Merged (most) SecureWorks threat actor profiles && jq
This commit is contained in:
parent
dee9a56460
commit
fbfe9d23c3
1 changed files with 217 additions and 77 deletions
|
@ -336,7 +336,8 @@
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html",
|
"https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html",
|
||||||
"https://web.archive.org/web/20160910124439/http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong",
|
"https://web.archive.org/web/20160910124439/http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong",
|
||||||
"https://www.cfr.org/interactive/cyber-operations/apt-3"
|
"https://www.cfr.org/interactive/cyber-operations/apt-3",
|
||||||
|
"https://www.secureworks.com/research/threat-profiles/bronze-mayfair"
|
||||||
],
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"Gothic Panda",
|
"Gothic Panda",
|
||||||
|
@ -347,7 +348,8 @@
|
||||||
"APT3",
|
"APT3",
|
||||||
"Buckeye",
|
"Buckeye",
|
||||||
"Boyusec",
|
"Boyusec",
|
||||||
"BORON"
|
"BORON",
|
||||||
|
"BRONZE MAYFAIR"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"related": [
|
"related": [
|
||||||
|
@ -388,7 +390,8 @@
|
||||||
"https://labs.bitdefender.com/wp-content/uploads/downloads/inexsmar-an-unusual-darkhotel-campaign/",
|
"https://labs.bitdefender.com/wp-content/uploads/downloads/inexsmar-an-unusual-darkhotel-campaign/",
|
||||||
"https://www.cfr.org/interactive/cyber-operations/darkhotel",
|
"https://www.cfr.org/interactive/cyber-operations/darkhotel",
|
||||||
"https://www.securityweek.com/darkhotel-apt-uses-new-methods-target-politicians",
|
"https://www.securityweek.com/darkhotel-apt-uses-new-methods-target-politicians",
|
||||||
"https://attack.mitre.org/groups/G0012/"
|
"https://attack.mitre.org/groups/G0012/",
|
||||||
|
"http://www.secureworks.com/research/threat-profiles/tungsten-bridge"
|
||||||
],
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"DUBNIUM",
|
"DUBNIUM",
|
||||||
|
@ -401,7 +404,8 @@
|
||||||
"Pioneer",
|
"Pioneer",
|
||||||
"Shadow Crane",
|
"Shadow Crane",
|
||||||
"APT-C-06",
|
"APT-C-06",
|
||||||
"SIG25"
|
"SIG25",
|
||||||
|
"TUNGSTEN BRIDGE"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"related": [
|
"related": [
|
||||||
|
@ -434,7 +438,8 @@
|
||||||
"refs": [
|
"refs": [
|
||||||
"http://www.crowdstrike.com/blog/whois-numbered-panda/",
|
"http://www.crowdstrike.com/blog/whois-numbered-panda/",
|
||||||
"https://www.cfr.org/interactive/cyber-operations/apt-12",
|
"https://www.cfr.org/interactive/cyber-operations/apt-12",
|
||||||
"https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html"
|
"https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html",
|
||||||
|
"https://www.secureworks.com/research/threat-profiles/bronze-globe"
|
||||||
],
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"Numbered Panda",
|
"Numbered Panda",
|
||||||
|
@ -446,7 +451,8 @@
|
||||||
"DNSCalc",
|
"DNSCalc",
|
||||||
"Crimson Iron",
|
"Crimson Iron",
|
||||||
"APT12",
|
"APT12",
|
||||||
"APT 12"
|
"APT 12",
|
||||||
|
"BRONZE GLOBE"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"related": [
|
"related": [
|
||||||
|
@ -509,7 +515,8 @@
|
||||||
"https://www.carbonblack.com/2013/02/08/bit9-and-our-customers-security/",
|
"https://www.carbonblack.com/2013/02/08/bit9-and-our-customers-security/",
|
||||||
"https://web.archive.org/web/20141016080249/http://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware",
|
"https://web.archive.org/web/20141016080249/http://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware",
|
||||||
"https://web.archive.org/web/20130920000343/https://www.symantec.com/connect/blogs/hidden-lynx-professional-hackers-hire",
|
"https://web.archive.org/web/20130920000343/https://www.symantec.com/connect/blogs/hidden-lynx-professional-hackers-hire",
|
||||||
"https://www.recordedfuture.com/hidden-lynx-analysis/"
|
"https://www.recordedfuture.com/hidden-lynx-analysis/",
|
||||||
|
"https://www.secureworks.com/research/threat-profiles/bronze-keystone"
|
||||||
],
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"APT 17",
|
"APT 17",
|
||||||
|
@ -518,7 +525,8 @@
|
||||||
"APT17",
|
"APT17",
|
||||||
"Hidden Lynx",
|
"Hidden Lynx",
|
||||||
"Tailgater Team",
|
"Tailgater Team",
|
||||||
"Dogfish"
|
"Dogfish",
|
||||||
|
"BRONZE KEYSTONE"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"related": [
|
"related": [
|
||||||
|
@ -648,7 +656,9 @@
|
||||||
"https://www.welivesecurity.com/2019/03/11/gaming-industry-scope-attackers-asia/",
|
"https://www.welivesecurity.com/2019/03/11/gaming-industry-scope-attackers-asia/",
|
||||||
"https://401trg.com/burning-umbrella/",
|
"https://401trg.com/burning-umbrella/",
|
||||||
"https://attack.mitre.org/groups/G0044/",
|
"https://attack.mitre.org/groups/G0044/",
|
||||||
"https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-july-wicked-spider/"
|
"https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-july-wicked-spider/",
|
||||||
|
"https://www.secureworks.com/research/threat-profiles/bronze-atlas",
|
||||||
|
"https://www.secureworks.com/research/threat-profiles/bronze-export"
|
||||||
],
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"Winnti Umbrella",
|
"Winnti Umbrella",
|
||||||
|
@ -670,7 +680,9 @@
|
||||||
"Dogfish",
|
"Dogfish",
|
||||||
"Deputy Dog",
|
"Deputy Dog",
|
||||||
"Wicked Panda",
|
"Wicked Panda",
|
||||||
"Barium"
|
"Barium",
|
||||||
|
"BRONZE ATLAS",
|
||||||
|
"BRONZE EXPORT"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"related": [
|
"related": [
|
||||||
|
@ -741,7 +753,8 @@
|
||||||
"https://gizmodo.com/u-s-indicts-chinese-hacker-spies-in-conspiracy-to-stea-1830111695",
|
"https://gizmodo.com/u-s-indicts-chinese-hacker-spies-in-conspiracy-to-stea-1830111695",
|
||||||
"https://www.cyberscoop.com/anthem-breach-indictment-chinese-national/",
|
"https://www.cyberscoop.com/anthem-breach-indictment-chinese-national/",
|
||||||
"https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/black-vine-cyberespionage-group-15-en.pdf",
|
"https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/black-vine-cyberespionage-group-15-en.pdf",
|
||||||
"https://attack.mitre.org/groups/G0009/"
|
"https://attack.mitre.org/groups/G0009/",
|
||||||
|
"https://www.secureworks.com/research/threat-profiles/bronze-firestone"
|
||||||
],
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"Deep Panda",
|
"Deep Panda",
|
||||||
|
@ -751,7 +764,8 @@
|
||||||
"Black Vine",
|
"Black Vine",
|
||||||
"Group 13",
|
"Group 13",
|
||||||
"PinkPanther",
|
"PinkPanther",
|
||||||
"Sh3llCr3w"
|
"Sh3llCr3w",
|
||||||
|
"BRONZE FIRESTONE"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"related": [
|
"related": [
|
||||||
|
@ -815,7 +829,8 @@
|
||||||
"https://blog.trendmicro.com/trendlabs-security-intelligence/bkdr_rarstone-new-rat-to-watch-out-for/",
|
"https://blog.trendmicro.com/trendlabs-security-intelligence/bkdr_rarstone-new-rat-to-watch-out-for/",
|
||||||
"https://securelist.com/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back/69567/",
|
"https://securelist.com/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back/69567/",
|
||||||
"https://threatconnect.com/blog/tag/naikon/",
|
"https://threatconnect.com/blog/tag/naikon/",
|
||||||
"https://attack.mitre.org/groups/G0019/"
|
"https://attack.mitre.org/groups/G0019/",
|
||||||
|
"https://www.secureworks.com/research/threat-profiles/bronze-geneva"
|
||||||
],
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"PLA Unit 78020",
|
"PLA Unit 78020",
|
||||||
|
@ -825,7 +840,8 @@
|
||||||
"Camerashy",
|
"Camerashy",
|
||||||
"APT.Naikon",
|
"APT.Naikon",
|
||||||
"Lotus Panda",
|
"Lotus Panda",
|
||||||
"Hellsing"
|
"Hellsing",
|
||||||
|
"BRONZE GENEVA"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"related": [
|
"related": [
|
||||||
|
@ -889,13 +905,15 @@
|
||||||
"https://unit42.paloaltonetworks.com/attack-on-french-diplomat-linked-to-operation-lotus-blossom/",
|
"https://unit42.paloaltonetworks.com/attack-on-french-diplomat-linked-to-operation-lotus-blossom/",
|
||||||
"https://community.rsa.com/community/products/netwitness/blog/2018/02/13/lotus-blossom-continues-asean-targeting",
|
"https://community.rsa.com/community/products/netwitness/blog/2018/02/13/lotus-blossom-continues-asean-targeting",
|
||||||
"https://www.accenture.com/t20180127T003755Z_w_/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf",
|
"https://www.accenture.com/t20180127T003755Z_w_/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf",
|
||||||
"https://attack.mitre.org/groups/G0030/"
|
"https://attack.mitre.org/groups/G0030/",
|
||||||
|
"https://www.secureworks.com/research/threat-profiles/bronze-elgin"
|
||||||
],
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"Spring Dragon",
|
"Spring Dragon",
|
||||||
"ST Group",
|
"ST Group",
|
||||||
"Esile",
|
"Esile",
|
||||||
"DRAGONFISH"
|
"DRAGONFISH",
|
||||||
|
"BRONZE ELGIN"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"related": [
|
"related": [
|
||||||
|
@ -1111,7 +1129,8 @@
|
||||||
"https://www.us-cert.gov/sites/default/files/publications/IR-ALERT-MED-17-093-01C-Intrusions_Affecting_Multiple_Victims_Across_Multiple_Sectors.pdf",
|
"https://www.us-cert.gov/sites/default/files/publications/IR-ALERT-MED-17-093-01C-Intrusions_Affecting_Multiple_Victims_Across_Multiple_Sectors.pdf",
|
||||||
"https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html",
|
"https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html",
|
||||||
"https://www.fbi.gov/news/stories/chinese-hackers-indicted-122018",
|
"https://www.fbi.gov/news/stories/chinese-hackers-indicted-122018",
|
||||||
"https://attack.mitre.org/groups/G0045/"
|
"https://attack.mitre.org/groups/G0045/",
|
||||||
|
"http://www.secureworks.com/research/threat-profiles/bronze-riverside"
|
||||||
],
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"APT10",
|
"APT10",
|
||||||
|
@ -1126,7 +1145,8 @@
|
||||||
"Red Apollo",
|
"Red Apollo",
|
||||||
"CVNX",
|
"CVNX",
|
||||||
"HOGFISH",
|
"HOGFISH",
|
||||||
"Cloud Hopper"
|
"Cloud Hopper",
|
||||||
|
"BRONZE RIVERSIDE"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"related": [
|
"related": [
|
||||||
|
@ -1242,7 +1262,8 @@
|
||||||
"https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/",
|
"https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/",
|
||||||
"https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/",
|
"https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/",
|
||||||
"https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/",
|
"https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/",
|
||||||
"https://attack.mitre.org/groups/G0004/"
|
"https://attack.mitre.org/groups/G0004/",
|
||||||
|
"http://www.secureworks.com/research/threat-profiles/bronze-palace"
|
||||||
],
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"Vixen Panda",
|
"Vixen Panda",
|
||||||
|
@ -1254,7 +1275,8 @@
|
||||||
"Metushy",
|
"Metushy",
|
||||||
"Lurid",
|
"Lurid",
|
||||||
"Social Network Team",
|
"Social Network Team",
|
||||||
"Royal APT"
|
"Royal APT",
|
||||||
|
"BRONZE PALACE"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"uuid": "3501fbf2-098f-47e7-be6a-6b0ff5742ce8",
|
"uuid": "3501fbf2-098f-47e7-be6a-6b0ff5742ce8",
|
||||||
|
@ -1441,7 +1463,12 @@
|
||||||
"meta": {
|
"meta": {
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://unit42.paloaltonetworks.com/bbsrat-attacks-targeting-russian-organizations-linked-to-roaming-tiger/",
|
"https://unit42.paloaltonetworks.com/bbsrat-attacks-targeting-russian-organizations-linked-to-roaming-tiger/",
|
||||||
"http://2014.zeronights.org/assets/files/slides/roaming_tiger_zeronights_2014.pdf"
|
"http://2014.zeronights.org/assets/files/slides/roaming_tiger_zeronights_2014.pdf",
|
||||||
|
"http://www.secureworks.com/research/threat-profiles/bronze-woodland"
|
||||||
|
],
|
||||||
|
"synonyms": [
|
||||||
|
"BRONZE WOODLAND",
|
||||||
|
"Rotten Tomato"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"uuid": "1fb177c1-472a-4147-b7c4-b5269b11703d",
|
"uuid": "1fb177c1-472a-4147-b7c4-b5269b11703d",
|
||||||
|
@ -1532,13 +1559,15 @@
|
||||||
"country": "CN",
|
"country": "CN",
|
||||||
"refs": [
|
"refs": [
|
||||||
"http://www.crowdstrike.com/blog/whois-samurai-panda/",
|
"http://www.crowdstrike.com/blog/whois-samurai-panda/",
|
||||||
"https://www.cfr.org/interactive/cyber-operations/sykipot"
|
"https://www.cfr.org/interactive/cyber-operations/sykipot",
|
||||||
|
"https://www.secureworks.com/research/threat-profiles/bronze-edison"
|
||||||
],
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"PLA Navy",
|
"PLA Navy",
|
||||||
"APT4",
|
"APT4",
|
||||||
"APT 4",
|
"APT 4",
|
||||||
"Wisp Team"
|
"Wisp Team",
|
||||||
|
"BRONZE EDISON"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"related": [
|
"related": [
|
||||||
|
@ -1662,14 +1691,16 @@
|
||||||
"https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/",
|
"https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/",
|
||||||
"https://unit42.paloaltonetworks.com/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/",
|
"https://unit42.paloaltonetworks.com/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/",
|
||||||
"https://blog.lookout.com/titan-mobile-threat",
|
"https://blog.lookout.com/titan-mobile-threat",
|
||||||
"https://attack.mitre.org/groups/G0081/"
|
"https://attack.mitre.org/groups/G0081/",
|
||||||
|
"https://www.secureworks.com/research/threat-profiles/bronze-hobart"
|
||||||
],
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"APT23",
|
"APT23",
|
||||||
"APT 23",
|
"APT 23",
|
||||||
"KeyBoy",
|
"KeyBoy",
|
||||||
"TropicTrooper",
|
"TropicTrooper",
|
||||||
"Tropic Trooper"
|
"Tropic Trooper",
|
||||||
|
"BRONZE HOBART"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"uuid": "7f16d1f5-04ee-4d99-abf0-87e1f23f9fee",
|
"uuid": "7f16d1f5-04ee-4d99-abf0-87e1f23f9fee",
|
||||||
|
@ -1984,14 +2015,16 @@
|
||||||
"https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html",
|
"https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html",
|
||||||
"https://blog.trendmicro.com/trendlabs-security-intelligence/more-than-a-dozen-obfuscated-apt33-botnets-used-for-extreme-narrow-targeting/",
|
"https://blog.trendmicro.com/trendlabs-security-intelligence/more-than-a-dozen-obfuscated-apt33-botnets-used-for-extreme-narrow-targeting/",
|
||||||
"https://www.brighttalk.com/webcast/10703/275683",
|
"https://www.brighttalk.com/webcast/10703/275683",
|
||||||
"https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage"
|
"https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage",
|
||||||
|
"http://www.secureworks.com/research/threat-profiles/cobalt-trinity"
|
||||||
],
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"APT 33",
|
"APT 33",
|
||||||
"Elfin",
|
"Elfin",
|
||||||
"MAGNALLIUM",
|
"MAGNALLIUM",
|
||||||
"Refined Kitten",
|
"Refined Kitten",
|
||||||
"HOLMIUM"
|
"HOLMIUM",
|
||||||
|
"COBALT TRINITY"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"related": [
|
"related": [
|
||||||
|
@ -2474,7 +2507,8 @@
|
||||||
"https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html",
|
"https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html",
|
||||||
"https://www.cfr.org/interactive/cyber-operations/dukes",
|
"https://www.cfr.org/interactive/cyber-operations/dukes",
|
||||||
"https://pylos.co/2018/11/18/cozybear-in-from-the-cold/",
|
"https://pylos.co/2018/11/18/cozybear-in-from-the-cold/",
|
||||||
"https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/"
|
"https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/",
|
||||||
|
"http://www.secureworks.com/research/threat-profiles/iron-hemlock"
|
||||||
],
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"Dukes",
|
"Dukes",
|
||||||
|
@ -2566,7 +2600,8 @@
|
||||||
"https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf",
|
"https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf",
|
||||||
"https://www.trendmicro.com/vinfo/vn/security/news/cyber-attacks/cyberespionage-group-turla-deploys-backdoor-ahead-of-g20-summit",
|
"https://www.trendmicro.com/vinfo/vn/security/news/cyber-attacks/cyberespionage-group-turla-deploys-backdoor-ahead-of-g20-summit",
|
||||||
"https://www.zdnet.com/article/this-hacking-gang-just-updated-the-malware-it-uses-against-uk-targets/",
|
"https://www.zdnet.com/article/this-hacking-gang-just-updated-the-malware-it-uses-against-uk-targets/",
|
||||||
"https://attack.mitre.org/groups/G0010/"
|
"https://attack.mitre.org/groups/G0010/",
|
||||||
|
"http://www.secureworks.com/research/threat-profiles/iron-hunter"
|
||||||
],
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"Turla",
|
"Turla",
|
||||||
|
@ -2820,12 +2855,14 @@
|
||||||
"https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/",
|
"https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/",
|
||||||
"https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html",
|
"https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html",
|
||||||
"https://attack.mitre.org/groups/G0046/",
|
"https://attack.mitre.org/groups/G0046/",
|
||||||
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
|
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
|
||||||
|
"http://www.secureworks.com/research/threat-profiles/gold-niagara"
|
||||||
],
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"Carbanak",
|
"Carbanak",
|
||||||
"Carbon Spider",
|
"Carbon Spider",
|
||||||
"FIN7"
|
"FIN7",
|
||||||
|
"GOLD NIAGARA"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"related": [
|
"related": [
|
||||||
|
@ -3076,7 +3113,8 @@
|
||||||
"https://www.bloomberg.com/news/articles/2018-05-29/mexico-foiled-a-110-million-bank-heist-then-kept-it-a-secret",
|
"https://www.bloomberg.com/news/articles/2018-05-29/mexico-foiled-a-110-million-bank-heist-then-kept-it-a-secret",
|
||||||
"https://threatpost.com/banco-de-chile-wiper-attack-just-a-cover-for-10m-swift-heist/132796/",
|
"https://threatpost.com/banco-de-chile-wiper-attack-just-a-cover-for-10m-swift-heist/132796/",
|
||||||
"https://www.darkreading.com/attacks-breaches/north-korean-hacking-group-steals-$135-million-from-indian-bank-/d/d-id/1332678",
|
"https://www.darkreading.com/attacks-breaches/north-korean-hacking-group-steals-$135-million-from-indian-bank-/d/d-id/1332678",
|
||||||
"https://www.zdnet.com/article/north-korean-hackers-infiltrate-chiles-atm-network-after-skype-job-interview/"
|
"https://www.zdnet.com/article/north-korean-hackers-infiltrate-chiles-atm-network-after-skype-job-interview/",
|
||||||
|
"http://www.secureworks.com/research/threat-profiles/nickel-gladstone"
|
||||||
],
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"Operation DarkSeoul",
|
"Operation DarkSeoul",
|
||||||
|
@ -3101,7 +3139,8 @@
|
||||||
"Zinc",
|
"Zinc",
|
||||||
"Appleworm",
|
"Appleworm",
|
||||||
"Nickel Academy",
|
"Nickel Academy",
|
||||||
"APT-C-26"
|
"APT-C-26",
|
||||||
|
"NICKEL GLADSTONE"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"related": [
|
"related": [
|
||||||
|
@ -3260,7 +3299,8 @@
|
||||||
"https://nciipc.gov.in/documents/NCIIPC_Newsletter_July18.pdf",
|
"https://nciipc.gov.in/documents/NCIIPC_Newsletter_July18.pdf",
|
||||||
"https://cysinfo.com/cyber-attack-targeting-cbi-and-possibly-indian-army-officials",
|
"https://cysinfo.com/cyber-attack-targeting-cbi-and-possibly-indian-army-officials",
|
||||||
"https://s.tencent.com/research/report/669.html",
|
"https://s.tencent.com/research/report/669.html",
|
||||||
"https://www.fireeye.com/blog/threat-research/2016/06/apt_group_sends_spea.html"
|
"https://www.fireeye.com/blog/threat-research/2016/06/apt_group_sends_spea.html",
|
||||||
|
"http://www.secureworks.com/research/threat-profiles/copper-fieldstone"
|
||||||
],
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"C-Major",
|
"C-Major",
|
||||||
|
@ -3269,7 +3309,9 @@
|
||||||
"ProjectM",
|
"ProjectM",
|
||||||
"APT36",
|
"APT36",
|
||||||
"APT 36",
|
"APT 36",
|
||||||
"TMP.Lapis"
|
"TMP.Lapis",
|
||||||
|
"Green Havildar",
|
||||||
|
"COPPER FIELDSTONE"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"related": [
|
"related": [
|
||||||
|
@ -3390,7 +3432,8 @@
|
||||||
"https://attack.mitre.org/groups/G0040/",
|
"https://attack.mitre.org/groups/G0040/",
|
||||||
"https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf",
|
"https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf",
|
||||||
"https://securelist.com/the-dropping-elephant-actor/75328/",
|
"https://securelist.com/the-dropping-elephant-actor/75328/",
|
||||||
"https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf"
|
"https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf",
|
||||||
|
"http://www.secureworks.com/research/threat-profiles/zinc-emerson"
|
||||||
],
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"Chinastrats",
|
"Chinastrats",
|
||||||
|
@ -3398,7 +3441,8 @@
|
||||||
"Monsoon",
|
"Monsoon",
|
||||||
"Sarit",
|
"Sarit",
|
||||||
"Quilted Tiger",
|
"Quilted Tiger",
|
||||||
"APT-C-09"
|
"APT-C-09",
|
||||||
|
"ZINC EMERSON"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"related": [
|
"related": [
|
||||||
|
@ -3489,10 +3533,12 @@
|
||||||
"https://unit42.paloaltonetworks.com/unit42-dragonok-updates-toolset-targets-multiple-geographic-regions/",
|
"https://unit42.paloaltonetworks.com/unit42-dragonok-updates-toolset-targets-multiple-geographic-regions/",
|
||||||
"https://www.phnompenhpost.com/national/kingdom-targeted-new-malware",
|
"https://www.phnompenhpost.com/national/kingdom-targeted-new-malware",
|
||||||
"https://attack.mitre.org/groups/G0017/",
|
"https://attack.mitre.org/groups/G0017/",
|
||||||
"https://attack.mitre.org/groups/G0002/"
|
"https://attack.mitre.org/groups/G0002/",
|
||||||
|
"http://www.secureworks.com/research/threat-profiles/bronze-overbrook"
|
||||||
],
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"Moafee"
|
"Moafee",
|
||||||
|
"BRONZE OVERBROOK"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"related": [
|
"related": [
|
||||||
|
@ -3833,7 +3879,8 @@
|
||||||
"https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ad6f8259-2bb4-4f7f-b8e1-710b35a4cbed&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
|
"https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ad6f8259-2bb4-4f7f-b8e1-710b35a4cbed&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
|
||||||
"https://www.clearskysec.com/oilrig/",
|
"https://www.clearskysec.com/oilrig/",
|
||||||
"https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/shamoon-attackers-employ-new-tool-kit-to-wipe-infected-systems/",
|
"https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/shamoon-attackers-employ-new-tool-kit-to-wipe-infected-systems/",
|
||||||
"https://attack.mitre.org/groups/G0049/"
|
"https://attack.mitre.org/groups/G0049/",
|
||||||
|
"http://www.secureworks.com/research/threat-profiles/cobalt-gypsy"
|
||||||
],
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"Twisted Kitten",
|
"Twisted Kitten",
|
||||||
|
@ -3991,7 +4038,8 @@
|
||||||
"https://www.clearskysec.com/wp-content/uploads/2016/06/Operation-DustySky2_-6.2016_TLP_White.pdf",
|
"https://www.clearskysec.com/wp-content/uploads/2016/06/Operation-DustySky2_-6.2016_TLP_White.pdf",
|
||||||
"https://securelist.com/gaza-cybergang-updated-2017-activity/82765/",
|
"https://securelist.com/gaza-cybergang-updated-2017-activity/82765/",
|
||||||
"https://www.kaspersky.com/blog/gaza-cybergang/26363/",
|
"https://www.kaspersky.com/blog/gaza-cybergang/26363/",
|
||||||
"https://attack.mitre.org/groups/G0021/"
|
"https://attack.mitre.org/groups/G0021/",
|
||||||
|
"https://www.secureworks.com/research/threat-profiles/aluminum-saratoga"
|
||||||
],
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"Gaza Hackers Team",
|
"Gaza Hackers Team",
|
||||||
|
@ -3999,7 +4047,8 @@
|
||||||
"Gaza Cybergang",
|
"Gaza Cybergang",
|
||||||
"Operation Molerats",
|
"Operation Molerats",
|
||||||
"Extreme Jackal",
|
"Extreme Jackal",
|
||||||
"Moonlight"
|
"Moonlight",
|
||||||
|
"ALUMINUM SARATOGA"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"related": [
|
"related": [
|
||||||
|
@ -4205,13 +4254,15 @@
|
||||||
"https://www.dropbox.com/s/buxkfotx1kei0ce/Whitepaper%20Shadow%20Broker%20-%20Equation%20Group%20Hack.pdf?dl=0",
|
"https://www.dropbox.com/s/buxkfotx1kei0ce/Whitepaper%20Shadow%20Broker%20-%20Equation%20Group%20Hack.pdf?dl=0",
|
||||||
"https://en.wikipedia.org/wiki/Stuxnet",
|
"https://en.wikipedia.org/wiki/Stuxnet",
|
||||||
"https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064459/Equation_group_questions_and_answers.pdf",
|
"https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064459/Equation_group_questions_and_answers.pdf",
|
||||||
"https://attack.mitre.org/groups/G0020/"
|
"https://attack.mitre.org/groups/G0020/",
|
||||||
|
"http://www.secureworks.com/research/threat-profiles/platinum-terminal"
|
||||||
],
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"Tilded Team",
|
"Tilded Team",
|
||||||
"Lamberts",
|
"Lamberts",
|
||||||
"EQGRP",
|
"EQGRP",
|
||||||
"Longhorn"
|
"Longhorn",
|
||||||
|
"PLATINUM TERMINAL"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"related": [
|
"related": [
|
||||||
|
@ -4471,7 +4522,8 @@
|
||||||
"https://www.brighttalk.com/webcast/10703/261205",
|
"https://www.brighttalk.com/webcast/10703/261205",
|
||||||
"https://github.com/eset/malware-research/tree/master/oceanlotus",
|
"https://github.com/eset/malware-research/tree/master/oceanlotus",
|
||||||
"https://www.cfr.org/interactive/cyber-operations/ocean-lotus",
|
"https://www.cfr.org/interactive/cyber-operations/ocean-lotus",
|
||||||
"https://www.accenture.com/us-en/blogs/blogs-pond-loach-delivers-badcake-malware"
|
"https://www.accenture.com/us-en/blogs/blogs-pond-loach-delivers-badcake-malware",
|
||||||
|
"http://www.secureworks.com/research/threat-profiles/tin-woodlawn"
|
||||||
],
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"OceanLotus Group",
|
"OceanLotus Group",
|
||||||
|
@ -4484,7 +4536,8 @@
|
||||||
"APT-32",
|
"APT-32",
|
||||||
"APT 32",
|
"APT 32",
|
||||||
"Ocean Buffalo",
|
"Ocean Buffalo",
|
||||||
"POND LOACH"
|
"POND LOACH",
|
||||||
|
"TIN WOODLAWN"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"related": [
|
"related": [
|
||||||
|
@ -4714,7 +4767,8 @@
|
||||||
"https://www.europol.europa.eu/newsroom/news/mastermind-behind-eur-1-billion-cyber-bank-robbery-arrested-in-spain",
|
"https://www.europol.europa.eu/newsroom/news/mastermind-behind-eur-1-billion-cyber-bank-robbery-arrested-in-spain",
|
||||||
"https://www.computerweekly.com/news/252446153/Three-Carbanak-cyber-heist-gang-members-arrested",
|
"https://www.computerweekly.com/news/252446153/Three-Carbanak-cyber-heist-gang-members-arrested",
|
||||||
"https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cobalt-2017-eng.pdf",
|
"https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cobalt-2017-eng.pdf",
|
||||||
"https://attack.mitre.org/groups/G0080/"
|
"https://attack.mitre.org/groups/G0080/",
|
||||||
|
"http://www.secureworks.com/research/threat-profiles/gold-kingswood"
|
||||||
],
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"Cobalt group",
|
"Cobalt group",
|
||||||
|
@ -4722,7 +4776,8 @@
|
||||||
"Cobalt gang",
|
"Cobalt gang",
|
||||||
"Cobalt Gang",
|
"Cobalt Gang",
|
||||||
"GOLD KINGSWOOD",
|
"GOLD KINGSWOOD",
|
||||||
"Cobalt Spider"
|
"Cobalt Spider",
|
||||||
|
"GOLD KINGSWOOD"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"uuid": "01967480-c49b-4d4a-a7fa-aef0eaf535fe",
|
"uuid": "01967480-c49b-4d4a-a7fa-aef0eaf535fe",
|
||||||
|
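Review bot: The `synonyms` array of this entry now contains "GOLD KINGSWOOD" twice: the pre-existing `"GOLD KINGSWOOD",` already sits between `"Cobalt Gang",` and `"Cobalt Spider"`, and the hunk appends a second `"GOLD KINGSWOOD"` after `"Cobalt Spider",`. Duplicate values parse fine but are noise for consumers that match on synonyms, so the appended line should be dropped and the preceding line reverted to `"Cobalt Spider"` (the enclosing object starts outside the hunk, so the remaining refs and uuid are unaffected). Separately, the SecureWorks reference URLs added across the commit mix schemes: this entry's refs hunk at `-4714,7 +4767,8` and the ones at `-388,7 +390,8`, `-1111,7 +1129,8`, `-1441,7 +1463,12`, `-2474,7 +2507,8`, `-3489,10 +3533,12` and `-4957,10 +5021,12` (among others) add `http://www.secureworks.com/research/threat-profiles/...` while the rest add `https://www.secureworks.com/...`; normalizing all of them to `https://` keeps the refs consistent and avoids a plaintext fetch when the links are followed.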
@ -4786,10 +4841,12 @@
|
||||||
"meta": {
|
"meta": {
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://www.fireeye.com/current-threats/apt-groups.html",
|
"https://www.fireeye.com/current-threats/apt-groups.html",
|
||||||
"https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-southeast-asia-threat-landscape.pdf"
|
"https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-southeast-asia-threat-landscape.pdf",
|
||||||
|
"https://www.secureworks.com/research/threat-profiles/bronze-fleetwood"
|
||||||
],
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"MANGANESE"
|
"MANGANESE",
|
||||||
|
"BRONZE FLEETWOOD"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"uuid": "a47b79ae-7a0c-4308-9efc-294af19cc795",
|
"uuid": "a47b79ae-7a0c-4308-9efc-294af19cc795",
|
||||||
|
@ -4800,10 +4857,12 @@
|
||||||
"attribution-confidence": "50",
|
"attribution-confidence": "50",
|
||||||
"country": "CN",
|
"country": "CN",
|
||||||
"refs": [
|
"refs": [
|
||||||
"http://www.slideshare.net/CTruncer/ever-present-persistence-established-footholds-seen-in-the-wild"
|
"http://www.slideshare.net/CTruncer/ever-present-persistence-established-footholds-seen-in-the-wild",
|
||||||
|
"https://www.secureworks.com/research/threat-profiles/bronze-olive"
|
||||||
],
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"APT22"
|
"APT22",
|
||||||
|
"BRONZE OLIVE"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"uuid": "7a2457d6-148a-4ce1-9e79-aa43352ee842",
|
"uuid": "7a2457d6-148a-4ce1-9e79-aa43352ee842",
|
||||||
|
@ -4833,7 +4892,8 @@
|
||||||
"https://www.cfr.org/interactive/cyber-operations/bronze-butler",
|
"https://www.cfr.org/interactive/cyber-operations/bronze-butler",
|
||||||
"https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses",
|
"https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses",
|
||||||
"https://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/",
|
"https://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/",
|
||||||
"https://attack.mitre.org/groups/G0060/"
|
"https://attack.mitre.org/groups/G0060/",
|
||||||
|
"https://www.secureworks.com/research/threat-profiles/bronze-butler"
|
||||||
],
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"Bronze Butler",
|
"Bronze Butler",
|
||||||
|
@ -4856,11 +4916,15 @@
|
||||||
"meta": {
|
"meta": {
|
||||||
"attribution-confidence": "50",
|
"attribution-confidence": "50",
|
||||||
"country": "CN",
|
"country": "CN",
|
||||||
|
"refs": [
|
||||||
|
"https://www.secureworks.com/research/threat-profiles/bronze-express"
|
||||||
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"APT26",
|
"APT26",
|
||||||
"Hippo Team",
|
"Hippo Team",
|
||||||
"JerseyMikes",
|
"JerseyMikes",
|
||||||
"Turbine Panda"
|
"Turbine Panda",
|
||||||
|
"BRONZE EXPRESS"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"related": [
|
"related": [
|
||||||
|
@ -4957,10 +5021,12 @@
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://blog.fox-it.com/2016/06/15/mofang-a-politically-motivated-information-stealing-adversary/",
|
"https://blog.fox-it.com/2016/06/15/mofang-a-politically-motivated-information-stealing-adversary/",
|
||||||
"https://www.cfr.org/interactive/cyber-operations/mofang",
|
"https://www.cfr.org/interactive/cyber-operations/mofang",
|
||||||
"https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf"
|
"https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf",
|
||||||
|
"http://www.secureworks.com/research/threat-profiles/bronze-walker"
|
||||||
],
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"Superman"
|
"Superman",
|
||||||
|
"BRONZE WALKER"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"uuid": "999f3008-2b2f-467d-ab4d-c5a2fd80b344",
|
"uuid": "999f3008-2b2f-467d-ab4d-c5a2fd80b344",
|
||||||
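Review bot: The new ref on the bronze-walker line uses a plain `http://` scheme, while the SecureWorks profile refs added earlier in this commit (bronze-fleetwood, bronze-olive, bronze-butler, bronze-express, bronze-mohawk) and the existing `secureworks.com` refs in the file all use `https://`; the suggested line is `"https://www.secureworks.com/research/threat-profiles/bronze-walker"`. The same `http://` form appears in the later cobalt-ulster, bronze-union, bronze-president, cobalt-edgewater, gold-tahoe, gold-ulrick, gold-crestwood, cobalt-hickman, gold-lowell, gold-swathmore, cobalt-dickens, bronze-vinewood, cobalt-lyceum, gold-essex, cobalt-juno and cobalt-katana hunks. Beyond the inconsistency, consumers that deduplicate or cross-reference refs by exact string will treat the `http://` and `https://` variants of the same profile as distinct, and analysts following the link get a plaintext hop before any redirect. A one-pass `sed`-style normalisation of the scheme before the `jq` reformat would keep the whole file uniform.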
|
@ -5610,13 +5676,15 @@
|
||||||
"https://www.clearskysec.com/muddywater-targets-kurdish-groups-turkish-orgs/",
|
"https://www.clearskysec.com/muddywater-targets-kurdish-groups-turkish-orgs/",
|
||||||
"https://blog.talosintelligence.com/2019/05/recent-muddywater-associated-blackwater.html",
|
"https://blog.talosintelligence.com/2019/05/recent-muddywater-associated-blackwater.html",
|
||||||
"https://www.zdnet.com/article/new-leaks-of-iranian-cyber-espionage-operations-hit-telegram-and-the-dark-web/",
|
"https://www.zdnet.com/article/new-leaks-of-iranian-cyber-espionage-operations-hit-telegram-and-the-dark-web/",
|
||||||
"https://attack.mitre.org/groups/G0069/"
|
"https://attack.mitre.org/groups/G0069/",
|
||||||
|
"http://www.secureworks.com/research/threat-profiles/cobalt-ulster"
|
||||||
],
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"TEMP.Zagros",
|
"TEMP.Zagros",
|
||||||
"Static Kitten",
|
"Static Kitten",
|
||||||
"Seedworm",
|
"Seedworm",
|
||||||
"MERCURY"
|
"MERCURY",
|
||||||
|
"COBALT ULSTER"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"related": [
|
"related": [
|
||||||
|
@ -5774,7 +5842,8 @@
|
||||||
"https://intrusiontruth.wordpress.com/2020/01/10/who-is-mr-gu",
|
"https://intrusiontruth.wordpress.com/2020/01/10/who-is-mr-gu",
|
||||||
"https://intrusiontruth.wordpress.com/2020/01/13/who-else-works-for-this-cover-company-network",
|
"https://intrusiontruth.wordpress.com/2020/01/13/who-else-works-for-this-cover-company-network",
|
||||||
"https://intrusiontruth.wordpress.com/2020/01/14/who-is-mr-ding",
|
"https://intrusiontruth.wordpress.com/2020/01/14/who-is-mr-ding",
|
||||||
"https://intrusiontruth.wordpress.com/2020/01/15/hainan-xiandun-technology-company-is-apt40"
|
"https://intrusiontruth.wordpress.com/2020/01/15/hainan-xiandun-technology-company-is-apt40",
|
||||||
|
"https://www.secureworks.com/research/threat-profiles/bronze-mohawk"
|
||||||
],
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"TEMP.Periscope",
|
"TEMP.Periscope",
|
||||||
|
@ -5783,7 +5852,8 @@
|
||||||
"APT40",
|
"APT40",
|
||||||
"BRONZE MOHAWK",
|
"BRONZE MOHAWK",
|
||||||
"GADOLINIUM",
|
"GADOLINIUM",
|
||||||
"Kryptonite Panda"
|
"Kryptonite Panda",
|
||||||
|
"BRONZE MOHAWK"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"related": [
|
"related": [
|
||||||
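Review bot: The added `"BRONZE MOHAWK"` entry duplicates the `"BRONZE MOHAWK"` synonym already present a few lines above in the same `synonyms` array, so this entry now lists the name twice. The added line should be dropped and the comma restored on the previous element, i.e. `"Kryptonite Panda"` as the array's last item. Duplicate synonyms are harmless to a JSON parser but tooling that builds name-to-uuid lookups or validates synonym uniqueness may warn or key on the first occurrence, and the secureworks bronze-mohawk ref added in the preceding hunk already documents the alias. The entry's `value` and the rest of its `meta` block lie outside this hunk, so I cannot tell whether the existing synonym was intended to be replaced rather than repeated.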
|
@ -6182,7 +6252,8 @@
|
||||||
"https://arstechnica.com/information-technology/2015/08/newly-discovered-chinese-hacking-group-hacked-100-websites-to-use-as-watering-holes/",
|
"https://arstechnica.com/information-technology/2015/08/newly-discovered-chinese-hacking-group-hacked-100-websites-to-use-as-watering-holes/",
|
||||||
"https://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/",
|
"https://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/",
|
||||||
"https://securelist.com/luckymouse-hits-national-data-center/86083/",
|
"https://securelist.com/luckymouse-hits-national-data-center/86083/",
|
||||||
"https://attack.mitre.org/groups/G0027/"
|
"https://attack.mitre.org/groups/G0027/",
|
||||||
|
"http://www.secureworks.com/research/threat-profiles/bronze-union"
|
||||||
],
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"Emissary Panda",
|
"Emissary Panda",
|
||||||
|
@ -6497,7 +6568,13 @@
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://www.cfr.org/interactive/cyber-operations/mustang-panda",
|
"https://www.cfr.org/interactive/cyber-operations/mustang-panda",
|
||||||
"https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/",
|
"https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/",
|
||||||
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
|
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
|
||||||
|
"http://www.secureworks.com/research/threat-profiles/bronze-president"
|
||||||
|
],
|
||||||
|
"synonyms": [
|
||||||
|
"BRONZE PRESIDENT",
|
||||||
|
"HoneyMyte",
|
||||||
|
"Red Lich"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"uuid": "78bf726c-a9e6-11e8-9e43-77249a2f7339",
|
"uuid": "78bf726c-a9e6-11e8-9e43-77249a2f7339",
|
||||||
|
@ -6843,7 +6920,11 @@
|
||||||
"https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html",
|
"https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html",
|
||||||
"https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html",
|
"https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html",
|
||||||
"https://www.crowdstrike.com/blog/widespread-dns-hijacking-activity-targets-multiple-sectors/",
|
"https://www.crowdstrike.com/blog/widespread-dns-hijacking-activity-targets-multiple-sectors/",
|
||||||
"https://krebsonsecurity.com/tag/dnspionage/"
|
"https://krebsonsecurity.com/tag/dnspionage/",
|
||||||
|
"http://www.secureworks.com/research/threat-profiles/cobalt-edgewater"
|
||||||
|
],
|
||||||
|
"synonyms": [
|
||||||
|
"COBALT EDGEWATER"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"uuid": "608a903a-8145-4fd1-84bc-235e278480bf",
|
"uuid": "608a903a-8145-4fd1-84bc-235e278480bf",
|
||||||
|
@ -6948,11 +7029,13 @@
|
||||||
"https://e.cyberint.com/hubfs/Report%20Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors%20Tools/CyberInt_Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors'%20Tools_Report.pdf",
|
"https://e.cyberint.com/hubfs/Report%20Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors%20Tools/CyberInt_Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors'%20Tools_Report.pdf",
|
||||||
"https://threatpost.com/ta505-servhelper-malware/140792/",
|
"https://threatpost.com/ta505-servhelper-malware/140792/",
|
||||||
"https://blog.yoroi.company/research/the-stealthy-email-stealer-in-the-ta505-arsenal/",
|
"https://blog.yoroi.company/research/the-stealthy-email-stealer-in-the-ta505-arsenal/",
|
||||||
"https://threatrecon.nshc.net/2019/08/29/sectorj04-groups-increased-activity-in-2019/"
|
"https://threatrecon.nshc.net/2019/08/29/sectorj04-groups-increased-activity-in-2019/",
|
||||||
|
"http://www.secureworks.com/research/threat-profiles/gold-tahoe"
|
||||||
],
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"SectorJ04 Group",
|
"SectorJ04 Group",
|
||||||
"GRACEFUL SPIDER"
|
"GRACEFUL SPIDER",
|
||||||
|
"GOLD TAHOE"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"uuid": "03c80674-35f8-4fe0-be2b-226ed0fcd69f",
|
"uuid": "03c80674-35f8-4fe0-be2b-226ed0fcd69f",
|
||||||
|
@ -6964,6 +7047,9 @@
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/",
|
"https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/",
|
||||||
"https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html"
|
"https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html"
|
||||||
|
],
|
||||||
|
"synonyms": [
|
||||||
|
"GOLD ULRICK"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"uuid": "3cf6dbb5-bf9e-47d4-a8d5-b6d76f5a791f",
|
"uuid": "3cf6dbb5-bf9e-47d4-a8d5-b6d76f5a791f",
|
||||||
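Review bot: The `"GOLD ULRICK"` synonym is added here to the entry with uuid `3cf6dbb5-bf9e-47d4-a8d5-b6d76f5a791f`, but the supporting `gold-ulrick` profile ref is added in the next hunk to a different entry, the one whose synonyms include `"TEMP.MixMaster"`, which receives no `GOLD ULRICK` synonym. As a result the synonym here is unsourced and the ref there is unexplained; if both describe the same operator, the synonym and the ref belong in the same entry, or the two entries should point at each other via `related`. Each entry's `value` and description sit outside the hunks, so I cannot tell from the diff which placement was intended. A `"refs"` line `"https://www.secureworks.com/research/threat-profiles/gold-ulrick"` next to the synonym here would at least make this entry self-consistent.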
|
@ -6979,7 +7065,8 @@
|
||||||
"https://www.crowdstrike.com/blog/wizard-spider-lunar-spider-shared-proxy-module/",
|
"https://www.crowdstrike.com/blog/wizard-spider-lunar-spider-shared-proxy-module/",
|
||||||
"https://www.crowdstrike.com/blog/wizard-spider-adds-new-feature-to-ryuk-ransomware/",
|
"https://www.crowdstrike.com/blog/wizard-spider-adds-new-feature-to-ryuk-ransomware/",
|
||||||
"https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware",
|
"https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware",
|
||||||
"https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html"
|
"https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html",
|
||||||
|
"http://www.secureworks.com/research/threat-profiles/gold-ulrick"
|
||||||
],
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"TEMP.MixMaster"
|
"TEMP.MixMaster"
|
||||||
|
@ -6994,11 +7081,13 @@
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/",
|
"https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/",
|
||||||
"https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-february-mummy-spider/",
|
"https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-february-mummy-spider/",
|
||||||
"https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta542-banker-malware-distribution-service"
|
"https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta542-banker-malware-distribution-service",
|
||||||
|
"http://www.secureworks.com/research/threat-profiles/gold-crestwood"
|
||||||
],
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"TA542",
|
"TA542",
|
||||||
"Mummy Spider"
|
"Mummy Spider",
|
||||||
|
"GOLD CRESTWOOD"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"uuid": "c93281be-f6cd-4cd0-a5a3-defde9d77d8b",
|
"uuid": "c93281be-f6cd-4cd0-a5a3-defde9d77d8b",
|
||||||
|
@ -7058,12 +7147,14 @@
|
||||||
"https://securelist.com/chafer-used-remexi-malware/89538/",
|
"https://securelist.com/chafer-used-remexi-malware/89538/",
|
||||||
"https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets",
|
"https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets",
|
||||||
"https://attack.mitre.org/groups/G0087/",
|
"https://attack.mitre.org/groups/G0087/",
|
||||||
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
|
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
|
||||||
|
"http://www.secureworks.com/research/threat-profiles/cobalt-hickman"
|
||||||
],
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"APT 39",
|
"APT 39",
|
||||||
"Chafer",
|
"Chafer",
|
||||||
"REMIX KITTEN"
|
"REMIX KITTEN",
|
||||||
|
"COBALT HICKMAN"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"uuid": "c2c64bd3-a325-446f-91a8-b4c0f173a30b",
|
"uuid": "c2c64bd3-a325-446f-91a8-b4c0f173a30b",
|
||||||
|
@ -7093,7 +7184,11 @@
|
||||||
"description": "Throughout 2018, CrowdStrike Intelligence tracked BOSS SPIDER as it regularly updated Samas ransomware and received payments to known Bitcoin (BTC) addresses. This consistent pace of activity came to an abrupt halt at the end of November 2018 when the U.S. DoJ released an indictment for Iran-based individuals Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri, alleged members of the group.",
|
"description": "Throughout 2018, CrowdStrike Intelligence tracked BOSS SPIDER as it regularly updated Samas ransomware and received payments to known Bitcoin (BTC) addresses. This consistent pace of activity came to an abrupt halt at the end of November 2018 when the U.S. DoJ released an indictment for Iran-based individuals Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri, alleged members of the group.",
|
||||||
"meta": {
|
"meta": {
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/"
|
"https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/",
|
||||||
|
"http://www.secureworks.com/research/threat-profiles/gold-lowell"
|
||||||
|
],
|
||||||
|
"synonyms": [
|
||||||
|
"GOLD LOWELL"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"uuid": "d6a13387-4c98-4a0c-a516-6c36c081b64c",
|
"uuid": "d6a13387-4c98-4a0c-a516-6c36c081b64c",
|
||||||
|
@ -7189,7 +7284,11 @@
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/",
|
"https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/",
|
||||||
"https://www.crowdstrike.com/blog/wizard-spider-lunar-spider-shared-proxy-module/",
|
"https://www.crowdstrike.com/blog/wizard-spider-lunar-spider-shared-proxy-module/",
|
||||||
"https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/"
|
"https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/",
|
||||||
|
"http://www.secureworks.com/research/threat-profiles/gold-swathmore"
|
||||||
|
],
|
||||||
|
"synonyms": [
|
||||||
|
"GOLD SWATHMORE"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"uuid": "0db4c708-f33d-4d46-906d-12fdf7415f62",
|
"uuid": "0db4c708-f33d-4d46-906d-12fdf7415f62",
|
||||||
|
@ -7317,7 +7416,8 @@
|
||||||
"https://www.secureworks.com/blog/cobalt-dickens-goes-back-to-school-again",
|
"https://www.secureworks.com/blog/cobalt-dickens-goes-back-to-school-again",
|
||||||
"https://www.secureworks.com/blog/back-to-school-cobalt-dickens-targets-universities",
|
"https://www.secureworks.com/blog/back-to-school-cobalt-dickens-targets-universities",
|
||||||
"https://www.proofpoint.com/us/threat-insight/post/seems-phishy-back-school-lures-target-university-students-and-staff",
|
"https://www.proofpoint.com/us/threat-insight/post/seems-phishy-back-school-lures-target-university-students-and-staff",
|
||||||
"https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta407-silent-librarian"
|
"https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta407-silent-librarian",
|
||||||
|
"http://www.secureworks.com/research/threat-profiles/cobalt-dickens"
|
||||||
],
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"COBALT DICKENS",
|
"COBALT DICKENS",
|
||||||
|
@ -7335,11 +7435,13 @@
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://www.microsoft.com/security/blog/2017/03/27/detecting-and-mitigating-elevation-of-privilege-exploit-for-cve-2017-0005/",
|
"https://www.microsoft.com/security/blog/2017/03/27/detecting-and-mitigating-elevation-of-privilege-exploit-for-cve-2017-0005/",
|
||||||
"https://duo.com/decipher/apt-groups-moving-down-the-supply-chain",
|
"https://duo.com/decipher/apt-groups-moving-down-the-supply-chain",
|
||||||
"https://github.com/GuardaCyber/APT-Groups-and-Operations/blob/master/Reports/FireEye%20Intel%20-%20APT31%20Threat%20Group%20Profile.pdf"
|
"https://github.com/GuardaCyber/APT-Groups-and-Operations/blob/master/Reports/FireEye%20Intel%20-%20APT31%20Threat%20Group%20Profile.pdf",
|
||||||
|
"http://www.secureworks.com/research/threat-profiles/bronze-vinewood"
|
||||||
],
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"APT 31",
|
"APT 31",
|
||||||
"ZIRCONIUM"
|
"ZIRCONIUM",
|
||||||
|
"BRONZE VINEWOOD"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"uuid": "6bf7e6b6-5917-45a6-9567-f0baba79768c",
|
"uuid": "6bf7e6b6-5917-45a6-9567-f0baba79768c",
|
||||||
|
@ -7701,7 +7803,11 @@
|
||||||
{
|
{
|
||||||
"meta": {
|
"meta": {
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign"
|
"https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign",
|
||||||
|
"http://www.secureworks.com/research/threat-profiles/cobalt-lyceum"
|
||||||
|
],
|
||||||
|
"synonyms": [
|
||||||
|
"COBALT LYCEUM"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"uuid": "e1b95185-8db6-4f3c-9ffd-1749087d934a",
|
"uuid": "e1b95185-8db6-4f3c-9ffd-1749087d934a",
|
||||||
|
@ -8083,7 +8189,11 @@
|
||||||
"description": "NARWHAL SPIDER’s operation of Cutwail v2 was limited to country-specific spam campaigns, although late in 2019 there appeared to be an effort to expand by bringing in INDRIK SPIDER as a customer.",
|
"description": "NARWHAL SPIDER’s operation of Cutwail v2 was limited to country-specific spam campaigns, although late in 2019 there appeared to be an effort to expand by bringing in INDRIK SPIDER as a customer.",
|
||||||
"meta": {
|
"meta": {
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
|
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
|
||||||
|
"http://www.secureworks.com/research/threat-profiles/gold-essex"
|
||||||
|
],
|
||||||
|
"synonyms": [
|
||||||
|
"GOLD ESSEX"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"uuid": "fda9cdea-0017-495e-879d-0f348db2aa07",
|
"uuid": "fda9cdea-0017-495e-879d-0f348db2aa07",
|
||||||
|
@ -8207,6 +8317,36 @@
|
||||||
},
|
},
|
||||||
"uuid": "a9df6cb7-74ff-482f-b23b-ac40e975a31a",
|
"uuid": "a9df6cb7-74ff-482f-b23b-ac40e975a31a",
|
||||||
"value": "Higaisa"
|
"value": "Higaisa"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"description": "COBALT JUNO has operated since at least 2013 and focused on targets located in the Middle East including Iran, Jordan, Egypt & Lebanon. COBALT JUNO custom spyware families SABER1 and SABER2, include surveillance functionality and masquerade as legitimate software utilities such as Adobe Updater, StickyNote and ASKDownloader. CTU researchers assess with moderate confidence that COBALT JUNO operated the ZooPark Android spyware since at least mid-2015. ZooPark was publicly exposed in 2018 in both vendor reporting and a high profile leak of C2 server data. COBALT JUNO is linked to a private security company in Iran and outsources aspects of tool development work to commercial software developers. CTU researchers have observed the group using strategic web compromises to deliver malware. CTU researchers’ discovery of new C2 domains in 2019 suggest the group is still actively performing operations.",
|
||||||
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"http://www.secureworks.com/research/threat-profiles/cobalt-juno"
|
||||||
|
],
|
||||||
|
"synonyms": [
|
||||||
|
"APT-C-38 (QiAnXin)",
|
||||||
|
"SABER LION",
|
||||||
|
"TG-2884 (SCWX CTU)"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"uuid": "4687e1ab-a361-4165-b142-00845f4b2c62",
|
||||||
|
"value": "COBALT JUNO"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"description": "COBALT KATANA has been active since at least March 2018, and it focuses many of its operations on organizations based in or associated with Kuwait. The group has targeted government, logistics, and shipping organizations. The threat actors gain initial access to targets using DNS hijacking, strategic web compromise with SMB forced authentication, and password brute force attacks. COBALT KATANA operates a custom platform referred to as the Sakabota Framework, also referred to as Sakabota Core, with a complimentary set of modular backdoors and accessory tools including Gon, Hisoka, Hisoka Netero, Killua, Diezen, and Eye. The group has implemented DNS tunnelling in its malware and malicious scripts and also operates the HyphenShell web shell to strengthen post-intrusion access. CTU researchers assess with moderate confidence that COBALT KATANA operates on behalf of Iran, and elements of its operations such as overlapping infrastructure, use of DNS hijacking, implementation of DNS-based C2 channels in malware and web shell security mechanisms suggest connections to COBALT GYPSY and COBALT EDGEWATER.",
|
||||||
|
"meta": {
|
||||||
|
"refs": [
|
||||||
|
"http://www.secureworks.com/research/threat-profiles/cobalt-katana"
|
||||||
|
],
|
||||||
|
"synonyms": [
|
||||||
|
"Hive0081 (IBM)",
|
||||||
|
"SectorD01 (NHSC)",
|
||||||
|
"xHunt campaign (Palo Alto)"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"uuid": "d1c25b0e-e4c5-4b7c-b790-2e185cb2f07e",
|
||||||
|
"value": "COBALT KATANA"
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"version": 159
|
"version": 159
|
||||||