From bbe84c5985082309aed55f5cc83179d00bb892f9 Mon Sep 17 00:00:00 2001
From: Rony
Date: Tue, 16 Aug 2022 12:07:59 +0530
Subject: [PATCH] updates to russian actors
---
 clusters/threat-actor.json | 255 ++++++++++---------------------------
 1 file changed, 67 insertions(+), 188 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index c3687d7..25225c1 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -2366,28 +2366,27 @@
 "https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag"
 ],
 "synonyms": [
- "APT 28",
- "APT28",
 "Pawn Storm",
- "PawnStorm",
 "FANCY BEAR",
 "Sednit",
 "SNAKEMACKEREL",
- "TsarTeam",
 "Tsar Team",
 "TG-4127",
- "Group-4127",
 "STRONTIUM",
- "TAG_0700",
 "Swallowtail",
 "IRON TWILIGHT",
 "Group 74",
 "SIG40",
 "Grizzly Steppe",
- "apt_sofacy",
 "G0007",
 "ATK5",
- "Fighting Ursa"
+ "Fighting Ursa",
+ "ITG05",
+ "Blue Athena",
+ "TA422",
+ "T-APT-12",
+ "APT-C-20",
+ "UAC-0028"
 ]
 },
 "related": [
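Review bot: The cluster's current value `Sofacy` (renamed to `APT28` in the next hunk) is not kept in this synonyms list, so anything keyed on that name — tags derived from the value such as `misp-galaxy:threat-actor="Sofacy"`, or lookups by the Kaspersky/Unit 42 name — stops resolving to this cluster; add `"Sofacy",` alongside the new vendor names. Dropping `APT 28`, `TAG_0700` and `apt_sofacy` likewise removes lookup keys with no replacement (the Turla cluster later in this patch still keeps `TAG_0530`), so either keep them or state in the commit message that variant spellings are being pruned on purpose. `Grizzly Steppe` stays listed here and under APT29; that overlap predates this change, but it is worth a note since the name is a US-CERT umbrella term rather than a group alias.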
@@ -2407,7 +2406,7 @@ } ], "uuid": "5b4ee3ea-eee3-4c8e-8323-85ae32658754", - "value": "Sofacy" + "value": "APT28" }, { "description": "A 2015 report by F-Secure describe APT29 as: 'The Dukes are a well-resourced, highly dedicated and organized cyberespionage group that we believe has been working for the Russian Federation since at least 2008 to collect intelligence in support of foreign and security policy decision-making. The Dukes show unusual confidence in their ability to continue successfully compromising their targets, as well as in their ability to operate with impunity. The Dukes primarily target Western governments and related organizations, such as government ministries and agencies, political think tanks, and governmental subcontractors. Their targets have also included the governments of members of the Commonwealth of Independent States;Asian, African, and Middle Eastern governments;organizations associated with Chechen extremism;and Russian speakers engaged in the illicit trade of controlled substances and drugs. The Dukes are known to employ a vast arsenal of malware toolsets, which we identify as MiniDuke, CosmicDuke, OnionDuke, CozyDuke, CloudDuke, SeaDuke, HammerDuke, PinchDuke, and GeminiDuke. In recent years, the Dukes have engaged in apparently biannual large - scale spear - phishing campaigns against hundreds or even thousands of recipients associated with governmental institutions and affiliated organizations. These campaigns utilize a smash - and - grab approach involving a fast but noisy breakin followed by the rapid collection and exfiltration of as much data as possible.If the compromised target is discovered to be of value, the Dukes will quickly switch the toolset used and move to using stealthier tactics focused on persistent compromise and long - term intelligence gathering. 
This threat actor targets government ministries and agencies in the West, Central Asia, East Africa, and the Middle East; Chechen extremist groups; Russian organized crime; and think tanks. It is suspected to be behind the 2015 compromise of unclassified networks at the White House, Department of State, Pentagon, and the Joint Chiefs of Staff. The threat actor includes all of the Dukes tool sets, including MiniDuke, CosmicDuke, OnionDuke, CozyDuke, SeaDuke, CloudDuke (aka MiniDionis), and HammerDuke (aka Hammertoss). '",
@@ -2450,28 +2449,20 @@
 "https://unit42.paloaltonetworks.com/atoms/cloaked-ursa/"
 ],
 "synonyms": [
- "Dukes",
 "Group 100",
- "Cozy Duke",
- "CozyDuke",
- "EuroAPT",
- "CozyBear",
- "CozyCar",
- "Cozer",
- "Office Monkeys",
- "OfficeMonkeys",
- "APT29",
- "Cozy Bear",
+ "COZY BEAR",
 "The Dukes",
 "Minidionis",
 "SeaDuke",
- "Hammer Toss",
 "YTTRIUM",
- "Iron Hemlock",
+ "IRON HEMLOCK",
 "Grizzly Steppe",
 "G0016",
 "ATK7",
- "Cloaked Ursa"
+ "Cloaked Ursa",
+ "TA421",
+ "Blue Kitsune",
+ "ITG11"
 ]
 },
 "related": [
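Review bot: The old value `APT 29` (renamed to `APT29` in the following hunk) and the `CozyDuke`/`Cozy Duke`/`Dukes` names are removed from this synonyms list without being retained, so tags built from the former value and lookups by the Dukes name no longer resolve to this cluster; keep `"APT 29",` and `"CozyDuke",` in the list. `Cozy Bear` becomes `COZY BEAR` and `Iron Hemlock` becomes `IRON HEMLOCK`; if synonym matching in consumers is case-sensitive this silently breaks existing data, so either keep the previous spelling too or state the casing convention (vendor names in the vendor's own case) in the commit message. `Hammer Toss` and `Minidionis` are tool names rather than group aliases; this hunk drops one and keeps the other, which reads as inconsistent unless the rule is explained.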
@@ -2484,7 +2475,7 @@ } ], "uuid": "b2056ff0-00b9-482e-b11c-c771daa5f28a", - "value": "APT 29" + "value": "APT29" }, { "description": "A 2014 Guardian article described Turla as: 'Dubbed the Turla hackers, initial intelligence had indicated western powers were key targets, but it was later determined embassies for Eastern Bloc nations were of more interest. Embassies in Belgium, Ukraine, China, Jordan, Greece, Kazakhstan, Armenia, Poland, and Germany were all attacked, though researchers from Kaspersky Lab and Symantec could not confirm which countries were the true targets. In one case from May 2012, the office of the prime minister of a former Soviet Union member country was infected, leading to 60 further computers being affected, Symantec researchers said. There were some other victims, including the ministry for health of a Western European country, the ministry for education of a Central American country, a state electricity provider in the Middle East and a medical organisation in the US, according to Symantec. It is believed the group was also responsible for a much - documented 2008 attack on the US Central Command. The attackers - who continue to operate - have ostensibly sought to carry out surveillance on targets and pilfer data, though their use of encryption across their networks has made it difficult to ascertain exactly what the hackers took.Kaspersky Lab, however, picked up a number of the attackers searches through their victims emails, which included terms such as Nato and EU energy dialogue Though attribution is difficult to substantiate, Russia has previously been suspected of carrying out the attacks and Symantecs Gavin O’ Gorman told the Guardian a number of the hackers appeared to be using Russian names and language in their notes for their malicious code. Cyrillic was also seen in use.'", 
@@ -2549,14 +2540,11 @@
 "https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag"
 ],
 "synonyms": [
- "Turla",
 "Snake",
- "Venomous Bear",
 "VENOMOUS Bear",
 "Group 88",
 "Waterbug",
 "WRAITH",
- "Turla Team",
 "Uroburos",
 "Pfinet",
 "TAG_0530",
@@ -2565,10 +2553,12 @@
 "Pacifier APT",
 "Popeye",
 "SIG23",
- "Iron Hunter",
+ "IRON HUNTER",
 "MAKERSMARK",
 "ATK13",
- "G0010"
+ "G0010",
+ "ITG12",
+ "Blue Python"
 ]
 },
 "related": [
@@ -2588,7 +2578,7 @@
 }
 ],
 "uuid": "fa80877c-f509-4daf-8b62-20aba1635f68",
- "value": "Turla Group"
+ "value": "Turla"
 },
 {
 "description": "A Russian group that collects intelligence on the energy industry.",
@@ -2628,10 +2618,13 @@
 "https://www.kaspersky.com/resource-center/threats/crouching-yeti-energetic-bear-malware-threat",
 "https://www.sans.org/reading-room/whitepapers/ICS/impact-dragonfly-malware-industrial-control-systems-36672",
 "https://attack.mitre.org/groups/G0035/",
- "https://www.secureworks.com/research/resurgent-iron-liberty-targeting-energy-sector"
+ "https://www.secureworks.com/research/resurgent-iron-liberty-targeting-energy-sector",
+ "https://dragos.com/adversaries.html",
+ "https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf",
+ "https://www.cfr.org/interactive/cyber-operations/dymalloy"
 ],
 "synonyms": [
- "Beserk Bear",
+ "BERSERK BEAR",
 "ALLANITE",
 "CASTLE",
 "DYMALLOY",
@@ -2640,11 +2633,13 @@
 "Crouching Yeti",
 "Group 24",
 "Havex",
- "CrouchingYeti",
 "Koala Team",
 "IRON LIBERTY",
 "G0035",
- "ATK6"
+ "ATK6",
+ "ITG15",
+ "BROMINE",
+ "Blue Kraken"
 ]
 },
 "related": [
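Review bot: `Turla Team` is dropped in this hunk and the old value `Turla Group` is dropped in the `@@ -2588` hunk below, with neither kept as a synonym, so tags and lookups built on the former value stop resolving to `fa80877c-…`; add `"Turla Group",` (and keep `"Turla Team",`) next to `Snake`. Removing `Venomous Bear` in favour of the existing `VENOMOUS Bear`, and `Iron Hunter` → `IRON HUNTER` in the next hunk, leaves a single casing of each name; if consumers match synonyms case-sensitively the old spelling is lost, so keep both or document the casing rule in the commit message. The `related` list that starts at the end of the second hunk continues outside this patch and should be checked against the four cluster uuids this patch deletes.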
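Review bot: The three refs added after the secureworks line in the `@@ -2628` hunk are the ones from the DYMALLOY cluster this patch deletes (`@@ -6102`), but that cluster's other data — `attribution-confidence: 50`, `cfr-suspected-state-sponsor: Unknown`, the `Dragonfly 2.0`/`Dragonfly2`/`Berserker Bear` synonyms and its `mode-of-operation`/`victimology` text — is not carried into this cluster, so the merge silently drops both the weaker attribution and several lookup names (unless the two unshown lines between `DYMALLOY` and `Crouching Yeti` already hold them). Add `"Dragonfly 2.0",` and `"Dragonfly2",` to the synonym list, and if the merged cluster asserts a firmer country/confidence than the DYMALLOY entry did, say so in the description. The cited Dragos adversary list treats ALLANITE and DYMALLOY as distinct activity groups, so folding both under one Energetic Bear cluster is an analytic decision that deserves a sentence in the commit message. The value becomes `ENERGETIC BEAR` in the next hunk; keep `"Energetic Bear",` as a synonym so existing tags on the old value still match, and check other clusters' `related.dest-uuid` entries for the deleted `a08ab076-…` (DYMALLOY) and `90ef600f-…` (Berserk Bear) uuids.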
@@ -2657,7 +2652,7 @@ } ], "uuid": "64d6559c-6d5c-4585-bbf9-c17868f763ee", - "value": "Energetic Bear" + "value": "ENERGETIC BEAR" }, { "description": "This threat actor targets industrial control systems, using a tool called Black Energy, associated with electricity and power generation for espionage, denial of service, and data destruction purposes. Some believe that the threat actor is linked to the 2015 compromise of the Ukrainian electrical grid and a distributed denial of service prior to the Russian invasion of Georgia. Believed to be responsible for the 2008 DDoS attacks in Georgia and the 2015 Ukraine power grid outage", 
@@ -2689,19 +2684,31 @@
 "https://ics.sans.org/blog/2016/01/09/confirmation-of-a-coordinated-attack-on-the-ukrainian-power-grid",
 "https://web.archive.org/web/20141016132823/https://www.symantec.com/connect/blogs/sandworm-windows-zero-day-vulnerability-being-actively-exploited-targeted-attacks",
 "https://ics.sans.org/blog/2015/12/30/current-reporting-on-the-cyber-attack-in-ukraine-resulting-in-power-outage",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/timeline-of-sandworm-attacks/",
- "https://attack.mitre.org/groups/G0034/",
- "https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag"
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/timeline-of-sandworm-attacks",
+ "https://attack.mitre.org/groups/G0034",
+ "https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag",
+ "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf",
+ "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf",
+ "https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf",
+ "https://dragos.com/adversaries.html",
+ "http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks",
+ "https://www.welivesecurity.com/2017/01/05/killdisk-now-targeting-linux-demands-250k-ransom-cant-decrypt",
+ "https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine",
+ "https://www.welivesecurity.com/2017/05/23/xdata-ransomware-making-rounds-amid-global-wannacryptor-scare",
+ "https://www.welivesecurity.com/2017/06/27/new-ransomware-attack-hits-ukraine",
+ "https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/timeline-of-sandworm-attacks"
 ],
 "synonyms": [
- "Sandworm Team",
- "Black Energy",
- "BlackEnergy",
 "Quedagh",
 "VOODOO BEAR",
 "TEMP.Noble",
- "Iron Viking",
- "G0034"
+ "IRON VIKING",
+ "G0034",
+ "ELECTRUM",
+ "TeleBots",
+ "IRIDIUM",
+ "Blue Echidna"
 ]
 },
 "related": [
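Review bot: `https://blog.trendmicro.com/trendlabs-security-intelligence/timeline-of-sandworm-attacks` now appears twice in the refs — once as the rewritten third entry and again as the last added line, copied over from the deleted TeleBots cluster — so drop the second copy. `Sandworm Team` is removed from the synonyms although it is the ATT&CK group name behind the `G0034` ref that is kept, and `ELECTRUM`/`TeleBots` arrive as bare names while the deleted ELECTRUM cluster's `capabilities: CRASHOVERRIDE`, `since: 2016` and `victimology` fields are not carried over (the Sandworm meta block outside this hunk may hold equivalents; worth checking). Keep `"Sandworm Team",` and `"BlackEnergy",` so existing lookups still resolve, and make the `http://www.welivesecurity.com/2016/12/13/...` ref `https://` like its neighbours. Because this patch deletes the TeleBots (`b47250ec-…`) and ELECTRUM (`feac86e4-…`) clusters, the `related` list that begins at the end of this hunk should be checked for `dest-uuid` entries pointing at them, which would now dangle.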
@@ -2737,50 +2744,6 @@ "uuid": "f512de42-f76b-40d2-9923-59e7dbdfec35", "value": "Sandworm" }, - { - "description": "We will refer to the gang behind the malware as TeleBots. However it’s important to say that these attackers, and the toolset used, share a number of similarities with the BlackEnergy group, which conducted attacks against the energy industry in Ukraine in December 2015 and January 2016. In fact, we think that the BlackEnergy group has evolved into the TeleBots group. TeleBots appear to be associated with Sandworm Team, Iron Viking, Voodoo Bear.", - "meta": { - "attribution-confidence": "50", - "country": "RU", - "refs": [ - "http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/", - "https://www.welivesecurity.com/2017/01/05/killdisk-now-targeting-linux-demands-250k-ransom-cant-decrypt/", - "https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/", - "https://www.welivesecurity.com/2017/05/23/xdata-ransomware-making-rounds-amid-global-wannacryptor-scare/", - "https://www.welivesecurity.com/2017/06/27/new-ransomware-attack-hits-ukraine/", - "https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/", - "https://blog.trendmicro.com/trendlabs-security-intelligence/timeline-of-sandworm-attacks/" - ], - "synonyms": [ - "Sandworm" - ] - }, - "related": [ - { - "dest-uuid": "381fcf73-60f6-4ab2-9991-6af3cbc35192", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "f512de42-f76b-40d2-9923-59e7dbdfec35", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "feac86e4-6bb2-4ba0-ac99-806aeb0a776c", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], - "uuid": "b47250ec-2094-4d06-b658-11456e05fe89", - "value": "TeleBots" - }, { "description": "Groups targeting financial organizations or people 
with significant financial assets.", "meta": { @@ -2870,7 +2833,6 @@ "synonyms": [ "TeamSpy", "Team Bear", - "Berserk Bear", "Anger Bear", "IRON LYRIC" ] @@ -2905,23 +2867,6 @@ "uuid": "b737c51f-b579-49d5-a907-743b2e6d03cb", "value": "BuhTrap" }, - { - "meta": { - "attribution-confidence": "50", - "country": "RU" - }, - "related": [ - { - "dest-uuid": "82c1c7fa-c67b-4be6-9be8-8aa400ef2445", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], - "uuid": "90ef600f-5198-44a9-a2c6-de4b4d9d8624", - "value": "Berserk Bear" - }, { "description": "FIN4 is a financially-motivated threat group that has targeted confidential information related to the public financial market, particularly regarding healthcare and pharmaceutical companies, since at least 2013. FIN4 is unique in that they do not infect victims with typical persistent malware, but rather they focus on capturing credentials authorized to access email and other non-public correspondence.", "meta": { 
@@ -4267,23 +4212,30 @@
 "refs": [
 "http://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution",
 "https://www.lookingglasscyber.com/wp-content/uploads/2015/08/Operation_Armageddon_Final.pdf",
- "https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution/",
- "https://attack.mitre.org/groups/G0047/",
+ "https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution",
+ "https://attack.mitre.org/groups/G0047",
 "https://github.com/StrangerealIntel/CyberThreatIntel/tree/master/Russia/APT/Gamaredon",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
- "https://www.welivesecurity.com/2020/06/18/digging-up-invisimole-hidden-arsenal/",
+ "https://www.welivesecurity.com/2020/06/18/digging-up-invisimole-hidden-arsenal",
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine",
- "https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/",
- "https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/",
- "https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/",
- "https://unit42.paloaltonetworks.com/atoms/tridentursa/"
+ "https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations",
+ "https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game",
+ "https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2019-1212.pdf",
+ "https://unit42.paloaltonetworks.com/atoms/tridentursa"
 ],
 "synonyms": [
- "Primitive Bear",
- "Shuckworm",
 "ACTINIUM",
+ "DEV-0157",
+ "Blue Otso",
+ "BlueAlpha",
 "G0047",
- "Trident Ursa"
+ "IRON TILDEN",
+ "PRIMITIVE BEAR",
+ "Shuckworm",
+ "Trident Ursa",
+ "UAC-0010",
+ "Winterflounder"
 ]
 },
 "related": [
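Review bot: `Primitive Bear` is replaced by `PRIMITIVE BEAR` while `Shuckworm` and `Trident Ursa` are only re-ordered, so the one lookup-affecting change here is the casing of a widely used CrowdStrike name; if consumers match synonyms case-sensitively the old spelling stops matching, so keep `"Primitive Bear",` next to the upper-case form or record the convention in the commit message. The kept first ref (`http://researchcenter.paloaltonetworks.com/2017/02/...gamaredon-group-toolset-evolution`) and the rewritten `https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution` point at the same article, so since this hunk is already normalising URLs it would be consistent to keep only the https unit42 one. The trailing-slash removal is cosmetic but it rewrites every existing ref; a one-line note that the URLs were verified to still resolve would save the next reviewer from re-checking them.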
@@ -4611,49 +4563,6 @@ "uuid": "1fc5671f-5757-43bf-8d6d-a9a93b03713a", "value": "PLATINUM" }, - { - "description": "Adversaries abusing ICS (based on Dragos Inc adversary list). Dragos, Inc. tracks the adversary group behind CRASHOVERRIDE as ELECTRUM and assesses with high confidence through confidential sources that ELECTRUM has direct ties to the Sandworm team. Our intelligence ICS WorldView customers have received a comprehensive report and this industry report will not get into sensitive technical details but instead focus on information needed for defense and impact awareness.", - "meta": { - "capabilities": "CRASHOVERRIDE", - "mode-of-operation": "Electric grid disruption and long-term persistence", - "refs": [ - "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf", - "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf", - "https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf", - "https://dragos.com/adversaries.html" - ], - "since": "2016", - "synonyms": [ - "Sandworm" - ], - "victimology": "Ukraine, Electric Utilities" - }, - "related": [ - { - "dest-uuid": "381fcf73-60f6-4ab2-9991-6af3cbc35192", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "f512de42-f76b-40d2-9923-59e7dbdfec35", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "b47250ec-2094-4d06-b658-11456e05fe89", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], - "uuid": "feac86e4-6bb2-4ba0-ac99-806aeb0a776c", - "value": "ELECTRUM" - }, { "description": "Dragos has identified a new activity group targeting access operations in the electric utility sector. We call this activity group RASPITE. Analysis of RASPITE tactics, techniques, and procedures (TTPs) indicate the group has been active in some form since early- to mid-2017. 
RASPITE targeting includes entities in the US, Middle East, Europe, and East Asia. Operations against electric utility organizations appear limited to the US at this time. RASPITE leverages strategic website compromise to gain initial access to target networks. RASPITE uses the same methodology as DYMALLOY and ALLANITE in embedding a link to a resource to prompt an SMB connection, from which it harvests Windows credentials. The group then deploys install scripts for a malicious service to beacon back to RASPITE-controlled infrastructure, allowing the adversary to remotely access the victim machine.", "meta": { @@ -6102,36 +6011,6 @@ "uuid": "a0082cfa-32e2-42b8-92d8-5c7a7409dcf1", "value": "CHRYSENE" }, - { - "description": "Adversaries abusing ICS (based on Dragos Inc adversary list).\nThis threat actor targets industrial control systems in Turkey, Europe, and North America.\n Believed to be linked to Crouching Yeti", - "meta": { - "attribution-confidence": "50", - "capabilities": "GOODOR, DORSHEL, KARAGANY, Mimikatz", - "cfr-suspected-state-sponsor": "Unknown", - "cfr-suspected-victims": [ - "Turkey" - ], - "cfr-target-category": [ - "Private sector" - ], - "cfr-type-of-incident": "Espionage", - "mode-of-operation": "Deep ICS environment information gathering, operator credentials, industrial process details", - "refs": [ - "https://dragos.com/adversaries.html", - "https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf", - "https://www.cfr.org/interactive/cyber-operations/dymalloy" - ], - "since": "2016", - "synonyms": [ - "Dragonfly 2.0", - "Dragonfly2", - "Berserker Bear" - ], - "victimology": "Turkey, Europe, US" - }, - "uuid": "a08ab076-33c1-4350-b021-650c34277f2d", - "value": "DYMALLOY" - }, { "description": "Adversaries abusing ICS (based on Dragos Inc adversary list).", "meta": {