From 98f0572d51d12d7297f29a2a178b643fbf017a5d Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Fri, 14 Jun 2019 16:06:09 +0200
Subject: [PATCH 1/9] update threat actor galaxy
---
 clusters/threat-actor.json | 209 ++++++++++++++++++++++++++++++-------
 1 file changed, 169 insertions(+), 40 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 4f474b0..62c6de0 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -291,16 +291,19 @@
 "country": "CN",
 "refs": [
 "http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf",
- "https://www.cfr.org/interactive/cyber-operations/putter-panda"
+ "https://www.cfr.org/interactive/cyber-operations/putter-panda",
+ "https://attack.mitre.org/groups/G0024/"
 ],
 "synonyms": [
 "PLA Unit 61486",
 "APT 2",
+ "APT2",
 "Group 36",
 "APT-2",
 "MSUpdater",
 "4HCrew",
 "SULPHUR",
+ "SearchFire",
 "TG-6952"
 ]
 },
@@ -1390,7 +1393,12 @@
 "attribution-confidence": "50",
 "country": "CN",
 "refs": [
- "http://blog.airbuscybersecurity.com/post/2014/07/The-Eye-of-the-Tiger2"
+ "http://blog.airbuscybersecurity.com/post/2014/07/The-Eye-of-the-Tiger2",
+ "http://blog.cassidiancybersecurity.com/post/2014/07/The-Eye-of-the-Tiger2",
+ "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/2014.07.11.Pitty_Tiger/Pitty_Tiger_Final_Report.pdf",
+ "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/targeted-attacks-on-french-company-exploit-multiple-word-vulnerabilities/",
+ "https://www.fireeye.com/blog/threat-research/2014/07/spy-of-the-tiger.html",
+ "https://attack.mitre.org/groups/G0011/"
 ],
 "synonyms": [
 "PittyTiger",
@@ -1412,7 +1420,8 @@
 {
 "meta": {
 "refs": [
- "http://researchcenter.paloaltonetworks.com/2015/12/bbsrat-attacks-targeting-russian-organizations-linked-to-roaming-tiger/"
+ "https://unit42.paloaltonetworks.com/bbsrat-attacks-targeting-russian-organizations-linked-to-roaming-tiger/",
+ "http://2014.zeronights.org/assets/files/slides/roaming_tiger_zeronights_2014.pdf"
 ]
 },
 "uuid": "1fb177c1-472a-4147-b7c4-b5269b11703d",
@@ -1625,11 +1634,12 @@
 "attribution-confidence": "50",
 "country": "CN",
 "refs": [
- "https://community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india",
+ "https://blog.rapid7.com/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india/",
 "http://www.crowdstrike.com/blog/rhetoric-foreshadows-cyber-activity-in-the-south-china-sea/"
 ],
 "synonyms": [
 "APT23",
+ "APT 23",
 "KeyBoy"
 ]
 },
@@ -2315,7 +2325,43 @@
 "https://blogs.microsoft.com/on-the-issues/2018/08/20/we-are-taking-new-steps-against-broadening-threats-to-democracy/",
 "https://www.bleepingcomputer.com/news/security/microsoft-disrupts-apt28-hacking-campaign-aimed-at-us-midterm-elections/",
 "https://www.bleepingcomputer.com/news/security/apt28-uses-lojax-first-uefi-rootkit-seen-in-the-wild/",
- "https://www.accenture.com/us-en/blogs/blogs-snakemackerel-delivers-zekapab-malware"
+ "https://www.accenture.com/us-en/blogs/blogs-snakemackerel-delivers-zekapab-malware",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-flash-zero-day-used-in-pawn-storm-campaign/",
+ "http://www.lse.co.uk/AllNews.asp?code=kwdwehme&headline=Russian_Hackers_Suspected_In_Cyberattack_On_German_Parliament",
+ "https://www.apnews.com/4d174e45ef5843a0ba82e804f080988f",
+ "https://www.bbc.com/news/technology-37590375",
+ "https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html",
+ "https://www.eff.org/deeplinks/2015/08/new-spear-phishing-campaign-pretends-be-eff",
+ "https://labsblog.f-secure.com/2015/09/08/sofacy-recycles-carberp-and-metasploit-code/",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-targets-mh17-investigation-team/",
+ "https://www.msn.com/en-au/news/world/russia-tried-to-hack-mh17-inquiry-system/ar-BBmmuuT",
+ "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/",
+ "https://unit42.paloaltonetworks.com/unit42-new-sofacy-attacks-against-us-government-agency/",
+ "https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/",
+ "http://www.dw.com/en/hackers-lurking-parliamentarians-told/a-19564630",
+ "http://www.ibtimes.co.uk/russian-hackers-fancy-bear-likely-breached-olympic-drug-testing-agency-dnc-experts-say-1577508",
+ "https://unit42.paloaltonetworks.com/unit42-sofacys-komplex-os-x-trojan/",
+ "file:///D:/Work/ThaiCERT/Cases/researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platform/",
+ "https://unit42.paloaltonetworks.com/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/",
+ "https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/",
+ "https://www.volkskrant.nl/cultuur-media/russen-faalden-bij-hackpogingen-ambtenaren-op-nederlandse-ministeries~b77ff391/",
+ "https://www.voanews.com/a/iaaf-hack-fancy-bears/3793874.html",
+ "https://www.handelsblatt.com/today/politics/election-risks-russia-linked-hackers-target-german-political-foundations/23569188.html?ticket=ST-2696734-GRHgtQukDIEXeSOwksXO-ap1",
+ "https://www.wired.com/story/russian-fancy-bears-hackers-release-apparent-ioc-emails/",
+ "https://unit42.paloaltonetworks.com/unit42-sofacy-attacks-multiple-government-entities/",
+ "https://www.reuters.com/article/us-sweden-doping/swedish-sports-body-says-anti-doping-unit-hit-by-hacking-attack-idUSKCN1IG2GN",
+ "https://www.bbc.co.uk/news/technology-45257081",
+ "https://unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/",
+ "https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/",
+ "https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf",
+ "https://www.washingtonpost.com/technology/2019/02/20/microsoft-says-it-has-found-another-russian-operation-targeting-prominent-think-tanks/?utm_term=.870ff11468ae",
+ "https://www.accenture.com/t20190213T141124Z__w__/us-en/_acnmedia/PDF-94/Accenture-SNAKEMACKEREL-Threat-Campaign-Likely-Targeting-NATO-Members-Defense-and-Military-Outlets.pdf",
+ "https://www.justice.gov/opa/pr/justice-department-announces-actions-disrupt-advanced-persistent-threat-28-botnet-infected",
+ "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/",
+ "https://securelist.com/a-slice-of-2017-sofacy-activity/83930/",
+ "https://www.symantec.com/blogs/election-security/apt28-espionage-military-government",
+ "https://en.wikipedia.org/wiki/Fancy_Bear",
+ "https://attack.mitre.org/groups/G0007/"
 ],
 "synonyms": [
 "APT 28",
@@ -2333,7 +2379,9 @@
 "TAG_0700",
 "Swallowtail",
 "IRON TWILIGHT",
- "Group 74"
+ "Group 74",
+ "SIG40",
+ "Grizzly Steppe"
 ]
 },
 "related": [
@@ -2595,7 +2643,11 @@
 "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf",
 "https://www.us-cert.gov/ncas/alerts/TA17-163A",
 "https://ics.sans.org/blog/2016/01/09/confirmation-of-a-coordinated-attack-on-the-ukrainian-power-grid",
- "https://www.cfr.org/interactive/cyber-operations/black-energy"
+ "https://www.cfr.org/interactive/cyber-operations/black-energy",
+ "https://www.symantec.com/connect/blogs/sandworm-windows-zero-day-vulnerability-being-actively-exploited-targeted-attacks",
+ "https://ics.sans.org/blog/2015/12/30/current-reporting-on-the-cyber-attack-in-ukraine-resulting-in-power-outage",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/timeline-of-sandworm-attacks/",
+ "https://attack.mitre.org/groups/G0034/"
 ],
 "synonyms": [
 "Sandworm Team",
@@ -2603,7 +2655,8 @@
 "BlackEnergy",
 "Quedagh",
 "Voodoo Bear",
- "TEMP.Noble"
+ "TEMP.Noble",
+ "Iron Viking"
 ]
 },
 "related": [
@@ -3005,6 +3058,13 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "50cd027f-df14-40b2-aa22-bf5de5061163",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "linked-to"
 }
 ],
 "uuid": "68391641-859f-4a9a-9a1e-3e5cf71ec376",
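Review bot: The added `"file:///D:/Work/ThaiCERT/Cases/researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platform/"` entry in the APT 28 refs is a local file URI from an analyst's workstation: it discloses an internal path and cannot be resolved by anyone consuming the galaxy, and a file scheme is likely to trip any tooling that validates refs as URLs. The path itself names the public article, and the rest of this commit rewrites other researchcenter.paloaltonetworks.com links to the unit42.paloaltonetworks.com host without the date segment, so the same rewrite gives `"https://unit42.paloaltonetworks.com/unit42-dealerschoice-sofacys-flash-player-exploit-platform/"` (constructed by analogy with the other rewrites in this diff — confirm it resolves before committing).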
@@ -3084,11 +3144,13 @@
 "https://motherboard.vice.com/read/meet-babar-a-new-malware-almost-certainly-created-by-france",
 "http://www.cyphort.com/evilbunny-malware-instrumented-lua/",
 "http://www.cyphort.com/babar-suspected-nation-state-spyware-spotlight/",
- "https://blog.gdatasoftware.com/blog/article/babar-espionage-software-finally-found-and-put-under-the-microscope.html",
- "https://www.cfr.org/interactive/cyber-operations/snowglobe"
+ "https://www.gdatasoftware.com/blog/2015/02/24270-babar-espionage-software-finally-found-and-put-under-the-microscope",
+ "https://www.cfr.org/interactive/cyber-operations/snowglobe",
+ "https://resources.infosecinstitute.com/animal-farm-apt-and-the-shadow-of-france-intelligence/"
 ],
 "synonyms": [
- "Animal Farm"
+ "Animal Farm",
+ "Snowglobe"
 ]
 },
 "uuid": "3b8e7462-c83f-4e7d-9511-2fe430d80aab",
@@ -3194,7 +3256,10 @@
 "description": "ScarCruft is a relatively new APT group; victims have been observed in several countries, including Russia, Nepal, South Korea, China, India, Kuwait and Romania. The group has several ongoing operations utilizing multiple exploits — two for Adobe Flash and one for Microsoft Internet Explorer.",
 "meta": {
 "refs": [
- "https://securelist.com/blog/research/75082/cve-2016-4171-adobe-flash-zero-day-used-in-targeted-attacks/"
+ "https://securelist.com/cve-2016-4171-adobe-flash-zero-day-used-in-targeted-attacks/75082/",
+ "https://securelist.com/operation-daybreak/75100/",
+ "https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/",
+ "https://threatpost.com/scarcruft-apt-group-used-latest-flash-zero-day-in-two-dozen-attacks/118642/"
 ],
 "synonyms": [
 "Operation Daybreak",
@@ -3249,17 +3314,23 @@
 "cfr-type-of-incident": "Espionage",
 "country": "IN",
 "refs": [
- "https://securelist.com/blog/research/75328/the-dropping-elephant-actor/",
 "http://www.symantec.com/connect/blogs/patchwork-cyberespionage-group-expands-targets-governments-wide-range-industries",
 "https://blogs.forcepoint.com/security-labs/monsoon-analysis-apt-campaign",
- "https://www.cymmetria.com/patchwork-targeted-attack/"
+ "https://www.cymmetria.com/patchwork-targeted-attack/",
+ "https://s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling_Patchwork.pdf",
+ "https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/",
+ "https://attack.mitre.org/groups/G0040/",
+ "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf",
+ "https://securelist.com/the-dropping-elephant-actor/75328/",
+ "https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf"
 ],
 "synonyms": [
 "Chinastrats",
 "Patchwork",
 "Monsoon",
 "Sarit",
- "Quilted Tiger"
+ "Quilted Tiger",
+ "APT-C-09"
 ]
 },
 "related": [
@@ -3282,13 +3353,14 @@
 "value": "Dropping Elephant"
 },
 {
- "description": "Scarlet Mimic is a threat group that has targeted minority rights activists. This group has not been directly linked to a government source, but the group's motivations appear to overlap with those of the Chinese government. While there is some overlap between IP addresses used by Scarlet Mimic and Putter Panda, it has not been concluded that the groups are the same.",
+ "description": "Scarlet Mimic is a threat group that has targeted minority rights activists. This group has not been directly linked to a government source, but the group’s motivations appear to overlap with those of the Chinese government. While there is some overlap between IP addresses used by Scarlet Mimic and Putter Panda, APT 2, it has not been concluded that the groups are the same.\nThe attacks began over four years ago and their targeting pattern suggests that this adversary’s primary mission is to gather information about minority rights activists. We do not have evidence directly linking these attacks to a government source, but the information derived from these activities supports an assessment that a group or groups with motivations similar to the stated position of the Chinese government in relation to these targets is involved.\nThe attacks we attribute to Scarlet Mimic have primarily targeted Uyghur and Tibetan activists as well as those who are interested in their causes. Both the Tibetan community and the Uyghurs, a Turkic Muslim minority residing primarily in northwest China, have been targets of multiple sophisticated attacks in the past decade. Both also have history of strained relationships with the government of the People’s Republic of China (PRC), though we do not have evidence that links Scarlet Mimic attacks to the PRC.\nScarlet Mimic attacks have also been identified against government organizations in Russia and India, who are responsible for tracking activist and terrorist activities. While we do not know the precise target of each of the Scarlet Mimic attacks, many of them align to the patterns described above.",
 "meta": {
 "attribution-confidence": "50",
 "country": "CN",
 "refs": [
 "https://attack.mitre.org/wiki/Groups",
- "http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/"
+ "https://unit42.paloaltonetworks.com/scarlet-mimic-years-long-espionage-targets-minority-activists/",
+ "https://attack.mitre.org/groups/G0029/"
 ]
 },
 "related": [
@@ -3309,8 +3381,9 @@
 "attribution-confidence": "50",
 "country": "BR",
 "refs": [
- "https://securelist.com/blog/research/73673/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/",
- "https://attack.mitre.org/wiki/Groups"
+ "https://securelist.com/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/73673/",
+ "https://attack.mitre.org/wiki/Groups",
+ "https://attack.mitre.org/groups/G0033/"
 ]
 },
 "related": [
@@ -3867,10 +3940,10 @@
 "attribution-confidence": "50",
 "country": "TR",
 "refs": [
- "https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/",
- "https://www.virusbulletin.com/conference/vb2016/abstracts/last-minute-paper-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users",
 "https://www.microsoft.com/security/blog/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/",
- "https://attack.mitre.org/groups/G0055/"
+ "https://www.virusbulletin.com/conference/vb2016/abstracts/last-minute-paper-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users",
+ "https://attack.mitre.org/groups/G0055/",
+ "https://attack.mitre.org/groups/G0056/"
 ],
 "synonyms": [
 "StrongPity"
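Review bot: In the StrongPity hunk (country TR) the refs now point at two distinct MITRE ATT&CK group entries, `"https://attack.mitre.org/groups/G0055/"` and `"https://attack.mitre.org/groups/G0056/"`, from a single cluster; the Microsoft reference in the same array covers two groups, PROMETHIUM and NEODYMIUM, so it seems likely these are two separately tracked groups and only one describes this cluster. The one that does not should be dropped from refs or modelled as a `related` entry pointing at the other cluster, so that downstream correlation on refs does not merge the two. Which ID matches the `StrongPity` synonym is not visible here; the ATT&CK page titles will confirm it. The cluster's `value` line is outside the hunk.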
@@ -3957,12 +4030,12 @@
 "value": "Chafer"
 },
 {
- "description": "The PassCV group continues to be one of the most successful and active threat groups that leverage a wide array of stolen Authenticode-signing certificates. Snorre Fagerland of Blue Coat Systems first coined the term PassCV in a blog post. His post provides a good introduction to the group and covers some of the older infrastructure, stolen code-signing certificate reuse, and other connections associated with the PassCV malware. There are several clues alluding to the possibility that multiple groups may be utilizing the same stolen signing certificates, but at this time SPEAR believes the current attacks are more likely being perpetrated by a single group employing multiple publicly available Remote Administration Tools (RATs). The PassCV group has been operating with continued success and has already started to expand their malware repertoire into different off-the-shelf RATs and custom code. SPEAR identified eighteen previously undisclosed stolen Authenticode certificates. These certificates were originally issued to companies and individuals scattered across China, Taiwan, Korea, Europe, the United States and Russia. In this post we expand the usage of the term ‘PassCV’ to encompass the malware mentioned in the Blue Coat Systems report, as well as the APT group behind the larger C2 infrastructure and stolen Authenticode certificates. We’d like to share some of our findings as they pertain to the stolen certificates, command and control infrastructure, and some of the newer custom RATs they’ve begun development on. ",
+ "description": "The PassCV group continues to be one of the most successful and active threat groups that leverage a wide array of stolen Authenticode-signing certificates. Snorre Fagerland of Blue Coat Systems first coined the term PassCV in a blog post. His post provides a good introduction to the group and covers some of the older infrastructure, stolen code-signing certificate reuse, and other connections associated with the PassCV malware. There are several clues alluding to the possibility that multiple groups may be utilizing the same stolen signing certificates, but at this time SPEAR believes the current attacks are more likely being perpetrated by a single group employing multiple publicly available Remote Administration Tools (RATs). The PassCV group has been operating with continued success and has already started to expand their malware repertoire into different off-the-shelf RATs and custom code. SPEAR identified eighteen previously undisclosed stolen Authenticode certificates. These certificates were originally issued to companies and individuals scattered across China, Taiwan, Korea, Europe, the United States and Russia. In this post we expand the usage of the term ‘PassCV’ to encompass the malware mentioned in the Blue Coat Systems report, as well as the APT group behind the larger C2 infrastructure and stolen Authenticode certificates. We’d like to share some of our findings as they pertain to the stolen certificates, command and control infrastructure, and some of the newer custom RATs they’ve begun development on.",
 "meta": {
 "attribution-confidence": "50",
 "country": "CN",
 "refs": [
- "https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies"
+ "https://threatvector.cylance.com/en_us/home/digitally-signed-malware-targeting-gaming-companies.html"
 ]
 },
 "uuid": "ceae0bc4-eb5f-4184-b949-a6f7d6f0f965",
@@ -4081,7 +4154,9 @@
 "country": "IR",
 "refs": [
 "https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon",
- "https://researchcenter.paloaltonetworks.com/2017/07/unit42-oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group/"
+ "https://unit42.paloaltonetworks.com/unit42-oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group/",
+ "https://threatpost.com/shamoon-collaborator-greenbug-adopts-new-communication-tool/125383/",
+ "https://www.clearskysec.com/greenbug/"
 ]
 },
 "related": [
@@ -4187,7 +4262,7 @@
 "value": "Infy"
 },
 {
- "description": "Sima is a group of suspected Iranian origin targeting Iranians in diaspora.",
+ "description": "Sima is a group of suspected Iranian origin targeting Iranians in diaspora.\nIn February 2016, Iran-focused individuals received messages purporting to be from Human RightsWatch's (HRW) Emergencies Director, requesting that they read an article about Iran pressing Afghanr efugees to fight in Syria. While referencing a real report published by HRW, the links provided for the Director’s biography and article directed the recipient to malware hosted elsewhere. These spear-phishing attempts represent an evolution of Iranian actors based on their social engineering tactics and narrow targeting. Although the messages still had minor grammatical and stylistic errors that would be obvious to a native speaker, the actors demonstrated stronger English-language proficiency than past intrusion sets and a deeper investment in background research prior to the attempt. The actors appropriated a real identity that would be expected to professionally interact with the subject, then offered validation through links to their biography and social media, the former of which itself was malware as well. The bait documents contained a real article relevant to their interests and topic referenced, and the message attempted to address to how it aligned with their professional research or field of employment. The referenced documents sent were malware binaries posing as legitimate files using the common right-to-left filenames tactic in order to conceal the actual file extension. All of these techniques, while common pretexting mechanisms, are a refinement compared to a tendency amongst other groups to simply continually send different forms of generic malware or phishing, in the hopes that one would eventually be successful.",
 "meta": {
 "attribution-confidence": "50",
 "country": "IR",
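Review bot: The expanded Sima description carries two word-boundary errors from the paste, `Human RightsWatch's` and `Afghanr efugees`, which should read `Human Rights Watch's` and `Afghan refugees`; these strings are what MISP displays to analysts and what free-text search matches, so they are worth correcting before merge. The added text reads as a verbatim quotation from a vendor report; if so, the cluster's refs (outside this hunk) should cite that report so the provenance of the description is recoverable.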
@@ -4378,7 +4453,8 @@
 "meta": {
 "refs": [
 "http://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf",
- "https://blogs.technet.microsoft.com/mmpc/2016/04/26/digging-deep-for-platinum/"
+ "https://blogs.technet.microsoft.com/mmpc/2016/04/26/digging-deep-for-platinum/",
+ "https://attack.mitre.org/groups/G0068/"
 ],
 "synonyms": [
 "TwoForOne"
@@ -4991,9 +5067,12 @@
 "value": "Kimsuki"
 },
 {
+ "description": "While investigating some of the smaller name servers that APT28/Sofacy routinely use to host their infrastructure, Cylance discovered another prolonged campaign that appeared to exclusively target Japanese companies and individuals that began around August 2016. The later registration style was eerily close to previously registered APT28 domains, however, the malware used in the attacks did not seem to line up at all. During the course of our investigation, JPCERT published this analysis of one of the group’s backdoors. Cylance tracks this threat group internally as ‘Snake Wine’.\nThe Snake Wine group has proven to be highly adaptable and has continued to adopt new tactics in order to establish footholds inside victim environments. The exclusive interest in Japanese government, education, and commerce will likely continue into the future as the group is just starting to build and utilize their existing current attack infrastructure.",
 "meta": {
 "refs": [
- "https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html"
+ "https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html",
+ "https://threatvector.cylance.com/en_us/home/the-deception-project-a-new-japanese-centric-threat.html",
+ "https://www.jpcert.or.jp/magazine/acreport-ChChes.html"
 ]
 },
 "uuid": "7b6ba207-94de-4f94-bc7f-52cd0dafade5",
@@ -5515,7 +5594,10 @@
 "http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html",
 "https://twitter.com/mstoned7/status/966126706107953152",
 "https://www.cfr.org/interactive/cyber-operations/apt-37",
- "https://www.bleepingcomputer.com/news/security/report-ties-north-korean-attacks-to-new-malware-linked-by-word-macros/"
+ "https://www.bleepingcomputer.com/news/security/report-ties-north-korean-attacks-to-new-malware-linked-by-word-macros/",
+ "https://unit42.paloaltonetworks.com/unit42-freemilk-highly-targeted-spear-phishing-campaign/",
+ "https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html",
+ "https://attack.mitre.org/groups/G0067/"
 ],
 "synonyms": [
 "APT 37",
@@ -5528,7 +5610,8 @@
 "Ricochet Chollima",
 "StarCruft",
 "Operation Daybreak",
- "Operation Erebus."
+ "Operation Erebus",
+ "Venus 121"
 ]
 },
 "related": [
@@ -5545,6 +5628,13 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "68391641-859f-4a9a-9a1e-3e5cf71ec376",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "linked-to"
 }
 ],
 "uuid": "50cd027f-df14-40b2-aa22-bf5de5061163",
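Review bot: The added `"https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html"` in the APT 37 refs duplicates the first context line of the same array, `"http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html"`, differing only in scheme; keep a single entry (replace the existing http line with the https form) rather than carrying both, since ref lists are used for deduplication and correlation downstream. The same old-URL/new-URL pairing appears in the Pitty Tiger hunk (`blog.airbuscybersecurity.com` and `blog.cassidiancybersecurity.com` with an identical path) and the Snake Wine hunk (`www.cylance.com/en_us/blog/...` and `threatvector.cylance.com/en_us/home/...` for what looks like the same article); if those pairs resolve to one document each, the older form should be dropped there too.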
@@ -5652,7 +5742,8 @@
 "description": "Symantec has identified a previously unknown group called Orangeworm that has been observed installing a custom backdoor called Trojan.Kwampirs within large international corporations that operate within the healthcare sector in the United States, Europe, and Asia.\nFirst identified in January 2015, Orangeworm has also conducted targeted attacks against organizations in related industries as part of a larger supply-chain attack in order to reach their intended victims. Known victims include healthcare providers, pharmaceuticals, IT solution providers for healthcare and equipment manufacturers that serve the healthcare industry, likely for the purpose of corporate espionage.",
 "meta": {
 "refs": [
- "https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia"
+ "https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia",
+ "https://attack.mitre.org/groups/G0071/"
 ]
 },
 "uuid": "35d71626-4794-11e8-b74d-bbcbe48fee3c",
@@ -6036,11 +6127,14 @@
 "cfr-type-of-incident": "Espionage",
 "country": "CN",
 "refs": [
- "https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/",
- "https://www.cfr.org/interactive/cyber-operations/rancor"
+ "https://unit42.paloaltonetworks.com/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/",
+ "https://www.cfr.org/interactive/cyber-operations/rancor",
+ "https://attack.mitre.org/groups/G0075/"
 ],
 "synonyms": [
- "Rancor group"
+ "Rancor group",
+ "Rancor",
+ "Rancor Group"
 ]
 },
 "uuid": "79c7c7e0-79d5-11e8-9b9c-1ff96be20c0b",
@@ -6152,7 +6246,7 @@
 "value": "TempTick"
 },
 {
- "description": "This threat actor uses spear-phishing techniques to target parliaments, government ministries, academics, and media organizations, primarily in the Middle East, for the purpose of espionage.",
+ "description": "This threat actor uses spear-phishing techniques to target parliaments, government ministries, academics, and media organizations, primarily in the Middle East, for the purpose of espionage.\nBased on our findings, we believe the attackers represent a previously unknown geopolitically motivated threat actor. The campaign started in 2017, with the attackers doing just enough to achieve their goals. They most likely have access to additional tools when needed and appear to have access to an elaborate database of contacts in sensitive organizations and personnel worldwide, especially of vulnerable and non-trained staff. The victim systems range from personal desktop or laptop systems to large servers with domain controller roles or similar. The nature of the targeted ministries varied, including those responsible for telecommunications, health, energy, justice, finance and so on.\nOperation Parliament appears to be another symptom of escalating tensions in the Middle East region. The attackers have taken great care to stay under the radar, imitating another attack group in the region. They have been particularly careful to verify victim devices before proceeding with the infection, safeguarding their command and control servers. The targeting seems to have slowed down since the beginning of 2018, probably winding down when the desired data or access was obtained. The targeting of specific victims is unlike previously seen behavior in regional campaigns by Gaza Cybergang or Desert Falcons and points to an elaborate information-gathering exercise that was carried out before the attacks (physical and/or digital).\nWith deception and false flags increasingly being employed by threat actors, attribution is a hard and complicated task that requires solid evidence, especially in complex regions such as the Middle East.",
 "meta": {
 "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "Unknown",
@@ -6192,7 +6286,8 @@
 "cfr-type-of-incident": "Espionage",
 "refs": [
 "https://www.cfr.org/interactive/cyber-operations/operation-parliament",
- "https://securelist.com/operation-parliament-who-is-doing-what/85237/"
+ "https://securelist.com/operation-parliament-who-is-doing-what/85237/",
+ "https://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html"
 ]
 },
 "uuid": "e20e8eb8-a6b4-11e8-8a92-6ba6e7540c6d",
@@ -6783,11 +6878,14 @@
 "value": "Cold River"
 },
 {
- "description": "a relatively new threat actor that’s been operating since mid-2016",
+ "description": "a relatively new threat actor that’s been operating since mid-2016\nGroup-IB has exposed the attacks committed by Silence cybercriminal group. While the gang had previously targeted Russian banks, Group-IB experts also have discovered evidence of the group's activity in more than 25 countries worldwide. Group-IB has published its first detailed report on tactics and tools employed by Silence. Group-IB security analysts' hypothesis is that at least one of the gang members appears to be a former or current employee of a cyber security company. The confirmed damage from Silence activity is estimated at 800 000 USD.\nSilence is a group of Russian-speaking hackers, based on their commands language, the location of infrastructure they used, and the geography of their targets (Russia, Ukraine, Belarus, Azerbaijan, Poland, and Kazakhstan). Although phishing emails were also sent to bank employees in Central and Western Europe, Africa, and Asia). Furthermore, Silence used Russian words typed on an English keyboard layout for the commands of the employed backdoor. The hackers also used Russian-language web hosting services.",
 "meta": {
 "refs": [
- "https://reaqta.com/2019/01/silence-group-targeting-russian-banks/"
- ]
+ "https://reaqta.com/2019/01/silence-group-targeting-russian-banks/",
+ "https://www.group-ib.com/blog/silence",
+ "https://securelist.com/the-silence/83009/"
+ ],
+ "synonyms": "Silence"
 },
 "uuid": "0d5e17fd-7a71-47fd-b4bc-867cdb833726",
 "value": "Silence group"
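Review bot: `"synonyms": "Silence"` in the Silence group hunk is a bare string, while every other cluster in this diff gives `synonyms` as an array; a consumer that iterates `meta.synonyms` will either fail on this entry or iterate the characters of the string, and schema validation of the galaxy will reject the type change. It should be written as the three lines `"synonyms": [`, `"Silence"`, `]` to match the shape used elsewhere. Separately, the added description has an unbalanced parenthesis in `...Europe, Africa, and Asia).` — either drop that `)` or restructure the sentence so the parenthesis opened after `Kazakhstan` is the one being closed.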
@@ -7054,7 +7152,7 @@
 "value": "Whitefly"
 },
 {
- "description": " This blog post discusses the technical details of a state-sponsored attack manipulating DNS systems. While this incident is limited to targeting primarily national security organizations in the Middle East and North Africa, and we do not want to overstate the consequences of this specific campaign, we are concerned that the success of this operation will lead to actors more broadly attacking the global DNS system. DNS is a foundational technology supporting the Internet. Manipulating that system has the potential to undermine the trust users have on the internet. That trust and the stability of the DNS system as a whole drives the global economy. Responsible nations should avoid targeting this system, work together to establish an accepted global norm that this system and the organizations that control it are off-limits, and cooperate in pursuing those actors who act irresponsibly by targeting this system.",
+ "description": "This blog post discusses the technical details of a state-sponsored attack manipulating DNS systems. While this incident is limited to targeting primarily national security organizations in the Middle East and North Africa, and we do not want to overstate the consequences of this specific campaign, we are concerned that the success of this operation will lead to actors more broadly attacking the global DNS system. DNS is a foundational technology supporting the Internet. Manipulating that system has the potential to undermine the trust users have on the internet. That trust and the stability of the DNS system as a whole drives the global economy. Responsible nations should avoid targeting this system, work together to establish an accepted global norm that this system and the organizations that control it are off-limits, and cooperate in pursuing those actors who act irresponsibly by targeting this system.",
 "meta": {
 "refs": [
 "https://blog.talosintelligence.com/2019/04/seaturtle.html"
@@ -7221,6 +7319,37 @@ }, "uuid": "e502802e-8d0a-11e9-bd72-9f046529b3fd", "value": "Lucky Cat" + }, + { + "description": "There are several groups actively and profitably targeting businesses in Russia. A trend that we have seen unfold before our eyes lately is these cybercriminals’ use of simple backdoors to gain a foothold in their targets’ networks. Once they have this access, a lot of the work is done manually, slowly getting to understand the network layout and deploying custom tools the criminals can use to steal funds from these entities. Some of the groups that best exemplify these trends are Buhtrap, Cobalt and Corkow.\nThe group discussed in this white paper is part of this new trend. We call this new group RTM; it uses custom malware, written in Delphi, that we cover in detail in later sections. The first trace of this tool in our telemetry data dates back to late 2015. The group also makes use of several different modules that they deploy where appropriate to their targets. They are interested in users of remote banking systems (RBS), mainly in Russia and neighboring countries.", + "meta": { + "refs": [ + "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf", + "https://attack.mitre.org/groups/G0048/" + ] + }, + "uuid": "88100602-8e8b-11e9-bb7c-1bf20b58e305", + "value": "RTM" + }, + { + "description": "Shadows in the Cloud documents a complex ecosystem of cyber espionage that systematically compromised government, business, academic, and other computer network systems in India, the Offices of the Dalai Lama, the United Nations, and several other countries. The report also contains an analysis of data which were stolen from politically sensitive targets and recovered during the course of the investigation. These include documents from the Offices of the Dalai Lama and agencies of the Indian national security establishment. 
Data containing sensitive information on citizens of numerous third-party countries, as well as personal, financial, and business information, were also exfiltrated and recovered during the course of the investigation. The report analyzes the malware ecosystem employed by the Shadows’ attackers, which leveraged multiple redundant cloud computing systems, social networking platforms, and free web hosting services in order to maintain persistent control while operating core servers located in the People’s Republic of China (PRC). Although the identity and motivation of the attackers remain unknown, the report is able to determine the location (Chengdu, PRC) as well as some of the associations of the attackers through circumstantial evidence. The investigation is the product of an eight month, collaborative activity between the Information Warfare Monitor (Citizen Lab and SecDev) and the Shadowserver Foundation. The investigation employed a fusion methodology, combining technical interrogation techniques, data analysis, and field research, to track and uncover the Shadow cyber espionage network.", + "meta": { + "refs": [ + "https://citizenlab.ca/wp-content/uploads/2017/05/shadows-in-the-cloud.pdf" + ] + }, + "uuid": "ef800f1c-8e90-11e9-972c-53e01614f101", + "value": "Shadow Network" + }, + { + "description": "While analysing an incident which involved a suspected keylogger, we identified a malicious library able to interact with a virtual file system, which is usually the sign of an advanced APT actor. This turned out to be a malicious loader internally named ‘Slingshot’, part of a new, and highly sophisticated attack platform that rivals Project Sauron and Regin in complexity.\nWhile for most victims the infection vector for Slingshot remains unknown, we were able to find several cases where the attackers got access to MikroTik routers and placed a component downloaded by Winbox Loader, a management suite for MikroTik routers. 
In turn, this infected the administrator of the router.\nWe believe this cluster of activity started in at least 2012 and was still active at the time of this analysis (February 2018).", + "meta": { + "refs": [ + "https://securelist.com/apt-slingshot/84312/" + ] + }, + "uuid": "4fcbd08a-8ea6-11e9-8bf2-970182ab6bb5", + "value": "Slingshot" } ], "version": 114 From ead217eb28aef5edf82495be4e54b41b8483383e Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Fri, 14 Jun 2019 16:11:02 +0200 Subject: [PATCH 2/9] Update version --- clusters/threat-actor.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 62c6de0..93d13ed 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -7352,5 +7352,5 @@ "value": "Slingshot" } ], - "version": 114 + "version": 115 } From 1e5292d9995499b697af57ccb1ca47d7d9fda5ad Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Fri, 14 Jun 2019 16:21:33 +0200 Subject: [PATCH 3/9] fix duplicate --- clusters/threat-actor.json | 77 +++++++++++++++++++------------------- 1 file changed, 38 insertions(+), 39 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 93d13ed..5dff709 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
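Review bot: The new Shadow Network entry says in its description that the operators were located in Chengdu, PRC, yet its `meta` carries only `refs`, while other clusters in this file record the same judgement in machine-readable fields (the TeleBots cluster in PATCH 6/9 has `"attribution-confidence": "50", "country": "RU"`). Consider adding `"attribution-confidence": "50", "country": "CN"` under Shadow Network's `meta` so the attribution is queryable instead of buried in prose; the same applies to the TEMP.Veles entry in PATCH 6/9, whose description calls the group "Russia-based" but whose `meta` has no `country`. The confidence value follows the galaxy's own convention, so set it to whatever the maintainers consider the cited reports support.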
@@ -2315,53 +2315,52 @@ "cfr-type-of-incident": "Espionage", "country": "RU", "refs": [ + "https://attack.mitre.org/groups/G0007/" + "https://en.wikipedia.org/wiki/Fancy_Bear", "https://en.wikipedia.org/wiki/Sofacy_Group", - "https://aptnotes.malwareconfig.com/web/viewer.html?file=../APTnotes/2014/apt28.pdf", - "http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-pawn-storm.pdf", - "https://www2.fireeye.com/rs/848-DID-242/images/wp-mandiant-matryoshka-mining.pdf", - "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", - "http://researchcenter.paloaltonetworks.com/2016/06/unit42-new-sofacy-attacks-against-us-government-agency/", - "https://www.cfr.org/interactive/cyber-operations/apt-28", - "https://blogs.microsoft.com/on-the-issues/2018/08/20/we-are-taking-new-steps-against-broadening-threats-to-democracy/", - "https://www.bleepingcomputer.com/news/security/microsoft-disrupts-apt28-hacking-campaign-aimed-at-us-midterm-elections/", - "https://www.bleepingcomputer.com/news/security/apt28-uses-lojax-first-uefi-rootkit-seen-in-the-wild/", - "https://www.accenture.com/us-en/blogs/blogs-snakemackerel-delivers-zekapab-malware", - "https://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-flash-zero-day-used-in-pawn-storm-campaign/", - "http://www.lse.co.uk/AllNews.asp?code=kwdwehme&headline=Russian_Hackers_Suspected_In_Cyberattack_On_German_Parliament", - "https://www.apnews.com/4d174e45ef5843a0ba82e804f080988f", "https://www.bbc.com/news/technology-37590375", - "https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html", - "https://www.eff.org/deeplinks/2015/08/new-spear-phishing-campaign-pretends-be-eff", - "https://labsblog.f-secure.com/2015/09/08/sofacy-recycles-carberp-and-metasploit-code/", - "https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-targets-mh17-investigation-team/", - 
"https://www.msn.com/en-au/news/world/russia-tried-to-hack-mh17-inquiry-system/ar-BBmmuuT", - "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", - "https://unit42.paloaltonetworks.com/unit42-new-sofacy-attacks-against-us-government-agency/", - "https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/", + "https://www.bbc.co.uk/news/technology-45257081", + "https://www.cfr.org/interactive/cyber-operations/apt-28", + "https://www.apnews.com/4d174e45ef5843a0ba82e804f080988f", + "https://www.voanews.com/a/iaaf-hack-fancy-bears/3793874.html", + "https://securelist.com/a-slice-of-2017-sofacy-activity/83930/", "http://www.dw.com/en/hackers-lurking-parliamentarians-told/a-19564630", - "http://www.ibtimes.co.uk/russian-hackers-fancy-bear-likely-breached-olympic-drug-testing-agency-dnc-experts-say-1577508", "https://unit42.paloaltonetworks.com/unit42-sofacys-komplex-os-x-trojan/", - "file:///D:/Work/ThaiCERT/Cases/researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platform/", + "https://unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/", + "https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html", + "https://www2.fireeye.com/rs/848-DID-242/images/wp-mandiant-matryoshka-mining.pdf", + "https://www.eff.org/deeplinks/2015/08/new-spear-phishing-campaign-pretends-be-eff", + "https://aptnotes.malwareconfig.com/web/viewer.html?file=../APTnotes/2014/apt28.pdf", + "https://www.accenture.com/us-en/blogs/blogs-snakemackerel-delivers-zekapab-malware", + "https://www.wired.com/story/russian-fancy-bears-hackers-release-apparent-ioc-emails/", + "https://www.symantec.com/blogs/election-security/apt28-espionage-military-government", + "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", + 
"https://labsblog.f-secure.com/2015/09/08/sofacy-recycles-carberp-and-metasploit-code/", + "https://unit42.paloaltonetworks.com/unit42-sofacy-attacks-multiple-government-entities/", + "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/", + "https://www.msn.com/en-au/news/world/russia-tried-to-hack-mh17-inquiry-system/ar-BBmmuuT", + "https://unit42.paloaltonetworks.com/unit42-new-sofacy-attacks-against-us-government-agency/", "https://unit42.paloaltonetworks.com/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/", "https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/", - "https://www.volkskrant.nl/cultuur-media/russen-faalden-bij-hackpogingen-ambtenaren-op-nederlandse-ministeries~b77ff391/", - "https://www.voanews.com/a/iaaf-hack-fancy-bears/3793874.html", - "https://www.handelsblatt.com/today/politics/election-risks-russia-linked-hackers-target-german-political-foundations/23569188.html?ticket=ST-2696734-GRHgtQukDIEXeSOwksXO-ap1", - "https://www.wired.com/story/russian-fancy-bears-hackers-release-apparent-ioc-emails/", - "https://unit42.paloaltonetworks.com/unit42-sofacy-attacks-multiple-government-entities/", - "https://www.reuters.com/article/us-sweden-doping/swedish-sports-body-says-anti-doping-unit-hit-by-hacking-attack-idUSKCN1IG2GN", - "https://www.bbc.co.uk/news/technology-45257081", - "https://unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/", "https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/", - "https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf", - "https://www.washingtonpost.com/technology/2019/02/20/microsoft-says-it-has-found-another-russian-operation-targeting-prominent-think-tanks/?utm_term=.870ff11468ae", - 
"https://www.accenture.com/t20190213T141124Z__w__/us-en/_acnmedia/PDF-94/Accenture-SNAKEMACKEREL-Threat-Campaign-Likely-Targeting-NATO-Members-Defense-and-Military-Outlets.pdf", + "https://www.bleepingcomputer.com/news/security/apt28-uses-lojax-first-uefi-rootkit-seen-in-the-wild/", + "https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-targets-mh17-investigation-team/", + "http://researchcenter.paloaltonetworks.com/2016/06/unit42-new-sofacy-attacks-against-us-government-agency/", + "http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-pawn-storm.pdf", + "https://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-flash-zero-day-used-in-pawn-storm-campaign/", + "https://blogs.microsoft.com/on-the-issues/2018/08/20/we-are-taking-new-steps-against-broadening-threats-to-democracy/", + "http://www.lse.co.uk/AllNews.asp?code=kwdwehme&headline=Russian_Hackers_Suspected_In_Cyberattack_On_German_Parliament", + "https://www.volkskrant.nl/cultuur-media/russen-faalden-bij-hackpogingen-ambtenaren-op-nederlandse-ministeries~b77ff391/", + "http://www.ibtimes.co.uk/russian-hackers-fancy-bear-likely-breached-olympic-drug-testing-agency-dnc-experts-say-1577508", + "https://www.bleepingcomputer.com/news/security/microsoft-disrupts-apt28-hacking-campaign-aimed-at-us-midterm-elections/", "https://www.justice.gov/opa/pr/justice-department-announces-actions-disrupt-advanced-persistent-threat-28-botnet-infected", - "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/", - "https://securelist.com/a-slice-of-2017-sofacy-activity/83930/", - "https://www.symantec.com/blogs/election-security/apt28-espionage-military-government", - "https://en.wikipedia.org/wiki/Fancy_Bear", - "https://attack.mitre.org/groups/G0007/" + "https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf", + 
"https://www.reuters.com/article/us-sweden-doping/swedish-sports-body-says-anti-doping-unit-hit-by-hacking-attack-idUSKCN1IG2GN", + "file:///D:/Work/ThaiCERT/Cases/researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platform/", + "https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/", + "https://www.washingtonpost.com/technology/2019/02/20/microsoft-says-it-has-found-another-russian-operation-targeting-prominent-think-tanks/?utm_term=.870ff11468ae", + "https://www.handelsblatt.com/today/politics/election-risks-russia-linked-hackers-target-german-political-foundations/23569188.html?ticket=ST-2696734-GRHgtQukDIEXeSOwksXO-ap1", + "https://www.accenture.com/t20190213T141124Z__w__/us-en/_acnmedia/PDF-94/Accenture-SNAKEMACKEREL-Threat-Campaign-Likely-Targeting-NATO-Members-Defense-and-Military-Outlets.pdf", ], "synonyms": [ "APT 28", From b966369933df0c31f9ab7d1264d11c49960c0784 Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Fri, 14 Jun 2019 16:35:55 +0200 Subject: [PATCH 4/9] ##COMMA## --- clusters/threat-actor.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 5dff709..8ed9e23 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -2315,7 +2315,7 @@ "cfr-type-of-incident": "Espionage", "country": "RU", "refs": [ - "https://attack.mitre.org/groups/G0007/" + "https://attack.mitre.org/groups/G0007/", "https://en.wikipedia.org/wiki/Fancy_Bear", "https://en.wikipedia.org/wiki/Sofacy_Group", "https://www.bbc.com/news/technology-37590375", 
@@ -2360,7 +2360,7 @@
 "https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/",
 "https://www.washingtonpost.com/technology/2019/02/20/microsoft-says-it-has-found-another-russian-operation-targeting-prominent-think-tanks/?utm_term=.870ff11468ae",
 "https://www.handelsblatt.com/today/politics/election-risks-russia-linked-hackers-target-german-political-foundations/23569188.html?ticket=ST-2696734-GRHgtQukDIEXeSOwksXO-ap1",
- "https://www.accenture.com/t20190213T141124Z__w__/us-en/_acnmedia/PDF-94/Accenture-SNAKEMACKEREL-Threat-Campaign-Likely-Targeting-NATO-Members-Defense-and-Military-Outlets.pdf",
+ "https://www.accenture.com/t20190213T141124Z__w__/us-en/_acnmedia/PDF-94/Accenture-SNAKEMACKEREL-Threat-Campaign-Likely-Targeting-NATO-Members-Defense-and-Military-Outlets.pdf"
 ],
 "synonyms": [
 "APT 28",
From 431e7a36c1e48cb9ed0aaf793481224b6db47362 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Mon, 17 Jun 2019 16:36:42 +0200
Subject: [PATCH 5/9] update threat actor galaxy
---
 clusters/threat-actor.json | 46 +++++++++++++++++++++++++++++---------
 1 file changed, 35 insertions(+), 11 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 8ed9e23..047a49b 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -1097,24 +1097,34 @@
 "cfr-type-of-incident": "Espionage",
 "country": "CN",
 "refs": [
- "http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/",
+ "https://unit42.paloaltonetworks.com/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/",
 "https://www.cfr.org/interactive/cyber-operations/apt-10",
 "https://www.ncsc.gov.uk/content/files/protected_files/article_files/Joint%20report%20on%20publicly%20available%20hacking%20tools%20%28NCSC%29.pdf",
- "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf"
+ "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf",
+ "https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html",
+ "https://www.eweek.com/security/chinese-nation-state-hackers-target-u.s-in-operation-tradesecret",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-cyber-espionage-campaign/",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf",
+ "https://www.accenture.com/t20180423T055005Z_w_/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf",
+ "https://www.us-cert.gov/sites/default/files/publications/IR-ALERT-MED-17-093-01C-Intrusions_Affecting_Multiple_Victims_Across_Multiple_Sectors.pdf",
+ "https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html",
+ "https://www.fbi.gov/news/stories/chinese-hackers-indicted-122018",
+ "https://attack.mitre.org/groups/G0045/"
 ],
 "synonyms": [
 "APT10",
 "APT 10",
 "MenuPass",
 "Menupass Team",
+ "menuPass",
+ "menuPass Team",
 "happyyongzi",
 "POTASSIUM",
 "DustStorm",
 "Red Apollo",
 "CVNX",
 "HOGFISH",
- "Cloud Hopper",
- "Stone Panda"
+ "Cloud Hopper"
 ]
 },
 "related": [
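Review bot: `"Stone Panda"` is removed from the APT10 synonyms while the commit message only says "update threat actor galaxy"; the cluster's `value` line is outside this hunk, so if the cluster is itself named "Stone Panda" this is a legitimate de-duplication, but otherwise a widely used alias is silently dropped and lookups by that name stop matching. Either way, the reason should be stated in the commit message. The list now also carries both `"MenuPass"`/`"menuPass"` and `"Menupass Team"`/`"menuPass Team"`; keep the case variants only if consumers of this galaxy match synonyms case-sensitively.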
@@ -3233,7 +3243,8 @@
 "refs": [
 "https://citizenlab.org/2016/05/stealth-falcon/",
 "https://www.cfr.org/interactive/cyber-operations/stealth-falcon",
- "https://securelist.com/cve-2019-0797-zero-day-vulnerability/89885/"
+ "https://securelist.com/cve-2019-0797-zero-day-vulnerability/89885/",
+ "https://attack.mitre.org/groups/G0038/"
 ],
 "synonyms": [
 "FruityArmor"
@@ -3518,7 +3529,10 @@
 "country": "US",
 "refs": [
 "https://securelist.com/analysis/publications/75533/faq-the-projectsauron-apt/",
- "https://www.cfr.org/interactive/cyber-operations/project-sauron"
+ "https://www.cfr.org/interactive/cyber-operations/project-sauron",
+ "https://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets",
+ "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07190154/The-ProjectSauron-APT_research_KL.pdf",
+ "https://attack.mitre.org/groups/G0041/"
 ],
 "synonyms": [
 "Strider",
@@ -3648,7 +3662,8 @@
 "country": "CN",
 "refs": [
 "http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates",
- "http://www.symantec.com/connect/blogs/indian-organizations-targeted-suckfly-attacks"
+ "http://www.symantec.com/connect/blogs/indian-organizations-targeted-suckfly-attacks",
+ "https://attack.mitre.org/groups/G0039/"
 ]
 },
 "related": [
@@ -4640,7 +4655,8 @@
 "attribution-confidence": "50",
 "country": "CN",
 "refs": [
- "https://www.proofpoint.com/us/threat-insight/post/apt-targets-financial-analysts#.WS3IBVFV4no.twitter"
+ "https://www.proofpoint.com/us/threat-insight/post/apt-targets-financial-analysts",
+ "https://attack.mitre.org/groups/G0062/"
 ]
 },
 "related": [
@@ -5458,7 +5474,8 @@
 "cfr-type-of-incident": "Espionage",
 "refs": [
 "https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments",
- "https://www.cfr.org/interactive/cyber-operations/sowbug"
+ "https://www.cfr.org/interactive/cyber-operations/sowbug",
+ "https://attack.mitre.org/groups/G0054/"
 ]
 },
 "related": [
@@ -6811,7 +6828,12 @@
 "meta": {
 "refs": [
 "https://www.bleepingcomputer.com/news/security/ta505-group-adopts-new-servhelper-backdoor-and-flawedgrace-rat/",
- "https://www.proofpoint.com/sites/default/files/ta505_timeline_final4_0.png"
+ "https://www.proofpoint.com/sites/default/files/ta505_timeline_final4_0.png",
+ "https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta505-dridex-globeimposter",
+ "https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware",
+ "https://e.cyberint.com/hubfs/Report%20Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors%20Tools/CyberInt_Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors'%20Tools_Report.pdf",
+ "https://threatpost.com/ta505-servhelper-malware/140792/"
+ "https://blog.yoroi.company/research/the-stealthy-email-stealer-in-the-ta505-arsenal/"
 ]
 },
 "uuid": "03c80674-35f8-4fe0-be2b-226ed0fcd69f",
@@ -7053,7 +7075,9 @@
 "meta": {
 "refs": [
 "https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/",
- "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/"
+ "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/",
+ "https://www.netscout.com/blog/asert/stolen-pencil-campaign-targets-academia",
+ "https://attack.mitre.org/groups/G0086/"
 ]
 },
 "uuid": "769aeaa6-d193-4e90-a818-d74c6ff7b845",
From 52e51833de582895f4a3a6a3c30d7bf16c257502 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Tue, 18 Jun 2019 16:05:49 +0200
Subject: [PATCH 6/9] update threat actor galaxy
---
 clusters/threat-actor.json | 95 +++++++++++++++++++++++++++++++++-----
 1 file changed, 83 insertions(+), 12 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 047a49b..1a76931 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -613,7 +613,11 @@
 "meta": {
 "refs": [
 "http://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/",
- "http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-tropic-trooper.pdf"
+ "http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-tropic-trooper.pdf",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/",
+ "https://unit42.paloaltonetworks.com/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/",
+ "https://blog.lookout.com/titan-mobile-threat",
+ "https://attack.mitre.org/groups/G0081/"
 ],
 "synonyms": [
 "Operation Tropic Trooper",
@@ -1618,7 +1622,8 @@
 "refs": [
 "https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html",
 "https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html",
- "https://www.cfr.org/interactive/cyber-operations/admin338"
+ "https://www.cfr.org/interactive/cyber-operations/admin338",
+ "https://attack.mitre.org/groups/G0018/"
 ],
 "synonyms": [
 "Admin338",
@@ -2524,7 +2529,26 @@ "https://www.cfr.org/interactive/cyber-operations/turla", "https://www.bleepingcomputer.com/news/security/turla-outlook-backdoor-uses-clever-tactics-for-stealth-and-persistence/", "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/", - "http://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf" + "http://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf", + "https://www.kaspersky.com/blog/moonlight-maze-the-lessons/6713/", + "https://www.nytimes.com/2010/08/26/technology/26cyber.html", + "https://yle.fi/uutiset/osasto/news/russian_group_behind_2013_foreign_ministry_hack/8591548", + "https://securelist.com/the-epic-turla-operation/65545/", + "https://www.melani.admin.ch/melani/en/home/dokumentation/reports/technical-reports/technical-report_apt_case_ruag.html", + "https://threatpost.com/linux-modules-connected-to-turla-apt-discovered/109765/", + "https://securelist.com/satellite-turla-apt-command-and-control-in-the-sky/72081/", + "https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/", + "https://securelist.com/introducing-whitebear/81638/", + "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/", + "https://unit42.paloaltonetworks.com/unit42-kazuar-multiplatform-espionage-backdoor-api-access/", + "https://www.engadget.com/2017/06/07/russian-malware-hidden-britney-spears-instagram/", + "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf", + "https://www.trendmicro.com/vinfo/vn/security/news/cyber-attacks/cyberespionage-group-turla-deploys-backdoor-ahead-of-g20-summit", + "https://www.zdnet.com/article/this-hacking-gang-just-updated-the-malware-it-uses-against-uk-targets/", + "https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/", + 
"https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf", + "https://www2.fireeye.com/rs/848-DID-242/images/rpt-witchcoven.pdf", + "https://attack.mitre.org/groups/G0010/" ], "synonyms": [ "Turla", @@ -2540,7 +2564,9 @@ "KRYPTON", "Hippo Team", "Pacifier APT", - "Popeye" + "Popeye", + "SIG23", + "Iron Hunter" ] }, "related": [ 
@@ -2702,12 +2728,18 @@ "value": "Sandworm" }, { - "description": "We will refer to the gang behind the malware as TeleBots. However it’s important to say that these attackers, and the toolset used, share a number of similarities with the BlackEnergy group, which conducted attacks against the energy industry in Ukraine in December 2015 and January 2016. In fact, we think that the BlackEnergy group has evolved into the TeleBots group.", + "description": "We will refer to the gang behind the malware as TeleBots. However it’s important to say that these attackers, and the toolset used, share a number of similarities with the BlackEnergy group, which conducted attacks against the energy industry in Ukraine in December 2015 and January 2016. In fact, we think that the BlackEnergy group has evolved into the TeleBots group. TeleBots appear to be associated with Sandworm Team, Iron Viking, Voodoo Bear.", "meta": { "attribution-confidence": "50", "country": "RU", "refs": [ - "http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/" + "http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/", + "https://www.welivesecurity.com/2017/01/05/killdisk-now-targeting-linux-demands-250k-ransom-cant-decrypt/", + "https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/", + "https://www.welivesecurity.com/2017/05/23/xdata-ransomware-making-rounds-amid-global-wannacryptor-scare/", + "https://www.welivesecurity.com/2017/06/27/new-ransomware-attack-hits-ukraine/", + "https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/", + "https://blog.trendmicro.com/trendlabs-security-intelligence/timeline-of-sandworm-attacks/" ], "synonyms": [ "Sandworm" 
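Review bot: The sentence appended to the TeleBots description ("TeleBots appear to be associated with Sandworm Team, Iron Viking, Voodoo Bear.") records a relationship as free text, whereas this file expresses cluster relationships in `related` arrays (visible in the APT10 and Suckfly hunks of PATCH 5/9) that tooling can follow. If the Sandworm cluster has its own uuid, add a `related` entry pointing at it in the same shape as the existing entries, rather than only the prose. Note also that `"Sandworm"` already sits in this cluster's `synonyms`, which asserts identity, while the new sentence only hedges an association; the two statements should be reconciled so consumers do not get contradictory signals.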
@@ -2797,6 +2829,7 @@ "value": "Anunak" }, { + "description": "Researchers have uncovered a long-term cyber-espionage campaign that used a combination of legitimate software packages and commodity malware tools to target a variety of heavy industry, government intelligence agencies and political activists. Known as the TeamSpy crew because of its affinity for using the legitimate TeamViewer application as part of its toolset, the attackers may have been active for as long as 10 years, researchers say.\nThe attack appears to be a years-long espionage campaign, but experts who have analyzed the victim profile, malware components and command-and-control infrastructure say that it’s not entirely clear what kind of data the attackers are going after. What is clear, though, is that the attackers have been at this for a long time and that they have specific people in mind as targets.\nResearchers at the CrySyS Lab in Hungary were alerted by the Hungarian National Security Authority to an attack against a high-profile target in the country and began looking into the campaign. They quickly discovered that some of the infrastructure being used in the attack had been in use for some time and that the target they were investigating was by no means the only one.", "meta": { "attribution-confidence": "50", "cfr-suspected-state-sponsor": "Russian Federation", @@ -2812,7 +2845,10 @@ "country": "RU", "refs": [ "https://securelist.com/blog/incidents/35520/the-teamspy-crew-attacks-abusing-teamviewer-for-cyberespionage-8/", - "https://www.cfr.org/interactive/cyber-operations/team-spy-crew" + "https://www.cfr.org/interactive/cyber-operations/team-spy-crew", + "https://threatpost.com/researchers-uncover-teamspy-attack-campaign-targeting-government-research-targets-032013/77646/", + "https://www.crysys.hu/publications/files/teamspy.pdf", + "https://d2538mqrb7brka.cloudfront.net/wp-content/uploads/sites/43/2018/03/20134928/theteamspystory_final_t2.pdf" ], "synonyms": [ "TeamSpy", 
@@ -3202,7 +3238,8 @@
 "https://nciipc.gov.in/documents/NCIIPC_Newsletter_July18.pdf",
 "https://aisa.org.au//PDF/AISA%20Sydney%20-%20Dec2016.pdf",
 "https://cysinfo.com/cyber-attack-targeting-cbi-and-possibly-indian-army-officials",
- "https://s.tencent.com/research/report/669.html"
+ "https://s.tencent.com/research/report/669.html",
+ "https://www.fireeye.com/blog/threat-research/2016/06/apt_group_sends_spea.html"
 ],
 "synonyms": [
 "C-Major",
@@ -3871,7 +3908,14 @@
 "description": "Beginning in late 2012, a carefully orchestrated attack campaign we call Volatile Cedar has been targeting individuals, companies and institutions worldwide. This campaign, led by a persistent attacker group, has successfully penetrated a large number of targets using various attack techniques, and specifically, a custom-made malware implant codenamed Explosive .",
 "meta": {
 "refs": [
- "https://www.checkpoint.com/downloads/volatile-cedar-technical-report.pdf"
+ "https://www.checkpoint.com/downloads/volatile-cedar-technical-report.pdf",
+ "https://blog.checkpoint.com/2015/06/09/new-data-volatile-cedar/",
+ "https://securelist.com/sinkholing-volatile-cedar-dga-infrastructure/69421/"
+ ],
+ "synonyms": [
+ "Reuse team",
+ "Malware reusers",
+ "Dancing Salome"
 ]
 },
 "uuid": "cf421ce6-ddfe-419a-bc65-6a9fc953232a",
@@ -6417,7 +6461,8 @@
 "cfr-type-of-incident": "Espionage",
 "refs": [
 "https://www.cfr.org/interactive/cyber-operations/thrip",
- "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets"
+ "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets",
+ "https://attack.mitre.org/groups/G0076/"
 ]
 },
 "uuid": "98be4300-a9ef-11e8-9a95-bb9221083cfc",
@@ -6832,7 +6877,7 @@
 "https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta505-dridex-globeimposter",
 "https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware",
 "https://e.cyberint.com/hubfs/Report%20Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors%20Tools/CyberInt_Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors'%20Tools_Report.pdf",
- "https://threatpost.com/ta505-servhelper-malware/140792/"
+ "https://threatpost.com/ta505-servhelper-malware/140792/",
 "https://blog.yoroi.company/research/the-stealthy-email-stealer-in-the-ta505-arsenal/"
 ]
 },
@@ -7373,7 +7418,33 @@ }, "uuid": "4fcbd08a-8ea6-11e9-8bf2-970182ab6bb5", "value": "Slingshot" + }, + { + "description": "The Taidoor attackers have been actively engaging in targeted attacks since at least March 4, 2009. Despite some exceptions, the Taidoor campaign often used Taiwanese IP addresses as C&C servers and email addresses to send out socially engineered emails with malware as attachments. One of the primary targets of the Taidoor campaign appeared to be the Taiwanese government. The attackers spoofed Taiwanese government email addresses to send out socially engineered emails in the Chinese language that typically leveraged Taiwan-themed issues. The attackers actively sent out malicious documents and maintained several IP addresses for command and control.\nAs part of their social engineering ploy, the Taidoor attackers attach a decoy document to their emails that, when opened, displays the contents of a legitimate document but executes a malicious payload in the background.\nWe were only able to gather a limited amount of information regarding the Taidoor attackers’ activities after they have compromised a target. We did, however, find that the Taidoor malware allowed attackers to operate an interactive shell on compromised computers and to upload and download files. In order to determine the operational capabilities of the attackers behind the Taidoor campaign, we monitored a compromised honeypot. The attackers issued out some basic commands in an attempt to map out the extent of the network compromise but quickly realized that the honeypot was not an intended targeted and so promptly disabled the Taidoor malware running on it. 
This indicated that while Taidoor malware were more widely distributed compared with those tied to other targeted campaigns, the attackers could quickly assess their targets and distinguish these from inadvertently compromised computers and honeypots.",
+ "meta": {
+ "refs": [
+ "https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the_taidoor_campaign.pdf",
+ "https://attack.mitre.org/groups/G0015/"
+ ]
+ },
+ "uuid": "e6669606-91ad-11e9-b6f5-374843911989",
+ "value": "Taidoor"
+ },
+ {
+ "description": "TEMP.Veles is a Russia-based threat group that has targeted critical infrastructure. The group has been observed utilizing TRITON, a malware framework designed to manipulate industrial safety systems.",
+ "meta": {
+ "refs": [
+ "https://dragos.com/resource/trisis-analyzing-safety-system-targeting-malware/",
+ "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html",
+ "https://attack.mitre.org/groups/G0088/"
+ ],
+ "synonyms": [
+ "Xenotime"
+ ]
+ },
+ "uuid": "90abfc42-91c6-11e9-89b1-af58de8f7ec2",
+ "value": "TEMP.Veles"
 }
 ],
- "version": 115
+ "version": 117
 }
From 4bd37e2b2dbc68b1053dcbdb0fd3ce886fb5d3ae Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Wed, 19 Jun 2019 16:38:04 +0200
Subject: [PATCH 7/9] update threat actor galaxy
---
 clusters/threat-actor.json | 87 +++++++++++++++++++++++++++++++++++---
 1 file changed, 80 insertions(+), 7 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 1a76931..84df172 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
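Review bot: The new TEMP.Veles entry states "Russia-based" in its description but carries no attribution metadata, whereas the WhiteBear entry later in this series sets `"attribution-confidence": "50"` and `"cfr-suspected-state-sponsor": "Russian Federation"`; if the attribution is taken from the cited MITRE page, adding `"attribution-confidence": "50", "country": "RU"` (confirm the code the galaxy uses) keeps the entry queryable like its siblings. The Taidoor description carries "not an intended targeted", presumably verbatim from the Trend Micro paper; either fix it or mark the passage as a quotation so the typo is not read as the galaxy's own wording. The `"version"` jump from 115 to 117 in one commit suggests an intermediate bump was squashed — harmless, but worth a glance. The Taidoor entry begins outside this chunk.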
@@ -653,10 +653,22 @@
 "cfr-type-of-incident": "Espionage",
 "country": "CN",
 "refs": [
- "http://securelist.com/blog/research/57585/winnti-faq-more-than-just-a-game/",
+ "https://securelist.com/winnti-faq-more-than-just-a-game/57585/",
+ "https://securelist.com/winnti-more-than-just-a-game/37029/",
 "http://williamshowalter.com/a-universal-windows-bootkit/",
 "https://www.microsoft.com/security/blog/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/",
- "https://www.cfr.org/interactive/cyber-operations/axiom"
+ "https://www.cfr.org/interactive/cyber-operations/axiom",
+ "https://securelist.com/games-are-over/70991/",
+ "https://blog.vsec.com.vn/apt/initial-winnti-analysis-against-vietnam-game-company.html",
+ "https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a",
+ "https://www.dw.com/en/thyssenkrupp-victim-of-cyber-attack/a-36695341",
+ "https://www.bleepingcomputer.com/news/security/teamviewer-confirms-undisclosed-breach-from-2016/",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/",
+ "https://www.dw.com/en/bayer-points-finger-at-wicked-panda-in-cyberattack/a-48196004",
+ "https://www.welivesecurity.com/2019/03/11/gaming-industry-scope-attackers-asia/",
+ "https://securelist.com/winnti-more-than-just-a-game/37029/",
+ "https://401trg.com/burning-umbrella/",
+ "https://attack.mitre.org/groups/G0044/"
 ],
 "synonyms": [
 "Winnti Group",
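Review bot: `"https://securelist.com/winnti-more-than-just-a-game/37029/"` is added twice to the same refs array in this hunk — once directly after the renamed FAQ URL and again just before the 401trg entry; drop one of them. Duplicate refs are still valid JSON, but every consumer that imports the galaxy carries the repeat, and it is the kind of slip a simple per-array uniqueness check in the repository's validation script would catch. The same duplicate survives as context in the `@@ -668` hunk of PATCH 8/9, so the cleanup belongs in the later commit rather than here.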
@@ -4490,12 +4502,16 @@ "value": "SilverTerrier" }, { - "description": "A corporate espionage group has compromised a string of major corporations over the past three years in order to steal confidential information and intellectual property. The gang, which Symantec calls Butterfly, is not-state sponsored, rather financially motivated. It has attacked multi-billion dollar companies operating in the internet, IT software, pharmaceutical, and commodities sectors. Twitter, Facebook, Apple, and Microsoft are among the companies who have publicly acknowledged attacks.", + "description": "A corporate espionage group has compromised a string of major corporations over the past three years in order to steal confidential information and intellectual property. The gang, which Symantec calls Butterfly, is not-state sponsored, rather financially motivated. It has attacked multi-billion dollar companies operating in the internet, IT software, pharmaceutical, and commodities sectors. Twitter, Facebook, Apple, and Microsoft are among the companies who have publicly acknowledged attacks.\n Butterfly is technically proficient and well resourced. The group has developed a suite of custom malware tools capable of attacking both Windows and Apple computers, and appears to have used at least one zero-day vulnerability in its attacks. It keeps a low profile and maintains good operational security. After successfully compromising a target organization, it cleans up after itself before moving on to its next target.\n This group operates at a much higher level than the average cybercrime gang. It is not interested in stealing credit card details or customer databases and is instead focused on high-level corporate information. Butterfly may be selling this information to the highest bidder or may be operating as hackers for hire. 
Stolen information could also be used for insider-trading purposes.",
 "meta": {
 "refs": [
 "https://www.symantec.com/connect/blogs/butterfly-profiting-high-level-corporate-attacks",
- "https://securelist.com/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/",
- "https://research.kudelskisecurity.com/2015/11/05/sphinx-moth-expanding-our-knowledge-of-the-wild-neutron-morpho-apt/"
+ "https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/",
+ "https://research.kudelskisecurity.com/2015/11/05/sphinx-moth-expanding-our-knowledge-of-the-wild-neutron-morpho-apt/",
+ "https://blog.twitter.com/official/en_us/a/2013/keeping-our-users-secure.html",
+ "https://www.facebook.com/notes/facebook-security/protecting-people-on-facebook/10151249208250766",
+ "https://www.reuters.com/article/us-apple-hackers/exclusive-apple-macs-hit-by-hackers-who-targeted-facebook-idUSBRE91I10920130219",
+ "https://blogs.technet.microsoft.com/msrc/2013/02/22/recent-cyberattacks/"
 ],
 "synonyms": [
 "Butterfly",
@@ -5451,6 +5467,7 @@ "value": "Unit 8200" }, { + "description": "As a part of our Kaspersky APT Intelligence Reporting subscription, customers received an update in mid-February 2017 on some interesting APT activity that we called WhiteBear. Much of the contents of that report are reproduced here. WhiteBear is a parallel project or second stage of the Skipper Turla cluster of activity documented in another private intelligence report “Skipper Turla – the White Atlas framework” from mid-2016. Like previous Turla activity, WhiteBear leverages compromised websites and hijacked satellite connections for command and control (C2) infrastructure. As a matter of fact, WhiteBear infrastructure has overlap with other Turla campaigns, like those deploying Kopiluwak, as documented in “KopiLuwak – A New JavaScript Payload from Turla” in December 2016. WhiteBear infected systems maintained a dropper (which was typically signed) as well as a complex malicious platform which was always preceded by WhiteAtlas module deployment attempts. However, despite the similarities to previous Turla campaigns, we believe that WhiteBear is a distinct project with a separate focus. We note that this observation of delineated target focus, tooling, and project context is an interesting one that also can be repeated across broadly labeled Turla and Sofacy activity.\nFrom February to September 2016, WhiteBear activity was narrowly focused on embassies and consular operations around the world. All of these early WhiteBear targets were related to embassies and diplomatic/foreign affair organizations. Continued WhiteBear activity later shifted to include defense-related organizations into June 2017. When compared to WhiteAtlas infections, WhiteBear deployments are relatively rare and represent a departure from the broader Skipper Turla target set. Additionally, a comparison of the WhiteAtlas framework to WhiteBear components indicates that the malware is the product of separate development efforts. 
WhiteBear infections appear to be preceded by a condensed spearphishing dropper, lack Firefox extension installer payloads, and contain several new components signed with a new code signing digital certificate, unlike WhiteAtlas incidents and modules.",
 "meta": {
 "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "Russian Federation",
@@ -7213,7 +7230,8 @@
 "description": "In July 2018, an attack on Singapore’s largest public health organization, SingHealth, resulted in a reported 1.5 million patient records being stolen. Until now, nothing was known about who was responsible for this attack. Symantec researchers have discovered that this attack group, which we call Whitefly, has been operating since at least 2017, has targeted organizations based mostly in Singapore across a wide variety of sectors, and is primarily interested in stealing large amounts of sensitive information.",
 "meta": {
 "refs": [
- "https://www.symantec.com/blogs/threat-intelligence/whitefly-espionage-singapore"
+ "https://www.symantec.com/blogs/threat-intelligence/whitefly-espionage-singapore",
+ "https://www.reuters.com/article/us-singapore-cyberattack/cyberattack-on-singapore-health-database-steals-details-of-1-5-million-including-pm-idUSKBN1KA14J"
 ]
 },
 "uuid": "943f490e-ac7f-40fe-b6f3-33e2623649d2",
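Review bot: The WhiteBear description added in the `@@ -5451` hunk is a verbatim first-person vendor passage ("As a part of our Kaspersky APT Intelligence Reporting subscription, customers received…") with no attribution inside the string, so a reader of the cluster cannot tell whose "we" is speaking or which report the claims come from. The OurMine entry later in this series handles the same situation with a `(Trend Micro)` prefix on the quoted paragraph; a `(Kaspersky)` prefix here would match that convention. The entry's refs lie outside this hunk, so it is worth confirming they include the Securelist post the text is taken from.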
@@ -7444,7 +7462,62 @@ }, "uuid": "90abfc42-91c6-11e9-89b1-af58de8f7ec2", "value": "TEMP.Veles" + }, + { + "description": "In August of 2018, DarkMatter released a report entitled “In the Trails of WINDSHIFT APT”, which unveiled a threat actor with TTPs very similar to those of Bahamut. Subsequently, two additional articles were released by Objective-See which provide an analysis of some validated WINDSHIFT samples targeting OSX systems. Pivoting on specific file attributes and infrastructure indicators, Unit 42 was able to identify and correlate additional attacker activity and can now provide specific details on a targeted WINDSHIFT attack as it unfolded at a Middle Eastern government agency.", + "meta": { + "refs": [ + "https://unit42.paloaltonetworks.com/shifting-in-the-wind-windshift-attacks-target-middle-eastern-governments/", + "https://gsec.hitb.org/materials/sg2018/D1%20COMMSEC%20-%20In%20the%20Trails%20of%20WINDSHIFT%20APT%20-%20Taha%20Karim.pdf" + ] + }, + "uuid": "cbbbfc82-9294-11e9-8e19-2bc14137b25b", + "value": "WindShift" + }, + { + "description": "Over the last few weeks, several significant leaks regarding a number of Iranian APTs took place. After analyzing and investigating the documents we conclude that they are authentic. Consequently, this causes considerable harm to the groups and their operation. The identity of the actor behind the leak is currently unknown, however based on the scope and the quality of the exposed documents and information, it appears that they are professional and highly capable. This leak will likely hamstring the groups' operation in the near future. Accordingly, in our assessment this will minimize the risk of potential attacks in the next few months and possibly even year. 
Note -most of the leaks are posted on Telegram channels that were created specifically for this purpose.\n Below are the three main Telegram groups on which the leaks were posted: \nLab Dookhtegam pseudonym (\"The people whose lips are stitched and sealed\" –translation from Persian) –In this channel attack tools attributed to the group 'OilRig' were leaked; including a webshell that was inserted into the Technion, various tools that were used for DNS attacks, and more. \nGreen Leakers–In this channel attack tools attributed to the group 'MuddyWatter' were leaked. The group's name and its symbol are identified with the \"green movement\", which led the protests in Iran after the Presidential elections in 2009. These protests were heavily repressed by the revolutionary guards (IRGC) \nBlack Box–Unlike the previous two channels this has been around for a long time. On Friday May 5th, dozens of confidential documents labeled as \"secret\" (a high confidentiality level in Iran, one before the highest -top secret) were posted on this channel. The documents were related to Iranian attack groups' activity.", + "meta": { + "refs": [ + "https://www.clearskysec.com/wp-content/uploads/2019/05/Iranian-Nation-State-APT-Leak-Analysis-and-Overview.pdf" + ] + }, + "uuid": "f50a5f64-9296-11e9-9b46-a331d01a008d", + "value": "[Unnamed group]" + }, + { + "description": "DUNGEON SPIDER is a criminal group operating the ransomware most commonly known as Locky, which has been active since February 2016 and was last observed in late 2017. Locky is a ransomware tool that encrypts files using a combination of cryptographic algorithms: RSA with a key size of 2,048 bits, and AES with a key size of 128 bits. Locky targets a large number of file extensions and is able to encrypt data on shared network drives. 
In an attempt to further impact victims and prevent file recovery, Locky deletes all of the Shadow Volume Copies on the machine.\nDUNGEON SPIDER primarily relies on broad spam campaigns with malicious attachments for distribution. Locky is the community/industry name associated with this actor.", + "meta": { + "refs": [ + "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-october-dungeon-spider/" + ] + }, + "uuid": "f1da463c-9297-11e9-875a-d327fc8282f2", + "value": "Dungeon Spider" + }, + { + "description": "Throughout 2017 and 2018, Fxmsp established a network of trusted proxy resellers to promote their breaches on the criminal underground. Some of the known Fxmsp TTPs included accessing network environments via externally available remote desktop protocol (RDP) servers and exposed active directory.\nMost recently, the actor claimed to have developed a credential-stealing botnet capable of infecting high-profile targets in order to exfiltrate sensitive usernames and passwords. Fxmsp has claimed that developing this botnet and improving its capabilities for stealing information from secured systems is their main goal.", + "meta": { + "refs": [ + "https://www.advanced-intel.com/blog/top-tier-russian-hacking-collective-claims-breaches-of-three-major-anti-virus-companies" + ] + }, + "uuid": "686f4fe0-9298-11e9-b02a-af9595918956", + "value": "Fxmsp" + }, + { + "description": "The hacker said that he put up the data for sale mainly because these companies had failed to protect passwords with strong encryption algorithms like bcrypt.\nMost of the hashed passwords the hacker put up for sale today can cracked with various levels of difficulty --but they can be cracked.\n\"I got upset because I feel no one is learning,\" the hacker told ZDNet in an online chat earlier today. 
\"I just felt upset at this particular moment, because seeing this lack of security in 2019 is making me angry.\"\nIn a conversation with ZDNet last month, the hacker told us he wanted to hack and put up for sale more than one billion records and then retire and disappear with the money.\nBut in a conversation today, the hacker says this is not his target anymore, as he learned that other hackers have already achieved the same goal before him.\n Gnosticplayers also revealed that not all the data he obtained from hacked companies had been put up for sale. Some companies gave into extortion demands and paid fees so breaches would remain private.\n\"I came to an agreement with some companies, but the concerned startups won't see their data for sale,\" he said. \"I did it that's why I can't publish the rest of my databases or even name them.\"",
+ "meta": {
+ "refs": [
+ "https://www.zdnet.com/article/round-4-hacker-returns-and-puts-26mil-user-records-for-sale-on-the-dark-web/",
+ "https://www.theregister.co.uk/2019/02/11/620_million_hacked_accounts_dark_web/",
+ "https://www.zdnet.com/article/127-million-user-records-from-8-companies-put-up-for-sale-on-the-dark-web/",
+ "https://www.zdnet.com/article/hacker-puts-up-for-sale-third-round-of-hacked-databases-on-the-dark-web/",
+ "https://www.zdnet.com/article/a-hacker-has-dumped-nearly-one-billion-user-records-over-the-past-two-months/"
+ ]
+ },
+ "uuid": "f32e3682-9298-11e9-8dcb-639156d97cd1",
+ "value": "Gnosticplayers"
 }
 ],
- "version": 117
+ "version": 118
 }
From a984786c8b75f8c2053a04c09dc06d806e5b7487 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Thu, 20 Jun 2019 16:25:23 +0200
Subject: [PATCH 8/9] update threat actor galaxy
---
 clusters/threat-actor.json | 116 ++++++++++++++++++++++++++++++++-----
 1 file changed, 102 insertions(+), 14 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 84df172..cd7a485 100644
--- a/clusters/threat-actor.json
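Review bot: `"value": "[Unnamed group]"` gives the ClearSky leak entry a placeholder in the field every other entry uses as the actor's name, and the description itself says the identity of the actor behind the leak is unknown — so this cluster records an event (the Telegram leaks of OilRig and MuddyWater tooling) rather than a threat actor, and a bracketed generic value will collide with any future unnamed entry and correlate with nothing in MISP. Naming it after the leak channel the description centres on (usually rendered "Lab Dookhtegan"), or folding the ClearSky reference into the existing OilRig and MuddyWater clusters, would be more useful to consumers. The description also carries "MuddyWatter" and "Dookhtegam", which look like transcription errors from the report rather than intended spellings. The Gnosticplayers entry in the same hunk is a ZDNet interview excerpt quoted without attribution; a `(ZDNet)` prefix would tell readers whose "us" is speaking.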
+++ b/clusters/threat-actor.json
@@ -668,7 +668,8 @@
 "https://www.welivesecurity.com/2019/03/11/gaming-industry-scope-attackers-asia/",
 "https://securelist.com/winnti-more-than-just-a-game/37029/",
 "https://401trg.com/burning-umbrella/",
- "https://attack.mitre.org/groups/G0044/"
+ "https://attack.mitre.org/groups/G0044/",
+ "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-july-wicked-spider/"
 ],
 "synonyms": [
 "Winnti Group",
@@ -6737,7 +6738,17 @@
 "meta": {
 "refs": [
 "https://en.wikipedia.org/wiki/The_Shadow_Brokers",
- "https://securelist.com/darkpulsar/88199/"
+ "https://securelist.com/darkpulsar/88199/",
+ "https://musalbas.com/blog/2016/08/16/equation-group-firewall-operations-catalogue.html",
+ "https://www.vice.com/en_us/article/53djj3/shadow-brokers-whine-that-nobody-is-buying-their-hacked-nsa-files",
+ "https://www.scmagazineuk.com/second-shadow-brokers-dump-released/article/1476023",
+ "https://securelist.com/darkpulsar/88199/",
+ "https://www.cyberscoop.com/nsa-shadow-brokers-leaks-iran-russia-optimusprime-stoicsurgeon/",
+ "https://www.csoonline.com/article/3190055/new-nsa-leak-may-expose-its-bank-spying-windows-exploits.html",
+ "https://threatpost.com/shadowbrokers-dump-more-equation-group-hacks-auction-file-password/124882/",
+ "http://securityaffairs.co/wordpress/62770/hacking/shadowbrokers-return.html",
+ "https://www.hackread.com/nsa-data-dump-shadowbrokers-expose-unitedrake-malware/",
+ "https://blacklakesecurity.com/who-was-the-nsa-contractor-arrested-for-leaking-the-shadow-brokers-hacking-tools/"
 ],
 "synonyms": [
 "The ShadowBrokers",
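Review bot: `"https://securelist.com/darkpulsar/88199/"` appears twice in the Shadow Brokers refs after the `@@ -6737` hunk — on the `+` line that replaces the old entry and again as the fifth added URL; remove the second occurrence. The `@@ -668` hunk in this same commit still shows the duplicated `winnti-more-than-just-a-game/37029/` line as context, so both arrays can be deduplicated in one follow-up. Since these refs are pasted by hand, a uniqueness check on each refs array in the repository's JSON validation step would stop this class of slip at commit time.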
@@ -6774,7 +6785,7 @@ "value": "HookAds" }, { - "description": "INDRIK SPIDER is a sophisticated eCrime group that has been operating Dridex since June 2014. In 2015 and 2016, Dridex was one of the most prolific eCrime banking trojans on the market and, since 2014, those efforts are thought to have netted INDRIK SPIDER millions of dollars in criminal profits. Throughout its years of operation, Dridex has received multiple updates with new modules developed and new anti-analysis features added to the malware.", + "description": "INDRIK SPIDER is a sophisticated eCrime group that has been operating Dridex since June 2014. In 2015 and 2016, Dridex was one of the most prolific eCrime banking trojans on the market and, since 2014, those efforts are thought to have netted INDRIK SPIDER millions of dollars in criminal profits. Throughout its years of operation, Dridex has received multiple updates with new modules developed and new anti-analysis features added to the malware.\nIn August 2017, a new ransomware variant identified as BitPaymer was reported to have ransomed the U.K.’s National Health Service (NHS), with a high ransom demand of 53 BTC (approximately $200,000 USD). The targeting of an organization rather than individuals, and the high ransom demands, made BitPaymer stand out from other contemporary ransomware at the time. Though the encryption and ransom functionality of BitPaymer was not technically sophisticated, the malware contained multiple anti-analysis features that overlapped with Dridex. Later technical analysis of BitPaymer indicated that it had been developed by INDRIK SPIDER, suggesting the group had expanded its criminal operation to include ransomware as a monetization strategy.", "meta": { "refs": [ "https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/" 
@@ -6902,27 +6913,30 @@ "value": "TA505" }, { - "description": "GRIM SPIDER is a sophisticated eCrime group that has been operating the Ryuk ransomware since August 2018, targeting large organizations for a high-ransom return.", + "description": "GRIM SPIDER is a sophisticated eCrime group that has been operating the Ryuk ransomware since August 2018, targeting large organizations for a high-ransom return. This methodology, known as “big game hunting,” signals a shift in operations for WIZARD SPIDER, a criminal enterprise of which GRIM SPIDER appears to be a cell. The WIZARD SPIDER threat group, known as the Russia-based operator of the TrickBot banking malware, had focused primarily on wire fraud in the past.\nSimilar to Samas and BitPaymer, Ryuk is specifically used to target enterprise environments. Code comparison between versions of Ryuk and Hermes ransomware indicates that Ryuk was derived from the Hermes source code and has been under steady development since its release. Hermes is commodity ransomware that has been observed for sale on forums and used by multiple threat actors. However, Ryuk is only used by GRIM SPIDER and, unlike Hermes, Ryuk has only been used to target enterprise environments. 
Since Ryuk’s appearance in August, the threat actors operating it have netted over 705.80 BTC across 52 transactions for a total current value of $3,701,893.98 USD.\nGrim Spider is reportedly associated with Lunar Spider and Wizard Spider.", "meta": { "refs": [ - "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/" + "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/", + "https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html" ] }, "uuid": "3cf6dbb5-bf9e-47d4-a8d5-b6d76f5a791f", "value": "GRIM SPIDER" }, { - "description": "GRIM SPIDER is a sophisticated eCrime group that has been operating the Ryuk ransomware since August 2018, targeting large organizations for a high-ransom return. This methodology, known as “big game hunting,” signals a shift in operations for WIZARD SPIDER, a criminal enterprise of which GRIM SPIDER appears to be a cell. The WIZARD SPIDER threat group, known as the Russia-based operator of the TrickBot banking malware, had focused primarily on wire fraud in the past.", + "description": "Wizard Spider is reportedly associated with Grim Spider and Lunar Spider.\nThe WIZARD SPIDER threat group is the Russia-based operator of the TrickBot banking malware. This group represents a growing criminal enterprise of which GRIM SPIDER appears to be a subset. The LUNAR SPIDER threat group is the Eastern European-based operator and developer of the commodity banking malware called BokBot (aka IcedID), which was first observed in April 2017. The BokBot malware provides LUNAR SPIDER affiliates with a variety of capabilities to enable credential theft and wire fraud, through the use of webinjects and a malware distribution function.\nGRIM SPIDER is a sophisticated eCrime group that has been operating the Ryuk ransomware since August 2018, targeting large organizations for a high-ransom return. 
This methodology, known as “big game hunting,” signals a shift in operations for WIZARD SPIDER, a criminal enterprise of which GRIM SPIDER appears to be a cell. The WIZARD SPIDER threat group, known as the Russia-based operator of the TrickBot banking malware, had focused primarily on wire fraud in the past.", "meta": { "refs": [ - "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/" + "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/", + "https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/", + "https://www.crowdstrike.com/blog/wizard-spider-lunar-spider-shared-proxy-module/" ] }, "uuid": "bdf4fe4f-af8a-495f-a719-cf175cecda1f", "value": "WIZARD SPIDER" }, { - "description": "MUMMY SPIDER is a criminal entity linked to the core development of the malware most commonly known as Emotet or Geodo. First observed in mid-2014, this malware shared code with the Bugat (aka Feodo) banking Trojan. However, MUMMY SPIDER swiftly developed the malware’s capabilities to include an RSA key exchange for command and control (C2) communication and a modular architecture.", + "description": "MUMMY SPIDER is a criminal entity linked to the core development of the malware most commonly known as Emotet or Geodo. First observed in mid-2014, this malware shared code with the Bugat (aka Feodo) banking Trojan. However, MUMMY SPIDER swiftly developed the malware’s capabilities to include an RSA key exchange for command and control (C2) communication and a modular architecture.\nMUMMY SPIDER does not follow typical criminal behavioral patterns. 
In particular, MUMMY SPIDER usually conducts attacks for a few months before ceasing operations for a period of between three and 12 months, before returning with a new variant or version.\nAfter a 10 month hiatus, MUMMY SPIDER returned Emotet to operation in December 2016 but the latest variant is not deploying a banking Trojan module with web injects, it is currently acting as a ‘loader’ delivering other malware packages. The primary modules perform reconnaissance on victim machines, drop freeware tools for credential collection from web browsers and mail clients and a spam plugin for self-propagation. The malware is also issuing commands to download and execute other malware families such as the banking Trojans Dridex and Qakbot.\n MUMMY SPIDER advertised Emotet on underground forums until 2015, at which time it became private. Therefore, it is highly likely that Emotet is operate",
 "meta": {
 "refs": [
 "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/",
@@ -6930,7 +6944,8 @@
 "https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta542-banker-malware-distribution-service"
 ],
 "synonyms": [
- "TA542"
+ "TA542",
+ "Mummy Spider"
 ]
 },
 "uuid": "c93281be-f6cd-4cd0-a5a3-defde9d77d8b",
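Review bot: The new MUMMY SPIDER description ends mid-sentence — `…it is highly likely that Emotet is operate"` — so the pasted text was cut off; the sentence needs to be completed from the source or dropped before the closing quote. In the same `@@ -6902` hunk the WIZARD SPIDER description now re-embeds the entire GRIM SPIDER paragraph verbatim ("GRIM SPIDER is a sophisticated eCrime group … wire fraud in the past."), duplicating text the GRIM SPIDER entry already holds and creating two copies that will drift; the "Wizard Spider is reportedly associated with Grim Spider and Lunar Spider." sentence already expresses the relationship, so the copied paragraph can go. The MUMMY SPIDER refs also keep the Ryuk blog post as their first entry, which describes GRIM SPIDER rather than Emotet; worth checking it is intended. The GRIM SPIDER and WIZARD SPIDER entries begin outside this chunk.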
@@ -7023,10 +7038,11 @@
 "value": "Boss Spider"
 },
 {
- "description": "First observed in January 2018, GandCrab ransomware quickly began to proliferate and receive regular updates from its developer, PINCHY SPIDER, which over the course of the year established a RaaS operation with a dedicated set of affiliates.",
+ "description": "First observed in January 2018, GandCrab ransomware quickly began to proliferate and receive regular updates from its developer, PINCHY SPIDER, which over the course of the year established a RaaS operation with a dedicated set of affiliates.\nCrowdStrike Intelligence has recently observed PINCHY SPIDER affiliates deploying GandCrab ransomware in enterprise environments, using lateral movement techniques and tooling commonly associated with nation-state adversary groups and penetration testing teams. This change in tactics makes PINCHY SPIDER and its affiliates the latest eCrime adversaries to join the growing trend of targeted, low-volume/high-return ransomware deployments known as “big game hunting.”\n PINCHY SPIDER is the criminal group behind the development of the ransomware most commonly known as GandCrab, which has been active since January 2018. PINCHY SPIDER sells access to use GandCrab ransomware under a partnership program with a limited number of accounts. The program is operated with a 60-40 split in profits (60 percent to the customer), as is common among eCrime actors, but PINCHY SPIDER is also willing to negotiate up to a 70-30 split for “sophisticated” customers.",
 "meta": {
 "refs": [
- "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/"
+ "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/",
+ "https://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting/"
 ]
 },
 "uuid": "80f07c15-cad3-44a2-a8a4-dd14490b5117",
@@ -7113,10 +7129,12 @@
 "value": "Tiny Spider"
 },
 {
- "description": "According to CrowdStrike, this actor is using BokBok/IcedID, potentially buying distribution through Emotet infections.",
+ "description": "According to CrowdStrike, this actor is using BokBok/IcedID, potentially buying distribution through Emotet infections.\nOn March 17, 2019, CrowdStrike Intelligence observed the use of a new BokBot (developed and operated by LUNAR SPIDER) proxy module in conjunction with TrickBot (developed and operated by WIZARD SPIDER), which may provide WIZARD SPIDER with additional tools to steal sensitive information and conduct fraudulent wire transfers. This activity also provides further evidence to support the existence of a flourishing relationship between these two actors.\nLunar Spider is reportedly associated withGrim Spider and Wizard Spider.",
 "meta": {
 "refs": [
- "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/"
+ "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/",
+ "https://www.crowdstrike.com/blog/wizard-spider-lunar-spider-shared-proxy-module/",
+ "https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/"
 ]
 },
 "uuid": "0db4c708-f33d-4d46-906d-12fdf7415f62",
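Review bot: The rewritten description ends with `associated withGrim Spider` — the space before "Grim" is missing; change it to `associated with Grim Spider`. The same `+` line keeps the pre-existing `BokBok/IcedID` while the newly added sentence correctly writes `BokBot`, so since the string is being rewritten anyway the first occurrence should become `BokBot/IcedID` to avoid two spellings of the malware name in one entry.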
@@ -7517,7 +7535,77 @@ }, "uuid": "f32e3682-9298-11e9-8dcb-639156d97cd1", "value": "Gnosticplayers" + }, + { + "description": "The many 0-days that had been collected by Hacking Team and which became publicly available during the breach of their organization in 2015, have been used by several APT groups since.\nSince being founded in 2003, the Italian spyware vendor Hacking Team gained notoriety for selling surveillance tools to governments and their agencies across the world.\nThe capabilities of its flagship product, the Remote Control System (RCS), include extracting files from a targeted device, intercepting emails and instant messaging, as well as remotely activating a device’s webcam and microphone. The company has been criticized for selling these capabilities to authoritarian governments – an allegation it has consistently denied.\nWhen the tables turned in July 2015, with Hacking Team itself suffering a damaging hack, the reported use of RCS by oppressive regimes was confirmed. With 400GB of internal data – including the once-secret list of customers, internal communications, and spyware source code – leaked online, Hacking Team was forced to request its customers to suspend all use of RCS, and was left facing an uncertain future.\nFollowing the hack, the security community has been keeping a close eye on the company’s efforts to get back on its feet. The first reports suggesting Hacking Team’s resumed operations came six months later – a new sample of Hacking Team’s Mac spyware was apparently in the wild. A year after the breach, an investment by a company named Tablem Limited brought changes to Hacking Team’s shareholder structure, with Tablem Limited taking 20% of Hacking Team’s shareholding. 
Tablem Limited is officially based in Cyprus; however, recent news suggests it has ties to Saudi Arabia.", + "meta": { + "refs": [ + "https://www.welivesecurity.com/2018/03/09/new-traces-hacking-team-wild/", + "https://en.wikipedia.org/wiki/Hacking_Team", + "https://www.vice.com/en_us/article/gvye3m/spy-tech-company-hacking-team-gets-hacked" + ] + }, + "uuid": "d7f0d2a8-9329-11e9-851e-dbfc1c517e4e", + "value": "Hacking Team" + }, + { + "description": "OurMine is known for celebrity internet accounts, often causing cyber vandalism, to advertise their commercial services.\n(Trend Micro) In light of the recent report detailing its willingness to pay US$250,000 in exchange for the 1.5 terabytes’ worth of data swiped by hackers from its servers, HBO finds itself dealing with yet another security breach.\nKnown for hijacking prominent social media accounts, the self-styled white hat hacking group OurMine took over a number of verified Twitter and Facebook accounts belonging to the cable network. These include accounts for HBO shows, such as “Game of Thrones,” “Girls,” and “Ballers.”\nThis is not the first time that OurMine has claimed responsibility for hacking high- profile social networking accounts. Last year, the group victimized Marvel, The New York Times, and even the heads of some of the biggest technology companies in the world. 
Mark Zuckerberg, Jack Dorsey, Sundar Pichai, and Daniel Ek — the CEOs of Facebook, Twitter, Google and Spotify, respectively — have also fallen victim to the hackers, dispelling the notion that a career in software and technology exempts one from being compromised.", + "meta": { + "refs": [ + "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/hbo-twitter-and-facebook-accounts-hacked-by-ourmine", + "https://gizmodo.com/welp-vevo-just-got-hacked-1813390834", + "https://www.grahamcluley.com/despite-appearances-wikileaks-wasnt-hacked/", + "https://en.wikipedia.org/wiki/OurMine" + ] + }, + "uuid": "2c9e1964-9357-11e9-ad8f-5f422851e912", + "value": "OurMine" + }, + { + "description": "Antd is a miner found in the wild on September 18, 2018. Recently we discovered that the authors from Antd are actively delivering newer campaigns deploying a broad number of components, most of them completely undetected and operating within compromised third party Linux servers. Furthermore, we have observed that some of the techniques implemented by this group are unconventional, and there is an element of sophistication to them. We believe the authors behind this malware are from Chinese origin. We have labeled the undetected Linux.Antd variants, Linux.GreedyAntd and classified the threat actor as Pacha Group.", + "meta": { + "refs": [ + "https://www.intezer.com/blog-technical-analysis-pacha-group/", + "https://www.intezer.com/blog-technical-analysis-cryptocurrency-mining-war-on-the-cloud/" + ] + }, + "uuid": "aa469d96-9357-11e9-bd7d-df125c7cba53", + "value": "Pacha Group" + }, + { + "description": "This threat actor initially came to our attention in April 2018, leveraging both Western and Chinese Git repositories to deliver malware to honeypot systems vulnerable to an Apache Struts vulnerability.\nIn late July, we became aware that the same actor was engaged in another similar campaign. 
Through our investigation into this new campaign, we were able to uncover more details about the actor.", + "meta": { + "refs": [ + "https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html", + "https://unit42.paloaltonetworks.com/malware-used-by-rocke-group-evolves-to-evade-detection-by-cloud-security-products/", + "https://www.intezer.com/blog-technical-analysis-cryptocurrency-mining-war-on-the-cloud/" + ] + }, + "uuid": "53583c40-935e-11e9-b4fc-d7e217a306d2", + "value": "Rocke" + }, + { + "description": "An unnamed source leaked almost 10,000 documents describing a large number of 0-day vulnerabilities, methodologies and tools that had been collected by the CIA. This leaking was done through WikiLeaks, since March 2017. In weekly publications, the dumps were said to come from Vault 7 and later Vault 8, until his arrest in 2018.\nMost of the published vulnerabilities have since been fixed by the respective vendors, by many have been used by other threat actors. This actor turned out to be a former CIA software engineer.\n(WikiLeaks) Today, Tuesday 7 March 2017, WikiLeaks begins its new series of leaks on the U.S. Central Intelligence Agency. Code-named \"Vault 7\" by WikiLeaks, it is the largest ever publication of confidential documents on the agency.\nThe first full part of the series, \"Year Zero\", comprises 8,761 documents and files from an isolated, high-security network situated inside the CIA's Center for Cyber Intelligence in Langley, Virgina. It follows an introductory disclosure last month of CIA targeting French political parties and candidates in the lead up to the 2012 presidential election.\nRecently, the CIA lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized \"zero day\" exploits, malware remote control systems and associated documentation. 
This extraordinary collection, which amounts to more than several hundred million lines of code, gives its possessor the entire hacking capacity of the CIA. The archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.\n\"Year Zero\" introduces the scope and direction of the CIA's global covert hacking program, its malware arsenal and dozens of \"zero day\" weaponized exploits against a wide range of U.S. and European company products, include Apple's iPhone, Google's Android and Microsoft's Windows and even Samsung TVs, which are turned into covert microphones.", + "meta": { + "refs": [ + "https://wikileaks.org/ciav7p1/", + "https://www.justice.gov/opa/pr/joshua-adam-schulte-charged-unauthorized-disclosure-classified-information-and-other-offenses" + ] + }, + "uuid": "9f133738-935f-11e9-aa5e-bbf8d91abb46", + "value": "[Vault 7/8]" + }, + { + "description": "CrowdStrike Intelligence has recently observed PINCHY SPIDER affiliates deploying GandCrab ransomware in enterprise environments, using lateral movement techniques and tooling commonly associated with nation-state adversary groups and penetration testing teams. This change in tactics makes PINCHY SPIDER and its affiliates the latest eCrime adversaries to join the growing trend of targeted, low-volume/high-return ransomware deployments known as “big game hunting.”\nPINCHY SPIDER is the criminal group behind the development of the ransomware most commonly known as GandCrab, which has been active since January 2018. PINCHY SPIDER sells access to use GandCrab ransomware under a partnership program with a limited number of accounts. 
The program is operated with a 60-40 split in profits (60 percent to the customer), as is common among eCrime actors, but PINCHY SPIDER is also willing to negotiate up to a 70-30 split for “sophisticated” customers.", + "meta": { + "refs": [ + "https://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting/", + "https://www.justice.gov/opa/pr/justice-department-announces-actions-dismantle-kelihos-botnet-0" + ] + }, + "uuid": "e01b8f3a-9366-11e9-9c6f-17ba128aa4b6", + "value": "Zombie Spider" } ], - "version": 118 + "version": 119 } From 30f042211b32d80380d357771ea38e9359180f82 Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Thu, 20 Jun 2019 16:35:49 +0200 Subject: [PATCH 9/9] fix duplicate --- clusters/threat-actor.json | 36 +++++++++++++++++------------------- 1 file changed, 17 insertions(+), 19 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index cd7a485..78d1c2f 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -665,8 +665,7 @@ "https://www.bleepingcomputer.com/news/security/teamviewer-confirms-undisclosed-breach-from-2016/", "https://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/", "https://www.dw.com/en/bayer-points-finger-at-wicked-panda-in-cyberattack/a-48196004", - "https://www.welivesecurity.com/2019/03/11/gaming-industry-scope-attackers-asia/", - "https://securelist.com/winnti-more-than-just-a-game/37029/", + "https://www.welivesecurity.com/2019/03/11/gaming-industry-scope-attackers-asia/",, "https://401trg.com/burning-umbrella/", "https://attack.mitre.org/groups/G0044/", "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-july-wicked-spider/" 
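Review bot: The value `[Vault 7/8]` for the new leak entry is wrapped in square brackets, unlike every other value added in this hunk (`Hacking Team`, `OurMine`, `Pacha Group`, `Rocke`, `Zombie Spider`), and the brackets will presumably end up in any tag or label derived from the value; a plain `Vault 7/8` as the value, with the bracketed form kept under `synonyms` if it is wanted, would be consistent. The same description has two wording slips: `by many have been used by other threat actors` should be `but many have been used by other threat actors`, and `until his arrest in 2018` has no antecedent at that point, since the leaker is only identified as a former CIA engineer in the following sentence. The Pacha Group description asserts a Chinese origin, yet its `meta` carries no `country` key, which the Turla entry later in this patch does use (`"country": "RU"`); if that attribution is meant to be recorded, `"country": "CN"` would express it in the cluster's existing field rather than only in prose.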
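Review bot: The only new line in this hunk ends with a doubled comma, `"https://www.welivesecurity.com/2019/03/11/gaming-industry-scope-attackers-asia/",,`, which makes the whole file unparseable as JSON; it should be `"https://www.welivesecurity.com/2019/03/11/gaming-industry-scope-attackers-asia/",`. A plain validity check such as `jq . clusters/threat-actor.json` or `python -m json.tool clusters/threat-actor.json` would catch this and is worth running on every commit of this series, since a consumer that loads the galaxy will fail outright rather than lose one reference. The enclosing `refs` array starts and ends outside the hunk, so whether the removed securelist Winnti URL was indeed duplicated elsewhere in it cannot be confirmed from here.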
@@ -2530,29 +2529,28 @@
 "cfr-type-of-incident": "Espionage",
 "country": "RU",
 "refs": [
- "https://www.first.org/resources/papers/tbilisi2014/turla-operations_and_development.pdf",
 "https://www.circl.lu/pub/tr-25/",
- "https://www.theguardian.com/technology/2014/aug/07/turla-hackers-spying-governments-researcher-kaspersky-symantec",
- "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf",
- "https://securelist.com/analysis/publications/65545/the-epic-turla-operation/",
- "https://securelist.com/blog/research/72081/satellite-turla-apt-command-and-control-in-the-sky/",
- "https://securelist.com/blog/research/67962/the-penquin-turla-2/",
- "https://www2.fireeye.com/rs/848-DID-242/images/rpt-witchcoven.pdf",
- "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/",
- "https://www.cfr.org/interactive/cyber-operations/turla",
- "https://www.bleepingcomputer.com/news/security/turla-outlook-backdoor-uses-clever-tactics-for-stealth-and-persistence/",
- "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/",
- "http://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf",
- "https://www.kaspersky.com/blog/moonlight-maze-the-lessons/6713/",
- "https://www.nytimes.com/2010/08/26/technology/26cyber.html",
- "https://yle.fi/uutiset/osasto/news/russian_group_behind_2013_foreign_ministry_hack/8591548",
+ "https://securelist.com/introducing-whitebear/81638/",
 "https://securelist.com/the-epic-turla-operation/65545/",
- "https://www.melani.admin.ch/melani/en/home/dokumentation/reports/technical-reports/technical-report_apt_case_ruag.html",
+ "https://www.cfr.org/interactive/cyber-operations/turla",
+ "https://www.nytimes.com/2010/08/26/technology/26cyber.html",
+ "https://securelist.com/blog/research/67962/the-penquin-turla-2/",
+ "https://www.kaspersky.com/blog/moonlight-maze-the-lessons/6713/",
+ "https://www2.fireeye.com/rs/848-DID-242/images/rpt-witchcoven.pdf",
+ "https://securelist.com/analysis/publications/65545/the-epic-turla-operation/",
 "https://threatpost.com/linux-modules-connected-to-turla-apt-discovered/109765/",
 "https://securelist.com/satellite-turla-apt-command-and-control-in-the-sky/72081/",
 "https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/",
- "https://securelist.com/introducing-whitebear/81638/",
+ "https://www.first.org/resources/papers/tbilisi2014/turla-operations_and_development.pdf",
+ "https://yle.fi/uutiset/osasto/news/russian_group_behind_2013_foreign_ministry_hack/8591548",
 "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/",
+ "https://securelist.com/blog/research/72081/satellite-turla-apt-command-and-control-in-the-sky/",
+ "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/",
+ "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf",
+ "https://www.theguardian.com/technology/2014/aug/07/turla-hackers-spying-governments-researcher-kaspersky-symantec",
+ "https://www.bleepingcomputer.com/news/security/turla-outlook-backdoor-uses-clever-tactics-for-stealth-and-persistence/",
+ "http://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf",
+ "https://www.melani.admin.ch/melani/en/home/dokumentation/reports/technical-reports/technical-report_apt_case_ruag.html",
 "https://unit42.paloaltonetworks.com/unit42-kazuar-multiplatform-espionage-backdoor-api-access/",
 "https://www.engadget.com/2017/06/07/russian-malware-hidden-britney-spears-instagram/",
 "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf",
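Review bot: The Turla `refs` rewrite removes one real duplicate (the carbon-paper URL appears both as a removed line and as unchanged context) and moves the whitebear URL, but it does so by deleting and re-adding sixteen otherwise unchanged URLs in a new order, which buries the actual fix in the diff; deleting the duplicated line in place would have been a one-line change and far easier to verify. The new side also still holds what appear to be two pairs of the same securelist article under its old and new URL schemes — `/analysis/publications/65545/the-epic-turla-operation/` beside `/the-epic-turla-operation/65545/`, and `/blog/research/72081/satellite-turla-apt-command-and-control-in-the-sky/` beside `/satellite-turla-apt-command-and-control-in-the-sky/72081/` — so if the commit's goal is deduplication, one of each pair should probably go as well. Array order carries no meaning in this file as far as the page shows, so a stable (for example alphabetical) order adopted once would keep later dedupe commits minimal.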