{ "authors": [ "MITRE" ], "category": "actor", "description": "Name of ATT&CK Group", "name": "Intrusion Set", "source": "https://github.com/mitre/cti", "type": "mitre-intrusion-set", "uuid": "10df003c-7831-11e7-bdb9-971cdd1218df", "values": [ { "description": "[Ajax Security Team](https://attack.mitre.org/groups/G0130) is a group that has been active since at least 2010 and believed to be operating out of Iran. By 2014 [Ajax Security Team](https://attack.mitre.org/groups/G0130) transitioned from website defacement operations to malware-based cyber espionage campaigns targeting the US defense industrial base and Iranian users of anti-censorship technologies.(Citation: FireEye Operation Saffron Rose 2013)", "meta": { "external_id": "G0130", "refs": [ "https://attack.mitre.org/groups/G0130", "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf", "https://documents.trendmicro.com/assets/wp/wp-operation-woolen-goldfish.pdf", "https://iranthreats.github.io/resources/attribution-flying-rocket-kitten/", "https://www.crowdstrike.com/blog/cat-scratch-fever-crowdstrike-tracks-newly-reported-iranian-actor-flying-kitten/", "https://www.mandiant.com/sites/default/files/2021-09/rpt-operation-saffron-rose.pdf" ], "synonyms": [ "Ajax Security Team", "Operation Woolen-Goldfish", "AjaxTM", "Rocket Kitten", "Flying Kitten", "Operation Saffron Rose" ] }, "related": [ { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", "type": "uses" }, { "dest-uuid": "9a2640c2-9f43-46fe-b13f-bde881e55555", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f6ad61ee-65f3-4bd0-a3f5-2f0accb36317", "type": "uses" }, { "dest-uuid": "fbd727ea-c0dc-42a9-8448-9e12962d1ab5", "type": "uses" } ], "uuid": 
"fa19de15-6169-428d-9cd6-3ca3d56075b7", "value": "Ajax Security Team - G0130" }, { "description": "[The White Company](https://attack.mitre.org/groups/G0089) is a likely state-sponsored threat actor with advanced capabilities. From 2017 through 2018, the group led an espionage campaign called Operation Shaheen targeting government and military organizations in Pakistan.(Citation: Cylance Shaheen Nov 2018)", "meta": { "external_id": "G0089", "refs": [ "https://attack.mitre.org/groups/G0089", "https://www.cylance.com/content/dam/cylance-web/en-us/resources/knowledge-center/resource-library/reports/WhiteCompanyOperationShaheenReport.pdf?_ga=2.161661948.1943296560.1555683782-1066572390.1555511517" ], "synonyms": [ "The White Company" ] }, "related": [ { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "2a70812b-f1ef-44db-8578-a496a227aef2", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "bdb27a1d-1844-42f1-a0c0-826027ae0326", "type": "uses" }, { "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "type": "uses" }, { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "type": "uses" } ], "uuid": "6688d679-ccdb-4f12-abf6-c7545dd767a4", "value": "The White Company - G0089" }, { "description": "[Threat Group-3390](https://attack.mitre.org/groups/G0027) is a Chinese threat group that has extensively used strategic Web compromises to target victims.(Citation: Dell TG-3390) The group has been active since at least 2010 and has targeted organizations in the aerospace, government, defense, technology, energy, manufacturing and gambling/betting sectors.(Citation: SecureWorks BRONZE UNION June 2017)(Citation: Securelist LuckyMouse June 2018)(Citation: Trend Micro 
DRBControl February 2020)", "meta": { "external_id": "G0027", "refs": [ "http://arstechnica.com/security/2015/08/newly-discovered-chinese-hacking-group-hacked-100-websites-to-use-as-watering-holes/", "https://attack.mitre.org/groups/G0027", "https://documents.trendmicro.com/assets/white_papers/wp-uncovering-DRBcontrol.pdf", "https://research.nccgroup.com/2018/05/18/emissary-panda-a-potential-new-malicious-tool/", "https://securelist.com/luckymouse-hits-national-data-center/86083/", "https://thehackernews.com/2018/06/chinese-watering-hole-attack.html", "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/", "https://www.secureworks.com/research/bronze-union", "https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage", "https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html" ], "synonyms": [ "Threat Group-3390", "Earth Smilodon", "TG-3390", "Emissary Panda", "BRONZE UNION", "APT27", "Iron Tiger", "LuckyMouse" ] }, "related": [ { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", "type": "uses" }, { "dest-uuid": "03acae53-9b98-46f6-b204-16b930839055", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "0a68f1f1-da74-4d28-8d9a-696c082706cc", "type": "uses" }, { "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", "type": "uses" }, { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "type": "uses" }, { "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": 
"242f3da3-4425-4d11-8f5c-b842886da966", "type": "uses" }, { "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", "type": "uses" }, { "dest-uuid": "26c87906-d750-42c5-946c-d4162c73fc7b", "type": "uses" }, { "dest-uuid": "294e2560-bd48-44b2-9da2-833b5588ad11", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f", "type": "uses" }, { "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", "type": "uses" }, { "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", "type": "uses" }, { "dest-uuid": "315f51f0-6b03-4c1e-bfb2-84740afb8e21", "type": "uses" }, { "dest-uuid": "31fe0ba2-62fd-4fd9-9293-4043d84f7fe9", "type": "uses" }, { "dest-uuid": "359b00ad-9425-420b-bba5-6de8d600cbc0", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "3ee16395-03f0-4690-a32e-69ce9ada0f9e", "type": "uses" }, { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "type": "uses" }, { "dest-uuid": "40f5caa0-4cb7-4117-89fc-d421bb493df3", "type": "uses" }, { "dest-uuid": "41868330-6ee2-4d0f-b743-9f2294c3c9b6", "type": "uses" }, { "dest-uuid": "4664b683-f578-434f-919b-1c1aad2a1111", "type": "uses" }, { "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", "type": "uses" }, { "dest-uuid": "506f6f49-7045-4156-9007-7474cb44ad6d", "type": "uses" }, { "dest-uuid": "56f46b17-8cfa-46c0-b501-dd52fef394e2", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "5a3a31fe-5a8f-48e1-bff0-a753e5b1be70", "type": "uses" }, { "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", "type": "uses" }, { "dest-uuid": "5e814485-012d-423d-b769-026bfed0f451", "type": "uses" }, { "dest-uuid": "60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65", "type": "uses" }, { "dest-uuid": 
"64fa0de0-6240-41f4-8638-f4ca7ed528fd", "type": "uses" }, { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "type": "uses" }, { "dest-uuid": "6e95feb1-78ee-48d3-b421-4d76663b5c49", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "type": "uses" }, { "dest-uuid": "7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1", "type": "uses" }, { "dest-uuid": "834e0acd-d92a-4e38-bb14-dc4159d7cb32", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "88c621a7-aef9-4ae0-94e3-1fc87123eb24", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", "type": "uses" }, { "dest-uuid": "9de2308e-7bed-43a3-8e58-f194b3586700", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "9fa07bef-9c81-421e-a8e5-ad4366c5a925", "type": "uses" }, { "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "type": "uses" }, { "dest-uuid": "a545456a-f9a7-47ad-9ea6-8b017def38d1", "type": "uses" }, { "dest-uuid": "a750a9f6-0bde-4bb3-9aae-1e2786e9780c", "type": "uses" }, { "dest-uuid": "a7881f21-e978-4fe4-af56-92c9416a2616", "type": "uses" }, { "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", "type": "uses" }, { "dest-uuid": "b07c2c47-fefb-4d7c-a69e-6a3296171f54", "type": "uses" }, { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "type": "uses" }, { "dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4", "type": "uses" }, { "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "b63970b7-ddfb-4aee-97b1-80d335e033a8", "type": "uses" }, { "dest-uuid": "bd369cd9-abb8-41ce-b5bb-fff23ee86c00", "type": "uses" }, { "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "type": "uses" }, { "dest-uuid": 
"bf1b6176-597c-4600-bfcd-ac989670f96b", "type": "uses" }, { "dest-uuid": "c009560a-f097-45a3-8f9f-78ec1440a783", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd", "type": "uses" }, { "dest-uuid": "cfc75b0d-e579-40ae-ad07-a1ce00d49a6c", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", "type": "uses" }, { "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e066bf86-9cfb-407a-9d25-26fd5d91e360", "type": "uses" }, { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "type": "uses" }, { "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", "type": "uses" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "e7cbc1de-1f79-48ee-abfd-da1241c65a15", "type": "uses" }, { "dest-uuid": "f3d95a1f-bba2-44ce-9af7-37866cd63fd0", "type": "uses" }, { "dest-uuid": "834e0acd-d92a-4e38-bb14-dc4159d7cb32", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "f1b9f7d6-6ab1-404b-91a6-a1ed1845c045", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "4af45fea-72d3-11e8-846c-d37699506c8d", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "294e2560-bd48-44b2-9da2-833b5588ad11", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" } ], "uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", "value": "Threat Group-3390 - G0027" }, { "description": "[Threat Group-1314](https://attack.mitre.org/groups/G0028) is an unattributed 
threat group that has used compromised credentials to log into a victim's remote access infrastructure. (Citation: Dell TG-1314)", "meta": { "external_id": "G0028", "refs": [ "http://www.secureworks.com/resources/blog/living-off-the-land/", "https://attack.mitre.org/groups/G0028" ], "synonyms": [ "Threat Group-1314", "TG-1314" ] }, "related": [ { "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", "type": "uses" }, { "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", "type": "uses" }, { "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", "type": "uses" }, { "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", "type": "uses" }, { "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" } ], "uuid": "d519164e-f5fa-4b8c-a1fb-cf0172ad0983", "value": "Threat Group-1314 - G0028" }, { "description": "[Dragonfly 2.0](https://attack.mitre.org/groups/G0074) is a suspected Russian group that has targeted government entities and multiple U.S. critical infrastructure sectors since at least December 2015. (Citation: US-CERT TA18-074A) (Citation: Symantec Dragonfly Sept 2017) There is debate over the extent of overlap between [Dragonfly 2.0](https://attack.mitre.org/groups/G0074) and [Dragonfly](https://attack.mitre.org/groups/G0035), but there is sufficient evidence to lead to these being tracked as two separate groups. 
(Citation: Fortune Dragonfly 2.0 Sept 2017)(Citation: Dragos DYMALLOY )", "meta": { "external_id": "G0074", "refs": [ "http://fortune.com/2017/09/06/hack-energy-grid-symantec/", "https://attack.mitre.org/groups/G0074", "https://www.dragos.com/threat/dymalloy/", "https://www.secureworks.com/research/mcmd-malware-analysis", "https://www.secureworks.com/research/threat-profiles/iron-liberty", "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group", "https://www.us-cert.gov/ncas/alerts/TA18-074A" ], "synonyms": [ "Dragonfly 2.0", "IRON LIBERTY", "DYMALLOY", "Berserk Bear" ] }, "related": [ { "dest-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", "type": "revoked-by" } ], "uuid": "76d59913-1d24-4992-a8ac-05a3eb093f71", "value": "Dragonfly 2.0 - G0074" }, { "description": "[Lotus Blossom](https://attack.mitre.org/groups/G0030) is a threat group that has targeted government and military organizations in Southeast Asia. (Citation: Lotus Blossom Jun 2015)", "meta": { "external_id": "G0030", "refs": [ "https://attack.mitre.org/groups/G0030", "https://securelist.com/the-spring-dragon-apt/70726/", "https://www.accenture.com/t20180127T003755Z_w_/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf", "https://www.paloaltonetworks.com/resources/research/unit42-operation-lotus-blossom.html" ], "synonyms": [ "Lotus Blossom", "DRAGONFISH", "Spring Dragon" ] }, "related": [ { "dest-uuid": "0f862b01-99da-47cc-9bdb-db4a86a95bb1", "type": "uses" }, { "dest-uuid": "32fafa69-fe3c-49db-afd4-aac2664bcf0d", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913", "type": "uses" }, { "dest-uuid": "32fafa69-fe3c-49db-afd4-aac2664bcf0d", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "0f862b01-99da-47cc-9bdb-db4a86a95bb1", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" } ], "uuid": "88b7dbc2-32d3-4e31-af2f-3fc24e1582d7", "value": "Lotus Blossom - G0030" }, { "description": "[BRONZE BUTLER](https://attack.mitre.org/groups/G0060) is a cyber espionage group with likely Chinese origins that has been active since at least 2008. The group primarily targets Japanese organizations, particularly those in government, biotechnology, electronics manufacturing, and industrial chemistry.(Citation: Trend Micro Daserf Nov 2017)(Citation: Secureworks BRONZE BUTLER Oct 2017)(Citation: Trend Micro Tick November 2019)", "meta": { "external_id": "G0060", "refs": [ "http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/", "https://attack.mitre.org/groups/G0060", "https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf", "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses", "https://www.symantec.com/connect/blogs/tick-cyberespionage-group-zeros-japan" ], "synonyms": [ "BRONZE BUTLER", "REDBALDKNIGHT", "Tick" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", "type": "uses" }, { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", "type": "uses" }, { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "0c8465c0-d0b4-4670-992e-4eee8d7ff952", "type": "uses" }, { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": 
"242f3da3-4425-4d11-8f5c-b842886da966", "type": "uses" }, { "dest-uuid": "246fd3c7-f5e3-466d-8787-4c13d9e3b61c", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", "type": "uses" }, { "dest-uuid": "36ede314-7db4-4d09-b53d-81bbfbe5f6f8", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "type": "uses" }, { "dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5", "type": "uses" }, { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "type": "uses" }, { "dest-uuid": "77eae145-55db-4519-8ae5-77b0c7215d69", "type": "uses" }, { "dest-uuid": "7b211ac6-c815-4189-93a9-ab415deca926", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "8be7c69e-d8e3-4970-9668-61de08e508cc", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "a0ebedca-d558-4e48-8ff7-4bf76208d90c", "type": "uses" }, { "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "type": "uses" }, { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "type": "uses" }, { "dest-uuid": "add6554a-815a-4ac3-9b22-9337b9661ab8", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "ae676644-d2d2-41b7-af7e-9bed1b55898c", "type": "uses" }, { "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", "type": "uses" }, { "dest-uuid": "b07c2c47-fefb-4d7c-a69e-6a3296171f54", "type": "uses" }, { "dest-uuid": "b6b3dfc7-9a81-43ff-ac04-698bad48973a", "type": "uses" }, { "dest-uuid": "bba595da-b73a-4354-aa6c-224d4de7cb4e", "type": "uses" }, { "dest-uuid": 
"be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "type": "uses" }, { "dest-uuid": "c2e147a9-d1a8-4074-811a-d8789202d916", "type": "uses" }, { "dest-uuid": "c9703cd3-141c-43a0-a926-380082be5d04", "type": "uses" }, { "dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d2c7f8ad-3b50-4cfa-bbb1-799eff06fb40", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "type": "uses" }, { "dest-uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58", "type": "uses" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "ec9e00dd-0313-4d5b-8105-c20aa47abffc", "type": "uses" }, { "dest-uuid": "f0fc920e-57a3-4af5-89be-9ea594c8b1ea", "type": "uses" }, { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "type": "uses" }, { "dest-uuid": "f3d95a1f-bba2-44ce-9af7-37866cd63fd0", "type": "uses" }, { "dest-uuid": "f7827069-0bf2-4764-af4f-23fae0d181b7", "type": "uses" }, { "dest-uuid": "add6554a-815a-4ac3-9b22-9337b9661ab8", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" } ], "uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", "value": "BRONZE BUTLER - G0060" }, { "description": "[Dark Caracal](https://attack.mitre.org/groups/G0070) is a threat group that has been attributed to the Lebanese General Directorate of General Security (GDGS) and has operated since at least 2012. 
(Citation: Lookout Dark Caracal Jan 2018)", "meta": { "external_id": "G0070", "refs": [ "https://attack.mitre.org/groups/G0070", "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" ], "synonyms": [ "Dark Caracal" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "2282a98b-5049-4f61-9381-55baca7c1add", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "835a79f1-842d-472d-b8f4-d54b545c341b", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "a5528622-3a8a-4633-86ce-8cdaf8423858", "type": "uses" }, { "dest-uuid": "a5e91d50-24fa-44ec-9894-39a88f658cea", "type": "uses" }, { "dest-uuid": "a6937325-9321-4e2e-bb2b-3ed2d40b2a9d", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "c41a8b7c-3e42-4eee-b87d-ad8a100ee878", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", "type": "uses" }, { "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "f6ad61ee-65f3-4bd0-a3f5-2f0accb36317", "type": "uses" } ], "uuid": "8a831aaa-f3e0-47a3-bed8-a9ced744dd12", "value": "Dark Caracal - G0070" }, { "description": "[Cobalt Group](https://attack.mitre.org/groups/G0080) is a financially motivated threat group that has primarily targeted financial institutions since at least 2016. The group has conducted intrusions to steal money via targeting ATM systems, card processing, payment systems and SWIFT systems. 
[Cobalt Group](https://attack.mitre.org/groups/G0080) has mainly targeted banks in Eastern Europe, Central Asia, and Southeast Asia. One of the alleged leaders was arrested in Spain in early 2018, but the group still appears to be active. The group has been known to target organizations in order to use their access to then compromise additional victims.(Citation: Talos Cobalt Group July 2018)(Citation: PTSecurity Cobalt Group Aug 2017)(Citation: PTSecurity Cobalt Dec 2016)(Citation: Group IB Cobalt Aug 2017)(Citation: Proofpoint Cobalt June 2017)(Citation: RiskIQ Cobalt Nov 2017)(Citation: RiskIQ Cobalt Jan 2018) Reporting indicates there may be links between [Cobalt Group](https://attack.mitre.org/groups/G0080) and both the malware [Carbanak](https://attack.mitre.org/software/S0030) and the group [Carbanak](https://attack.mitre.org/groups/G0008).(Citation: Europol Cobalt Mar 2018)", "meta": { "external_id": "G0080", "refs": [ "https://attack.mitre.org/groups/G0080", "https://blog.morphisec.com/cobalt-gang-2.0", "https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html", "https://crowdstrike.lookbookhq.com/global-threat-report-2018-web/cs-2018-global-threat-report", "https://web.archive.org/web/20190508170147/https://www.riskiq.com/blog/labs/cobalt-group-spear-phishing-russian-banks/", "https://web.archive.org/web/20190508170630/https://www.riskiq.com/blog/labs/cobalt-strike/", "https://www.europol.europa.eu/newsroom/news/mastermind-behind-eur-1-billion-cyber-bank-robbery-arrested-in-spain", "https://www.group-ib.com/blog/cobalt", "https://www.proofpoint.com/us/threat-insight/post/microsoft-word-intruder-integrates-cve-2017-0199-utilized-cobalt-group-target", "https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cobalt-2017-eng.pdf", "https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cobalt-Snatch-eng.pdf", "https://www.secureworks.com/blog/cybercriminals-increasingly-trying-to-ensnare-the-big-financial-fish" ], 
"synonyms": [ "Cobalt Group", "GOLD KINGSWOOD", "Cobalt Gang", "Cobalt Spider" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", "type": "uses" }, { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "type": "uses" }, { "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", "type": "uses" }, { "dest-uuid": "232a7e42-cd6e-4902-8fe9-2960f529dd4d", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", "type": "uses" }, { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "type": "uses" }, { "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", "type": "uses" }, { "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", "type": "uses" }, { "dest-uuid": "599cd7b5-37b5-4cdd-8174-2811531ce9d0", "type": "uses" }, { "dest-uuid": "6e3bd510-6b33-41a4-af80-2d80f3ee0071", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "type": "uses" }, { "dest-uuid": "a7881f21-e978-4fe4-af56-92c9416a2616", "type": "uses" }, { "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", "type": "uses" }, { "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", "type": "uses" }, { "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", "type": "uses" }, { "dest-uuid": "bd369cd9-abb8-41ce-b5bb-fff23ee86c00", "type": "uses" }, { "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "type": "uses" }, { "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", "type": "uses" }, { "dest-uuid": "bfd2738c-8b43-43c3-bc9f-d523c8e88bf4", "type": "uses" }, { 
"dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "d8d19e33-94fd-4aa3-b94a-08ee801a2153", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", "type": "uses" }, { "dest-uuid": "eb125d40-0b2d-41ac-a71a-3229241c2cd3", "type": "uses" }, { "dest-uuid": "ebbe170d-aa74-4946-8511-9921243415a3", "type": "uses" }, { "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", "type": "uses" }, { "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", "type": "uses" } ], "uuid": "dc6fe6ee-04c2-49be-ba3d-f38d2463c02a", "value": "Cobalt Group - G0080" }, { "description": "[Deep Panda](https://attack.mitre.org/groups/G0009) is a suspected Chinese threat group known to target many industries, including government, defense, financial, and telecommunications. (Citation: Alperovitch 2014) The intrusion into healthcare company Anthem has been attributed to [Deep Panda](https://attack.mitre.org/groups/G0009). (Citation: ThreatConnect Anthem) This group is also known as Shell Crew, WebMasters, KungFu Kittens, and PinkPanther. (Citation: RSA Shell Crew) [Deep Panda](https://attack.mitre.org/groups/G0009) also appears to be known as Black Vine based on the attribution of both group names to the Anthem intrusion. 
(Citation: Symantec Black Vine) Some analysts track [Deep Panda](https://attack.mitre.org/groups/G0009) and [APT19](https://attack.mitre.org/groups/G0073) as the same group, but it is unclear from open source information if the groups are the same. (Citation: ICIT China's Espionage Jul 2016)", "meta": { "external_id": "G0009", "refs": [ "https://attack.mitre.org/groups/G0009", "https://web.archive.org/web/20170823094836/http:/www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-black-vine-cyberespionage-group.pdf", "https://web.archive.org/web/20171017072306/https://icitech.org/icit-brief-chinas-espionage-dynasty-economic-death-by-a-thousand-cuts/", "https://web.archive.org/web/20200424075623/https:/www.crowdstrike.com/blog/deep-thought-chinese-targeting-national-security-think-tanks/", "https://www.rsa.com/content/dam/en/white-paper/rsa-incident-response-emerging-threat-profile-shell-crew.pdf", "https://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/" ], "synonyms": [ "Deep Panda", "Shell Crew", "WebMasters", "KungFu Kittens", "PinkPanther", "Black Vine" ] }, "related": [ { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "0286e80e-b0ed-464f-ad62-beec8536d0cb", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", "type": "uses" }, { "dest-uuid": "066d25c1-71bd-4bd4-8ca7-edbba00063f4", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f", "type": "uses" }, { "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", "type": "uses" }, { "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", "type": "uses" }, { "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "91000a8a-58cc-4aba-9ad0-993ad6302b86", "type": 
"uses" }, { "dest-uuid": "94379dec-5c87-49db-b36e-66abc0b81344", "type": "uses" }, { "dest-uuid": "96b08451-b27a-4ff6-893f-790e26393a8e", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "b0533c6e-8fea-4788-874f-b799cacc4b92", "type": "uses" }, { "dest-uuid": "b77b563c-34bb-4fb8-86a3-3694338f7b47", "type": "uses" }, { "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", "type": "uses" }, { "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0", "type": "uses" }, { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "type": "uses" }, { "dest-uuid": "fbb470da-1d44-4f29-bbb3-9efbe20f94a3", "type": "uses" }, { "dest-uuid": "066d25c1-71bd-4bd4-8ca7-edbba00063f4", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "0286e80e-b0ed-464f-ad62-beec8536d0cb", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "103ebfd8-4280-4027-b61a-69bd9967ad6c", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" } ], "uuid": "a653431d-6a5e-4600-8ad3-609b5af57064", "value": "Deep Panda - G0009" }, { "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) is a Russia-based financially motivated threat group originally known for the creation and deployment of [TrickBot](https://attack.mitre.org/software/S0266) since at least 2016. 
