021-09/rpt-apt30.pdf"
+ "https://www.mandiant.com/sites/default/files/2021-09/rpt-apt30.pdf",
+ "https://www.mandiant.com/resources/insights/apt-groups"
 ],
 "synonyms": [
 "PLA Unit 78020",
@@ -736,7 +723,7 @@
 "Camerashy",
 "BRONZE GENEVA",
 "G0019",
- "APT30",
+ "Naikon",
 "BRONZE STERLING",
 "G0013"
 ]
@@ -765,7 +752,7 @@
 }
 ],
 "uuid": "2f1fd017-9df6-4759-91fb-e7039609b5ff",
- "value": "Naikon"
+ "value": "APT30"
 },
 {
 "description": "Lotus Blossom is a threat group that has targeted government and military organizations in Southeast Asia.",
@@ -796,7 +783,8 @@
 "https://community.rsa.com/community/products/netwitness/blog/2018/02/13/lotus-blossom-continues-asean-targeting",
 "https://www.accenture.com/t20180127T003755Z_w_/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf",
 "https://attack.mitre.org/groups/G0030/",
- "https://www.secureworks.com/research/threat-profiles/bronze-elgin"
+ "https://www.secureworks.com/research/threat-profiles/bronze-elgin",
+ "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf"
 ],
 "synonyms": [
 "Spring Dragon",
@@ -806,7 +794,7 @@
 "ATK1",
 "G0030",
 "Red Salamander",
- "LOTUS PANDA"
+ "Lotus BLossom"
 ]
 },
 "related": [
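Review bot: The -806 hunk adds the synonym `"Lotus BLossom"` with a mis-capitalised L, which matches neither the entry's description ("Lotus Blossom is a threat group …") nor the old value `"Lotus Blossom"` that the -819 hunk retires, so the one spelling people will actually search for is absent from the cluster. Change the line to `"Lotus Blossom"`. The enclosing synonyms array starts before the hunk.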
@@ -819,7 +807,7 @@
 }
 ],
 "uuid": "32fafa69-fe3c-49db-afd4-aac2664bcf0d",
- "value": "Lotus Blossom"
+ "value": "LOTUS PANDA"
 },
 {
 "description": "We have investigated their intrusions since 2013 and have been battling them nonstop over the last year at several large telecommunications and technology companies. The determination of this China-based adversary is truly impressive: they are like a dog with a bone.\nHURRICANE PANDA's preferred initial vector of compromise and persistence is a China Chopper webshell – a tiny and easily obfuscated 70 byte text file that consists of an ‘eval()’ command, which is then used to provide full command execution and file upload/download capabilities to the attackers. This script is typically uploaded to a web server via a SQL injection or WebDAV vulnerability, which is often trivial to uncover in a company with a large external web presence.\nOnce inside, the adversary immediately moves on to execution of a credential theft tool such as Mimikatz (repacked to avoid AV detection). If they are lucky to have caught an administrator who might be logged into that web server at the time, they will have gained domain administrator credentials and can now roam your network at will via ‘net use’ and ‘wmic’ commands executed through the webshell terminal.",
@@ -861,7 +849,7 @@
 }
 ],
 "uuid": "0286e80e-b0ed-464f-ad62-beec8536d0cb",
- "value": "Hurricane Panda"
+ "value": "HURRICANE PANDA"
 },
 {
 "description": "A China-based actor that targets foreign embassies to collect data on government, defence, and technology sectors.",
@@ -909,13 +897,13 @@
 "https://securelist.com/luckymouse-hits-national-data-center/86083/",
 "https://attack.mitre.org/groups/G0027/",
 "https://www.secureworks.com/research/threat-profiles/bronze-union",
- "https://unit42.paloaltonetworks.com/atoms/iron-taurus/"
+ "https://unit42.paloaltonetworks.com/atoms/iron-taurus/",
+ "https://www.mandiant.com/resources/insights/apt-groups"
 ],
 "synonyms": [
 "GreedyTaotie",
 "TG-3390",
- "APT 27",
- "APT27",
+ "EMISSARY PANDA",
 "TEMP.Hippo",
 "Red Phoenix",
 "Budworm",
@@ -938,7 +926,7 @@
 }
 ],
 "uuid": "834e0acd-d92a-4e38-bb14-dc4159d7cb32",
- "value": "EMISSARY PANDA"
+ "value": "APT27"
 },
 {
 "meta": {
@@ -981,15 +969,12 @@
 "https://www.fbi.gov/news/stories/chinese-hackers-indicted-122018",
 "https://attack.mitre.org/groups/G0045/",
 "https://www.secureworks.com/research/threat-profiles/bronze-riverside",
- "https://unit42.paloaltonetworks.com/atoms/granite-taurus/"
+ "https://unit42.paloaltonetworks.com/atoms/granite-taurus",
+ "https://www.mandiant.com/resources/insights/apt-groups"
 ],
 "synonyms": [
- "APT10",
- "APT 10",
- "MenuPass",
+ "STONE PANDAD",
 "Menupass Team",
- "menuPass",
- "menuPass Team",
 "happyyongzi",
 "POTASSIUM",
 "DustStorm",
@@ -1013,24 +998,7 @@
 }
 ],
 "uuid": "56b37b05-72e7-4a89-ba8a-61ce45269a8c",
- "value": "Stone Panda"
- },
- {
- "meta": {
- "attribution-confidence": "50",
- "country": "CN",
- "refs": [
- "https://otx.alienvault.com/pulse/55bbc68e67db8c2d547ae393/"
- ],
- "synonyms": [
- "APT 9",
- "Flowerlady/Flowershow",
- "Flowerlady",
- "Flowershow"
- ]
- },
- "uuid": "401dd2c9-bd4f-4814-bb87-701e38f18d45",
- "value": "Nightshade Panda"
+ "value": "APT10"
 },
 {
 "description": "This threat actor uses spear-phishing techniques to compromise diplomatic targets in Southeast Asia, India, and the United States. It also seems to have targeted the APT 30. Possibly uses the same infrastructure as Mirage",
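Review bot: The -981 hunk adds the synonym `"STONE PANDAD"` with a trailing D, a typo that means the upper-cased form of the old value `"Stone Panda"` (retired in -1013) never actually lands in the cluster. Change the line to `"STONE PANDA"`. The same hunk also collapses `"MenuPass"`, `"menuPass"` and `"menuPass Team"` into the single surviving `"Menupass Team"`; if synonym matching downstream is case-sensitive those three spellings were not redundant, so consider keeping at least `"menuPass",`.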
@@ -1107,25 +1075,29 @@
 "https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/",
 "https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/",
 "https://attack.mitre.org/groups/G0004/",
- "https://www.secureworks.com/research/threat-profiles/bronze-palace"
+ "https://www.secureworks.com/research/threat-profiles/bronze-palace",
+ "https://www.mandiant.com/resources/insights/apt-groups",
+ "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf",
+ "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi"
 ],
 "synonyms": [
- "Vixen Panda",
+ "VIXEN PANDA",
 "Ke3Chang",
- "GREF",
 "Playful Dragon",
- "APT 15",
- "APT15",
 "Metushy",
 "Lurid",
 "Social Network Team",
 "Royal APT",
 "BRONZE PALACE",
- "G0004"
+ "BRONZE DAVENPORT",
+ "BRONZE IDLEWOOD",
+ "NICKEL",
+ "G0004",
+ "Red Vulture"
 ]
 },
 "uuid": "3501fbf2-098f-47e7-be6a-6b0ff5742ce8",
- "value": "APT15"
+ "value": "APT15"
 },
 {
 "description": "PLA Navy\nAnchor Panda is an adversary that CrowdStrike has tracked extensively over the last year targeting both civilian and military maritime operations in the green/brown water regions primarily in the area of operations of the South Sea Fleet of the PLA Navy. In addition to maritime operations in this region, Anchor Panda also heavily targeted western companies in the US, Germany, Sweden, the UK, and Australia, and other countries involved in maritime satellite systems, aerospace companies, and defense contractors. \nNot surprisingly, embassies and diplomatic missions in the region, foreign intelligence services, and foreign governments with space programs were also targeted.",
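Review bot: The -1107 hunk changes this cluster's `value` from `"Mirage"` to `"APT15"` but, unlike the Codoso, Wekby, Naikon and Suckfly renames in this diff, does not add the old value back as a synonym, so the name "Mirage" vanishes from the galaxy even though another entry's description in this same diff still says "Possibly uses the same infrastructure as Mirage". Add `"Mirage",` to the synonyms. The hunk also removes `"GREF"` while adding five new aliases; if GREF is being moved elsewhere on purpose, say so in the commit message, otherwise keep it.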
@@ -1148,11 +1120,11 @@
 "motive": "Espionage",
 "refs": [
 "http://www.crowdstrike.com/blog/whois-anchor-panda/",
- "https://www.cfr.org/interactive/cyber-operations/anchor-panda"
+ "https://www.cfr.org/interactive/cyber-operations/anchor-panda",
+ "https://www.mandiant.com/resources/insights/apt-groups"
 ],
 "synonyms": [
- "APT14",
- "APT 14",
+ "ANCHOR PANDA",
 "QAZTeam",
 "ALUMINUM"
 ]
@@ -1195,7 +1167,7 @@
 }
 ],
 "uuid": "c82c904f-b3b4-40a2-bf0d-008912953104",
- "value": "Anchor Panda"
+ "value": "APT14"
 },
 {
 "meta": {
@@ -1230,16 +1202,18 @@
 "https://www.kaspersky.com/about/press-releases/2013_kaspersky-lab-uncovers--operation-nettraveler--a-global-cyberespionage-campaign-targeting-government-affiliated-organizations-and-research-institutes",
 "https://www.kaspersky.com/about/press-releases/2014_nettraveler-gets-a-makeover-for-10th-anniversary",
 "https://unit42.paloaltonetworks.com/nettraveler-spear-phishing-email-targets-diplomat-of-uzbekistan/",
- "https://www.proofpoint.com/us/threat-insight/post/nettraveler-apt-targets-russian-european-interests"
+ "https://www.proofpoint.com/us/threat-insight/post/nettraveler-apt-targets-russian-european-interests",
+ "http://www.darkreading.com/endpoint/chinese-cyberspies-pivot-to-russia-in-wake-of-obama-xi-pact/d/d-id/1324242",
+ "https://www.mandiant.com/resources/insights/apt-groups"
 ],
 "synonyms": [
- "APT 21",
- "APT21",
- "TravNet"
+ "HAMMER PANDA",
+ "TEMP.Zhenbao",
+ "NetTraveler"
 ]
 },
 "uuid": "b80f4788-ccb2-466d-ae16-b397159d907e",
- "value": "NetTraveler"
+ "value": "APT21"
 },
 {
 "description": "Operate since at least 2011, from several locations in China, with members in Korea and Japan as well. Possibly linked to Onion Dog. This threat actor targets government institutions, military contractors, maritime and shipbuilding groups, telecommunications operators, and others, primarily in Japan and South Korea.",
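Review bot: The -1230 hunk folds the deleted Hammer Panda cluster (-4064) into this entry by adding its darkreading reference, `"HAMMER PANDA"` and `"TEMP.Zhenbao"`, but it leaves behind the deleted entry's other synonym `"Zhenbao"` and at the same time drops this entry's own `"TravNet"` alias. Both names are lost from the galaxy with nothing gained, so add `"Zhenbao",` and keep `"TravNet",` in the synonyms list. Since the merge is otherwise silent, a `related` entry or a description sentence noting that Hammer Panda (uuid `1f2762d9-a4b5-4457-ac51-00be05be9e23`) was merged here would let existing tags on that UUID be traced.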
@@ -1263,18 +1237,18 @@
 "https://securelist.com/the-icefog-apt-a-tale-of-cloak-and-three-daggers/57331/",
 "https://securelist.com/the-icefog-apt-hits-us-targets-with-java-backdoor/58209/",
 "https://www.cfr.org/interactive/cyber-operations/icefog",
- "https://d2538mqrb7brka.cloudfront.net/wp-content/uploads/sites/43/2018/03/20133739/icefog.pdf"
+ "https://d2538mqrb7brka.cloudfront.net/wp-content/uploads/sites/43/2018/03/20133739/icefog.pdf",
+ "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf"
 ],
 "synonyms": [
 "IceFog",
- "Dagger Panda",
 "Trident",
 "RedFoxtrot",
 "Red Wendigo"
 ]
 },
 "uuid": "32c534b9-abec-4823-b223-a810f897b47b",
- "value": "Ice Fog"
+ "value": "DAGGER PANDA"
 },
 {
 "description": "The Pitty Tiger group has been active since at least 2011. They have been seen using HeartBleed vulnerability in order to directly get valid credentials",
@@ -1287,11 +1261,11 @@
 "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/2014.07.11.Pitty_Tiger/Pitty_Tiger_Final_Report.pdf",
 "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/targeted-attacks-on-french-company-exploit-multiple-word-vulnerabilities/",
 "https://www.fireeye.com/blog/threat-research/2014/07/spy-of-the-tiger.html",
- "https://attack.mitre.org/groups/G0011/"
+ "https://attack.mitre.org/groups/G0011",
+ "https://www.mandiant.com/resources/insights/apt-groups"
 ],
 "synonyms": [
- "PittyTiger",
- "MANGANESE",
+ "PITTY PANDA",
 "G0011"
 ]
 },
@@ -1305,7 +1279,7 @@
 }
 ],
 "uuid": "4d37813c-b8e9-4e58-a758-03168d8aa189",
- "value": "Pitty Panda"
+ "value": "APT24"
 },
 {
 "meta": {
@@ -1350,7 +1324,7 @@
 "https://attack.mitre.org/groups/G0066/"
 ],
 "synonyms": [
- "Sneaky Panda",
+ "SNEAKY PANDA",
 "Elderwood",
 "Elderwood Gang",
 "SIG22",
@@ -1378,7 +1352,7 @@
 ]
 },
 "uuid": "c92d7d31-cfd9-4309-b6c4-b7eb1e85fa7e",
- "value": "Radio Panda"
+ "value": "RADIO PANDA"
 },
 {
 "meta": {
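Review bot: The -1287 hunk removes `"PittyTiger"`, which is the name every existing reference on this entry uses (the Pitty_Tiger_Final_Report.pdf, the FireEye "spy-of-the-tiger" post, and the description "The Pitty Tiger group …"), while the -1305 hunk renames the cluster to "APT24" on the strength of only the generic Mandiant APT-groups page. Keep `"PittyTiger",` and consider adding `"Pitty Tiger",` so the cluster remains findable under the name its own sources use. Removing `"MANGANESE"` here is fine, since the -4584 hunk shows that name already belongs to cluster a47b79ae, and this change resolves a duplicate rather than creating one.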
@@ -1431,7 +1405,7 @@
 }
 ],
 "uuid": "2fb07fa4-0d7f-43c7-8ff4-b28404313fe7",
- "value": "Samurai Panda"
+ "value": "SAMURAI PANDA"
 },
 {
 "meta": {
@@ -1439,7 +1413,7 @@
 "country": "CN"
 },
 "uuid": "b56ecbda-6b2a-4aa9-b592-d9a0bc810ec1",
- "value": "Impersonating Panda"
+ "value": "IMPERSONATING PANDA"
 },
 {
 "description": "We’ve uncovered some new data and likely attribution regarding a series of APT watering hole attacks this past summer. Watering hole attacks are an increasingly popular component of APT campaigns, as many people are more aware of spear phishing and are less likely to open documents or click on links in unsolicited emails. Watering hole attacks offer a much better chance of success because they involve compromising legitimate websites and installing malware intended to compromise website visitors. These are often popular websites frequented by people who work in specific industries or have political sympathies to which the actors want to gain access.\nIn contrast to many other APT campaigns, which tend to rely heavily on spear phishing to gain victims, “th3bug” is known for compromising legitimate websites their intended visitors are likely to frequent. Over the summer they compromised several sites, including a well-known Uyghur website written in that native language.",
@@ -1450,10 +1424,11 @@
 "http://researchcenter.paloaltonetworks.com/2014/09/recent-watering-hole-attacks-attributed-apt-group-th3bug-using-poison-ivy/",
 "https://www.fox-it.com/nl/actueel/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/",
 "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/Aug.10.The_Italian_Connection_An_analysis_of_exploit_supply_chains_and_digital_quartermasters/HTExploitTelemetry.pdf",
- "https://unit42.paloaltonetworks.com/atoms/crawling-taurus/"
+ "https://unit42.paloaltonetworks.com/atoms/crawling-taurus/",
+ "https://www.mandiant.com/resources/insights/apt-groups"
 ],
 "synonyms": [
- "APT20",
+ "VIOLIN PANDA",
 "APT 20",
 "TH3Bug",
 "Twivy",
@@ -1461,7 +1436,7 @@
 ]
 },
 "uuid": "8bcd855f-a4c1-453a-bede-ff36582f4f40",
- "value": "Violin Panda"
+ "value": "APT20"
 },
 {
 "description": "A group targeting dissident groups in China and at the boundaries.",
@@ -1473,7 +1448,7 @@
 ]
 },
 "uuid": "1514546d-f6ea-4af3-bbea-24d6fd9e6761",
- "value": "Toxic Panda"
+ "value": "TOXIC PANDA"
 },
 {
 "description": "China-based cyber threat group. It has previously used newsworthy events as lures to deliver malware and has primarily targeted organizations involved in financial, economic, and trade policy, typically using publicly available RATs such as PoisonIvy, as well as some non-public backdoors. This threat actor targets prodemocratic activists and organizations in Hong Kong, European and international financial institutions, and a U.S.-based think tank.",
@@ -1515,7 +1490,7 @@
 }
 ],
 "uuid": "ac4bce1f-b3ec-4c44-bd36-b6cc986b319b",
- "value": "Temper Panda"
+ "value": "TEMPER PANDA"
 },
 {
 "description": "TrendMicro described Tropic Trooper in a 2015 report as: 'Taiwan and the Philippines have become the targets of an ongoing campaign called Operation TropicTrooper. Active since 2012, the attackers behind the campaign haveset their sights on the Taiwanese government as well as a number of companies in the heavy industry. The same campaign has also targeted key Philippine military agencies.'",
@@ -1532,10 +1507,11 @@
 "https://unit42.paloaltonetworks.com/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/",
 "https://blog.lookout.com/titan-mobile-threat",
 "https://attack.mitre.org/groups/G0081/",
- "https://www.secureworks.com/research/threat-profiles/bronze-hobart"
+ "https://www.secureworks.com/research/threat-profiles/bronze-hobart",
+ "https://www.mandiant.com/resources/insights/apt-groups"
 ],
 "synonyms": [
- "APT23",
+ "PIRATE PANDA",
 "KeyBoy",
 "Tropic Trooper",
 "BRONZE HOBART",
@@ -1543,7 +1519,7 @@
 ]
 },
 "uuid": "7f16d1f5-04ee-4d99-abf0-87e1f23f9fee",
- "value": "Pirate Panda"
+ "value": "APT23"
 },
 {
 "description": "Activity: defense and aerospace sectors, also interested in targeting entities in the oil/gas industry.",
@@ -3446,11 +3422,12 @@
 "https://attack.mitre.org/groups/G0039/",
 "https://exchange.xforce.ibmcloud.com/collection/Suckfly-APT-aa8af56fd12d25c98fc49ca5341160ab",
 "http://www.slideshare.net/CTruncer/ever-present-persistence-established-footholds-seen-in-the-wild",
- "https://www.secureworks.com/research/threat-profiles/bronze-olive"
+ "https://www.secureworks.com/research/threat-profiles/bronze-olive",
+ "https://www.mandiant.com/resources/insights/apt-groups"
 ],
 "synonyms": [
 "G0039",
- "APT22",
+ "Suckfly",
 "BRONZE OLIVE",
 "Group 46"
 ]
@@ -3465,7 +3442,7 @@
 }
 ],
 "uuid": "5abb12e7-5066-4f84-a109-49a037205c76",
- "value": "Suckfly"
+ "value": "APT22"
 },
 {
 "description": "FIN is a group targeting financial assets including assets able to do financial transaction including PoS.",
@@ -4064,22 +4041,6 @@
 "uuid": "1a77e156-76bc-43f5-bdd7-bd67f30fbbbb",
 "value": "Gamaredon Group"
 },
- {
- "description": "Hammer Panda is a group of suspected Chinese origin targeting organisations in Russia.",
- "meta": {
- "attribution-confidence": "50",
- "country": "CN",
- "refs": [
- "http://www.darkreading.com/endpoint/chinese-cyberspies-pivot-to-russia-in-wake-of-obama-xi-pact/d/d-id/1324242"
- ],
- "synonyms": [
- "Zhenbao",
- "TEMP.Zhenbao"
- ]
- },
- "uuid": "1f2762d9-a4b5-4457-ac51-00be05be9e23",
- "value": "Hammer Panda"
- },
 {
 "description": "Infy is a group of suspected Iranian origin.\nSince early 2013, we have observed activity from a unique threat actor group, which we began to investigate based on increased activities against human right activists in the beginning of 2015. In line5with other research on the campaign, released prior to publication of this document, we have adopted the name “Infy”, which is based on labels used in the infrastructure and its two families of malware agents.\nThanks to information we have been able to collect during the course of our research, such as characteristics of the group’s malware and development cycle, our research strongly supports the claim that the Infy group is of Iranian origin and potentially connected to the Iranian state. Amongst a backdrop of other incidents, Infy became one of the most frequently observed agents for attempted malware attacks against Iranian civil society beginning in late 2014, growing in use up to the February 2016 parliamentary election in Iran. After the conclusion of the parliamentary election, the rate of attempted intrusions and new compromises through the Infy agent slowed, but did not end. The trends witnessed in reports from recipients are reinforced through telemetry provided by design failures in more recent versions of the Infy malware.",
 "meta": {
@@ -4584,11 +4545,15 @@
 "refs": [
 "https://www.fireeye.com/current-threats/apt-groups.html",
 "https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-southeast-asia-threat-landscape.pdf",
- "https://www.secureworks.com/research/threat-profiles/bronze-fleetwood"
+ "https://www.secureworks.com/research/threat-profiles/bronze-fleetwood",
+ "https://www.mandiant.com/resources/insights/apt-groups",
+ "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi"
 ],
 "synonyms": [
+ "KEYHOLE PANDA",
 "MANGANESE",
- "BRONZE FLEETWOOD"
+ "BRONZE FLEETWOOD",
+ "TEMP.Bottle"
 ]
 },
 "uuid": "a47b79ae-7a0c-4308-9efc-294af19cc795",
@@ -4649,14 +4614,15 @@
 "attribution-confidence": "50",
 "country": "CN",
 "refs": [
- "https://www.secureworks.com/research/threat-profiles/bronze-express"
+ "https://www.secureworks.com/research/threat-profiles/bronze-express",
+ "https://www.uscc.gov/sites/default/files/2022-02/Adam_Kozy_Testimony.pdf"
 ],
 "synonyms": [
- "APT26",
 "Hippo Team",
 "JerseyMikes",
- "Turbine Panda",
- "BRONZE EXPRESS"
+ "TURBINE PANDA",
+ "BRONZE EXPRESS",
+ "TECHNETIUM"
 ]
 },
 "related": [
@@ -4676,7 +4642,7 @@
 }
 ],
 "uuid": "c097471c-2405-4393-b6d7-afbcb5f0cd11",
- "value": "APT 26"
+ "value": "APT26"
 },
 {
 "meta": {
@@ -4687,7 +4653,7 @@
 ]
 },
 "uuid": "67adfa07-869f-4052-9d56-b88a51489902",
- "value": "Sabre Panda"
+ "value": "SABRE PANDA"
 },
 {
 "meta": {
@@ -4698,7 +4664,7 @@
 ]
 },
 "uuid": "06e89270-ca1b-4cd4-85f3-940d23c76766",
- "value": "Big Panda"
+ "value": "BIG PANDA"
 },
 {
 "meta": {
@@ -4709,7 +4675,7 @@
 ]
 },
 "uuid": "5bc7382d-ddc6-46d3-96f5-1dbdadbd601c",
- "value": "Poisonous Panda"
+ "value": "POISONUS PANDA"
 },
 {
 "meta": {
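Review bot: The -4709 hunk rewrites the value `"Poisonous Panda"` as `"POISONUS PANDA"`, dropping the second O, so the upper-casing pass that the rest of this diff applies to the Panda names introduces a misspelling here that no longer matches the original name. Change the line to `"value": "POISONOUS PANDA"`. The -4584 hunk in this same span is the right way to absorb the deleted Keyhole Panda cluster, but it would be clearer with a `related` entry or description note pointing back at the retired uuid `ad022538-b457-4839-8ebd-3fdcc807a820`.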
@@ -4838,7 +4804,7 @@
 ]
 },
 "uuid": "cd6ac640-9ae9-4aa9-89cd-89b95be1a3ab",
- "value": "Test Panda"
+ "value": "TEST PANDA"
 },
 {
 "description": "Kaspersky Lab and Seculert worked together to sinkhole the Madi Command & Control (C&C) servers to monitor the campaign. Kaspersky Lab and Seculert identified more than 800 victims located in Iran, Israel and select countries across the globe connecting to the C&Cs over the past eight months. Statistics from the sinkhole revealed that the victims were primarily business people working on Iranian and Israeli critical infrastructure projects, Israeli financial institutions, Middle Eastern engineering students, and various government agencies communicating in the Middle East.\nCommon applications and websites that were spied on include accounts on Gmail, Hotmail, Yahoo! Mail, ICQ, Skype, Google+, and Facebook. Surveillance is also performed over integrated ERP/CRM systems, business contracts, and financial management systems.",
@@ -4878,7 +4844,7 @@
 ]
 },
 "uuid": "69059ec9-45c9-4961-a07e-6b2f2228f0ce",
- "value": "Electric Panda"
+ "value": "ELECTRIC PANDA"
 },
 {
 "meta": {
@@ -4900,18 +4866,18 @@
 "http://blog.trendmicro.com/trendlabs-security-intelligence/sykipot-now-targeting-us-civil-aviation-sector-information/",
 "https://www.sans.org/reading-room/whitepapers/malicious/detailed-analysis-sykipot-smartcard-proxy-variant-33919",
 "https://www.cfr.org/interactive/cyber-operations/sykipot",
- "https://www.secureworks.com/research/threat-profiles/bronze-edison"
+ "https://www.secureworks.com/research/threat-profiles/bronze-edison",
+ "https://www.mandiant.com/resources/insights/apt-groups"
 ],
 "synonyms": [
 "PLA Navy",
- "APT4",
- "APT 4",
+ "MAVERICK PANDA",
 "BRONZE EDISON",
 "Sykipot"
 ]
 },
 "uuid": "8e28dbee-4e9e-4491-9a6c-ee9c9ec4b28b",
- "value": "Maverick Panda"
+ "value": "APT4"
 },
 {
 "description": "This threat actor targets South Korean think tanks, industry, nuclear power operators, and the Ministry of Unification for espionage purposes.",
@@ -5014,7 +4980,7 @@
 ]
 },
 "uuid": "b07cf296-7ab9-4b85-a07e-421607c212b0",
- "value": "Gibberish Panda"
+ "value": "GIBBERISH PANDA"
 },
 {
 "description": "This threat actor targets the South Korean government, transportation, and energy sectors.",
@@ -5208,12 +5174,11 @@
 "https://threatpost.com/fbi-quietly-admits-to-multi-year-apt-attack-sensitive-data-stolen/117267/"
 ],
 "synonyms": [
- "1.php Group",
- "APT6"
+ "1.php Group"
 ]
 },
 "uuid": "1a2592a3-eab7-417c-bf2d-9c0558c2b3e7",
- "value": "APT 6"
+ "value": "APT6"
 },
 {
 "meta": {
@@ -5312,7 +5277,7 @@
 ]
 },
 "uuid": "43992f81-fd29-4228-94e0-c3aa3e65aab7",
- "value": "Pale Panda"
+ "value": "PALE PANDA"
 },
 {
 "meta": {
@@ -5586,16 +5551,18 @@
 "https://www.rnz.co.nz/news/political/447239/government-points-finger-at-china-over-cyber-attacks",
 "https://www.foreignminister.gov.au/minister/marise-payne/media-release/australia-joins-international-partners-attribution-malicious-cyber-activity-china",
 "https://www.mofa.go.jp/press/danwa/press6e_000312.html",
- "https://www.consilium.europa.eu/en/press/press-releases/2021/07/19/declaration-by-the-high-representative-on-behalf-of-the-eu-urging-china-to-take-action-against-malicious-cyber-activities-undertaken-from-its-territory"
+ "https://www.consilium.europa.eu/en/press/press-releases/2021/07/19/declaration-by-the-high-representative-on-behalf-of-the-eu-urging-china-to-take-action-against-malicious-cyber-activities-undertaken-from-its-territory",
+ "https://www.mandiant.com/resources/insights/apt-groups",
+ "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi",
+ "https://decoded.avast.io/threatintel/outbreak-of-follina-in-australia"
 ],
 "synonyms": [
 "TEMP.Periscope",
 "TEMP.Jumper",
- "APT 40",
- "APT40",
+ "Leviathan",
 "BRONZE MOHAWK",
 "GADOLINIUM",
- "Kryptonite Panda",
+ "KRYPTONITE PANDA",
 "G0065",
 "ATK29"
 ]
@@ -5610,7 +5577,7 @@
 }
 ],
 "uuid": "5b4b6980-3bc7-11e8-84d6-879aaac37dd9",
- "value": "Leviathan"
+ "value": "APT40"
 },
 {
 "description": "FireEye has identified APT35 operations dating back to 2014. APT35, also known as the Newscaster Team, is a threat group sponsored by the Iranian government that conducts long term, resource-intensive operations to collect strategic intelligence. APT35 typically targets U.S. and the Middle Eastern military, diplomatic and government personnel, organizations in the media, energy and defense industrial base (DIB), and engineering, business services and telecommunications sectors.",
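Review bot: The new reference `https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi` at -5586 is an opaque CMS binary URL with no document title in it, so a reader of `refs` cannot tell what it cites or check that it still resolves; the same URL is added in the hunks at -6964 and -8252. `https://www.mandiant.com/resources/insights/apt-groups` is likewise a landing page for every Mandiant-tracked group rather than an APT40-specific citation. Suggest pairing the opaque link with the report's public landing page, or at least naming the document in the commit description, and pointing the Mandiant ref at the APT40 section if the page offers a fragment for it. The cluster object starts before this hunk.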
@@ -5917,7 +5884,9 @@
 "meta": {
 "refs": [
 "https://www.recordedfuture.com/chinese-cyberespionage-operations",
- "https://go.recordedfuture.com/hubfs/reports/cta-2018-0626.pdf"
+ "https://go.recordedfuture.com/hubfs/reports/cta-2018-0626.pdf",
+ "https://go.recordedfuture.com/hubfs/reports/ta-2022-0816.pdf",
+ "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf"
 ],
 "synonyms": [
 "DeepCliff",
@@ -6745,7 +6714,7 @@
 ]
 },
 "uuid": "4b7df353-fbcc-4f00-a54f-5121c5edb9be",
- "value": "Nomad Panda"
+ "value": "NOMAD PANDA"
 },
 {
 "description": "This suspected Iran-based adversary conducted long-running SWC campaigns from December 2016 until public disclosure in July 2018. Like other Iran-based actors, the target scope for FLASH KITTEN appears to be focused on the MENA region.",
@@ -6964,7 +6933,10 @@
 "https://www.foreignminister.gov.au/minister/marise-payne/media-release/australia-joins-international-partners-attribution-malicious-cyber-activity-china",
 "https://www.consilium.europa.eu/en/press/press-releases/2021/07/19/declaration-by-the-high-representative-on-behalf-of-the-eu-urging-china-to-take-action-against-malicious-cyber-activities-undertaken-from-its-territory/",
 "https://www.cert.ssi.gouv.fr/ioc/CERTFR-2021-IOC-003",
- "https://twitter.com/bkMSFT/status/1417823714922610689"
+ "https://twitter.com/bkMSFT/status/1417823714922610689",
+ "https://www.mandiant.com/resources/insights/apt-groups",
+ "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf",
+ "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi"
 ],
 "synonyms": [
 "ZIRCONIUM",
@@ -7019,7 +6991,8 @@
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
 "https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/palmerworm-blacktech-espionage-apt",
- "https://unit42.paloaltonetworks.com/atoms/mangataurus/"
+ "https://unit42.paloaltonetworks.com/atoms/mangataurus/",
+ "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf"
 ],
 "synonyms": [
 "CIRCUIT PANDA",
@@ -7470,7 +7443,9 @@
 "https://unit42.paloaltonetworks.com/apt41-using-new-speculoos-backdoor-to-target-organizations-globally/",
 "https://www.mandiant.com/resources/report-apt41-double-dragon-a-dual-espionage-and-cyber-crime-operation",
 "https://www.cfr.org/cyber-operations/apt-41",
- "https://attack.mitre.org/groups/G0096/"
+ "https://attack.mitre.org/groups/G0096",
+ "https://www.uscc.gov/sites/default/files/2022-02/Adam_Kozy_Testimony.pdf",
+ "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf"
 ],
 "synonyms": [
 "Double Dragon",
@@ -7485,7 +7460,9 @@
 "BRONZE ATLAS",
 "BRONZE EXPORT",
 "Red Kelpie",
- "G0044"
+ "G0044",
+ "Earth Baku",
+ "Amoeba"
 ]
 },
 "related": [
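Review bot: The synonyms `"Earth Baku"` and `"Amoeba"` added at -7485 have no visibly matching source in the refs hunk at -7470, which only adds the USCC testimony PDF and the PwC year-in-retrospect report; if one of those is where the aliases come from, the diff does not make that apparent. Suggest citing the write-up that actually uses each alias in `refs`, or naming the source in the commit description, so the alias can be re-checked when this cluster is next edited. The `related` block that follows continues outside the hunk.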
@@ -8252,7 +8229,8 @@
 "https://www.thedailybeast.com/how-chinas-devastating-microsoft-hack-puts-us-all-at-risk",
 "https://www.rnz.co.nz/news/political/447239/government-points-finger-at-china-over-cyber-attacks",
 "https://www.gov.uk/government/news/uk-and-allies-hold-chinese-state-responsible-for-a-pervasive-pattern-of-hacking",
- "https://www.foreignminister.gov.au/minister/marise-payne/media-release/australia-joins-international-partners-attribution-malicious-cyber-activity-china"
+ "https://www.foreignminister.gov.au/minister/marise-payne/media-release/australia-joins-international-partners-attribution-malicious-cyber-activity-china",
+ "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi"
 ],
 "synonyms": [
 "ATK233",
@@ -9404,10 +9382,12 @@
 ],
 "country": "CN",
 "refs": [
- "https://www.mandiant.com/resources/apt-groups#apt19",
- "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf"
+ "https://otx.alienvault.com/pulse/55bbc68e67db8c2d547ae393",
+ "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf",
+ "https://www.mandiant.com/resources/insights/apt-groups"
 ],
 "synonyms": [
+ "NIGHTSHADE PANDA",
 "Red Pegasus"
 ]
 },
@@ -9696,7 +9676,7 @@
 ]
 },
 "uuid": "8d73715a-8bbd-4eaa-ae24-2f1b1c84cf21",
- "value": "Goblin Panda"
+ "value": "GOBLIN PANDA"
 },
 {
 "description": "Since 2018, security researchers tracked a financially-motivated cybercrime actor, TA558, targeting hospitality, travel, and related industries located in Latin America and sometimes North America, and western Europe. The actor sends malicious emails written in Portuguese, Spanish, and sometimes English. The emails use reservation-themed lures with business-relevant themes such as hotel room bookings. The emails may contain malicious attachments or URLs aiming to distribute one of at least 15 different malware payloads.",
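Review bot: The refs change at -9404 swaps the section-specific `https://www.mandiant.com/resources/apt-groups#apt19` for the generic `https://www.mandiant.com/resources/insights/apt-groups`, so the entry loses the pointer to which group section supports it at the same time as it gains the `NIGHTSHADE PANDA` synonym alongside a new OTX pulse ref. If the `#apt19` fragment was wrong for this cluster, that is worth a sentence in the commit description; if it was right, keep the fragment on the new URL, e.g. `"https://www.mandiant.com/resources/insights/apt-groups#apt19"`, provided the new page still exposes it. The same generic Mandiant page is now cited by several different clusters in this diff, which makes it weak evidence for any one of them. The cluster object starts before this hunk.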