diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 2676e58..eb98b36 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -9200,29 +9200,54 @@ "value": "UNC3524" }, { - "description": "Curious Gorge, a group TAG attributes to China's PLA SSF, has conducted campaigns against government and military organizations in Ukraine, Russia, Kazakhstan, and Mongolia. The actor has remained active against government, military, logistics and manufacturing organizations in Ukraine, Russia and Central Asia. In Russia, long running campaigns against multiple government organizations have continued, including the Ministry of Foreign Affairs. Over the past week, TAG identified additional compromises impacting multiple Russian defense contractors and manufacturers and a Russian logistics company.", - "meta": { - "cfr-suspected-victims":[ - "Ukraine", - "Russia", - "Kazakhstan", - "Mongolia" - ], - "cfr-target-category": [ - "Government", - "Military", - "Logistics", - "Defense Contractor" - ], - "cfr-type-of-incident": "Espionage", - "country": "CN", - "refs": [ - "https://blog.google/threat-analysis-group/tracking-cyber-activity-eastern-europe", - "https://blog.google/threat-analysis-group/update-on-cyber-activity-in-eastern-europe/" + "description": "Curious Gorge, a group TAG attributes to China's PLA SSF, has conducted campaigns against government and military organizations in Ukraine, Russia, Kazakhstan, and Mongolia. The actor has remained active against government, military, logistics and manufacturing organizations in Ukraine, Russia and Central Asia. In Russia, long running campaigns against multiple government organizations have continued, including the Ministry of Foreign Affairs. Over the past week, TAG identified additional compromises impacting multiple Russian defense contractors and manufacturers and a Russian logistics company.", + "meta": { + "cfr-suspected-victims": [ + "Ukraine", + "Russia", + "Kazakhstan", + "Mongolia" + ], + "cfr-target-category": [ + "Government", + "Military", + "Logistics", + "Defense Contractor" + ], + "cfr-type-of-incident": "Espionage", + "country": "CN", + "refs": [ + "https://blog.google/threat-analysis-group/tracking-cyber-activity-eastern-europe", + "https://blog.google/threat-analysis-group/update-on-cyber-activity-in-eastern-europe/" ] - }, - "uuid": "6ee284d9-2742-4468-851c-a61366cc9a20", - "value": "Curious Gorge" + }, + "uuid": "6ee284d9-2742-4468-851c-a61366cc9a20", + "value": "Curious Gorge" + }, + { + "description": "Since 2021, Red Menshen, a China based threat actor, which has been observed targeting telecommunications providers across the Middle East and Asia, as well as entities in the government, education, and logistics sectors using a custom backdoor referred as BPFDoor. This threat actor uses a variety of tools in its post-exploitation phase. This includes custom variants of the shared tool Mangzamel (including Golang variants), custom variants of Gh0st, and open source tools like Mimikatz and Metasploit to aid in its lateral movement across Windows systems. Also, They have been seen sending commands to BPFDoor victims via Virtual Privat Servers (VPSs) hosted at a well-known provider, and that these VPSs, in turn, are administered via compromised routers based in Taiwan, which the threat actor uses as VPN tunnels. Most Red Menshen activity that has been observed took place between Monday to Friday (with none observed on the weekends), with most communication taking place between 01:00 and 10:00 UTC.131 This pattern suggests a consistent 8 to 9-hour activity window for the threat actor, with realistic probability of it aligning to local working hours.", + "meta": { + "cfr-suspected-victims": [ + "Middle East", + "Asia" + ], + "cfr-target-category": [ + "Government", + "Education", + "Logistics" + ], + "country": "CN", + "refs": [ + "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf", + "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-annex-download.pdf", + "https://troopers.de/troopers22/talks/7cv8pz" + ], + "synonyms": [ + "Red Dev 18" + ] + }, + "uuid": "bfe66711-32dc-4c1f-b78b-9b2f9e4c1525", + "value": "Red Menshen" } ], "version": 222