[Wizard Spider](https://attack.mitre.org/groups/G0102) possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.(Citation: CrowdStrike Ryuk January 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: CrowdStrike Wizard Spider October 2020)", "meta": { "external_id": "G0102", "refs": [ "https://attack.mitre.org/groups/G0102", "https://securityintelligence.com/posts/trickbot-gang-doubles-down-enterprise-infection/", "https://us-cert.cisa.gov/ncas/alerts/aa20-302a", "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/", "https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/", "https://www.crowdstrike.com/blog/wizard-spider-adversary-update/", "https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html", "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", "https://www.mandiant.com/sites/default/files/2021-10/fin12-group-profile.pdf", "https://www.secureworks.com/research/threat-profiles/gold-blackburn" ], "synonyms": [ "Wizard Spider", "UNC1878", "TEMP.MixMaster", "Grim Spider", "FIN12", "GOLD BLACKBURN", "ITG23", "Periwinkle Tempest" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "00806466-754d-44ea-ad6f-0caf59cb8556", "type": "uses" }, { "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", "type": "uses" }, { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, { "dest-uuid": "066b057c-944e-4cfc-b654-e3dfba04b926", "type": "uses" }, { "dest-uuid": 
"10d51417-ee35-4589-b1ff-b6df1c334e8d", "type": "uses" }, { "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", "type": "uses" }, { "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "32066e94-3112-48ca-b9eb-ba2b59d2f023", "type": "uses" }, { "dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082", "type": "uses" }, { "dest-uuid": "3433a9e8-1c47-4320-b9bf-ed449061d1c3", "type": "uses" }, { "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", "type": "uses" }, { "dest-uuid": "34e793de-0274-4982-9c1a-246ed1c19dee", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "type": "uses" }, { "dest-uuid": "4dea7d8e-af94-4bfb-afe4-7ff54f59308b", "type": "uses" }, { "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", "type": "uses" }, { "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65", "type": "uses" }, { "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762", "type": "uses" }, { "dest-uuid": "63c2a130-8a5b-452f-ad96-07cf0af12ffe", "type": "uses" }, { "dest-uuid": "64764dc6-a032-495f-8250-1e4c06bdc163", "type": "uses" }, { "dest-uuid": "65013dd2-bc61-43e3-afb5-a14c4fa7437a", "type": "uses" }, { "dest-uuid": "650c784b-7504-4df7-ab2c-4ea882384d1e", "type": "uses" }, { "dest-uuid": 
"65f2d882-3f41-4d48-8a06-29af77ec9f90", "type": "uses" }, { "dest-uuid": "6836813e-8ec8-4375-b459-abb388cb1a35", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7610cada-1499-41a4-b3dd-46467b68d177", "type": "uses" }, { "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", "type": "uses" }, { "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", "type": "uses" }, { "dest-uuid": "8d7bd4f5-3a89-4453-9c82-2c8894d5655e", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "981acc4c-2ede-4b56-be6e-fa1a75f37acf", "type": "uses" }, { "dest-uuid": "99fdf3b4-96ef-4ab9-b191-fc683441cad0", "type": "uses" }, { "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "a020a61c-423f-4195-8c46-ba1d21abba37", "type": "uses" }, { "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "type": "uses" }, { "dest-uuid": "a7881f21-e978-4fe4-af56-92c9416a2616", "type": "uses" }, { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "type": "uses" }, { "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", "type": "uses" }, { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "type": "uses" }, { "dest-uuid": "b76b2d94-60e4-4107-a903-4a3a7622fb3b", "type": "uses" }, { "dest-uuid": "b77b563c-34bb-4fb8-86a3-3694338f7b47", "type": "uses" }, { "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b", "type": "uses" }, { "dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5", "type": "uses" }, { "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", "type": "uses" }, { "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", "type": "uses" }, { "dest-uuid": "c9b99d03-ff11-4a48-95f0-82660d582c25", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": 
"d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d336b553-5da9-46ca-98a8-0b23f49fb447", "type": "uses" }, { "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e33267fe-099f-4af2-8730-63d49f8813b2", "type": "uses" }, { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "type": "uses" }, { "dest-uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58", "type": "uses" }, { "dest-uuid": "e624264c-033a-424d-9fd7-fc9c3bbdb03e", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "e7cbc1de-1f79-48ee-abfd-da1241c65a15", "type": "uses" }, { "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", "type": "uses" }, { "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", "type": "uses" }, { "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", "type": "uses" }, { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "type": "uses" }, { "dest-uuid": "f2877f7f-9a4c-4251-879f-1224e3006bee", "type": "uses" }, { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "uses" }, { "dest-uuid": "f59508a6-3615-47c3-b493-6676e1a39a87", "type": "uses" }, { "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", "type": "uses" }, { "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b", "type": "uses" }, { "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", "type": "uses" } ], "uuid": "dd2d9ca6-505b-4860-a604-233685b802c7", "value": "Wizard Spider - G0102" }, { "description": "[Ember Bear](https://attack.mitre.org/groups/G1003) is a suspected Russian state-sponsored cyber espionage group that has been active since at least March 2021. 
[Ember Bear](https://attack.mitre.org/groups/G1003) has primarily focused their operations against Ukraine and Georgia, but has also targeted Western European and North American foreign ministries, pharmaceutical companies, and financial sector organizations. Security researchers assess [Ember Bear](https://attack.mitre.org/groups/G1003) likely conducted the [WhisperGate](https://attack.mitre.org/software/S0689) destructive wiper attacks against Ukraine in early 2022.(Citation: CrowdStrike Ember Bear Profile March 2022)(Citation: Mandiant UNC2589 March 2022)(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 ) ", "meta": { "external_id": "G1003", "refs": [ "https://attack.mitre.org/groups/G1003", "https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/", "https://www.crowdstrike.com/blog/who-is-ember-bear/", "https://www.mandiant.com/resources/russia-invasion-ukraine-retaliation" ], "synonyms": [ "Ember Bear", "Saint Bear", "UNC2589", "UAC-0056", "Lorec53", "Lorec Bear", "Bleeding Bear" ] }, "related": [ { "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082", "type": "uses" }, { "dest-uuid": "49fee0b0-390e-4bde-97f8-97ed46bd19b7", "type": "uses" }, { "dest-uuid": "4ff5d6a8-c062-4c68-a778-36fc5edd564f", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5", "type": "uses" }, { "dest-uuid": "7724581b-06ff-4d2b-b77c-80dc8d53070b", "type": "uses" }, { "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "type": "uses" }, { 
"dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "type": "uses" }, { "dest-uuid": "c113230f-f044-423b-af63-9b63c802f5ae", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", "type": "uses" }, { "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "e7cbc1de-1f79-48ee-abfd-da1241c65a15", "type": "uses" }, { "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", "type": "uses" } ], "uuid": "a7f57cc1-4540-4429-823f-f4e56b8473c9", "value": "Ember Bear - G1003" }, { "description": "[Dust Storm](https://attack.mitre.org/groups/G0031) is a threat group that has targeted multiple industries in Japan, South Korea, the United States, Europe, and several Southeast Asian countries. 
(Citation: Cylance Dust Storm)", "meta": { "external_id": "G0031", "refs": [ "https://attack.mitre.org/groups/G0031", "https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf" ], "synonyms": [ "Dust Storm" ] }, "related": [ { "dest-uuid": "9e71024e-817f-45b0-92a0-d886c30bc929", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "9e71024e-817f-45b0-92a0-d886c30bc929", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" } ], "uuid": "ae41895a-243f-4a65-b99b-d85022326c31", "value": "Dust Storm - G0031" }, { "description": "[Night Dragon](https://attack.mitre.org/groups/G0014) is a campaign name for activity involving a threat group that has conducted activity originating primarily in China. 
(Citation: McAfee Night Dragon)", "meta": { "external_id": "G0014", "refs": [ "https://attack.mitre.org/groups/G0014", "https://securingtomorrow.mcafee.com/wp-content/uploads/2011/02/McAfee_NightDragon_wp_draft_to_customersv1-1.pdf" ], "synonyms": [ "Night Dragon" ] }, "related": [ { "dest-uuid": "286cc500-4291-45c2-99a1-e760db176402", "type": "uses" }, { "dest-uuid": "488da8ed-2887-4ef6-a39a-5b69bc6682c6", "type": "uses" }, { "dest-uuid": "9755ecdc-deb0-40e6-af49-713cb0f8ed92", "type": "uses" }, { "dest-uuid": "b3714d59-b61e-4713-903a-9b4f04ae7f3d", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "b3714d59-b61e-4713-903a-9b4f04ae7f3d", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "b3714d59-b61e-4713-903a-9b4f04ae7f3d", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "88c621a7-aef9-4ae0-94e3-1fc87123eb24", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" } ], "uuid": "23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8", "value": "Night Dragon - G0014" }, { "description": "[Earth Lusca](https://attack.mitre.org/groups/G1006) is a suspected China-based cyber espionage group that has been active since at least April 2019. [Earth Lusca](https://attack.mitre.org/groups/G1006) has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. 
Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some [Earth Lusca](https://attack.mitre.org/groups/G1006) operations may be financially motivated.(Citation: TrendMicro EarthLusca 2022)\n\n[Earth Lusca](https://attack.mitre.org/groups/G1006) has used malware commonly used by other Chinese threat groups, including [APT41](https://attack.mitre.org/groups/G0096) and the [Winnti Group](https://attack.mitre.org/groups/G0044) cluster, however security researchers assess [Earth Lusca](https://attack.mitre.org/groups/G1006)'s techniques and infrastructure are separate.(Citation: TrendMicro EarthLusca 2022)", "meta": { "external_id": "G1006", "refs": [ "https://attack.mitre.org/groups/G1006", "https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan", "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf" ], "synonyms": [ "Earth Lusca", "TAG-22" ] }, "related": [ { "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", "type": "uses" }, { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "0a68f1f1-da74-4d28-8d9a-696c082706cc", "type": "uses" }, { "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", "type": "uses" }, { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "type": "uses" }, { "dest-uuid": "13cd9151-83b7-410d-9f98-25d0f0d1d80d", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": 
"2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", "type": "uses" }, { "dest-uuid": "2de47683-f398-448f-b947-9abcc3e32fad", "type": "uses" }, { "dest-uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f", "type": "uses" }, { "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", "type": "uses" }, { "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "3ee16395-03f0-4690-a32e-69ce9ada0f9e", "type": "uses" }, { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "type": "uses" }, { "dest-uuid": "40f5caa0-4cb7-4117-89fc-d421bb493df3", "type": "uses" }, { "dest-uuid": "5502c4e9-24ef-4d5f-8ee9-9e906c2f82c4", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "60c4b628-4807-4b0b-bbf5-fdac8643c337", "type": "uses" }, { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "type": "uses" }, { "dest-uuid": "6b57dc31-b814-4a03-8706-28bc20d739c4", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", "type": "uses" }, { "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", "type": "uses" }, { "dest-uuid": "7807d3a4-a885-4639-a786-c1ed41484970", "type": "uses" }, { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "type": "uses" }, { "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", "type": "uses" }, { "dest-uuid": "8787e86d-8475-4f13-acea-d33eb83b6105", "type": "uses" }, { "dest-uuid": "88d31120-5bc7-4ce3-a9c0-7cf147be8e54", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "981acc4c-2ede-4b56-be6e-fa1a75f37acf", "type": "uses" }, { "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", "type": "uses" }, { "dest-uuid": 
"a2fdce72-04b2-409a-ac10-cc1695f4fce0", "type": "uses" }, { "dest-uuid": "a7881f21-e978-4fe4-af56-92c9416a2616", "type": "uses" }, { "dest-uuid": "ae797531-3219-49a4-bccf-324ad7a4c7b2", "type": "uses" }, { "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "b63970b7-ddfb-4aee-97b1-80d335e033a8", "type": "uses" }, { "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b", "type": "uses" }, { "dest-uuid": "c2e147a9-d1a8-4074-811a-d8789202d916", "type": "uses" }, { "dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1", "type": "uses" }, { "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "e196b5c5-8118-4a1c-ab8a-936586ce3db5", "type": "uses" }, { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "type": "uses" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "type": "uses" }, { "dest-uuid": "ec9e00dd-0313-4d5b-8105-c20aa47abffc", "type": "uses" }, { "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", "type": "uses" }, { "dest-uuid": "f303a39a-6255-4b89-aecc-18c4d8ca7163", "type": "uses" } ], "uuid": "cc613a49-9bfa-4e22-98d1-15ffbb03f034", "value": "Earth Lusca - G1006" }, { "description": "[Aoqin Dragon](https://attack.mitre.org/groups/G1007) is a suspected Chinese cyber espionage threat group that has been active since at least 2013. [Aoqin Dragon](https://attack.mitre.org/groups/G1007) has primarily targeted government, education, and telecommunication organizations in Australia, Cambodia, Hong Kong, Singapore, and Vietnam. 
Security researchers noted a potential association between [Aoqin Dragon](https://attack.mitre.org/groups/G1007) and UNC94, based on malware, infrastructure, and targets.(Citation: SentinelOne Aoqin Dragon June 2022)", "meta": { "external_id": "G1007", "refs": [ "https://attack.mitre.org/groups/G1007", "https://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/" ], "synonyms": [ "Aoqin Dragon" ] }, "related": [ { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4", "type": "uses" }, { "dest-uuid": "6fb36c6f-bb3d-4ed6-9471-cb9933e5c154", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "type": "uses" }, { "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "type": "uses" }, { "dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5", "type": "uses" }, { "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "type": "uses" }, { "dest-uuid": "dff90475-9f72-41a6-84ed-1fbefd3874c0", "type": "uses" } ], "uuid": "64d5f96a-f121-4d19-89f6-6709f5c49faa", "value": "Aoqin Dragon - G1007" }, { "description": "[Blue Mockingbird](https://attack.mitre.org/groups/G0108) is a cluster of observed activity involving Monero cryptocurrency-mining payloads in dynamic-link library (DLL) form on Windows systems. 
The earliest observed Blue Mockingbird tools were created in December 2019.(Citation: RedCanary Mockingbird May 2020)", "meta": { "external_id": "G0108", "refs": [ "https://attack.mitre.org/groups/G0108", "https://redcanary.com/blog/blue-mockingbird-cryptominer/" ], "synonyms": [ "Blue Mockingbird" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "type": "uses" }, { "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "type": "uses" }, { "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", "type": "uses" }, { "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "type": "uses" }, { "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", "type": "uses" }, { "dest-uuid": "cd25c1b4-935c-4f0e-ba8d-552f28bc4783", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48", "type": "uses" }, { "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", "type": "uses" }, { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "type": "uses" }, { "dest-uuid": "ffeb0780-356e-4261-b036-cfb6bd234335", "type": "uses" } ], 
"uuid": "73a80fab-2aa3-48e0-a4d0-3a4828200aee", "value": "Blue Mockingbird - G0108" }, { "description": "[Tropic Trooper](https://attack.mitre.org/groups/G0081) is an unaffiliated threat group that has led targeted campaigns against targets in Taiwan, the Philippines, and Hong Kong. [Tropic Trooper](https://attack.mitre.org/groups/G0081) focuses on targeting government, healthcare, transportation, and high-tech industries and has been active since 2011.(Citation: TrendMicro Tropic Trooper Mar 2018)(Citation: Unit 42 Tropic Trooper Nov 2016)(Citation: TrendMicro Tropic Trooper May 2020)", "meta": { "external_id": "G0081", "refs": [ "https://attack.mitre.org/groups/G0081", "https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/", "https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf", "https://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/", "https://www.crowdstrike.com/blog/on-demand-webcast-crowdstrike-experts-on-covid-19-cybersecurity-challenges-and-recommendations/" ], "synonyms": [ "Tropic Trooper", "Pirate Panda", "KeyBoy" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", "type": "uses" }, { "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { 
"dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", "type": "uses" }, { "dest-uuid": "5dd649c0-bca4-488b-bd85-b180474ec62e", "type": "uses" }, { "dest-uuid": "64764dc6-a032-495f-8250-1e4c06bdc163", "type": "uses" }, { "dest-uuid": "6836813e-8ec8-4375-b459-abb388cb1a35", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "75bba379-4ba1-467e-8c60-ec2b269ee984", "type": "uses" }, { "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "a3e1e6c5-9c74-4fc0-a16c-a9d228c17829", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "b42378e0-f147-496f-992a-26a49705395b", "type": "uses" }, { "dest-uuid": "b8902400-e6c5-4ba2-95aa-2d35b442b118", "type": "uses" }, { "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "type": "uses" }, { "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", "type": "uses" }, { "dest-uuid": "c2e147a9-d1a8-4074-811a-d8789202d916", "type": "uses" }, { "dest-uuid": "cb444a16-3ea5-4a91-88c6-f329adcb8af3", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "dc31fe1e-d722-49da-8f5f-92c7b5aff534", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": 
"e3a12395-188d-4051-9a16-ea8e14d07b88", "type": "uses" }, { "dest-uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58", "type": "uses" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d", "type": "uses" }, { "dest-uuid": "ec9e00dd-0313-4d5b-8105-c20aa47abffc", "type": "uses" }, { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "uses" }, { "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", "type": "uses" } ], "uuid": "56319646-eb6e-41fc-ae53-aadfa7adb924", "value": "Tropic Trooper - G0081" }, { "description": "[Moses Staff](https://attack.mitre.org/groups/G1009) is a suspected Iranian threat group that has primarily targeted Israeli companies since at least September 2021. [Moses Staff](https://attack.mitre.org/groups/G1009) openly stated their motivation in attacking Israeli companies is to cause damage by leaking stolen sensitive data and encrypting the victim's networks without a ransom demand.(Citation: Checkpoint MosesStaff Nov 2021) \n\nSecurity researchers assess [Moses Staff](https://attack.mitre.org/groups/G1009) is politically motivated, and has targeted government, finance, travel, energy, manufacturing, and utility companies outside of Israel as well, including those in Italy, India, Germany, Chile, Turkey, the UAE, and the US.(Citation: Cybereason StrifeWater Feb 2022)", "meta": { "external_id": "G1009", "refs": [ "https://attack.mitre.org/groups/G1009", "https://research.checkpoint.com/2021/mosesstaff-targeting-israeli-companies/", "https://www.cybereason.com/blog/research/strifewater-rat-iranian-apt-moses-staff-adds-new-trojan-to-ransomware-operations" ], "synonyms": [ "Moses Staff" ] }, "related": [ { "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0", "type": "uses" }, { "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", "type": "uses" }, { "dest-uuid": 
"2ac41e8b-4865-4ced-839d-78e7852c47f3", "type": "uses" }, { "dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "type": "uses" }, { "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", "type": "uses" }, { "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", "type": "uses" }, { "dest-uuid": "5633ffd3-81ef-4f98-8f93-4896b03998f0", "type": "uses" }, { "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "fb78294a-7d7a-4d38-8ad0-92e67fddc9f0", "type": "uses" }, { "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", "type": "uses" } ], "uuid": "4c4a7846-45d5-4761-8eea-725fa989914c", "value": "Moses Staff - G1009" }, { "description": "[Lazarus Group](https://attack.mitre.org/groups/G0032) is a North Korean state-sponsored cyber threat group that has been attributed to the Reconnaissance General Bureau.(Citation: US-CERT HIDDEN COBRA June 2017)(Citation: Treasury North Korean Cyber Groups September 2019) The group has been active since at least 2009 and was reportedly responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment as part of a campaign named Operation Blockbuster by Novetta. Malware used by [Lazarus Group](https://attack.mitre.org/groups/G0032) correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain. 
