From e61733591f3a51a94b005f71e11222d42af31964 Mon Sep 17 00:00:00 2001 From: Mathieu Beligon Date: Wed, 2 Nov 2022 20:30:40 -0700 Subject: [PATCH 1/2] [threat-actors] Remove SectorJ04 duplicate --- clusters/threat-actor.json | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index b4923fb..36d0f1f 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -6477,7 +6477,9 @@ "https://www.telekom.com/en/blog/group/article/eager-beaver-a-short-overview-of-the-restless-threat-actor-ta505-609546", "https://blog.fox-it.com/2020/11/16/ta505-a-brief-history-of-their-time/", "https://www.secureworks.com/blog/how-cyber-adversaries-are-adapting-to-exploit-the-global-pandemic", - "https://cyberthreat.thalesgroup.com/attackers/ATK103" + "https://cyberthreat.thalesgroup.com/attackers/ATK103", + "https://securityintelligence.com/posts/ta505-continues-to-infect-networks-with-sdbbot-rat/", + "https://www.tenable.com/blog/cve-2020-1472-advanced-persistent-threat-actors-use-zerologon-vulnerability-in-exploit-chain" ], "synonyms": [ "SectorJ04 Group", @@ -6485,7 +6487,9 @@ "GOLD TAHOE", "Dudear", "G0092", - "ATK103" + "ATK103", + "Hive0065", + "CHIMBORAZO" ] }, "uuid": "03c80674-35f8-4fe0-be2b-226ed0fcd69f", @@ -7492,11 +7496,6 @@ "uuid": "9c124874-042d-48cd-b72b-ccdc51ecbbd6", "value": "APT41" }, - { - "description": "SectorJ04 is a Russian-based cybercrime group that began operating about five years ago and conducted hacking activities for financial profit using malware such as banking trojans and ransomware against national and industrial sectors located across Europe, North America and West Africa.\nIn 2019, the SectorJ04 group expanded its hacking activities to cover various industrial sectors located across Southeast Asia and East Asia, and is changing the pattern of their attacks from targeted attacks to searching for random victims. This report includes details related to the major hacking targets of the SectorJ04 group in 2019, how those targets were hacked, characteristics of their hacking activities this year and recent cases of the SectorJ04 group’s hacking.", - "uuid": "50e25cfb-8b4d-408d-a7c6-bd0672662d39", - "value": "SectorJ04" - }, { "description": "A previously undocumented attack group is using both custom and off-the-shelf malware to target IT providers in Saudi Arabia in what appear to be supply chain attacks with the end goal of compromising the IT providers’ customers.\nThe group, which we are calling Tortoiseshell, has been active since at least July 2018. Symantec has identified a total of 11 organizations hit by the group, the majority of which are based in Saudi Arabia. In at least two organizations, evidence suggests that the attackers gained domain admin-level access.", "meta": { From a452263aceea3b0879630f8ff22693a2fc516583 Mon Sep 17 00:00:00 2001 From: Mathieu Beligon Date: Fri, 27 Jan 2023 13:32:58 +0100 Subject: [PATCH 2/2] [threat-actors] pr.review: Add SectorJ04 as alias of TA505 --- clusters/threat-actor.json | 1 + 1 file changed, 1 insertion(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 36d0f1f..02c9db0 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -6482,6 +6482,7 @@ "https://www.tenable.com/blog/cve-2020-1472-advanced-persistent-threat-actors-use-zerologon-vulnerability-in-exploit-chain" ], "synonyms": [ + "SectorJ04", "SectorJ04 Group", "GRACEFUL SPIDER", "GOLD TAHOE",