From ece56dff38ac6b8085a030193bd7caade451816d Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy <a@foo.be>
Date: Thu, 2 Aug 2018 15:08:39 +0200
Subject: [PATCH] chg: [threat-actor] leafminer - RASPITE added

---
 clusters/threat-actor.json | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 32f1dac..6e56d7d 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -2687,6 +2687,20 @@
       },
       "uuid": "feac86e4-6bb2-4ba0-ac99-806aeb0a776c"
     },
+    {
+      "value": "RASPITE",
+      "description": "Dragos has identified a new activity group targeting access operations in the electric utility sector. We call this activity group RASPITE.  Analysis of RASPITE tactics, techniques, and procedures (TTPs) indicate the group has been active in some form since early- to mid-2017. RASPITE targeting includes entities in the US, Middle East, Europe, and East Asia. Operations against electric utility organizations appear limited to the US at this time.  RASPITE leverages strategic website compromise to gain initial access to target networks. RASPITE uses the same methodology as DYMALLOY and ALLANITE in embedding a link to a resource to prompt an SMB connection, from which it harvests Windows credentials. The group then deploys install scripts for a malicious service to beacon back to RASPITE-controlled infrastructure, allowing the adversary to remotely access the victim machine.",
+      "uuid": "2c8994ba-367c-46f6-bfb0-390c8760dd9e",
+      "meta": {
+        "synonyms": "LeafMiner",
+        "since": "2017",
+        "victimology": "Electric utility sector",
+        "refs": [
+          "https://dragos.com/blog/20180802Raspite.html",
+          "https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east"
+        ]
+      }
+    },
     {
       "meta": {
         "refs": [
@@ -3764,5 +3778,5 @@
   ],
   "description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign.",
   "uuid": "7cdff317-a673-4474-84ec-4f1754947823",
-  "version": 47
+  "version": 48
 }