(Citation: Novetta Blockbuster)\n\nNorth Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://attack.mitre.org/groups/G0032) instead of tracking clusters or subgroups, such as [Andariel](https://attack.mitre.org/groups/G0138), [APT37](https://attack.mitre.org/groups/G0067), [APT38](https://attack.mitre.org/groups/G0082), and [Kimsuky](https://attack.mitre.org/groups/G0094). ", "meta": { "external_id": "G0032", "refs": [ "https://attack.mitre.org/groups/G0032", "https://blogs.microsoft.com/on-the-issues/2017/12/19/microsoft-facebook-disrupt-zinc-malware-attack-protect-customers-internet-ongoing-cyberthreats/", "https://home.treasury.gov/news/press-releases/sm774", "https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf", "https://web.archive.org/web/20210723190317/https://adversary.crowdstrike.com/en-US/adversary/labyrinth-chollima/", "https://www.secureworks.com/about/press/media-alert-secureworks-discovers-north-korean-cyber-threat-group-lazarus-spearphishing", "https://www.us-cert.gov/ncas/alerts/TA17-164A", "https://www.us-cert.gov/ncas/analysis-reports/AR19-100A" ], "synonyms": [ "Lazarus Group", "Labyrinth Chollima", "HIDDEN COBRA", "Guardians of Peace", "ZINC", "NICKEL ACADEMY" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "01dbc71d-0ee8-420d-abb4-3dfb6a4bf725", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "069af411-9b24-4e85-b26c-623d035bbe84", "type": "uses" }, { "dest-uuid": 
"09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "0af0ca99-357d-4ba1-805f-674fdfb7bef9", "type": "uses" }, { "dest-uuid": "11e36d5b-6a92-4bf9-8eb7-85eb24f59e22", "type": "uses" }, { "dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b", "type": "uses" }, { "dest-uuid": "16040b1c-ed28-4850-9d8f-bb8b81c42092", "type": "uses" }, { "dest-uuid": "19401639-28d0-4c3c-adcc-bc2ba22f6421", "type": "uses" }, { "dest-uuid": "1b7b1806-7746-41a1-a35d-e48dae25ddba", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "1f6e3702-7ca1-4582-b2e7-4591297d05a8", "type": "uses" }, { "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", "type": "uses" }, { "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "24b4ce59-eaac-4c8b-8634-9b093b7ccd92", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", "type": "uses" }, { "dest-uuid": "2db31dcd-54da-405d-acef-b9129b816ed6", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3aa169f8-bbf6-44bb-b57d-7f6ada5c2128", "type": "uses" }, { "dest-uuid": "3aef9463-9a7a-43ba-8957-a867e07c1e6a", "type": "uses" }, { "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": 
"3ffbdc1f-d2bf-41ab-91a2-c7b857e98079", "type": "uses" }, { "dest-uuid": "40f5caa0-4cb7-4117-89fc-d421bb493df3", "type": "uses" }, { "dest-uuid": "41868330-6ee2-4d0f-b743-9f2294c3c9b6", "type": "uses" }, { "dest-uuid": "454fe82d-6fd2-4ac6-91ab-28a33fe01369", "type": "uses" }, { "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "type": "uses" }, { "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611", "type": "uses" }, { "dest-uuid": "4933e63b-9b77-476e-ab29-761bc5b7d15a", "type": "uses" }, { "dest-uuid": "495b6cdb-7b5a-4fbc-8d33-e7ef68806d08", "type": "uses" }, { "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", "type": "uses" }, { "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", "type": "uses" }, { "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", "type": "uses" }, { "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", "type": "uses" }, { "dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a", "type": "uses" }, { "dest-uuid": "5a63f900-5e7e-4928-a746-dd4558e1df71", "type": "uses" }, { "dest-uuid": "65013dd2-bc61-43e3-afb5-a14c4fa7437a", "type": "uses" }, { "dest-uuid": "650c784b-7504-4df7-ab2c-4ea882384d1e", "type": "uses" }, { "dest-uuid": "677569f9-a8b0-459e-ab24-7f18091fa7bf", "type": "uses" }, { "dest-uuid": "68391641-859f-4a9a-9a1e-3e5cf71ec376", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "692074ae-bb62-4a5e-a735-02cb6bde458c", "type": "uses" }, { "dest-uuid": "69b8fd78-40e8-4600-ae4d-662c9d7afdb3", "type": "uses" }, { "dest-uuid": "69f897fd-12a9-4c89-ad6a-46d2f3c38262", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "75ecdbf1-c2bb-4afc-a3f9-c8da4de8c661", "type": "uses" }, { "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", "type": "uses" }, { "dest-uuid": "7ba0fc46-197d-466d-8b9f-f1c64d5d81e5", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": 
"7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", "type": "uses" }, { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "type": "uses" }, { "dest-uuid": "7f4bbe05-1674-4087-8a16-8f1ad61b6152", "type": "uses" }, { "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", "type": "uses" }, { "dest-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91", "type": "uses" }, { "dest-uuid": "88d31120-5bc7-4ce3-a9c0-7cf147be8e54", "type": "uses" }, { "dest-uuid": "8c41090b-aa47-4331-986b-8c9a51a91103", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "937e4772-8441-4e4a-8bf0-8d447d667e23", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "9b325b06-35a1-457d-be46-a4ecc0b7ff0c", "type": "uses" }, { "dest-uuid": "9dbdadb6-fdbf-490f-a35f-38762d06a0d2", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "a04d9a4c-bb52-40bf-98ec-e350c2d6a862", "type": "uses" }, { "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", "type": "uses" }, { "dest-uuid": "a1dd2dbd-1550-44bf-abcc-1a4c52e97719", "type": "uses" }, { "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "type": "uses" }, { "dest-uuid": "a4657bc9-d22f-47d2-a7b7-dd6ec33f3dde", "type": "uses" }, { "dest-uuid": "aad11e34-02ca-4220-91cd-2ed420af4db3", "type": "uses" }, { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "type": "uses" }, { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "type": "uses" }, { "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18", "type": "uses" }, { "dest-uuid": "b1ccd744-3f78-4a0e-9bb2-2002057f7928", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "bd0536d7-b081-43ae-a773-cfb057c5b988", "type": "uses" }, { "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", "type": "uses" }, { "dest-uuid": 
"be055942-6e63-49d7-9fa1-9cb7d8a8f3f4", "type": "uses" }, { "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "type": "uses" }, { "dest-uuid": "c11ac61d-50f4-444f-85d8-6f006067f0de", "type": "uses" }, { "dest-uuid": "c325b232-d5bc-4dde-a3ec-71f3db9e8adc", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "e196b5c5-8118-4a1c-ab8a-936586ce3db5", "type": "uses" }, { "dest-uuid": "e2d34c63-6f5a-41f5-86a2-e2380f27f858", "type": "uses" }, { "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", "type": "uses" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "e928333f-f3df-4039-9b8b-556c2add0e42", "type": "uses" }, { "dest-uuid": "ea4c2f9c-9df1-477c-8c42-6da1118f2ac4", "type": "uses" }, { "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", "type": "uses" }, { "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d", "type": "uses" }, { "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", "type": "uses" }, { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "type": "uses" }, { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "uses" }, { "dest-uuid": "f6ad61ee-65f3-4bd0-a3f5-2f0accb36317", "type": "uses" }, { "dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755", "type": "uses" }, { "dest-uuid": "f8774023-8021-4ece-9aca-383ac89d2759", "type": "uses" }, { "dest-uuid": "fb640c43-aa6b-431e-a961-a279010424ac", "type": "uses" }, { "dest-uuid": 
"fb8d023d-45be-47e9-bc51-f56bcae6435b", "type": "uses" }, { "dest-uuid": "fece06b7-d4b1-42cf-b81a-5323c917546e", "type": "uses" }, { "dest-uuid": "ff73aa03-0090-4464-83ac-f89e233c02bc", "type": "uses" }, { "dest-uuid": "68391641-859f-4a9a-9a1e-3e5cf71ec376", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "027a1428-6e79-4a4b-82b9-e698e8525c2b", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" } ], "uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", "value": "Lazarus Group - G0032" }, { "description": "[Putter Panda](https://attack.mitre.org/groups/G0024) is a Chinese threat group that has been attributed to Unit 61486 of the 12th Bureau of the PLA\u2019s 3rd General Staff Department (GSD). (Citation: CrowdStrike Putter Panda)", "meta": { "external_id": "G0024", "refs": [ "http://blog.cylance.com/puttering-into-the-future", "http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf", "https://attack.mitre.org/groups/G0024" ], "synonyms": [ "Putter Panda", "APT2", "MSUpdater" ] }, "related": [ { "dest-uuid": "0ca45163-e223-4167-b1af-f088ed14a93d", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "7bec698a-7e20-4fd3-bb6a-12787770fb1a", "type": "uses" }, { "dest-uuid": "800bdfba-6d66-480f-9f45-15845c05cb5d", "type": "uses" }, { "dest-uuid": "8e461ca3-0996-4e6e-a0df-e2a5bbc51ebc", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "e8268361-a599-4e45-bd3f-71c8c7e700c0", "type": "uses" }, { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", 
"type": "uses" }, { "dest-uuid": "0ca45163-e223-4167-b1af-f088ed14a93d", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "7bec698a-7e20-4fd3-bb6a-12787770fb1a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" } ], "uuid": "5ce5392a-3a6c-4e07-9df3-9b6a9159ac45", "value": "Putter Panda - G0024" }, { "description": "[Scarlet Mimic](https://attack.mitre.org/groups/G0029) is a threat group that has targeted minority rights activists. This group has not been directly linked to a government source, but the group's motivations appear to overlap with those of the Chinese government. While there is some overlap between IP addresses used by [Scarlet Mimic](https://attack.mitre.org/groups/G0029) and [Putter Panda](https://attack.mitre.org/groups/G0024), it has not been concluded that the groups are the same. (Citation: Scarlet Mimic Jan 2016)", "meta": { "external_id": "G0029", "refs": [ "http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/", "https://attack.mitre.org/groups/G0029" ], "synonyms": [ "Scarlet Mimic" ] }, "related": [ { "dest-uuid": "0da10682-85c6-4c0b-bace-ba1f7adfb63e", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "463f68f1-5cde-4dc2-a831-68b73488f8f4", "type": "uses" }, { "dest-uuid": "77eae145-55db-4519-8ae5-77b0c7215d69", "type": "uses" }, { "dest-uuid": "bb3c1098-d654-4620-bf40-694386d28921", "type": "uses" }, { "dest-uuid": "cb7bcf6f-085f-41db-81ee-4b68481661b5", "type": "uses" }, { "dest-uuid": "dfb5fa9b-3051-4b97-8035-08f80aef945b", "type": "uses" }, { "dest-uuid": "0da10682-85c6-4c0b-bace-ba1f7adfb63e", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "dfb5fa9b-3051-4b97-8035-08f80aef945b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" 
} ], "uuid": "c5574ca0-d5a4-490a-b207-e4658e5fd1d7", "value": "Scarlet Mimic - G0029" }, { "description": "[Poseidon Group](https://attack.mitre.org/groups/G0033) is a Portuguese-speaking threat group that has been active since at least 2005. The group has a history of using information exfiltrated from victims to blackmail victim companies into contracting the [Poseidon Group](https://attack.mitre.org/groups/G0033) as a security firm. (Citation: Kaspersky Poseidon Group)", "meta": { "external_id": "G0033", "refs": [ "https://attack.mitre.org/groups/G0033", "https://securelist.com/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/73673/" ], "synonyms": [ "Poseidon Group" ] }, "related": [ { "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", "type": "uses" }, { "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", "type": "uses" }, { "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", "type": "uses" }, { "dest-uuid": "5fc09923-fcff-4e81-9cae-4518ef31cf4d", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "5fc09923-fcff-4e81-9cae-4518ef31cf4d", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" } ], "uuid": "7ecc3b4f-5cdb-457e-b55a-df376b359446", "value": "Poseidon Group - G0033" }, { "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) is a destructive threat group that has been attributed to Russia's General Staff Main 
Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) This group has been active since at least 2009.(Citation: iSIGHT Sandworm 2014)(Citation: CrowdStrike VOODOO BEAR)(Citation: USDOJ Sandworm Feb 2020)(Citation: NCSC Sandworm Feb 2020)\n\nIn October 2020, the US indicted six GRU Unit 74455 officers associated with [Sandworm Team](https://attack.mitre.org/groups/G0034) for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide [NotPetya](https://attack.mitre.org/software/S0368) attack, targeting of the 2017 French presidential campaign, the 2018 [Olympic Destroyer](https://attack.mitre.org/software/S0365) attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as [APT28](https://attack.mitre.org/groups/G0007).(Citation: US District Court Indictment GRU Oct 2018)", "meta": { "external_id": "G0034", "refs": [ "https://2017-2021.state.gov/the-united-states-condemns-russian-cyber-attack-against-the-country-of-georgia//index.html", "https://attack.mitre.org/groups/G0034", "https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf", "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-january-voodoo-bear/", "https://www.dragos.com/resource/electrum/", "https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html", 
"https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games", "https://www.infosecurity-magazine.com/news/microsoft-zero-day-traced-russian/", "https://www.justice.gov/opa/page/file/1098481/download", "https://www.justice.gov/opa/press-release/file/1328521/download", "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/", "https://www.ncsc.gov.uk/news/ncsc-supports-sandworm-advisory", "https://www.secureworks.com/research/threat-profiles/iron-viking" ], "synonyms": [ "Sandworm Team", "ELECTRUM", "Telebots", "IRON VIKING", "BlackEnergy (Group)", "Quedagh", "Voodoo Bear", "IRIDIUM" ] }, "related": [ { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "051eaca1-958f-4091-9e5f-a9acd8f820b5", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "0af0ca99-357d-4ba1-805f-674fdfb7bef9", "type": "uses" }, { "dest-uuid": "0cfe31a7-81fc-472c-bc45-e2808d1066a3", "type": "uses" }, { "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", "type": "uses" }, { "dest-uuid": "11194d8b-fdce-45d2-8047-df15bb8f16bd", "type": "uses" }, { "dest-uuid": "16cdd21f-da65-4e4f-bc04-dd7d198c7b26", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "1da748a5-875d-4212-9222-b4c23ab861be", "type": "uses" }, { "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0", "type": "uses" }, { "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": 
"26c87906-d750-42c5-946c-d4162c73fc7b", "type": "uses" }, { "dest-uuid": "2b5aa86b-a0df-4382-848d-30abea443327", "type": "uses" }, { "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", "type": "uses" }, { "dest-uuid": "2d3f5b3c-54ca-4f4d-bb1f-849346d31230", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "2eaa5319-5e1e-4dd7-bbc4-566fced3964a", "type": "uses" }, { "dest-uuid": "308b3d68-a084-4dfb-885a-3125e1a9c1e8", "type": "uses" }, { "dest-uuid": "3249e92a-870b-426d-8790-ba311c1abfb4", "type": "uses" }, { "dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", "type": "uses" }, { "dest-uuid": "40f5caa0-4cb7-4117-89fc-d421bb493df3", "type": "uses" }, { "dest-uuid": "4800d0f9-00aa-47cd-a4d2-92198585b8fd", "type": "uses" }, { "dest-uuid": "4bc31b94-045b-4752-8920-aebaebdb6470", "type": "uses" }, { "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", "type": "uses" }, { "dest-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", "type": "uses" }, { "dest-uuid": "5502c4e9-24ef-4d5f-8ee9-9e906c2f82c4", "type": "uses" }, { "dest-uuid": "5719af9d-6b16-46f9-9b28-fb019541ddbb", "type": "uses" }, { "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", "type": "uses" }, { "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", "type": "uses" }, { "dest-uuid": "60c4b628-4807-4b0b-bbf5-fdac8643c337", "type": "uses" }, { "dest-uuid": "65013dd2-bc61-43e3-afb5-a14c4fa7437a", "type": "uses" }, { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "type": "uses" }, { "dest-uuid": "69f897fd-12a9-4c89-ad6a-46d2f3c38262", "type": "uses" }, { "dest-uuid": "6a0d0ea9-b2c4-43fe-a552-ac41a3009dc5", "type": "uses" }, { "dest-uuid": 
"6ee2dc99-91ad-4534-a7d8-a649358c331f", "type": "uses" }, { "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", "type": "uses" }, { "dest-uuid": "76551c52-b111-4884-bc47-ff3e728f0156", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "type": "uses" }, { "dest-uuid": "810d8072-afb6-4a56-9ee7-86379ac4a6f3", "type": "uses" }, { "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "9fa07bef-9c81-421e-a8e5-ad4366c5a925", "type": "uses" }, { "dest-uuid": "a0d774e4-bafc-4292-8651-3ec899391341", "type": "uses" }, { "dest-uuid": "a0e6614a-7740-4b24-bd65-f1bde09fc365", "type": "uses" }, { "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "type": "uses" }, { "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", "type": "uses" }, { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "type": "uses" }, { "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18", "type": "uses" }, { "dest-uuid": "b1ccd744-3f78-4a0e-9bb2-2002057f7928", "type": "uses" }, { "dest-uuid": "b350b47f-88fe-4921-8538-6d9c59bac84e", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "b52d6583-14a2-4ddc-8527-87fd2142558f", "type": "uses" }, { "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", "type": "uses" }, { "dest-uuid": "baf60e1a-afe5-4d31-830f-1b1ba2351884", "type": "uses" }, { "dest-uuid": "bd369cd9-abb8-41ce-b5bb-fff23ee86c00", "type": "uses" }, { "dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4", "type": "uses" }, { "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "type": "uses" }, { "dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5", "type": "uses" }, { "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", "type": "uses" }, { "dest-uuid": 
"c675646d-e204-4aa8-978d-e3d6d65885c4", "type": "uses" }, { "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", "type": "uses" }, { "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "e221eb77-1502-4129-af1d-fe1ad55e7ec6", "type": "uses" }, { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "type": "uses" }, { "dest-uuid": "e3b168bd-fcd7-439e-9382-2e6c2f63514d", "type": "uses" }, { "dest-uuid": "e401d4fe-f0c9-44f0-98e6-f93487678808", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", "type": "uses" }, { "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", "type": "uses" }, { "dest-uuid": "f512de42-f76b-40d2-9923-59e7dbdfec35", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", "type": "uses" }, { "dest-uuid": "f512de42-f76b-40d2-9923-59e7dbdfec35", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "b47250ec-2094-4d06-b658-11456e05fe89", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "feac86e4-6bb2-4ba0-ac99-806aeb0a776c", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" } ], "uuid": "381fcf73-60f6-4ab2-9991-6af3cbc35192", "value": "Sandworm Team - G0034" }, { "description": "[Stealth Falcon](https://attack.mitre.org/groups/G0038) is a threat group that has conducted targeted spyware attacks against Emirati journalists, activists, 
and dissidents since at least 2012. Circumstantial evidence suggests there could be a link between this group and the United Arab Emirates (UAE) government, but that has not been confirmed. (Citation: Citizen Lab Stealth Falcon May 2016)", "meta": { "external_id": "G0038", "refs": [ "https://attack.mitre.org/groups/G0038", "https://citizenlab.org/2016/05/stealth-falcon/" ], "synonyms": [ "Stealth Falcon" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0", "type": "uses" }, { "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "d336b553-5da9-46ca-98a8-0b23f49fb447", "type": "uses" }, { "dest-uuid": "dab75e38-6969-4e78-9304-dc269c3cbcf0", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "dab75e38-6969-4e78-9304-dc269c3cbcf0", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" } ], "uuid": "894aab42-3371-47b1-8859-a4a074c804c8", "value": "Stealth Falcon - G0038" }, { "description": "[Winnti Group](https://attack.mitre.org/groups/G0044) is a threat group with Chinese origins that has been active since at least 2010. The group has heavily targeted the gaming industry, but it has also expanded the scope of its targeting.(Citation: Kaspersky Winnti April 2013)(Citation: Kaspersky Winnti June 2015)(Citation: Novetta Winnti April 2015) Some reporting suggests a number of other groups, including [Axiom](https://attack.mitre.org/groups/G0001), [APT17](https://attack.mitre.org/groups/G0025), and [Ke3chang](https://attack.mitre.org/groups/G0004), are closely linked to [Winnti Group](https://attack.mitre.org/groups/G0044).(Citation: 401 TRG Winnti Umbrella May 2018)", "meta": { "external_id": "G0044", "refs": [ "http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates", "https://401trg.github.io/pages/burning-umbrella.html", "https://attack.mitre.org/groups/G0044", "https://securelist.com/games-are-over/70991/", "https://securelist.com/winnti-more-than-just-a-game/37029/", "https://web.archive.org/web/20150412223949/http://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf" ], "synonyms": [ "Winnti Group", "Blackfly" ] }, "related": [ { "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", "type": "uses" }, { "dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082", "type": "uses" }, { "dest-uuid": "40f5caa0-4cb7-4117-89fc-d421bb493df3", "type": "uses" }, { "dest-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "8393dac0-0583-456a-9372-fd81691bca20", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "99e30d89-9361-4b73-a999-9e5ff9320bcb", "tags": [ 
"estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "d3afa961-a80c-4043-9509-282cdf69ab21", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "99e30d89-9361-4b73-a999-9e5ff9320bcb", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "24110866-cb22-4c85-a7d2-0413e126694b", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "a0cb9370-e39b-44d5-9f50-ef78e412b973", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "090242d7-73fc-4738-af68-20162f7a5aae", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" } ], "uuid": "c5947e1c-1cbc-434c-94b8-27c7e3be0fff", "value": "Winnti Group - G0044" }, { "description": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) is a suspected Russian cyber espionage threat group that has targeted military, NGO, judiciary, law enforcement, and non-profit organizations in Ukraine since at least 2013. 
The name [Gamaredon Group](https://attack.mitre.org/groups/G0047) comes from a misspelling of the word \"Armageddon\", which was detected in the adversary's early campaigns.(Citation: Palo Alto Gamaredon Feb 2017)(Citation: TrendMicro Gamaredon April 2020)(Citation: ESET Gamaredon June 2020)(Citation: Symantec Shuckworm January 2022)(Citation: Microsoft Actinium February 2022)\n\nIn November 2021, the Ukrainian government publicly attributed [Gamaredon Group](https://attack.mitre.org/groups/G0047) to Russia's Federal Security Service (FSB) Center 18.(Citation: Bleepingcomputer Gamardeon FSB November 2021)(Citation: Microsoft Actinium February 2022)", "meta": { "external_id": "G0047", "refs": [ "https://attack.mitre.org/groups/G0047", "https://blog.trendmicro.com/trendlabs-security-intelligence/gamaredon-apt-group-use-covid-19-lure-in-campaigns/", "https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine", "https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/", "https://www.bleepingcomputer.com/news/security/ukraine-links-members-of-gamaredon-hacker-group-to-russian-fsb/", "https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/", "https://www.secureworks.com/research/threat-profiles/iron-tilden", "https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/" ], "synonyms": [ "Gamaredon Group", "IRON TILDEN", "Primitive Bear", "ACTINIUM", "Armageddon", "Shuckworm", "DEV-0157" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "01327cde-66c4-4123-bf34-5f258d59457b", "type": "uses" }, { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", 
"type": "uses" }, { "dest-uuid": "03eb4a05-6a02-43f6-afb7-3c7835501828", "type": "uses" }, { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, { "dest-uuid": "132d5b37-aac5-4378-a8dc-3127b18a73dc", "type": "uses" }, { "dest-uuid": "1a77e156-76bc-43f5-bdd7-bd67f30fbbbb", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "246fd3c7-f5e3-466d-8787-4c13d9e3b61c", "type": "uses" }, { "dest-uuid": "2c4d4e92-0ccf-4a97-b54c-86d662988a53", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64", "type": "uses" }, { "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", "type": "uses" }, { "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "3ee16395-03f0-4690-a32e-69ce9ada0f9e", "type": "uses" }, { "dest-uuid": "40f5caa0-4cb7-4117-89fc-d421bb493df3", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5", "type": "uses" }, { "dest-uuid": "5f9f7648-04ba-4a9f-bb4c-2a13e74572bd", "type": "uses" }, { "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "7bd9c723-2f78-4309-82c5-47cad406572b", "type": "uses" }, { "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", "type": "uses" }, { 
"dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", "type": "uses" }, { "dest-uuid": "8c41090b-aa47-4331-986b-8c9a51a91103", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "9e7452df-5144-4b6e-b04a-b66dd4016747", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "type": "uses" }, { "dest-uuid": "ae676644-d2d2-41b7-af7e-9bed1b55898c", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "b77b563c-34bb-4fb8-86a3-3694338f7b47", "type": "uses" }, { "dest-uuid": "c726e0a2-a57a-4b7b-a973-d0f013246617", "type": "uses" }, { "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", "type": "uses" }, { "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", "type": "uses" }, { "dest-uuid": "d52291b4-bb23-45a8-aef0-3dc7e986ba15", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "dc31fe1e-d722-49da-8f5f-92c7b5aff534", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "1a77e156-76bc-43f5-bdd7-bd67f30fbbbb", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" } ], "uuid": "2e290bfe-93b5-48ce-97d6-edcd6d32b7cf", "value": "Gamaredon Group - G0047" }, { 
"description": "[Charming Kitten](https://attack.mitre.org/groups/G0058) is an Iranian cyber espionage group that has been active since approximately 2014. They appear to focus on targeting individuals of interest to Iran who work in academic research, human rights, and media, with most victims having been located in Iran, the US, Israel, and the UK. [Charming Kitten](https://attack.mitre.org/groups/G0058) often tries to access private email and Facebook accounts, and sometimes establishes a foothold on victim computers as a secondary objective. The group's TTPs overlap extensively with another group, [Magic Hound](https://attack.mitre.org/groups/G0059), resulting in reporting that may not distinguish between the two groups' activities.(Citation: ClearSky Charming Kitten Dec 2017)", "meta": { "external_id": "G0058", "refs": [ "http://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf", "https://attack.mitre.org/groups/G0058" ], "synonyms": [ "Charming Kitten" ] }, "related": [ { "dest-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13", "type": "revoked-by" } ], "uuid": "92d5b3fd-3b39-438e-af68-770e447beada", "value": "Charming Kitten - G0058" }, { "description": "[Magic Hound](https://attack.mitre.org/groups/G0059) is an Iranian-sponsored threat group that conducts long-term, resource-intensive cyber espionage operations, likely on behalf of the Islamic Revolutionary Guard Corps. 
They have targeted European, U.S., and Middle Eastern government and military personnel, academics, journalists, and organizations such as the World Health Organization (WHO), via complex social engineering campaigns since at least 2014.(Citation: FireEye APT35 2018)(Citation: ClearSky Kittens Back 3 August 2020)(Citation: Certfa Charming Kitten January 2021)(Citation: Secureworks COBALT ILLUSION Threat Profile)(Citation: Proofpoint TA453 July2021)", "meta": { "external_id": "G0059", "refs": [ "http://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf", "https://attack.mitre.org/groups/G0059", "https://blog.certfa.com/posts/charming-kitten-christmas-gift/", "https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/", "https://blogs.microsoft.com/on-the-issues/2020/10/28/cyberattacks-phosphorus-t20-munich-security-conference/", "https://noticeofpleadings.com/phosphorus/files/Complaint.pdf", "https://research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/", "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/", "https://securityintelligence.com/posts/new-research-exposes-iranian-threat-group-operations/", "https://www.clearskysec.com/wp-content/uploads/2019/10/The-Kittens-Are-Back-in-Town-2-1.pdf", "https://www.clearskysec.com/wp-content/uploads/2020/08/The-Kittens-are-Back-in-Town-3.pdf", "https://www.eweek.com/security/newscaster-threat-uses-social-media-for-intelligence-gathering", "https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf", "https://www.proofpoint.com/us/blog/threat-insight/badblood-ta453-targets-us-and-israeli-medical-research-personnel-credential", "https://www.proofpoint.com/us/blog/threat-insight/operation-spoofedscholars-conversation-ta453", "https://www.secureworks.com/research/threat-profiles/cobalt-illusion" ], "synonyms": [ "Magic Hound", "TA453", "COBALT ILLUSION", 
"Charming Kitten", "ITG18", "Phosphorus", "Newscaster", "APT35" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", "type": "uses" }, { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "0dda99f0-4701-48ca-9774-8504922e92d3", "type": "uses" }, { "dest-uuid": "132d5b37-aac5-4378-a8dc-3127b18a73dc", "type": "uses" }, { "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "1e9eb839-294b-48cc-b0d3-c45555a2a004", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "26c87906-d750-42c5-946c-d4162c73fc7b", "type": "uses" }, { "dest-uuid": "294e2560-bd48-44b2-9da2-833b5588ad11", "type": "uses" }, { "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", "type": "uses" }, { "dest-uuid": "2d3f5b3c-54ca-4f4d-bb1f-849346d31230", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", "type": "uses" }, { "dest-uuid": "35ee9bf3-264b-4411-8a8f-b58cec8f35e4", "type": "uses" }, { "dest-uuid": "3aef9463-9a7a-43ba-8957-a867e07c1e6a", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3d333250-30e4-4a82-9edc-756c68afc529", "type": "uses" }, { "dest-uuid": "3dc8c101-d4db-4f4d-8150-1b5a76ca5f1b", "type": "uses" }, { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "type": "uses" }, { "dest-uuid": 
"40597f16-0963-4249-bf4c-ac93b7fb9807", "type": "uses" }, { "dest-uuid": "40f5caa0-4cb7-4117-89fc-d421bb493df3", "type": "uses" }, { "dest-uuid": "42be2a84-5a5c-4c6d-9864-3f09d75bb0ba", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "494ab9f0-36e0-4b06-b10d-57285b040a06", "type": "uses" }, { "dest-uuid": "4bc31b94-045b-4752-8920-aebaebdb6470", "type": "uses" }, { "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", "type": "uses" }, { "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", "type": "uses" }, { "dest-uuid": "5282dd9a-d26d-4e16-88b7-7c0f4553daf4", "type": "uses" }, { "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", "type": "uses" }, { "dest-uuid": "5502c4e9-24ef-4d5f-8ee9-9e906c2f82c4", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "5a63f900-5e7e-4928-a746-dd4558e1df71", "type": "uses" }, { "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", "type": "uses" }, { "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", "type": "uses" }, { "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762", "type": "uses" }, { "dest-uuid": "65013dd2-bc61-43e3-afb5-a14c4fa7437a", "type": "uses" }, { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "type": "uses" }, { "dest-uuid": "69f897fd-12a9-4c89-ad6a-46d2f3c38262", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", "type": "uses" }, { "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", "type": "uses" }, { "dest-uuid": "7acb15b6-fe2c-4319-b136-6ab36ff0b2d4", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", "type": "uses" }, { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "type": "uses" }, { "dest-uuid": "7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1", "type": "uses" }, { "dest-uuid": 
"86724806-7ec9-4a48-a0a7-ecbde3bf4810", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "88d31120-5bc7-4ce3-a9c0-7cf147be8e54", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "a0082cfa-32e2-42b8-92d8-5c7a7409dcf1", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", "type": "uses" }, { "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "type": "uses" }, { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "type": "uses" }, { "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", "type": "uses" }, { "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18", "type": "uses" }, { "dest-uuid": "b1ccd744-3f78-4a0e-9bb2-2002057f7928", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "b4694861-542c-48ea-9eb1-10d356e7140a", "type": "uses" }, { "dest-uuid": "b77b563c-34bb-4fb8-86a3-3694338f7b47", "type": "uses" }, { "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", "type": "uses" }, { "dest-uuid": "b8902400-e6c5-4ba2-95aa-2d35b442b118", "type": "uses" }, { "dest-uuid": "ba724df5-9aa0-45ca-8e0e-7101c208ae48", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "baf60e1a-afe5-4d31-830f-1b1ba2351884", "type": "uses" }, { "dest-uuid": "bc76d0a4-db11-4551-9ac4-01a469cfb161", "type": "uses" }, { "dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4", "type": "uses" }, { "dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5", "type": "uses" }, { "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", "type": "uses" }, { "dest-uuid": "cb69b20d-56d0-41ab-8440-4a4b251614d4", "type": "uses" }, { "dest-uuid": 
"cbb66055-0325-4111-aca0-40547b6ad5b0", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", "type": "uses" }, { "dest-uuid": "d56c99fa-4710-472c-81a6-41b7a84ea4be", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "type": "uses" }, { "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", "type": "uses" }, { "dest-uuid": "e48df773-7c95-4a4c-ba70-ea3d15900148", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "e74de37c-a829-446c-937d-56a44f0e9306", "type": "uses" }, { "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", "type": "uses" }, { "dest-uuid": "ed730f20-0e44-48b9-85f8-0e2adeb76867", "type": "uses" }, { "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", "type": "uses" }, { "dest-uuid": "f6ad61ee-65f3-4bd0-a3f5-2f0accb36317", "type": "uses" }, { "dest-uuid": "f873db71-3d53-41d5-b141-530675ade27a", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "f98bac6b-12fd-4cad-be84-c84666932232", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "f9cc4d06-775f-4ee1-b401-4e2cc0da30ba", "type": "uses" }, { "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", "type": "uses" }, { "dest-uuid": "ba724df5-9aa0-45ca-8e0e-7101c208ae48", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "f98bac6b-12fd-4cad-be84-c84666932232", "tags": [ "estimative-language:likelihood-probability=\"likely\"" 
], "type": "similar" }, { "dest-uuid": "f873db71-3d53-41d5-b141-530675ade27a", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "86724806-7ec9-4a48-a0a7-ecbde3bf4810", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "42be2a84-5a5c-4c6d-9864-3f09d75bb0ba", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "d56c99fa-4710-472c-81a6-41b7a84ea4be", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "a0082cfa-32e2-42b8-92d8-5c7a7409dcf1", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "b96e02f1-4037-463f-b158-5a964352f8d9", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" } ], "uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13", "value": "Magic Hound - G0059" }, { "description": "[Stolen Pencil](https://attack.mitre.org/groups/G0086) is a threat group likely originating from DPRK that has been active since at least May 2018. 
The group appears to have targeted academic institutions, but its motives remain unclear.(Citation: Netscout Stolen Pencil Dec 2018)", "meta": { "external_id": "G0086", "refs": [ "https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/", "https://attack.mitre.org/groups/G0086" ], "synonyms": [ "Stolen Pencil" ] }, "related": [ { "dest-uuid": "0ec2f388-bf0f-4b5c-97b1-fc736d26c25f", "type": "revoked-by" } ], "uuid": "7a0d4c09-dfe7-4fa2-965a-1a0e42fedd70", "value": "Stolen Pencil - G0086" }, { "description": "[Gorgon Group](https://attack.mitre.org/groups/G0078) is a threat group consisting of members who are suspected to be Pakistan-based or have other connections to Pakistan. The group has performed a mix of criminal and targeted attacks, including campaigns against government organizations in the United Kingdom, Spain, Russia, and the United States. (Citation: Unit 42 Gorgon Group Aug 2018)", "meta": { "external_id": "G0078", "refs": [ "https://attack.mitre.org/groups/G0078", "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/" ], "synonyms": [ "Gorgon Group" ] }, "related": [ { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "7cd0bc75-055b-4098-a00e-83dc8beaff14", "type": "uses" }, { "dest-uuid": "806a49c4-970d-43f9-9acc-ac0ee11e6662", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "type": "uses" }, { "dest-uuid": 
"ac08589e-ee59-4935-8667-d845e38fe579", "type": "uses" }, { "dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4", "type": "uses" }, { "dest-uuid": "b4d80f8b-d2b9-4448-8844-4bef777ed676", "type": "uses" }, { "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d906e6f7-434c-44c0-b51a-ed50af8f7945", "type": "uses" }, { "dest-uuid": "da04ac30-27da-4959-a67d-450ce47d9470", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "1f21da59-6a13-455b-afd0-d58d0a5a7d27", "value": "Gorgon Group - G0078" }, { "description": "[Bouncing Golf](https://attack.mitre.org/groups/G0097) is a cyberespionage campaign targeting Middle Eastern countries.(Citation: Trend Micro Bouncing Golf 2019)", "meta": { "external_id": "G0097", "refs": [ "https://attack.mitre.org/groups/G0097", "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/" ], "synonyms": [ "Bouncing Golf" ] }, "related": [ { "dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b", "type": "uses" }, { "dest-uuid": "c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "type": "uses" } ], "uuid": "049cef3b-22d5-4be6-b50c-9839c7a34fdd", "value": "Bouncing Golf - G0097" }, { "description": "[EXOTIC LILY](https://attack.mitre.org/groups/G1011) is a financially motivated group that has been closely linked with [Wizard Spider](https://attack.mitre.org/groups/G0102) and the deployment of ransomware including [Conti](https://attack.mitre.org/software/S0575) and [Diavol](https://attack.mitre.org/software/S0659). 
[EXOTIC LILY](https://attack.mitre.org/groups/G1011) may be acting as an initial access broker for other malicious actors, and has targeted a wide range of industries including IT, cybersecurity, and healthcare since at least September 2021.(Citation: Google EXOTIC LILY March 2022)", "meta": { "external_id": "G1011", "refs": [ "https://attack.mitre.org/groups/G1011", "https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/" ], "synonyms": [ "EXOTIC LILY" ] }, "related": [ { "dest-uuid": "04378e79-4387-468a-a8f7-f974b8254e44", "type": "uses" }, { "dest-uuid": "16cdd21f-da65-4e4f-bc04-dd7d198c7b26", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "3ee16395-03f0-4690-a32e-69ce9ada0f9e", "type": "uses" }, { "dest-uuid": "40f5caa0-4cb7-4117-89fc-d421bb493df3", "type": "uses" }, { "dest-uuid": "65013dd2-bc61-43e3-afb5-a14c4fa7437a", "type": "uses" }, { "dest-uuid": "69f897fd-12a9-4c89-ad6a-46d2f3c38262", "type": "uses" }, { "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", "type": "uses" }, { "dest-uuid": "99fdf3b4-96ef-4ab9-b191-fc683441cad0", "type": "uses" }, { "dest-uuid": "a51eb150-93b1-484b-a503-e51453b127a4", "type": "uses" }, { "dest-uuid": "b1ccd744-3f78-4a0e-9bb2-2002057f7928", "type": "uses" }, { "dest-uuid": "bbe5b322-e2af-4a5e-9625-a4e62bf84ed3", "type": "uses" }, { "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "type": "uses" }, { "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", "type": "uses" }, { "dest-uuid": "f6ad61ee-65f3-4bd0-a3f5-2f0accb36317", "type": "uses" } ], "uuid": "129f2f77-1ab2-4c35-bd5e-21260cee92af", "value": "EXOTIC LILY - G1011" }, { "description": "[Tonto Team](https://attack.mitre.org/groups/G0131) is a suspected Chinese state-sponsored cyber espionage threat group that has primarily targeted 
South Korea, Japan, Taiwan, and the United States since at least 2009; by 2020 they expanded operations to include other Asian as well as Eastern European countries. [Tonto Team](https://attack.mitre.org/groups/G0131) has targeted government, military, energy, mining, financial, education, healthcare, and technology organizations, including through the Heartbeat Campaign (2009-2012) and Operation Bitter Biscuit (2017).(Citation: Kaspersky CactusPete Aug 2020)(Citation: ESET Exchange Mar 2021)(Citation: FireEye Chinese Espionage October 2019)(Citation: ARS Technica China Hack SK April 2017)(Citation: Trend Micro HeartBeat Campaign January 2013)(Citation: Talos Bisonal 10 Years March 2020)", "meta": { "external_id": "G0131", "refs": [ "https://arstechnica.com/information-technology/2017/04/researchers-claim-china-trying-to-hack-south-korea-missile-defense-efforts/", "https://attack.mitre.org/groups/G0131", "https://blog.talosintelligence.com/2020/03/bisonal-10-years-of-play.html", "https://securelist.com/cactuspete-apt-groups-updated-bisonal-backdoor/97962/", "https://vb2020.vblocalhost.com/uploads/VB2020-06.pdf", "https://www.crowdstrike.com/blog/adversaries-targeting-the-manufacturing-industry/", "https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf", "https://www.secureworks.com/research/threat-profiles/bronze-huntley", "https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the-heartbeat-apt-campaign.pdf?", "https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/" ], "synonyms": [ "Tonto Team", "Earth Akhlut", "BRONZE HUNTLEY", "CactusPete", "Karma Panda" ] }, "related": [ { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": 
"2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", "type": "uses" }, { "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", "type": "uses" }, { "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", "type": "uses" }, { "dest-uuid": "65ffc206-d7c1-45b3-b543-f6b726e7840d", "type": "uses" }, { "dest-uuid": "69b8fd78-40e8-4600-ae4d-662c9d7afdb3", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", "type": "uses" }, { "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b", "type": "uses" }, { "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", "type": "uses" }, { "dest-uuid": "b07c2c47-fefb-4d7c-a69e-6a3296171f54", "type": "uses" }, { "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", "type": "uses" }, { "dest-uuid": "b63970b7-ddfb-4aee-97b1-80d335e033a8", "type": "uses" }, { "dest-uuid": "b76b2d94-60e4-4107-a903-4a3a7622fb3b", "type": "uses" }, { "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "type": "uses" }, { "dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "ec9e00dd-0313-4d5b-8105-c20aa47abffc", "type": "uses" } ], "uuid": "c5b81590-6814-4d2a-8baa-15c4b6c7f960", "value": "Tonto Team - G0131" }, { "description": "[GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) is a financially motivated threat group active since at least 2018 that operates the [REvil](https://attack.mitre.org/software/S0496) Ransomware-as-a-Service (RaaS). [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) provides backend infrastructure for affiliates recruited on underground forums to perpetrate high-value deployments. 
By early 2020, [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) started capitalizing on the new trend of stealing data and further extorting victims by threatening to leak the stolen data publicly if they do not pay.(Citation: Secureworks REvil September 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: Secureworks GOLD SOUTHFIELD)(Citation: CrowdStrike Evolution of Pinchy Spider July 2021)", "meta": { "external_id": "G0115", "refs": [ "https://attack.mitre.org/groups/G0115", "https://www.crowdstrike.com/blog/the-evolution-of-revil-ransomware-and-pinchy-spider/", "https://www.secureworks.com/blog/revil-the-gandcrab-connection", "https://www.secureworks.com/research/revil-sodinokibi-ransomware", "https://www.secureworks.com/research/threat-profiles/gold-southfield" ], "synonyms": [ "GOLD SOUTHFIELD", "Pinchy Spider" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", "type": "uses" }, { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "type": "uses" }, { "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", "type": "uses" }, { "dest-uuid": "842976c7-f9c8-41b2-8371-41dc64fbe261", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "9fa07bef-9c81-421e-a8e5-ad4366c5a925", "type": "uses" }, { "dest-uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b", "type": "uses" }, { "dest-uuid": "ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", "type": "uses" }, { "dest-uuid": "bd369cd9-abb8-41ce-b5bb-fff23ee86c00", "type": "uses" }, { "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", "type": "uses" } ], "uuid": "c77c5576-ca19-42ed-a36f-4b4486a84133", "value": "GOLD SOUTHFIELD - G0115" }, { "description": "[Scattered Spider](https://attack.mitre.org/groups/G1015) is a cybercriminal group that has been active since at least 2022 targeting customer relationship management and business-process outsourcing (BPO) firms as well as 
telecommunications and technology companies. During campaigns [Scattered Spider](https://attack.mitre.org/groups/G1015) has leveraged targeted social-engineering techniques and attempted to bypass popular endpoint security tools.(Citation: CrowdStrike Scattered Spider Profile)(Citation: CrowdStrike Scattered Spider BYOVD January 2023)(Citation: Crowdstrike TELCO BPO Campaign December 2022)", "meta": { "external_id": "G1015", "refs": [ "https://attack.mitre.org/groups/G1015", "https://www.crowdstrike.com/adversaries/scattered-spider/", "https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/", "https://www.crowdstrike.com/blog/scattered-spider-attempts-to-avoid-detection-with-bring-your-own-vulnerable-driver-tactic/" ], "synonyms": [ "Scattered Spider", "Roasted 0ktapus" ] }, "related": [ { "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", "type": "uses" }, { "dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082", "type": "uses" }, { "dest-uuid": "954a1639-f2d6-407d-aef3-4917622ca493", "type": "uses" }, { "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", "type": "uses" }, { "dest-uuid": "cca0ccb6-a068-4574-a722-b1556f86833a", "type": "uses" } ], "uuid": "44d37b89-a739-4810-9111-0d2617a8939b", "value": "Scattered Spider - G1015" }, { "description": "[Operation Wocao](https://attack.mitre.org/groups/G0116) described activities carried out by a China-based cyber espionage adversary. [Operation Wocao](https://attack.mitre.org/groups/G0116) targeted entities within the government, managed service providers, energy, health care, and technology sectors across several countries, including China, France, Germany, the United Kingdom, and the United States. 
[Operation Wocao](https://attack.mitre.org/groups/G0116) used TTPs and tools similar to those of APT20, suggesting a possible overlap.(Citation: FoxIT Wocao December 2019)", "meta": { "external_id": "G0116", "refs": [ "https://attack.mitre.org/groups/G0116", "https://www.fox-it.com/media/kadlze5c/201912_report_operation_wocao.pdf" ], "synonyms": [ "Operation Wocao" ] }, "related": [], "uuid": "28f04ed3-8e91-4805-b1f6-869020517871", "value": "Operation Wocao - G0116" }, { "description": "[Fox Kitten](https://attack.mitre.org/groups/G0117) is a threat actor with a suspected nexus to the Iranian government that has been active since at least 2017 against entities in the Middle East, North Africa, Europe, Australia, and North America. [Fox Kitten](https://attack.mitre.org/groups/G0117) has targeted multiple industrial verticals including oil and gas, technology, government, defense, healthcare, manufacturing, and engineering.(Citation: ClearkSky Fox Kitten February 2020)(Citation: CrowdStrike PIONEER KITTEN August 2020)(Citation: Dragos PARISITE )(Citation: ClearSky Pay2Kitten December 2020)", "meta": { "external_id": "G0117", "refs": [ "https://attack.mitre.org/groups/G0117", "https://us-cert.cisa.gov/ncas/alerts/aa20-259a", "https://www.clearskysec.com/fox-kitten/", "https://www.clearskysec.com/wp-content/uploads/2020/12/Pay2Kitten.pdf", "https://www.crowdstrike.com/blog/who-is-pioneer-kitten/", "https://www.dragos.com/threat/parisite/" ], "synonyms": [ "Fox Kitten", "UNC757", "Parisite", "Pioneer Kitten" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", "type": "uses" }, { "dest-uuid": "01327cde-66c4-4123-bf34-5f258d59457b", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", "type": "uses" }, { "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", "type": "uses" }, { "dest-uuid": 
"2db31dcd-54da-405d-acef-b9129b816ed6", "type": "uses" }, { "dest-uuid": "2f7f03bb-f367-4a5a-ad9b-310a12a48906", "type": "uses" }, { "dest-uuid": "315f51f0-6b03-4c1e-bfb2-84740afb8e21", "type": "uses" }, { "dest-uuid": "3298ce88-1628-43b1-87d9-0b5336b193d7", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "type": "uses" }, { "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", "type": "uses" }, { "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", "type": "uses" }, { "dest-uuid": "5a3a31fe-5a8f-48e1-bff0-a753e5b1be70", "type": "uses" }, { "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", "type": "uses" }, { "dest-uuid": "5e4a2073-9643-44cb-a0b5-e7f4048446c7", "type": "uses" }, { "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762", "type": "uses" }, { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "type": "uses" }, { "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", "type": "uses" }, { "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", "type": "uses" }, { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "type": "uses" }, { "dest-uuid": "77ca1aa3-280c-4b67-abaa-e8fb891a8f83", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", "type": "uses" }, { "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", "type": "uses" }, { "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", "type": "uses" }, { "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", "type": "uses" }, { "dest-uuid": "ae676644-d2d2-41b7-af7e-9bed1b55898c", "type": "uses" }, { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "type": "uses" }, { "dest-uuid": "b1ccd744-3f78-4a0e-9bb2-2002057f7928", "type": "uses" }, { "dest-uuid": 
"b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "cdfc5f0a-9bb9-4352-b896-553cfa2d8fd8", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d28ef391-8ed4-45dc-bc4a-2f43abf54416", "type": "uses" }, { "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", "type": "uses" }, { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "type": "uses" }, { "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", "type": "uses" }, { "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", "type": "uses" }, { "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", "type": "uses" } ], "uuid": "c21dd6f1-1364-4a70-a1f7-783080ec34ee", "value": "Fox Kitten - G0117" }, { "description": "[Volt Typhoon](https://attack.mitre.org/groups/G1017) is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021. [Volt Typhoon](https://attack.mitre.org/groups/G1017) typically focuses on espionage and information gathering and has targeted critical infrastructure organizations in the US including Guam. 
[Volt Typhoon](https://attack.mitre.org/groups/G1017) has emphasized stealth in operations using web shells, living-off-the-land (LOTL) binaries, hands on keyboard activities, and stolen credentials.(Citation: Microsoft Volt Typhoon May 2023)(Citation: Joint Cybersecurity Advisory Volt Typhoon June 2023)(Citation: Secureworks BRONZE SILHOUETTE May 2023)", "meta": { "external_id": "G1017", "refs": [ "https://attack.mitre.org/groups/G1017", "https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF", "https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/", "https://www.secureworks.com/blog/chinese-cyberespionage-group-bronze-silhouette-targets-us-government-and-defense-organizations" ], "synonyms": [ "Volt Typhoon", "BRONZE SILHOUETTE" ] }, "related": [ { "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", "type": "uses" }, { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "0a68f1f1-da74-4d28-8d9a-696c082706cc", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "208884f1-7b83-4473-ac22-4e1cf6c41471", "type": "uses" }, { "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "26c87906-d750-42c5-946c-d4162c73fc7b", "type": "uses" }, { "dest-uuid": "294e2560-bd48-44b2-9da2-833b5588ad11", "type": "uses" }, { "dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6", "type": "uses" }, { "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c", "type": "uses" }, { "dest-uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f", "type": "uses" }, { "dest-uuid": 
"354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3975dbb5-0e1e-4f5b-bae1-cf2ab84b46dc", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "type": "uses" }, { "dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0", "type": "uses" }, { "dest-uuid": "4664b683-f578-434f-919b-1c1aad2a1111", "type": "uses" }, { "dest-uuid": "5a63f900-5e7e-4928-a746-dd4558e1df71", "type": "uses" }, { "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", "type": "uses" }, { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", "type": "uses" }, { "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", "type": "uses" }, { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "type": "uses" }, { "dest-uuid": "7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1", "type": "uses" }, { "dest-uuid": "810d8072-afb6-4a56-9ee7-86379ac4a6f3", "type": "uses" }, { "dest-uuid": "866d0d6d-02c6-42bd-aa2f-02907fdc0969", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "981acc4c-2ede-4b56-be6e-fa1a75f37acf", "type": "uses" }, { "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b", "type": "uses" }, { "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "type": "uses" }, { "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", "type": "uses" }, { "dest-uuid": "b77b563c-34bb-4fb8-86a3-3694338f7b47", "type": "uses" }, { "dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": 
"d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "e196b5c5-8118-4a1c-ab8a-936586ce3db5", "type": "uses" }, { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "type": "uses" }, { "dest-uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58", "type": "uses" }, { "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", "type": "uses" }, { "dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755", "type": "uses" }, { "dest-uuid": "f91162cc-1686-4ff8-8115-bf3f61a4cc7a", "type": "uses" } ], "uuid": "174279b4-399f-4ddb-966e-5efedd1dd5f2", "value": "Volt Typhoon - G1017" }, { "description": "[Indrik Spider](https://attack.mitre.org/groups/G0119) is a Russia-based cybercriminal group that has been active since at least 2014. [Indrik Spider](https://attack.mitre.org/groups/G0119) initially started with the [Dridex](https://attack.mitre.org/software/S0384) banking Trojan, and then by 2017 they began running ransomware operations using [BitPaymer](https://attack.mitre.org/software/S0570), [WastedLocker](https://attack.mitre.org/software/S0612), and Hades ransomware. Following U.S. 
sanctions and an indictment in 2019, [Indrik Spider](https://attack.mitre.org/groups/G0119) changed their tactics and diversified their toolset.(Citation: Crowdstrike Indrik November 2018)(Citation: Crowdstrike EvilCorp March 2021)(Citation: Treasury EvilCorp Dec 2019)", "meta": { "external_id": "G0119", "refs": [ "https://attack.mitre.org/groups/G0119", "https://home.treasury.gov/news/press-releases/sm845", "https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/", "https://www.crowdstrike.com/blog/hades-ransomware-successor-to-indrik-spiders-wastedlocker/" ], "synonyms": [ "Indrik Spider", "Evil Corp" ] }, "related": [ { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", "type": "uses" }, { "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", "type": "uses" }, { "dest-uuid": "3433a9e8-1c47-4320-b9bf-ed449061d1c3", "type": "uses" }, { "dest-uuid": "46cbafbc-8907-42d3-9002-5327c26f8927", "type": "uses" }, { "dest-uuid": "5d2be8b9-d24c-4e98-83bf-2f5f79477163", "type": "uses" }, { "dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2", "type": "uses" }, { "dest-uuid": "65013dd2-bc61-43e3-afb5-a14c4fa7437a", "type": "uses" }, { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "a7881f21-e978-4fe4-af56-92c9416a2616", "type": "uses" }, { "dest-uuid": "a7b5df47-73bb-4d47-b701-869f185633a6", "type": "uses" }, { "dest-uuid": 
"ac08589e-ee59-4935-8667-d845e38fe579", "type": "uses" }, { "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", "type": "uses" }, { "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", "type": "uses" }, { "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", "type": "uses" }, { "dest-uuid": "e196b5c5-8118-4a1c-ab8a-936586ce3db5", "type": "uses" }, { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f01e2711-4b48-4192-a2e8-5f56c945ca19", "type": "uses" }, { "dest-uuid": "fa766a65-5136-4ff3-8429-36d08eaa0100", "type": "uses" }, { "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", "type": "uses" } ], "uuid": "01e28736-2ffc-455b-9880-ed4d1407ae07", "value": "Indrik Spider - G0119" }, { "description": "[Silent Librarian](https://attack.mitre.org/groups/G0122) is a group that has targeted research and proprietary data at universities, government agencies, and private sector companies worldwide since at least 2013. 
Members of [Silent Librarian](https://attack.mitre.org/groups/G0122) are known to have been affiliated with the Iran-based Mabna Institute which has conducted cyber intrusions at the behest of the government of Iran, specifically the Islamic Revolutionary Guard Corps (IRGC).(Citation: DOJ Iran Indictments March 2018)(Citation: Phish Labs Silent Librarian)(Citation: Malwarebytes Silent Librarian October 2020)", "meta": { "external_id": "G0122", "refs": [ "https://attack.mitre.org/groups/G0122", "https://blog.malwarebytes.com/malwarebytes-news/2020/10/silent-librarian-apt-phishing-attack/", "https://info.phishlabs.com/blog/silent-librarian-more-to-the-story-of-the-iranian-mabna-institute-indictment", "https://www.justice.gov/usao-sdny/press-release/file/1045781/download", "https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta407-silent-librarian", "https://www.secureworks.com/blog/back-to-school-cobalt-dickens-targets-universities", "https://www.secureworks.com/blog/cobalt-dickens-goes-back-to-school-again" ], "synonyms": [ "Silent Librarian", "TA407", "COBALT DICKENS" ] }, "related": [ { "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f", "type": "uses" }, { "dest-uuid": "16cdd21f-da65-4e4f-bc04-dd7d198c7b26", "type": "uses" }, { "dest-uuid": "19401639-28d0-4c3c-adcc-bc2ba22f6421", "type": "uses" }, { "dest-uuid": "2d3f5b3c-54ca-4f4d-bb1f-849346d31230", "type": "uses" }, { "dest-uuid": "40f5caa0-4cb7-4117-89fc-d421bb493df3", "type": "uses" }, { "dest-uuid": "65013dd2-bc61-43e3-afb5-a14c4fa7437a", "type": "uses" }, { "dest-uuid": "692074ae-bb62-4a5e-a735-02cb6bde458c", "type": "uses" }, { "dest-uuid": "69f897fd-12a9-4c89-ad6a-46d2f3c38262", "type": "uses" }, { "dest-uuid": "76551c52-b111-4884-bc47-ff3e728f0156", "type": "uses" }, { "dest-uuid": "7d77a07d-02fe-4e88-8bd9-e9c008c01bf0", "type": "uses" }, { "dest-uuid": "84ae8255-b4f4-4237-b5c5-e717405a9701", "type": "uses" }, { "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "type": "uses" }, { 
"dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "type": "uses" } ], "uuid": "90784c1e-4aba-40eb-9adf-7556235e6384", "value": "Silent Librarian - G0122" }, { "description": "[Volatile Cedar](https://attack.mitre.org/groups/G0123) is a Lebanese threat group that has targeted individuals, companies, and institutions worldwide. [Volatile Cedar](https://attack.mitre.org/groups/G0123) has been operating since 2012 and is motivated by political and ideological interests.(Citation: CheckPoint Volatile Cedar March 2015)(Citation: ClearSky Lebanese Cedar Jan 2021)", "meta": { "external_id": "G0123", "refs": [ "https://attack.mitre.org/groups/G0123", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2015/03/20082004/volatile-cedar-technical-report.pdf", "https://www.clearskysec.com/wp-content/uploads/2021/01/Lebanese-Cedar-APT.pdf" ], "synonyms": [ "Volatile Cedar", "Lebanese Cedar" ] }, "related": [ { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "type": "uses" }, { "dest-uuid": "5502c4e9-24ef-4d5f-8ee9-9e906c2f82c4", "type": "uses" }, { "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", "type": "uses" }, { "dest-uuid": "6a21e3a4-5ffe-4581-af9a-6a54c7536f44", "type": "uses" }, { "dest-uuid": "751b77e6-af1f-483b-93fe-eddf17f92a64", "type": "uses" }, { "dest-uuid": "bed04f7d-e48a-4e76-bd0f-4c57fe31fc46", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "b2e34388-6938-4c59-a702-80dc219e15e3", "value": "Volatile Cedar - G0123" }, { "description": "[Mustang Panda](https://attack.mitre.org/groups/G0129) is a China-based cyber espionage threat actor that was first observed in 2017 but may have been conducting operations since at least 2014. 
[Mustang Panda](https://attack.mitre.org/groups/G0129) has targeted government entities, nonprofits, religious, and other non-governmental organizations in the U.S., Europe, Mongolia, Myanmar, Pakistan, and Vietnam, among others.(Citation: Crowdstrike MUSTANG PANDA June 2018)(Citation: Anomali MUSTANG PANDA October 2019)(Citation: Secureworks BRONZE PRESIDENT December 2019) ", "meta": { "external_id": "G0129", "refs": [ "https://attack.mitre.org/groups/G0129", "https://go.recordedfuture.com/hubfs/reports/cta-2020-0728.pdf", "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations", "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/", "https://www.proofpoint.com/us/blog/threat-insight/good-bad-and-web-bug-ta416-increases-operational-tempo-against-european", "https://www.proofpoint.com/us/blog/threat-insight/ta416-goes-ground-and-returns-golang-plugx-malware-loader", "https://www.secureworks.com/research/bronze-president-targets-ngos" ], "synonyms": [ "Mustang Panda", "TA416", "RedDelta", "BRONZE PRESIDENT" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", "type": "uses" }, { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "03acae53-9b98-46f6-b204-16b930839055", "type": "uses" }, { "dest-uuid": "11f29a39-0942-4d62-92b6-fe236cf3066e", "type": "uses" }, { "dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", "type": "uses" }, { "dest-uuid": 
"2cd950a6-16c4-404a-aa01-044322395107", "type": "uses" }, { "dest-uuid": "2d3f5b3c-54ca-4f4d-bb1f-849346d31230", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4", "type": "uses" }, { "dest-uuid": "3ee16395-03f0-4690-a32e-69ce9ada0f9e", "type": "uses" }, { "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", "type": "uses" }, { "dest-uuid": "40f5caa0-4cb7-4117-89fc-d421bb493df3", "type": "uses" }, { "dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5", "type": "uses" }, { "dest-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd", "type": "uses" }, { "dest-uuid": "65013dd2-bc61-43e3-afb5-a14c4fa7437a", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "type": "uses" }, { "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", "type": "uses" }, { "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", "type": "uses" }, { "dest-uuid": "84771bc3-f6a0-403e-b144-01af70e5fda0", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "a3e1e6c5-9c74-4fc0-a16c-a9d228c17829", "type": "uses" }, { "dest-uuid": "a7881f21-e978-4fe4-af56-92c9416a2616", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "b42378e0-f147-496f-992a-26a49705395b", "type": "uses" }, { "dest-uuid": "b63970b7-ddfb-4aee-97b1-80d335e033a8", "type": "uses" }, { "dest-uuid": 
"be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58", "type": "uses" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d", "type": "uses" }, { "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", "type": "uses" }, { "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", "type": "uses" } ], "uuid": "420ac20b-f2b9-42b8-aa1a-6d4b72895ca4", "value": "Mustang Panda - G0129" }, { "description": "\n[Nomadic Octopus](https://attack.mitre.org/groups/G0133) is a Russian-speaking cyber espionage threat group that has primarily targeted Central Asia, including local governments, diplomatic missions, and individuals, since at least 2014. 
[Nomadic Octopus](https://attack.mitre.org/groups/G0133) has been observed conducting campaigns involving Android and Windows malware, mainly using the Delphi programming language, and building custom variants.(Citation: Security Affairs DustSquad Oct 2018)(Citation: Securelist Octopus Oct 2018)(Citation: ESET Nomadic Octopus 2018)", "meta": { "external_id": "G0133", "refs": [ "https://attack.mitre.org/groups/G0133", "https://securelist.com/octopus-infested-seas-of-central-asia/88200/", "https://securityaffairs.co/wordpress/77165/apt/russia-linked-apt-dustsquad.html", "https://www.securityweek.com/russia-linked-hackers-target-diplomatic-entities-central-asia", "https://www.virusbulletin.com/uploads/pdf/conference_slides/2018/Cherepanov-VB2018-Octopus.pdf" ], "synonyms": [ "Nomadic Octopus", "DustSquad" ] }, "related": [ { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "e2031fd5-02c2-43d4-85e2-b64f474530c2", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "fed4f0a2-4347-4530-b0f5-6dfd49b29172", "value": "Nomadic Octopus - G0133" }, { "description": "[Aquatic Panda](https://attack.mitre.org/groups/G0143) is a suspected China-based threat group with a dual mission of intelligence collection and industrial espionage. 
Active since at least May 2020, [Aquatic Panda](https://attack.mitre.org/groups/G0143) has primarily targeted entities in the telecommunications, technology, and government sectors.(Citation: CrowdStrike AQUATIC PANDA December 2021)", "meta": { "external_id": "G0143", "refs": [ "https://attack.mitre.org/groups/G0143", "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/" ], "synonyms": [ "Aquatic Panda" ] }, "related": [ { "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", "type": "uses" }, { "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", "type": "uses" }, { "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "5502c4e9-24ef-4d5f-8ee9-9e906c2f82c4", "type": "uses" }, { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "type": "uses" }, { "dest-uuid": "7807d3a4-a885-4639-a786-c1ed41484970", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "type": "uses" }, { "dest-uuid": "a7881f21-e978-4fe4-af56-92c9416a2616", "type": "uses" }, { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "d906e6f7-434c-44c0-b51a-ed50af8f7945", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "64b52e7d-b2c4-4a02-9372-08a463f5dc11", "value": "Aquatic Panda - G0143" }, { "description": "[Transparent Tribe](https://attack.mitre.org/groups/G0134) is a suspected Pakistan-based threat group that has been active since at least 2013, primarily targeting 
diplomatic, defense, and research organizations in India and Afghanistan.(Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Kaspersky Transparent Tribe August 2020)(Citation: Talos Transparent Tribe May 2021)", "meta": { "external_id": "G0134", "refs": [ "https://adversary.crowdstrike.com/en-US/adversary/mythic-leopard/", "https://attack.mitre.org/groups/G0134", "https://blog.talosintelligence.com/2021/05/transparent-tribe-infra-and-targeting.html", "https://securelist.com/transparent-tribe-part-1/98127/", "https://unit42.paloaltonetworks.com/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe/", "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf", "https://www.secureworks.com/research/threat-profiles/copper-fieldstone" ], "synonyms": [ "Transparent Tribe", "COPPER FIELDSTONE", "APT36", "Mythic Leopard", "ProjectM" ] }, "related": [ { "dest-uuid": "084517bc-b8e7-5c86-a218-3f19e1379f3e", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "31fe0ba2-62fd-4fd9-9293-4043d84f7fe9", "type": "uses" }, { "dest-uuid": "326af1cd-78e7-45b7-a326-125d2f7ef8f2", "type": "uses" }, { "dest-uuid": "40f5caa0-4cb7-4117-89fc-d421bb493df3", "type": "uses" }, { "dest-uuid": "53ab35c2-d00e-491a-8753-41d35ae7e547", "type": "uses" }, { "dest-uuid": "5864e59f-eb4c-43ad-83b2-b5e4fae056c9", "type": "uses" }, { "dest-uuid": "6c2550d5-a01a-4bbb-a004-6ead348ba623", "type": "uses" }, { "dest-uuid": "7bd9c723-2f78-4309-82c5-47cad406572b", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": 
"be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "type": "uses" }, { "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", "type": "uses" }, { "dest-uuid": "d906e6f7-434c-44c0-b51a-ed50af8f7945", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d", "type": "uses" }, { "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", "type": "uses" }, { "dest-uuid": "f9cc4d06-775f-4ee1-b401-4e2cc0da30ba", "type": "uses" } ], "uuid": "e44e0985-bc65-4a8f-b578-211c858128e3", "value": "Transparent Tribe - G0134" }, { "description": "[Ferocious Kitten](https://attack.mitre.org/groups/G0137) is a threat group that has primarily targeted Persian-speaking individuals in Iran since at least 2015.(Citation: Kaspersky Ferocious Kitten Jun 2021)", "meta": { "external_id": "G0137", "refs": [ "https://attack.mitre.org/groups/G0137", "https://securelist.com/ferocious-kitten-6-years-of-covert-surveillance-in-iran/102806/" ], "synonyms": [ "Ferocious Kitten" ] }, "related": [ { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "40f5caa0-4cb7-4117-89fc-d421bb493df3", "type": "uses" }, { "dest-uuid": "532c6004-b1e8-415b-9516-f7c14ba783b1", "type": "uses" }, { "dest-uuid": "64764dc6-a032-495f-8250-1e4c06bdc163", "type": "uses" }, { "dest-uuid": "77eae145-55db-4519-8ae5-77b0c7215d69", "type": "uses" }, { "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "type": "uses" } ], "uuid": "6566aac9-dad8-4332-ae73-20c23bad7f02", "value": "Ferocious Kitten - G0137" }, { "description": "[LAPSUS$](https://attack.mitre.org/groups/G1004) is a cyber criminal threat group that has been active since at least mid-2021. 
[LAPSUS$](https://attack.mitre.org/groups/G1004) specializes in large-scale social engineering and extortion operations, including destructive attacks without the use of ransomware. The group has targeted organizations globally, including in the government, manufacturing, higher education, energy, healthcare, technology, telecommunications, and media sectors.(Citation: BBC LAPSUS Apr 2022)(Citation: MSTIC DEV-0537 Mar 2022)(Citation: UNIT 42 LAPSUS Mar 2022)", "meta": { "external_id": "G1004", "refs": [ "https://attack.mitre.org/groups/G1004", "https://unit42.paloaltonetworks.com/lapsus-group/", "https://www.bbc.com/news/technology-60953527", "https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/" ], "synonyms": [ "LAPSUS$", "DEV-0537" ] }, "related": [ { "dest-uuid": "0a241b6c-7bb2-48f9-98f7-128145b4d27f", "type": "uses" }, { "dest-uuid": "0c4b4fda-9062-47da-98b9-ceae2dcf052a", "type": "uses" }, { "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", "type": "uses" }, { "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", "type": "uses" }, { "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", "type": "uses" }, { "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c", "type": "uses" }, { "dest-uuid": "2dbbdcd5-92cf-44c0-aea2-fe24783a6bc3", "type": "uses" }, { "dest-uuid": "315f51f0-6b03-4c1e-bfb2-84740afb8e21", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3dc8c101-d4db-4f4d-8150-1b5a76ca5f1b", "type": "uses" }, { "dest-uuid": "5282dd9a-d26d-4e16-88b7-7c0f4553daf4", "type": "uses" }, { "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", "type": "uses" }, { "dest-uuid": "69f897fd-12a9-4c89-ad6a-46d2f3c38262", "type": "uses" }, { "dest-uuid": "6a5d222a-a7e0-4656-b110-782c33098289", "type": "uses" }, { "dest-uuid": "6ee2dc99-91ad-4534-a7d8-a649358c331f", "type": "uses" }, { "dest-uuid": "70857657-bd0b-4695-ad3e-b13f92cac1b4", 
"type": "uses" }, { "dest-uuid": "70910fbd-58dc-4c1c-8c48-814d11fcd022", "type": "uses" }, { "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", "type": "uses" }, { "dest-uuid": "7807d3a4-a885-4639-a786-c1ed41484970", "type": "uses" }, { "dest-uuid": "79da0971-3147-4af6-a4f5-e8cd447cd795", "type": "uses" }, { "dest-uuid": "7ad38ef1-381a-406d-872a-38b136eb5ecc", "type": "uses" }, { "dest-uuid": "7d77a07d-02fe-4e88-8bd9-e9c008c01bf0", "type": "uses" }, { "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", "type": "uses" }, { "dest-uuid": "954a1639-f2d6-407d-aef3-4917622ca493", "type": "uses" }, { "dest-uuid": "9664ad0e-789e-40ac-82e2-d7b17fbe8fb3", "type": "uses" }, { "dest-uuid": "9fa07bef-9c81-421e-a8e5-ad4366c5a925", "type": "uses" }, { "dest-uuid": "a009cb25-4801-4116-9105-80a91cf15c1b", "type": "uses" }, { "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "type": "uses" }, { "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", "type": "uses" }, { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "type": "uses" }, { "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", "type": "uses" }, { "dest-uuid": "b24e2a20-3b3d-4bf0-823b-1ed765398fb0", "type": "uses" }, { "dest-uuid": "bc76d0a4-db11-4551-9ac4-01a469cfb161", "type": "uses" }, { "dest-uuid": "c2f59d25-87fe-44aa-8f83-e8e59d077bf5", "type": "uses" }, { "dest-uuid": "c9e0c59e-162e-40a4-b8b1-78fab4329ada", "type": "uses" }, { "dest-uuid": "cc723aff-ec88-40e3-a224-5af9fd983cc4", "type": "uses" }, { "dest-uuid": "cf1c2504-433f-4c4e-a1f8-91de45a0318c", "type": "uses" }, { "dest-uuid": "cff94884-3b1c-4987-a70b-6d5643c621c3", "type": "uses" }, { "dest-uuid": "d28ef391-8ed4-45dc-bc4a-2f43abf54416", "type": "uses" }, { "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", "type": "uses" }, { "dest-uuid": "dd43c543-bb85-4a6f-aa6e-160d90d06a49", "type": "uses" }, { "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", "type": "uses" }, { "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", "type": "uses" }, { 
"dest-uuid": "f303a39a-6255-4b89-aecc-18c4d8ca7163", "type": "uses" } ], "uuid": "d8bc9788-4f7d-41a9-9e9d-ee1ea18a8cf7", "value": "LAPSUS$ - G1004" }, { "description": "[APT-C-36](https://attack.mitre.org/groups/G0099) is a suspected South American espionage group that has been active since at least 2018. The group mainly targets Colombian government institutions as well as important corporations in the financial sector, petroleum industry, and professional manufacturing.(Citation: QiAnXin APT-C-36 Feb2019)", "meta": { "external_id": "G0099", "refs": [ "https://attack.mitre.org/groups/G0099", "https://web.archive.org/web/20190625182633if_/https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/" ], "synonyms": [ "APT-C-36", "Blind Eagle" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", "type": "uses" }, { "dest-uuid": "8f8cd191-902c-4e83-bf20-b57c8c4640e9", "type": "uses" }, { "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "type": "uses" }, { "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "c4d50cdf-87ce-407d-86d8-862883485842", "value": "APT-C-36 - G0099" }, { "description": "[TEMP.Veles](https://attack.mitre.org/groups/G0088) is a Russia-based threat group that has targeted critical infrastructure. 
The group has been observed utilizing TRITON, a malware framework designed to manipulate industrial safety systems.(Citation: FireEye TRITON 2019)(Citation: FireEye TEMP.Veles 2018)(Citation: FireEye TEMP.Veles JSON April 2019)", "meta": { "external_id": "G0088", "refs": [ "https://attack.mitre.org/groups/G0088", "https://dragos.com/resource/xenotime/", "https://pylos.co/2019/04/12/a-xenotime-to-remember-veles-in-the-wild/", "https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html", "https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html", "https://www.fireeye.com/content/dam/fireeye-www/blog/files/TRITON_Appendix_C.html" ], "synonyms": [ "TEMP.Veles", "XENOTIME" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "20a66013-8dab-4ca3-a67d-766c842c561c", "type": "uses" }, { "dest-uuid": "2db31dcd-54da-405d-acef-b9129b816ed6", "type": "uses" }, { "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611", "type": "uses" }, { "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", "type": "uses" }, { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "type": "uses" }, { "dest-uuid": "6d4a7fb3-5a24-42be-ae61-6728a2b581f6", "type": "uses" }, { "dest-uuid": "795c1a92-3a26-453e-b99a-6a566aa94dc6", "type": "uses" }, { "dest-uuid": "79da0971-3147-4af6-a4f5-e8cd447cd795", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "type": "uses" }, { "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", "type": "uses" }, { "dest-uuid": "b0533c6e-8fea-4788-874f-b799cacc4b92", "type": "uses" }, { 
"dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "type": "uses" }, { "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", "type": "uses" }, { "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", "type": "uses" } ], "uuid": "9538b1a4-4120-4e2d-bf59-3b11fcab05a4", "value": "TEMP.Veles - G0088" }, { "description": "[FIN10](https://attack.mitre.org/groups/G0051) is a financially motivated threat group that has targeted organizations in North America since at least 2013 through 2016. The group uses stolen data exfiltrated from victims to extort organizations. (Citation: FireEye FIN10 June 2017)", "meta": { "external_id": "G0051", "refs": [ "https://attack.mitre.org/groups/G0051", "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin10.pdf" ], "synonyms": [ "FIN10" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "3433a9e8-1c47-4320-b9bf-ed449061d1c3", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "type": "uses" }, { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "type": "uses" }, { "dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", "type": "uses" }, { "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", "type": "uses" }, { "dest-uuid": "6c74fda2-bb04-40bd-a166-8c2d4b952d33", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": 
"f4882e23-8aa7-4b12-b28a-b349c12ee9e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" } ], "uuid": "fbe9387f-34e6-4828-ac28-3080020c597b", "value": "FIN10 - G0051" }, { "description": "[APT12](https://attack.mitre.org/groups/G0005) is a threat group that has been attributed to China. The group has targeted a variety of victims including but not limited to media outlets, high-tech companies, and multiple governments.(Citation: Meyers Numbered Panda)", "meta": { "external_id": "G0005", "refs": [ "http://www.crowdstrike.com/blog/whois-numbered-panda/", "https://attack.mitre.org/groups/G0005", "https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html" ], "synonyms": [ "APT12", "IXESHE", "DynCalc", "Numbered Panda", "DNSCALC" ] }, "related": [ { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "48146604-6693-4db1-bd94-159744726514", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "83a766f8-1501-4b3a-a2de-2e2849e8dfc1", "type": "uses" }, { "dest-uuid": "8beac7c2-48d2-4cd9-9b15-6c452f38ac06", "type": "uses" }, { "dest-uuid": "ad4f146f-e3ec-444a-ba71-24bffd7f0f8e", "type": "uses" }, { "dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4", "type": "uses" }, { "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "type": "uses" }, { "dest-uuid": "d5e96a35-7b0b-4c6a-9533-d63ecbda563e", "type": "uses" }, { "dest-uuid": "48146604-6693-4db1-bd94-159744726514", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "48146604-6693-4db1-bd94-159744726514", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "8beac7c2-48d2-4cd9-9b15-6c452f38ac06", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { 
"dest-uuid": "ad4f146f-e3ec-444a-ba71-24bffd7f0f8e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" } ], "uuid": "c47f937f-1022-4f42-8525-e7a4779a14cb", "value": "APT12 - G0005" }, { "description": "[APT30](https://attack.mitre.org/groups/G0013) is a threat group suspected to be associated with the Chinese government. While [Naikon](https://attack.mitre.org/groups/G0019) shares some characteristics with [APT30](https://attack.mitre.org/groups/G0013), the two groups do not appear to be exact matches.(Citation: FireEye APT30)(Citation: Baumgartner Golovkin Naikon 2015)", "meta": { "external_id": "G0013", "refs": [ "https://attack.mitre.org/groups/G0013", "https://securelist.com/the-naikon-apt/69953/", "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" ], "synonyms": [ "APT30" ] }, "related": [ { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "2f1fd017-9df6-4759-91fb-e7039609b5ff", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "43213480-78f7-4fb3-976f-d48f5f6a4c2a", "type": "uses" }, { "dest-uuid": "53cf6cc4-65aa-445a-bcf8-c3d296f8a7a2", "type": "uses" }, { "dest-uuid": "8b880b41-5139-4807-baa9-309690218719", "type": "uses" }, { "dest-uuid": "b1de6916-7a22-4460-8d26-6b5483ffaa2a", "type": "uses" }, { "dest-uuid": "fb261c56-b80e-43a9-8351-c84081e7213d", "type": "uses" }, { "dest-uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "2f1fd017-9df6-4759-91fb-e7039609b5ff", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": 
"5e0a7cf2-6107-4d5f-9dd0-9df38b1fcba8", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "fb261c56-b80e-43a9-8351-c84081e7213d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" } ], "uuid": "f047ee18-7985-4946-8bfb-4ed754d3a0dd", "value": "APT30 - G0013" }, { "description": "[APT1](https://attack.mitre.org/groups/G0006) is a Chinese threat group that has been attributed to the 2nd Bureau of the People\u2019s Liberation Army (PLA) General Staff Department\u2019s (GSD) 3rd Department, commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398. (Citation: Mandiant APT1)", "meta": { "external_id": "G0006", "refs": [ "http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf", "https://attack.mitre.org/groups/G0006", "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf" ], "synonyms": [ "APT1", "Comment Crew", "Comment Group", "Comment Panda" ] }, "related": [ { "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", "type": "uses" }, { "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "1cb7e1cc-d695-42b1-92f4-fd0112a3c9be", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "1d808f62-cf63-4063-9727-ff6132514c22", "type": "uses" }, { "dest-uuid": "1e9eb839-294b-48cc-b0d3-c45555a2a004", "type": "uses" }, { "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", "type": "uses" }, { "dest-uuid": "27f3ddf8-1b77-4cc2-a4c0-e6da3d31a768", "type": "uses" }, { "dest-uuid": "294e2560-bd48-44b2-9da2-833b5588ad11", "type": "uses" }, { "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f", "type": 
"uses" }, { "dest-uuid": "2fab555f-7664-4623-b4e0-1675ae38190b", "type": "uses" }, { "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", "type": "uses" }, { "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", "type": "uses" }, { "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "40f5caa0-4cb7-4117-89fc-d421bb493df3", "type": "uses" }, { "dest-uuid": "488da8ed-2887-4ef6-a39a-5b69bc6682c6", "type": "uses" }, { "dest-uuid": "4900fabf-1142-4c1f-92f5-0b590e049077", "type": "uses" }, { "dest-uuid": "4fa49fc0-9162-4bdb-a37e-7aa3dcb6d38b", "type": "uses" }, { "dest-uuid": "54eb2bab-125f-4d1c-b999-0c692860bafe", "type": "uses" }, { "dest-uuid": "5a84dc36-df0d-4053-9b7c-f0c388a57283", "type": "uses" }, { "dest-uuid": "65013dd2-bc61-43e3-afb5-a14c4fa7437a", "type": "uses" }, { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7807d3a4-a885-4639-a786-c1ed41484970", "type": "uses" }, { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "9de2308e-7bed-43a3-8e58-f194b3586700", "type": "uses" }, { "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "type": "uses" }, { "dest-uuid": "a52edc76-328d-4596-85e7-d56ef5a9eb69", "type": "uses" }, { "dest-uuid": "aadaee0d-794c-4642-8293-7ec22a99fb1a", "type": "uses" }, { "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", "type": "uses" }, { "dest-uuid": "b07c2c47-fefb-4d7c-a69e-6a3296171f54", "type": "uses" }, { "dest-uuid": "b42378e0-f147-496f-992a-26a49705395b", "type": "uses" }, { "dest-uuid": "b45747dc-87ca-4597-a245-7e16a61bc491", "type": "uses" }, { "dest-uuid": "b4694861-542c-48ea-9eb1-10d356e7140a", "type": "uses" }, { "dest-uuid": "b8eb28e4-48a6-40ae-951a-328714f75eda", "type": "uses" }, { "dest-uuid": 
"c9cd7ec9-40b7-49db-80be-1399eddd9c52", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "e624264c-033a-424d-9fd7-fc9c3bbdb03e", "type": "uses" }, { "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", "type": "uses" }, { "dest-uuid": "f2e8c7a1-cae1-45c4-baf0-6f21bdcbb2c2", "type": "uses" }, { "dest-uuid": "f9cc4d06-775f-4ee1-b401-4e2cc0da30ba", "type": "uses" }, { "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", "type": "uses" }, { "dest-uuid": "1cb7e1cc-d695-42b1-92f4-fd0112a3c9be", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "1cb7e1cc-d695-42b1-92f4-fd0112a3c9be", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" } ], "uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", "value": "APT1 - G0006" }, { "description": "[Axiom](https://attack.mitre.org/groups/G0001) is a suspected Chinese cyber espionage group that has targeted the aerospace, defense, government, manufacturing, and media sectors since at least 2008. 
Some reporting suggests a degree of overlap between [Axiom](https://attack.mitre.org/groups/G0001) and [Winnti Group](https://attack.mitre.org/groups/G0044) but the two groups appear to be distinct based on differences in reporting on TTPs and targeting.(Citation: Kaspersky Winnti April 2013)(Citation: Kaspersky Winnti June 2015)(Citation: Novetta Winnti April 2015)", "meta": { "external_id": "G0001", "refs": [ "http://blogs.cisco.com/security/talos/threat-spotlight-group-72", "https://attack.mitre.org/groups/G0001", "https://securelist.com/games-are-over/70991/", "https://securelist.com/winnti-more-than-just-a-game/37029/", "https://web.archive.org/web/20150412223949/http://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf", "https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf" ], "synonyms": [ "Axiom", "Group 72" ] }, "related": [ { "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "type": "uses" }, { "dest-uuid": "197ef1b9-e764-46c3-b96c-23f77985dc81", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "type": "uses" }, { "dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a", "type": "uses" }, { "dest-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd", "type": "uses" }, { "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", "type": "uses" }, { "dest-uuid": "73a4793a-ce55-4159-b2a6-208ef29b326f", "type": "uses" }, { "dest-uuid": "79da0971-3147-4af6-a4f5-e8cd447cd795", "type": "uses" }, { "dest-uuid": "810d8072-afb6-4a56-9ee7-86379ac4a6f3", "type": "uses" }, { "dest-uuid": "88c621a7-aef9-4ae0-94e3-1fc87123eb24", "type": "uses" }, { "dest-uuid": "94379dec-5c87-49db-b36e-66abc0b81344", "type": "uses" }, { "dest-uuid": "95047f03-4811-4300-922e-1ba937d53a61", "type": "uses" }, { "dest-uuid": "99e30d89-9361-4b73-a999-9e5ff9320bcb", "tags": [ 
"estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "a62a8db3-f23a-4d8f-afd6-9dbc77e7813b", "type": "uses" }, { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "type": "uses" }, { "dest-uuid": "b42378e0-f147-496f-992a-26a49705395b", "type": "uses" }, { "dest-uuid": "b83e166d-13d7-4b52-8677-dff90c548fd7", "type": "uses" }, { "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "type": "uses" }, { "dest-uuid": "cfc75b0d-e579-40ae-ad07-a1ce00d49a6c", "type": "uses" }, { "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", "type": "uses" }, { "dest-uuid": "e0033c16-a07e-48aa-8204-7c3ca669998c", "type": "uses" }, { "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", "type": "uses" }, { "dest-uuid": "eec23884-3fa1-4d8a-ac50-6f104d51e235", "type": "uses" }, { "dest-uuid": "fb28627c-d6ea-4c35-b138-ab5e96ae5445", "type": "uses" }, { "dest-uuid": "c5947e1c-1cbc-434c-94b8-27c7e3be0fff", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "99e30d89-9361-4b73-a999-9e5ff9320bcb", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "24110866-cb22-4c85-a7d2-0413e126694b", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "090242d7-73fc-4738-af68-20162f7a5aae", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" } ], "uuid": "a0cb9370-e39b-44d5-9f50-ef78e412b973", "value": "Axiom - G0001" }, { "description": "[Inception](https://attack.mitre.org/groups/G0100) is a cyber espionage group active since at least 2014. 
The group has targeted multiple industries and governmental entities primarily in Russia, but has also been active in the United States and throughout Europe, Asia, Africa, and the Middle East.(Citation: Unit 42 Inception November 2018)(Citation: Symantec Inception Framework March 2018)(Citation: Kaspersky Cloud Atlas December 2014)", "meta": { "external_id": "G0100", "refs": [ "https://attack.mitre.org/groups/G0100", "https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/inception-framework-hiding-behind-proxies", "https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability/" ], "synonyms": [ "Inception", "Inception Framework", "Cloud Atlas" ] }, "related": [ { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "53486bc7-7748-4716-8190-e4f1fde04c53", "type": "uses" }, { "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", "type": "uses" }, { "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", "type": "uses" }, { "dest-uuid": "8caa18af-4758-4fd3-9600-e8af579e89ed", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "type": "uses" }, { "dest-uuid": 
"a782ebe2-daba-42c7-bc82-e8e9d923162d", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "b76b2d94-60e4-4107-a903-4a3a7622fb3b", "type": "uses" }, { "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", "type": "uses" }, { "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "type": "uses" }, { "dest-uuid": "dc31fe1e-d722-49da-8f5f-92c7b5aff534", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58", "type": "uses" } ], "uuid": "ead23196-d7b6-4ce6-a124-4ab4b67d81bd", "value": "Inception - G0100" }, { "description": "[Turla](https://attack.mitre.org/groups/G0010) is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB). They have compromised victims in over 50 countries since at least 2004, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies. 
[Turla](https://attack.mitre.org/groups/G0010) is known for conducting watering hole and spearphishing campaigns, and leveraging in-house tools and malware, such as [Uroburos](https://attack.mitre.org/software/S0022).(Citation: Kaspersky Turla)(Citation: ESET Gazer Aug 2017)(Citation: CrowdStrike VENOMOUS BEAR)(Citation: ESET Turla Mosquito Jan 2018)(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)", "meta": { "external_id": "G0010", "refs": [ "http://www.secureworks.com/research/threat-profiles/iron-hunter", "https://attack.mitre.org/groups/G0010", "https://blog.talosintelligence.com/2021/09/tinyturla.html", "https://securelist.com/introducing-whitebear/81638/", "https://securelist.com/the-epic-turla-operation/65545/", "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity", "https://www.cisa.gov/sites/default/files/2023-05/aa23-129a_snake_malware_2.pdf", "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-march-venomous-bear/", "https://www.leonardo.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf", "https://www.threatminer.org/report.php?q=waterbug-attack-group.pdf&y=2015#gsc.tab=0&gsc.q=waterbug-attack-group.pdf&gsc.page=1", "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/", "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf", "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf" ], "synonyms": [ "Turla", "IRON HUNTER", "Group 88", "Belugasturgeon", "Waterbug", "WhiteBear", "Snake", "Krypton", "Venomous Bear" ] }, "related": [ { "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", "type": "uses" }, { "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939", "type": "uses" }, { "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", "type": "uses" }, { "dest-uuid": "09fcc02f-f9d4-43fa-8609-5e5e186b7103", "type": "uses" }, { "dest-uuid": 
"0a68f1f1-da74-4d28-8d9a-696c082706cc", "type": "uses" }, { "dest-uuid": "0f2c410d-d740-4ed9-abb1-b8f4a7faf6c3", "type": "uses" }, { "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", "type": "uses" }, { "dest-uuid": "132d5b37-aac5-4378-a8dc-3127b18a73dc", "type": "uses" }, { "dest-uuid": "1b20efbf-8063-4fc3-a07d-b575318a301b", "type": "uses" }, { "dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec", "type": "uses" }, { "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0", "type": "uses" }, { "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", "type": "uses" }, { "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", "type": "uses" }, { "dest-uuid": "2a7c1bb7-cd12-456e-810d-ab3bf8457bab", "type": "uses" }, { "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c", "type": "uses" }, { "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", "type": "uses" }, { "dest-uuid": "2cf7dec3-66fc-423f-b2c7-58f1de243b4e", "type": "uses" }, { "dest-uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f", "type": "uses" }, { "dest-uuid": "30489451-5886-4c46-90c9-0dff9adc5252", "type": "uses" }, { "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", "type": "uses" }, { "dest-uuid": "3433a9e8-1c47-4320-b9bf-ed449061d1c3", "type": "uses" }, { "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "39cc9f64-cf74-4a48-a4d8-fe98c54a02e0", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "type": "uses" }, { "dest-uuid": "4664b683-f578-434f-919b-1c1aad2a1111", "type": "uses" }, { "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", "type": "uses" }, { "dest-uuid": "536be338-e2ef-4a6b-afb6-8d5568b91eb2", "type": "uses" }, { "dest-uuid": 
"54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b", "type": "uses" }, { "dest-uuid": "565275d5-fcc3-4b66-b4e7-928e4cac6b8c", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "677569f9-a8b0-459e-ab24-7f18091fa7bf", "type": "uses" }, { "dest-uuid": "6836813e-8ec8-4375-b459-abb388cb1a35", "type": "uses" }, { "dest-uuid": "6b62e336-176f-417b-856a-8552dd8c44e1", "type": "uses" }, { "dest-uuid": "6ba1d7ae-d60b-43e6-9f08-a8b787e9d9cb", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", "type": "uses" }, { "dest-uuid": "76abb3ef-dafd-4762-97cb-a35379429db4", "type": "uses" }, { "dest-uuid": "7807d3a4-a885-4639-a786-c1ed41484970", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "type": "uses" }, { "dest-uuid": "7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1", "type": "uses" }, { "dest-uuid": "80a014ba-3fef-4768-990b-37d8bd10d7f4", "type": "uses" }, { "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", "type": "uses" }, { "dest-uuid": "88d31120-5bc7-4ce3-a9c0-7cf147be8e54", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", "type": "uses" }, { "dest-uuid": "925a6c52-5cf0-4fec-99de-b0d6917d8593", "type": "uses" }, { "dest-uuid": "92b55426-109f-4d93-899f-1833ce91ff90", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b", "type": "uses" }, { "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "type": "uses" }, { "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", "type": "uses" }, { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "type": "uses" }, { "dest-uuid": 
"ae797531-3219-49a4-bccf-324ad7a4c7b2", "type": "uses" }, { "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", "type": "uses" }, { "dest-uuid": "b0533c6e-8fea-4788-874f-b799cacc4b92", "type": "uses" }, { "dest-uuid": "b1595ddd-a783-482a-90e1-8afc8d48467e", "type": "uses" }, { "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", "type": "uses" }, { "dest-uuid": "b35068ec-107a-4266-bda8-eb7036267aea", "type": "uses" }, { "dest-uuid": "b6075259-dba3-44e9-87c7-e954f37ec0d5", "type": "uses" }, { "dest-uuid": "b63970b7-ddfb-4aee-97b1-80d335e033a8", "type": "uses" }, { "dest-uuid": "b7e9880a-7a7c-4162-bddb-e28e8ef2bf1f", "type": "uses" }, { "dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4", "type": "uses" }, { "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b", "type": "uses" }, { "dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5", "type": "uses" }, { "dest-uuid": "c097471c-2405-4393-b6d7-afbcb5f0cd11", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1", "type": "uses" }, { "dest-uuid": "cde2d700-9ed1-46cf-9bce-07364fe8b24f", "type": "uses" }, { "dest-uuid": "d18cb958-f4ad-4fb3-bb4f-e8994d206550", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d28ef391-8ed4-45dc-bc4a-2f43abf54416", "type": "uses" }, { "dest-uuid": "d336b553-5da9-46ca-98a8-0b23f49fb447", "type": "uses" }, { "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", "type": "uses" }, { "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", "type": "uses" }, { "dest-uuid": "da5880b4-f7da-4869-85f2-e0aba84b8565", "type": "uses" }, { "dest-uuid": "dcac85c1-6485-4790-84f6-de5e6f6b91dd", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": 
"dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "e196b5c5-8118-4a1c-ab8a-936586ce3db5", "type": "uses" }, { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", "type": "uses" }, { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "type": "uses" }, { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "uses" }, { "dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755", "type": "uses" }, { "dest-uuid": "fa80877c-f509-4daf-8b62-20aba1635f68", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", "type": "uses" }, { "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", "type": "uses" }, { "dest-uuid": "fa80877c-f509-4daf-8b62-20aba1635f68", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "c097471c-2405-4393-b6d7-afbcb5f0cd11", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "6b62e336-176f-417b-856a-8552dd8c44e1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" } ], "uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6", "value": "Turla - G0010" }, { "description": "[APT32](https://attack.mitre.org/groups/G0050) is a suspected Vietnam-based threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments, dissidents, and journalists with a strong focus on Southeast Asian countries like Vietnam, the Philippines, Laos, and Cambodia. 
They have extensively used strategic web compromises to compromise victims.(Citation: FireEye APT32 May 2017)(Citation: Volexity OceanLotus Nov 2017)(Citation: ESET OceanLotus)", "meta": { "external_id": "G0050", "refs": [ "https://attack.mitre.org/groups/G0050", "https://www.amnestyusa.org/wp-content/uploads/2021/02/Click-and-Bait_Vietnamese-Human-Rights-Defenders-Targeted-with-Spyware-Attacks.pdf", "https://www.cybereason.com/blog/operation-cobalt-kitty-apt", "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html", "https://www.volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/", "https://www.welivesecurity.com/2018/03/13/oceanlotus-ships-new-backdoor/", "https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/" ], "synonyms": [ "APT32", "SeaLotus", "OceanLotus", "APT-C-00" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "02c5abff-30bf-4703-ab92-1f6072fae939", "type": "uses" }, { "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, { "dest-uuid": "08e844a8-371f-4fe3-9d1f-e056e64a7fde", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "09b130a2-a77e-4af0-a361-f46f9aad1345", "type": "uses" }, { "dest-uuid": "09cd431f-eaf4-4d2a-acaf-2a7acfe7ed58", "type": "uses" }, { "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "type": "uses" }, { "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { 
"dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", "type": "uses" }, { "dest-uuid": "294e2560-bd48-44b2-9da2-833b5588ad11", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", "type": "uses" }, { "dest-uuid": "2c4d4e92-0ccf-4a97-b54c-86d662988a53", "type": "uses" }, { "dest-uuid": "2d3f5b3c-54ca-4f4d-bb1f-849346d31230", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "30489451-5886-4c46-90c9-0dff9adc5252", "type": "uses" }, { "dest-uuid": "31fe0ba2-62fd-4fd9-9293-4043d84f7fe9", "type": "uses" }, { "dest-uuid": "341e222a-a6e3-4f6f-b69c-831d792b1580", "type": "uses" }, { "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3ee16395-03f0-4690-a32e-69ce9ada0f9e", "type": "uses" }, { "dest-uuid": "40f5caa0-4cb7-4117-89fc-d421bb493df3", "type": "uses" }, { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "type": "uses" }, { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "type": "uses" }, { "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611", "type": "uses" }, { "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", "type": "uses" }, { "dest-uuid": "5282dd9a-d26d-4e16-88b7-7c0f4553daf4", "type": "uses" }, { "dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a", "type": "uses" }, { "dest-uuid": "54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "5a63f900-5e7e-4928-a746-dd4558e1df71", "type": "uses" }, { "dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5", "type": "uses" }, { "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", "type": "uses" }, { "dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2", "type": "uses" }, { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "type": "uses" }, { "dest-uuid": 
"69f897fd-12a9-4c89-ad6a-46d2f3c38262", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "type": "uses" }, { "dest-uuid": "7b211ac6-c815-4189-93a9-ab415deca926", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", "type": "uses" }, { "dest-uuid": "7dbb67c7-270a-40ad-836e-c45f8948aa5a", "type": "uses" }, { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "type": "uses" }, { "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", "type": "uses" }, { "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", "type": "uses" }, { "dest-uuid": "88d31120-5bc7-4ce3-a9c0-7cf147be8e54", "type": "uses" }, { "dest-uuid": "8c1d01ff-fdc0-4586-99bd-c248e0761af5", "type": "uses" }, { "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "98e8a977-3416-43aa-87fa-33e287e9c14c", "type": "uses" }, { "dest-uuid": "9ca488bd-9587-48ef-b923-1743523e63b2", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "type": "uses" }, { "dest-uuid": "a7881f21-e978-4fe4-af56-92c9416a2616", "type": "uses" }, { "dest-uuid": "aa29ae56-e54b-47a2-ad16-d3ab0242d5d7", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "ad1a6df6-2251-5e47-a245-8693c1ace8fb", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", "type": "uses" }, { "dest-uuid": "b00f90b6-c75c-4bfd-b813-ca9e6c9ebf29", "type": "uses" }, { "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18", "type": "uses" }, { "dest-uuid": 
"b1ccd744-3f78-4a0e-9bb2-2002057f7928", "type": "uses" }, { "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", "type": "uses" }, { "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", "type": "uses" }, { "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "type": "uses" }, { "dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "type": "uses" }, { "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", "type": "uses" }, { "dest-uuid": "e624264c-033a-424d-9fd7-fc9c3bbdb03e", "type": "uses" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "eac3d77f-2b7b-4599-ba74-948dc16633ad", "type": "uses" }, { "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d", "type": "uses" }, { "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", "type": "uses" }, { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "type": "uses" }, { "dest-uuid": "f25aab1a-0cef-4910-a85d-bb38b32ea41a", "type": "uses" }, { "dest-uuid": "f2857333-11d4-45bf-b064-2c28d8525be5", "type": "uses" }, { "dest-uuid": "f6ae7a52-f3b6-4525-9daf-640c083f006e", "type": "uses" }, { "dest-uuid": 
"fb8d023d-45be-47e9-bc51-f56bcae6435b", "type": "uses" }, { "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", "type": "uses" }, { "dest-uuid": "7e5a571f-dee2-4cae-a960-f8ab8a8fb1cf", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "aa29ae56-e54b-47a2-ad16-d3ab0242d5d7", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" } ], "uuid": "247cb30b-955f-42eb-97a5-a89fef69341e", "value": "APT32 - G0050" }, { "description": "[TA505](https://attack.mitre.org/groups/G0092) is a cyber criminal group that has been active since at least 2014. [TA505](https://attack.mitre.org/groups/G0092) is known for frequently changing malware, driving global trends in criminal malware distribution, and ransomware campaigns involving [Clop](https://attack.mitre.org/software/S0611).(Citation: Proofpoint TA505 Sep 2017)(Citation: Proofpoint TA505 June 2018)(Citation: Proofpoint TA505 Jan 2019)(Citation: NCC Group TA505)(Citation: Korean FSI TA505 2020)", "meta": { "external_id": "G0092", "refs": [ "https://attack.mitre.org/groups/G0092", "https://research.nccgroup.com/2020/11/18/ta505-a-brief-history-of-their-time/", "https://securityintelligence.com/posts/ta505-continues-to-infect-networks-with-sdbbot-rat/", "https://www.fsec.or.kr/user/bbs/fsec/163/344/bbsDataView/1382.do?page=1&column=&search=&searchSDate=&searchEDate=&bbsDataCategory=", "https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505", "https://www.proofpoint.com/us/threat-insight/post/ta505-shifts-times", "https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta505-dridex-globeimposter" ], "synonyms": [ "TA505", "Hive0065" ] }, "related": [ { "dest-uuid": "00806466-754d-44ea-ad6f-0caf59cb8556", "type": "uses" }, { 
"dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", "type": "uses" }, { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, { "dest-uuid": "05318127-5962-444b-b900-a9dcfe0ff6e9", "type": "uses" }, { "dest-uuid": "066b057c-944e-4cfc-b654-e3dfba04b926", "type": "uses" }, { "dest-uuid": "099ecff2-41b8-436d-843c-038a9aa9aa69", "type": "uses" }, { "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", "type": "uses" }, { "dest-uuid": "13cd9151-83b7-410d-9f98-25d0f0d1d80d", "type": "uses" }, { "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce", "type": "uses" }, { "dest-uuid": "232a7e42-cd6e-4902-8fe9-2960f529dd4d", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "29ba5a15-3b7b-4732-b817-65ea8f6468e6", "type": "uses" }, { "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082", "type": "uses" }, { "dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "3ee16395-03f0-4690-a32e-69ce9ada0f9e", "type": "uses" }, { "dest-uuid": "40f5caa0-4cb7-4117-89fc-d421bb493df3", "type": "uses" }, { "dest-uuid": "43155329-3edf-47a6-9a14-7dac899b01e4", "type": "uses" }, { "dest-uuid": "432555de-63bf-4f2a-a3fa-f720a4561078", "type": "uses" }, { "dest-uuid": "4bc31b94-045b-4752-8920-aebaebdb6470", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", "type": "uses" }, { "dest-uuid": "7807d3a4-a885-4639-a786-c1ed41484970", "type": "uses" }, { "dest-uuid": "7e7c2fba-7cca-486c-9582-4c1bb2851961", "type": "uses" }, { "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", "type": "uses" }, { "dest-uuid": 
"92b03a94-7147-4952-9d5a-b4d24da7487c", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "type": "uses" }, { "dest-uuid": "a7881f21-e978-4fe4-af56-92c9416a2616", "type": "uses" }, { "dest-uuid": "aae22730-e571-4d17-b037-65f2a3e26213", "type": "uses" }, { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "type": "uses" }, { "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", "type": "uses" }, { "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", "type": "uses" }, { "dest-uuid": "cad3ba95-8c89-4146-ab10-08daa813f9de", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", "type": "uses" }, { "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", "type": "uses" }, { "dest-uuid": "f01e2711-4b48-4192-a2e8-5f56c945ca19", "type": "uses" }, { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "uses" }, { "dest-uuid": "f59508a6-3615-47c3-b493-6676e1a39a87", "type": "uses" }, { "dest-uuid": "f9b05f33-d45d-4e4d-aafe-c208d38a0080", "type": "uses" } ], "uuid": "7eda3dd8-b09b-4705-8090-c2ad9fb8c14d", "value": "TA505 - G0092" }, { "description": "[APT28](https://attack.mitre.org/groups/G0007) is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.(Citation: NSA/FBI Drovorub August 2020) This group has been active since at least 2004.(Citation: 
DOJ GRU Indictment Jul 2018) (Citation: Ars Technica GRU indictment Jul 2018) (Citation: Crowdstrike DNC June 2016) (Citation: FireEye APT28) (Citation: SecureWorks TG-4127) (Citation: FireEye APT28 January 2017) (Citation: GRIZZLY STEPPE JAR) (Citation: Sofacy DealersChoice) (Citation: Palo Alto Sofacy 06-2018) (Citation: Symantec APT28 Oct 2018) (Citation: ESET Zebrocy May 2019)\n\n[APT28](https://attack.mitre.org/groups/G0007) reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election. (Citation: Crowdstrike DNC June 2016) In 2018, the US indicted five GRU Unit 26165 officers associated with [APT28](https://attack.mitre.org/groups/G0007) for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.(Citation: US District Court Indictment GRU Oct 2018) Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as [Sandworm Team](https://attack.mitre.org/groups/G0034). 
", "meta": { "external_id": "G0007", "refs": [ "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf", "https://arstechnica.com/information-technology/2018/07/from-bitly-to-x-agent-how-gru-hackers-targeted-the-2016-presidential-election/", "https://attack.mitre.org/groups/G0007", "https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html", "https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF", "https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/", "https://researchcenter.paloaltonetworks.com/2018/03/unit42-sofacy-uses-dealerschoice-target-european-government-agency/", "https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/", "https://securelist.com/a-slice-of-2017-sofacy-activity/83930/", "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/", "https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50", "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf", "https://www.justice.gov/file/1080281/download", "https://www.justice.gov/opa/page/file/1098481/download", "https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/", "https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign", "https://www.symantec.com/blogs/election-security/apt28-espionage-military-government", "https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf", "https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/", "https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf" ], "synonyms": [ "APT28", "SNAKEMACKEREL", "Swallowtail", "Group 74", 
"Sednit", "Sofacy", "Pawn Storm", "Fancy Bear", "STRONTIUM", "Tsar Team", "Threat Group-4127", "TG-4127" ] }, "related": [ { "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", "type": "uses" }, { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", "type": "uses" }, { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, { "dest-uuid": "08d20cd2-f084-45ee-8558-fa6ef5a18519", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119", "type": "uses" }, { "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "type": "uses" }, { "dest-uuid": "0a68f1f1-da74-4d28-8d9a-696c082706cc", "type": "uses" }, { "dest-uuid": "0c4b4fda-9062-47da-98b9-ceae2dcf052a", "type": "uses" }, { "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", "type": "uses" }, { "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", "type": "uses" }, { "dest-uuid": "1b7b1806-7746-41a1-a35d-e48dae25ddba", "type": "uses" }, { "dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "213cdde9-c11a-4ea9-8ce0-c868e9826fec", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "232a7e42-cd6e-4902-8fe9-2960f529dd4d", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "27f3ddf8-1b77-4cc2-a4c0-e6da3d31a768", "type": "uses" }, { "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", "type": "uses" }, { "dest-uuid": "2d3f5b3c-54ca-4f4d-bb1f-849346d31230", "type": "uses" }, { "dest-uuid": "2dd34b01-6110-4aac-835d-b5e7b936b0be", "type": "uses" }, { "dest-uuid": 
"2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", "type": "uses" }, { "dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529", "type": "uses" }, { "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", "type": "uses" }, { "dest-uuid": "359b00ad-9425-420b-bba5-6de8d600cbc0", "type": "uses" }, { "dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "3d9f700c-5eb5-5d36-a6e7-47b55f2844cd", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "3dc8c101-d4db-4f4d-8150-1b5a76ca5f1b", "type": "uses" }, { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "type": "uses" }, { "dest-uuid": "40597f16-0963-4249-bf4c-ac93b7fb9807", "type": "uses" }, { "dest-uuid": "40f5caa0-4cb7-4117-89fc-d421bb493df3", "type": "uses" }, { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "type": "uses" }, { "dest-uuid": "45242287-2964-4a3e-9373-159fad4d8195", "type": "uses" }, { "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611", "type": "uses" }, { "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", "type": "uses" }, { "dest-uuid": "50d6688b-0985-4f3d-8cbe-0c796b30703b", "type": "uses" }, { "dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a", "type": "uses" }, { "dest-uuid": "54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b", "type": "uses" }, { "dest-uuid": "5502c4e9-24ef-4d5f-8ee9-9e906c2f82c4", "type": "uses" }, { "dest-uuid": "56660521-6db4-4e5a-a927-464f22954b7c", "type": "uses" }, { "dest-uuid": "59a97b15-8189-4d51-9404-e1ce8ea4a069", "type": "uses" }, { "dest-uuid": "5b4ee3ea-eee3-4c8e-8323-85ae32658754", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", "type": "uses" }, { "dest-uuid": 
"60c18d06-7b91-4742-bae3-647845cd9d81", "type": "uses" }, { "dest-uuid": "64196062-5210-42c3-9a02-563a0d1797ef", "type": "uses" }, { "dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2", "type": "uses" }, { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "type": "uses" }, { "dest-uuid": "692074ae-bb62-4a5e-a735-02cb6bde458c", "type": "uses" }, { "dest-uuid": "69b8fd78-40e8-4600-ae4d-662c9d7afdb3", "type": "uses" }, { "dest-uuid": "7343e208-7cab-45f2-a47b-41ba5e2f0fab", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d", "type": "uses" }, { "dest-uuid": "88d31120-5bc7-4ce3-a9c0-7cf147be8e54", "type": "uses" }, { "dest-uuid": "890c9858-598c-401d-a4d5-c67ebcdd703a", "type": "uses" }, { "dest-uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2", "type": "uses" }, { "dest-uuid": "8e350c1d-ac79-4b5c-bd4e-7476d7e84ec5", "type": "uses" }, { "dest-uuid": "8f460983-1bbb-4e7e-8094-f0b5e720f658", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "90ec2b22-7061-4469-b539-0989ec4f96c2", "type": "uses" }, { "dest-uuid": "96fd6cc4-a693-4118-83ec-619e5352d07d", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "99164b38-1775-40bc-b77b-a2373b14540a", "type": "uses" }, { "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "9fa07bef-9c81-421e-a8e5-ad4366c5a925", "type": "uses" }, { "dest-uuid": "a1dd2dbd-1550-44bf-abcc-1a4c52e97719", "type": "uses" }, { "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "type": "uses" }, { "dest-uuid": "a4f57468-fbd5-49e4-8476-52088220b92d", "type": "uses" }, { "dest-uuid": "a782ebe2-daba-42c7-bc82-e8e9d923162d", "type": "uses" }, { "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", "type": "uses" }, { "dest-uuid": 
"ae676644-d2d2-41b7-af7e-9bed1b55898c", "type": "uses" }, { "dest-uuid": "af2ad3b7-ab6a-4807-91fd-51bcaff9acbb", "type": "uses" }, { "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", "type": "uses" }, { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "type": "uses" }, { "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "b4694861-542c-48ea-9eb1-10d356e7140a", "type": "uses" }, { "dest-uuid": "b865dded-0553-4962-a44b-6fe7863effed", "type": "uses" }, { "dest-uuid": "bc0f5e80-91c0-4e04-9fbb-e4e332c85dae", "type": "uses" }, { "dest-uuid": "bc76d0a4-db11-4551-9ac4-01a469cfb161", "type": "uses" }, { "dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4", "type": "uses" }, { "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "type": "uses" }, { "dest-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd", "type": "uses" }, { "dest-uuid": "c8655260-9f4b-44e3-85e1-6538a5f6e4f4", "type": "uses" }, { "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0", "type": "uses" }, { "dest-uuid": "cca0ccb6-a068-4574-a722-b1556f86833a", "type": "uses" }, { "dest-uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d20b397a-ea47-48a9-b503-2e2a3551e11d", "type": "uses" }, { "dest-uuid": "d28ef391-8ed4-45dc-bc4a-2f43abf54416", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", "type": "uses" }, { "dest-uuid": "d74c4a7e-ffbf-432f-9365-7ebf1f787cab", "type": "uses" }, { "dest-uuid": "dc31fe1e-d722-49da-8f5f-92c7b5aff534", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e624264c-033a-424d-9fd7-fc9c3bbdb03e", "type": "uses" }, { "dest-uuid": "e669bb87-f773-4c7b-bfcc-a9ffebfdd8d4", "type": "uses" }, { "dest-uuid": 
"e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "e74de37c-a829-446c-937d-56a44f0e9306", "type": "uses" }, { "dest-uuid": "eb125d40-0b2d-41ac-a71a-3229241c2cd3", "type": "uses" }, { "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d", "type": "uses" }, { "dest-uuid": "ed7d0cb1-87a6-43b4-9f46-ef1bc56d6c68", "type": "uses" }, { "dest-uuid": "ed7efd4d-ce28-4a19-a8e6-c58011eb2c7a", "type": "uses" }, { "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", "type": "uses" }, { "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", "type": "uses" }, { "dest-uuid": "f005e783-57d4-4837-88ad-dbe7faee1c51", "type": "uses" }, { "dest-uuid": "f108215f-3487-489d-be8b-80e346d32518", "type": "uses" }, { "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", "type": "uses" }, { "dest-uuid": "f7c0689c-4dbd-489b-81be-7cb7c7079ade", "type": "uses" }, { "dest-uuid": "f91162cc-1686-4ff8-8115-bf3f61a4cc7a", "type": "uses" }, { "dest-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73", "type": "uses" }, { "dest-uuid": "fe926152-f431-4baf-956c-4ad3cb0bf23b", "type": "uses" }, { "dest-uuid": "213cdde9-c11a-4ea9-8ce0-c868e9826fec", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "5b4ee3ea-eee3-4c8e-8323-85ae32658754", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "5b4ee3ea-eee3-4c8e-8323-85ae32658754", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "213cdde9-c11a-4ea9-8ce0-c868e9826fec", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "213cdde9-c11a-4ea9-8ce0-c868e9826fec", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "5b4ee3ea-eee3-4c8e-8323-85ae32658754", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": 
"62b8c999-dcc0-4755-bd69-09442d9359f5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" } ], "uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", "value": "APT28 - G0007" }, { "description": "[Equation](https://attack.mitre.org/groups/G0020) is a sophisticated threat group that employs multiple remote access tools. The group is known to use zero-day exploits and has developed the capability to overwrite the firmware of hard disk drives. (Citation: Kaspersky Equation QA)", "meta": { "external_id": "G0020", "refs": [ "https://attack.mitre.org/groups/G0020", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064459/Equation_group_questions_and_answers.pdf" ], "synonyms": [ "Equation" ] }, "related": [ { "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", "type": "uses" }, { "dest-uuid": "791481f8-e96a-41be-b089-a088763083d4", "type": "uses" }, { "dest-uuid": "dfebc3b7-d19d-450b-81c7-6dafe4184c04", "type": "uses" }, { "dest-uuid": "f244b8dd-af6c-4391-a497-fc03627ce995", "type": "uses" }, { "dest-uuid": "10d5f3b7-6be6-4da5-9a77-0f1e2bbfcc44", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" } ], "uuid": "96e239be-ad99-49eb-b127-3007b8c1bec9", "value": "Equation - G0020" }, { "description": "[Moafee](https://attack.mitre.org/groups/G0002) is a threat group that appears to operate from the Guangdong Province of China. Due to overlapping TTPs, including similar custom tools, Moafee is thought to have a direct or indirect relationship with the threat group [DragonOK](https://attack.mitre.org/groups/G0017). 
(Citation: Haq 2014)", "meta": { "external_id": "G0002", "refs": [ "https://attack.mitre.org/groups/G0002", "https://www.fireeye.com/blog/threat-research/2014/09/the-path-to-mass-producing-cyber-attacks.html" ], "synonyms": [ "Moafee" ] }, "related": [ { "dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5", "type": "uses" }, { "dest-uuid": "a9b44750-992c-4743-8922-129880d277ea", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "b42378e0-f147-496f-992a-26a49705395b", "type": "uses" }, { "dest-uuid": "a9b44750-992c-4743-8922-129880d277ea", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "f3bdec95-3d62-42d9-a840-29630f6cdc1a", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "519630c5-f03f-4882-825c-3af924935817", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" } ], "uuid": "2e5d3a83-fe00-41a5-9b60-237efc84832f", "value": "Moafee - G0002" }, { "description": "[Ke3chang](https://attack.mitre.org/groups/G0004) is a threat group attributed to actors operating out of China. 
[Ke3chang](https://attack.mitre.org/groups/G0004) has targeted oil, government, diplomatic, military, and NGOs in Central and South America, the Caribbean, Europe, and North America since at least 2010.(Citation: Mandiant Operation Ke3chang November 2014)(Citation: NCC Group APT15 Alive and Strong)(Citation: APT15 Intezer June 2018)(Citation: Microsoft NICKEL December 2021)", "meta": { "external_id": "G0004", "refs": [ "https://attack.mitre.org/groups/G0004", "https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/", "https://web.archive.org/web/20180615122133/https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/", "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf", "https://www.mandiant.com/resources/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs", "https://www.microsoft.com/security/blog/2021/12/06/nickel-targeting-government-organizations-across-latin-america-and-europe" ], "synonyms": [ "Ke3chang", "APT15", "Mirage", "Vixen Panda", "GREF", "Playful Dragon", "RoyalAPT", "NICKEL" ] }, "related": [ { "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", "type": "uses" }, { "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "0c4b4fda-9062-47da-98b9-ceae2dcf052a", "type": "uses" }, { "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", "type": "uses" }, { "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", "type": "uses" }, { "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc", "type": "uses" }, { "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0", "type": "uses" }, { "dest-uuid": 
"21875073-b0ee-49e3-9077-1e2a885359af", "type": "uses" }, { "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", "type": "uses" }, { "dest-uuid": "294e2560-bd48-44b2-9da2-833b5588ad11", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c", "type": "uses" }, { "dest-uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f", "type": "uses" }, { "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", "type": "uses" }, { "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", "type": "uses" }, { "dest-uuid": "33b9e38f-103c-412d-bdcf-904a91fff1e4", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "type": "uses" }, { "dest-uuid": "4664b683-f578-434f-919b-1c1aad2a1111", "type": "uses" }, { "dest-uuid": "4b6ec280-7bbb-48ff-ae59-b189520ebe83", "type": "uses" }, { "dest-uuid": "4d7bf2ac-f953-4907-b114-be44dc174d67", "type": "uses" }, { "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", "type": "uses" }, { "dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a", "type": "uses" }, { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "type": "uses" }, { "dest-uuid": "768dce68-8d0d-477a-b01d-0eea98b963a1", "type": "uses" }, { "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9", "type": "uses" }, { "dest-uuid": "77eae145-55db-4519-8ae5-77b0c7215d69", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "type": "uses" }, { "dest-uuid": "7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1", "type": "uses" }, { "dest-uuid": 
"8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "type": "uses" }, { "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", "type": "uses" }, { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "b4694861-542c-48ea-9eb1-10d356e7140a", "type": "uses" }, { "dest-uuid": "b77b563c-34bb-4fb8-86a3-3694338f7b47", "type": "uses" }, { "dest-uuid": "c1b68a96-3c48-49ea-a6c0-9b27359f9c19", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "type": "uses" }, { "dest-uuid": "e3cedcfe-6515-4348-af65-7f2c4157bf0d", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", "type": "uses" }, { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "type": "uses" }, { "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", "type": "uses" }, { "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" } ], "uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c", "value": "Ke3chang - G0004" }, { "description": "[Cleaver](https://attack.mitre.org/groups/G0003) is a threat group that has been attributed to Iranian actors and is responsible for activity tracked as Operation Cleaver. (Citation: Cylance Cleaver) Strong circumstantial evidence suggests Cleaver is linked to Threat Group 2889 (TG-2889). 
(Citation: Dell Threat Group 2889)", "meta": { "external_id": "G0003", "refs": [ "http://www.secureworks.com/cyber-threat-intelligence/threats/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles/", "https://attack.mitre.org/groups/G0003", "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" ], "synonyms": [ "Cleaver", "Threat Group 2889", "TG-2889" ] }, "related": [ { "dest-uuid": "11e17436-6ede-4733-8547-4ce0254ea19e", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0", "type": "uses" }, { "dest-uuid": "271e6d40-e191-421a-8f87-a8102452c201", "type": "uses" }, { "dest-uuid": "42be2a84-5a5c-4c6d-9864-3f09d75bb0ba", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "type": "uses" }, { "dest-uuid": "86724806-7ec9-4a48-a0a7-ecbde3bf4810", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "9108e212-1c94-4f8d-be76-1aad9b4c86a4", "type": "uses" }, { "dest-uuid": "a0082cfa-32e2-42b8-92d8-5c7a7409dcf1", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "type": "uses" }, { "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", "type": "uses" }, { "dest-uuid": "b1ccd744-3f78-4a0e-9bb2-2002057f7928", "type": "uses" }, { "dest-uuid": "ba724df5-9aa0-45ca-8e0e-7101c208ae48", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "c0c45d38-fe57-4cd4-b2b2-9ecd0ddd4ca9", "type": "uses" }, { "dest-uuid": "c2ffd229-11bb-4fd8-9208-edbe97b14c93", "type": "uses" }, { "dest-uuid": "cabe189c-a0e3-4965-a473-dcff00f17213", "type": "uses" }, { "dest-uuid": "d56c99fa-4710-472c-81a6-41b7a84ea4be", "tags": [ 
"estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "f873db71-3d53-41d5-b141-530675ade27a", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "f98bac6b-12fd-4cad-be84-c84666932232", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "fddd81e9-dd3d-477e-9773-4fb8ae227234", "type": "uses" }, { "dest-uuid": "fde50aaa-f5de-4cb8-989a-babb57d6a704", "type": "uses" }, { "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", "type": "uses" }, { "dest-uuid": "11e17436-6ede-4733-8547-4ce0254ea19e", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "86724806-7ec9-4a48-a0a7-ecbde3bf4810", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "42be2a84-5a5c-4c6d-9864-3f09d75bb0ba", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "d56c99fa-4710-472c-81a6-41b7a84ea4be", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "a0082cfa-32e2-42b8-92d8-5c7a7409dcf1", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "b96e02f1-4037-463f-b158-5a964352f8d9", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "ba724df5-9aa0-45ca-8e0e-7101c208ae48", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "f98bac6b-12fd-4cad-be84-c84666932232", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "f873db71-3d53-41d5-b141-530675ade27a", "tags": [ 
"estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "11e17436-6ede-4733-8547-4ce0254ea19e", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "86724806-7ec9-4a48-a0a7-ecbde3bf4810", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "42be2a84-5a5c-4c6d-9864-3f09d75bb0ba", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "d56c99fa-4710-472c-81a6-41b7a84ea4be", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "a0082cfa-32e2-42b8-92d8-5c7a7409dcf1", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "b96e02f1-4037-463f-b158-5a964352f8d9", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "ba724df5-9aa0-45ca-8e0e-7101c208ae48", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "f98bac6b-12fd-4cad-be84-c84666932232", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "f873db71-3d53-41d5-b141-530675ade27a", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "c0c45d38-fe57-4cd4-b2b2-9ecd0ddd4ca9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" } ], "uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063", "value": "Cleaver - G0003" }, { "description": "[Patchwork](https://attack.mitre.org/groups/G0040) is a cyber espionage group that was first observed in December 2015. 
While the group has not been definitively attributed, circumstantial evidence suggests the group may be a pro-Indian or Indian entity. [Patchwork](https://attack.mitre.org/groups/G0040) has been seen targeting industries related to diplomatic and government agencies. Much of the code used by this group was copied and pasted from online forums. [Patchwork](https://attack.mitre.org/groups/G0040) was also seen operating spearphishing campaigns targeting U.S. think tank groups in March and April of 2018.(Citation: Cymmetria Patchwork) (Citation: Symantec Patchwork)(Citation: TrendMicro Patchwork Dec 2017)(Citation: Volexity Patchwork June 2018)", "meta": { "external_id": "G0040", "refs": [ "http://enterprise-manage.norman.c.bitbit.net/resources/files/Unveiling_an_Indian_Cyberattack_Infrastructure.pdf", "http://www.symantec.com/connect/blogs/patchwork-cyberespionage-group-expands-targets-governments-wide-range-industries", "https://attack.mitre.org/groups/G0040", "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf", "https://researchcenter.paloaltonetworks.com/2018/03/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/", "https://securelist.com/the-dropping-elephant-actor/75328/", "https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/", "https://web.archive.org/web/20180825085952/https://s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling_Patchwork.pdf", "https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf", "https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/" ], "synonyms": [ "Patchwork", "Hangover Group", "Dropping Elephant", "Chinastrats", "MONSOON", "Operation Hangover" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": 
"04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "type": "uses" }, { "dest-uuid": "13cd9151-83b7-410d-9f98-25d0f0d1d80d", "type": "uses" }, { "dest-uuid": "18d473a5-831b-47a5-97a1-a32156299825", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "231a81cd-4e24-590b-b084-1a4715b30d67", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "232a7e42-cd6e-4902-8fe9-2960f529dd4d", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", "type": "uses" }, { "dest-uuid": "2d3f5b3c-54ca-4f4d-bb1f-849346d31230", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", "type": "uses" }, { "dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082", "type": "uses" }, { "dest-uuid": "34b3f738-bd64-40e5-a112-29b0542bc8bf", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", "type": "uses" }, { "dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "85b39628-204a-48d2-b377-ec368cbcb7ca", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": 
"a2fdce72-04b2-409a-ac10-cc1695f4fce0", "type": "uses" }, { "dest-uuid": "ab3580c8-8435-4117-aace-3d9fbe46aa56", "type": "uses" }, { "dest-uuid": "b0533c6e-8fea-4788-874f-b799cacc4b92", "type": "uses" }, { "dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4", "type": "uses" }, { "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "type": "uses" }, { "dest-uuid": "c13d9621-aca7-436b-ab3d-3a95badb3d00", "type": "uses" }, { "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "d1183cb9-258e-4f2f-8415-50ac8252c49e", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", "type": "uses" }, { "dest-uuid": "da04ac30-27da-4959-a67d-450ce47d9470", "type": "uses" }, { "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "e9595678-d269-469e-ae6b-75e49259de63", "type": "uses" }, { "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", "type": "uses" }, { "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", "type": "uses" }, { "dest-uuid": "f5352566-1a64-49ac-8f7f-97e1d1a03300", "type": "uses" }, { "dest-uuid": "f7827069-0bf2-4764-af4f-23fae0d181b7", "type": "uses" }, { "dest-uuid": "9559ecaf-2e75-48a7-aee8-9974020bc772", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "18d473a5-831b-47a5-97a1-a32156299825", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": 
"cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" } ], "uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", "value": "Patchwork - G0040" }, { "description": "[Carbanak](https://attack.mitre.org/groups/G0008) is a cybercriminal group that has used [Carbanak](https://attack.mitre.org/software/S0030) malware to target financial institutions since at least 2013. [Carbanak](https://attack.mitre.org/groups/G0008) may be linked to groups tracked separately as [Cobalt Group](https://attack.mitre.org/groups/G0080) and [FIN7](https://attack.mitre.org/groups/G0046) that have also used [Carbanak](https://attack.mitre.org/software/S0030) malware.(Citation: Kaspersky Carbanak)(Citation: FireEye FIN7 April 2017)(Citation: Europol Cobalt Mar 2018)(Citation: Secureworks GOLD NIAGARA Threat Profile)(Citation: Secureworks GOLD KINGSWOOD Threat Profile)", "meta": { "external_id": "G0008", "refs": [ "https://attack.mitre.org/groups/G0008", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064518/Carbanak_APT_eng.pdf", "https://www.europol.europa.eu/newsroom/news/mastermind-behind-eur-1-billion-cyber-bank-robbery-arrested-in-spain", "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html", "https://www.fox-it.com/en/news/blog/anunak-aka-carbanak-update/", "https://www.secureworks.com/research/threat-profiles/gold-kingswood?filter=item-financial-gain", "https://www.secureworks.com/research/threat-profiles/gold-niagara" ], "synonyms": [ "Carbanak", "Anunak" ] }, "related": [ { "dest-uuid": "00220228-a5a4-4032-a30d-826bb55aa3fb", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": 
"4061e78c-1284-44b4-9116-73e4ac3912f7", "type": "uses" }, { "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", "type": "uses" }, { "dest-uuid": "5a63f900-5e7e-4928-a746-dd4558e1df71", "type": "uses" }, { "dest-uuid": "72f54d66-675d-4587-9bd3-4ed09f9522e4", "type": "uses" }, { "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", "type": "uses" }, { "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "type": "uses" }, { "dest-uuid": "a4aba29f-fb91-50d9-bdf9-2b184922a200", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", "type": "uses" }, { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "type": "uses" }, { "dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4", "type": "uses" }, { "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", "type": "uses" }, { "dest-uuid": "3753cc21-2dae-4dfb-8481-d004e74502cc", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "00220228-a5a4-4032-a30d-826bb55aa3fb", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" } ], "uuid": "55033a4d-3ffe-46b2-99b4-2c1541e9ce1c", "value": "Carbanak - G0008" }, { "description": "[WIRTE](https://attack.mitre.org/groups/G0090) is a threat group that has been active since at least August 2018. 
[WIRTE](https://attack.mitre.org/groups/G0090) has targeted government, diplomatic, financial, military, legal, and technology organizations in the Middle East and Europe.(Citation: Lab52 WIRTE Apr 2019)(Citation: Kaspersky WIRTE November 2021)", "meta": { "external_id": "G0090", "refs": [ "https://attack.mitre.org/groups/G0090", "https://lab52.io/blog/wirte-group-attacking-the-middle-east/", "https://securelist.com/wirtes-campaign-in-the-middle-east-living-off-the-land-since-at-least-2019/105044" ], "synonyms": [ "WIRTE" ] }, "related": [ { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "3433a9e8-1c47-4320-b9bf-ed449061d1c3", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "73d08401-005f-4e1f-90b9-8f45d120879f", "type": "uses" }, { "dest-uuid": "9020f5c7-efde-4125-a4f1-1b70f1274ddd", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "type": "uses" }, { "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18", "type": "uses" }, { "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "f8cb7b36-62ef-4488-8a6d-a7033e3271c1", "value": "WIRTE - G0090" }, { "description": "[HEXANE](https://attack.mitre.org/groups/G1001) is a cyber espionage threat group that has targeted oil & gas, telecommunications, aviation, and internet service provider organizations since at least 2017. Targeted companies have been located in the Middle East and Africa, including Israel, Saudi Arabia, Kuwait, Morocco, and Tunisia. 
[HEXANE](https://attack.mitre.org/groups/G1001)'s TTPs appear similar to [APT33](https://attack.mitre.org/groups/G0064) and [OilRig](https://attack.mitre.org/groups/G0049) but due to differences in victims and tools it is tracked as a separate entity.(Citation: Dragos Hexane)(Citation: Kaspersky Lyceum October 2021)(Citation: ClearSky Siamesekitten August 2021)(Citation: Accenture Lyceum Targets November 2021)", "meta": { "external_id": "G1001", "refs": [ "https://attack.mitre.org/groups/G1001", "https://dragos.com/resource/hexane/", "https://vblocalhost.com/uploads/VB2021-Kayal-etal.pdf", "https://www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns", "https://www.clearskysec.com/siamesekitten/", "https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign" ], "synonyms": [ "HEXANE", "Lyceum", "Siamesekitten", "Spirlin" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "132d5b37-aac5-4378-a8dc-3127b18a73dc", "type": "uses" }, { "dest-uuid": "197ef1b9-e764-46c3-b96c-23f77985dc81", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "294e2560-bd48-44b2-9da2-833b5588ad11", "type": "uses" }, { "dest-uuid": "3433a9e8-1c47-4320-b9bf-ed449061d1c3", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3dc8c101-d4db-4f4d-8150-1b5a76ca5f1b", "type": "uses" }, { "dest-uuid": "3ee16395-03f0-4690-a32e-69ce9ada0f9e", "type": "uses" }, { "dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0", "type": "uses" }, { "dest-uuid": "40f5caa0-4cb7-4117-89fc-d421bb493df3", "type": "uses" }, { "dest-uuid": "4664b683-f578-434f-919b-1c1aad2a1111", "type": "uses" }, { "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", "type": "uses" }, { 
"dest-uuid": "4b57c098-f043-4da2-83ef-7588a6d426bc", "type": "uses" }, { "dest-uuid": "5282dd9a-d26d-4e16-88b7-7c0f4553daf4", "type": "uses" }, { "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", "type": "uses" }, { "dest-uuid": "64764dc6-a032-495f-8250-1e4c06bdc163", "type": "uses" }, { "dest-uuid": "65013dd2-bc61-43e3-afb5-a14c4fa7437a", "type": "uses" }, { "dest-uuid": "692074ae-bb62-4a5e-a735-02cb6bde458c", "type": "uses" }, { "dest-uuid": "69f897fd-12a9-4c89-ad6a-46d2f3c38262", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "type": "uses" }, { "dest-uuid": "8a2867f9-e8fc-4bf1-a860-ef6e46311900", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "99854cc8-f202-4e03-aa0a-4f8a4af93229", "type": "uses" }, { "dest-uuid": "9e7452df-5144-4b6e-b04a-b66dd4016747", "type": "uses" }, { "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b", "type": "uses" }, { "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "type": "uses" }, { "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", "type": "uses" }, { "dest-uuid": "aea6d6b8-d832-4c90-a1bb-f52c6684db6c", "type": "uses" }, { "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", "type": "uses" }, { "dest-uuid": "b1ccd744-3f78-4a0e-9bb2-2002057f7928", "type": "uses" }, { "dest-uuid": "b77b563c-34bb-4fb8-86a3-3694338f7b47", "type": "uses" }, { "dest-uuid": "b8d48deb-450c-44f6-a934-ac8765aa89cb", "type": "uses" }, { "dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4", "type": "uses" }, { "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b", "type": "uses" }, { "dest-uuid": "cc723aff-ec88-40e3-a224-5af9fd983cc4", "type": "uses" }, { "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": 
"e358d692-23c0-4a31-9eb6-ecc13a8d7735", "type": "uses" }, { "dest-uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "e7863f5d-cb6a-4f81-8804-0a635eec160a", "type": "uses" }, { "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", "type": "uses" } ], "uuid": "f29b7c5e-2439-42ad-a86f-9f8984fafae3", "value": "HEXANE - G1001" }, { "description": "[Frankenstein](https://attack.mitre.org/groups/G0101) is a campaign carried out between January and April 2019 by unknown threat actors. The campaign name comes from the actors' ability to piece together several unrelated components.(Citation: Talos Frankenstein June 2019) ", "meta": { "external_id": "G0101", "refs": [ "https://attack.mitre.org/groups/G0101", "https://blog.talosintelligence.com/2019/06/frankenstein-campaign.html" ], "synonyms": [ "Frankenstein" ] }, "related": [], "uuid": "6b1b551c-d770-4f95-8cfc-3cd253c4c04e", "value": "Frankenstein - G0101" }, { "description": "[PittyTiger](https://attack.mitre.org/groups/G0011) is a threat group believed to operate out of China that uses multiple different types of malware to maintain command and control.(Citation: Bizeul 2014)(Citation: Villeneuve 2014)", "meta": { "external_id": "G0011", "refs": [ "https://airbus-cyber-security.com/the-eye-of-the-tiger/", "https://attack.mitre.org/groups/G0011", "https://www.fireeye.com/blog/threat-research/2014/07/spy-of-the-tiger.html" ], "synonyms": [ "PittyTiger" ] }, "related": [ { "dest-uuid": "251fbae2-78f6-4de7-84f6-194c727a64ad", "type": "uses" }, { "dest-uuid": "4d37813c-b8e9-4e58-a758-03168d8aa189", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "88c621a7-aef9-4ae0-94e3-1fc87123eb24", "type": "uses" }, { "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "type": "uses" }, { "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", "type": "uses" }, { "dest-uuid": 
"b07c2c47-fefb-4d7c-a69e-6a3296171f54", "type": "uses" }, { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "type": "uses" }, { "dest-uuid": "b42378e0-f147-496f-992a-26a49705395b", "type": "uses" }, { "dest-uuid": "4d37813c-b8e9-4e58-a758-03168d8aa189", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" } ], "uuid": "fe98767f-9df8-42b9-83c9-004b1dec8647", "value": "PittyTiger - G0011" }, { "description": "[APT16](https://attack.mitre.org/groups/G0023) is a China-based threat group that has launched spearphishing campaigns targeting Japanese and Taiwanese organizations. (Citation: FireEye EPS Awakens Part 2)", "meta": { "external_id": "G0023", "refs": [ "https://attack.mitre.org/groups/G0023", "https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html" ], "synonyms": [ "APT16" ] }, "related": [ { "dest-uuid": "3cab1b76-2f40-4cd0-8d2c-7ed16eeb909c", "type": "uses" }, { "dest-uuid": "5b6ce031-bb86-407a-9984-2b9700ac4549", "type": "uses" }, { "dest-uuid": "e196b5c5-8118-4a1c-ab8a-936586ce3db5", "type": "uses" }, { "dest-uuid": "e51398e6-53dc-4e9f-a323-e54683d8672b", "type": "uses" }, { "dest-uuid": "3cab1b76-2f40-4cd0-8d2c-7ed16eeb909c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" } ], "uuid": "d6e88e18-81e8-4709-82d8-973095da1e70", "value": "APT16 - G0023" }, { "description": "[APT17](https://attack.mitre.org/groups/G0025) is a China-based threat group that has conducted network intrusions against U.S. government entities, the defense industry, law firms, information technology companies, mining companies, and non-government organizations. 
(Citation: FireEye APT17)", "meta": { "external_id": "G0025", "refs": [ "https://attack.mitre.org/groups/G0025", "https://www2.fireeye.com/rs/fireye/images/APT17_Report.pdf" ], "synonyms": [ "APT17", "Deputy Dog" ] }, "related": [ { "dest-uuid": "271e6d40-e191-421a-8f87-a8102452c201", "type": "uses" }, { "dest-uuid": "72c8d526-1247-42d4-919c-6d7a31ca8f39", "type": "uses" }, { "dest-uuid": "88d31120-5bc7-4ce3-a9c0-7cf147be8e54", "type": "uses" }, { "dest-uuid": "9108e212-1c94-4f8d-be76-1aad9b4c86a4", "type": "uses" }, { "dest-uuid": "99e30d89-9361-4b73-a999-9e5ff9320bcb", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "cdfc5f0a-9bb9-4352-b896-553cfa2d8fd8", "type": "uses" }, { "dest-uuid": "d69c8146-ab35-4d50-8382-6fc80e641d43", "type": "uses" }, { "dest-uuid": "c5947e1c-1cbc-434c-94b8-27c7e3be0fff", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "24110866-cb22-4c85-a7d2-0413e126694b", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "99e30d89-9361-4b73-a999-9e5ff9320bcb", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "a0cb9370-e39b-44d5-9f50-ef78e412b973", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "c5947e1c-1cbc-434c-94b8-27c7e3be0fff", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "24110866-cb22-4c85-a7d2-0413e126694b", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "99e30d89-9361-4b73-a999-9e5ff9320bcb", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "a0cb9370-e39b-44d5-9f50-ef78e412b973", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": 
"d69c8146-ab35-4d50-8382-6fc80e641d43", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" } ], "uuid": "090242d7-73fc-4738-af68-20162f7a5aae", "value": "APT17 - G0025" }, { "description": "[APT18](https://attack.mitre.org/groups/G0026) is a threat group that has operated since at least 2009 and has targeted a range of industries, including technology, manufacturing, human rights groups, government, and medical. (Citation: Dell Lateral Movement)", "meta": { "external_id": "G0026", "refs": [ "http://www.secureworks.com/resources/blog/where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems/", "https://attack.mitre.org/groups/G0026", "https://www.anomali.com/blog/evasive-maneuvers-the-wekby-group-attempts-to-evade-analysis-via-custom-rop", "https://www.threatstream.com/blog/evasive-maneuvers-the-wekby-group-attempts-to-evade-analysis-via-custom-rop" ], "synonyms": [ "APT18", "TG-0416", "Dynamite Panda", "Threat Group-0416" ] }, "related": [ { "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", "type": "uses" }, { "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", "type": "uses" }, { "dest-uuid": "2fb07fa4-0d7f-43c7-8ff4-b28404313fe7", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "88c621a7-aef9-4ae0-94e3-1fc87123eb24", "type": "uses" }, { "dest-uuid": "8e28dbee-4e9e-4491-9a6c-ee9c9ec4b28b", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "9a683d9c-8f7d-43df-bba2-ad0ca71e277c", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "9e2bba94-950b-4fcf-8070-cb3f816c5f4e", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": 
"b17a1a56-e99c-403c-8948-561df0cffe81", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "b96680d1-5eb3-4f07-b95c-00ab904ac236", "type": "uses" }, { "dest-uuid": "bba595da-b73a-4354-aa6c-224d4de7cb4e", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e066bf86-9cfb-407a-9d25-26fd5d91e360", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f3d95a1f-bba2-44ce-9af7-37866cd63fd0", "type": "uses" }, { "dest-uuid": "9a683d9c-8f7d-43df-bba2-ad0ca71e277c", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "2fb07fa4-0d7f-43c7-8ff4-b28404313fe7", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "8e28dbee-4e9e-4491-9a6c-ee9c9ec4b28b", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" } ], "uuid": "38fd6a28-3353-4f2b-bb2b-459fecd5c648", "value": "APT18 - G0026" }, { "description": "[APT29](https://attack.mitre.org/groups/G0016) is a threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).(Citation: White House Imposing Costs RU Gov April 2021)(Citation: UK Gov Malign RIS Activity April 2021) They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. 
[APT29](https://attack.mitre.org/groups/G0016) reportedly compromised the Democratic National Committee starting in the summer of 2015.(Citation: F-Secure The Dukes)(Citation: GRIZZLY STEPPE JAR)(Citation: Crowdstrike DNC June 2016)(Citation: UK Gov UK Exposes Russia SolarWinds April 2021)\n\nIn April 2021, the US and UK governments attributed the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024) to the SVR; public statements included citations to [APT29](https://attack.mitre.org/groups/G0016), Cozy Bear, and The Dukes.(Citation: NSA Joint Advisory SVR SolarWinds April 2021)(Citation: UK NSCS Russia SolarWinds April 2021) Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: MSTIC NOBELIUM Mar 2021)(Citation: CrowdStrike SUNSPOT Implant January 2021)(Citation: Volexity SolarWinds)(Citation: Cybersecurity Advisory SVR TTP May 2021)(Citation: Unit 42 SolarStorm December 2020)", "meta": { "external_id": "G0016", "refs": [ "http://www.secureworks.com/research/threat-profiles/iron-hemlock", "https://attack.mitre.org/groups/G0016", "https://labs.sentinelone.com/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/", "https://media.defense.gov/2021/Apr/15/2002621240/-1/-1/0/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF", "https://msrc-blog.microsoft.com/2021/06/25/new-nobelium-activity/", "https://unit42.paloaltonetworks.com/solarstorm-supply-chain-attack-timeline/", "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", "https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/", "https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/", "https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf", 
"https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html", "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", "https://www.gov.uk/government/news/russia-uk-and-us-expose-global-campaigns-of-malign-activity-by-russian-intelligence-services", "https://www.gov.uk/government/news/russia-uk-exposes-russian-involvement-in-solarwinds-cyber-compromise", "https://www.mandiant.com/resources/blog/unc3524-eye-spy-email", "https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/", "https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/", "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/", "https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/", "https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf", "https://www.ncsc.gov.uk/files/Advisory-further-TTPs-associated-with-SVR-cyber-actors.pdf", "https://www.ncsc.gov.uk/news/uk-and-us-call-out-russia-for-solarwinds-compromise", "https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html", "https://www.pwc.co.uk/issues/cyber-security-services/insights/wellmess-analysis-command-control.html", "https://www.secureworks.com/research/threat-profiles/iron-ritual", "https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf", "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/", "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf", 
"https://www.whitehouse.gov/briefing-room/statements-releases/2021/04/15/fact-sheet-imposing-costs-for-harmful-foreign-activities-by-the-russian-government/" ], "synonyms": [ "APT29", "IRON RITUAL", "IRON HEMLOCK", "NobleBaron", "Dark Halo", "StellarParticle", "NOBELIUM", "UNC2452", "YTTRIUM", "The Dukes", "Cozy Bear", "CozyDuke", "SolarStorm", "Blue Kitsune", "UNC3524" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "00c3bfcb-99bd-4767-8c03-b08f585f5c8a", "type": "uses" }, { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "03259939-0b57-482f-8eb5-87c0e0d54334", "type": "uses" }, { "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", "type": "uses" }, { "dest-uuid": "066b057c-944e-4cfc-b654-e3dfba04b926", "type": "uses" }, { "dest-uuid": "09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119", "type": "uses" }, { "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", "type": "uses" }, { "dest-uuid": "11f8d7eb-1927-4806-9267-3a11d4d4d6be", "type": "uses" }, { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "type": "uses" }, { "dest-uuid": "132d5b37-aac5-4378-a8dc-3127b18a73dc", "type": "uses" }, { "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", "type": "uses" }, { "dest-uuid": "199463de-d9be-46d6-bb41-07234c1dd5a6", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "1cec9319-743b-4840-bb65-431547bce82a", "type": "uses" }, { "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc", "type": "uses" }, { "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "26c87906-d750-42c5-946c-d4162c73fc7b", "type": "uses" }, { "dest-uuid": "294e2560-bd48-44b2-9da2-833b5588ad11", "type": "uses" }, { "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", "type": "uses" }, { "dest-uuid": "2c5281dd-b5fd-4531-8aea-c1bf8a0f8756", "type": "uses" }, { 
"dest-uuid": "2daa14d6-cbf3-4308-bb8e-213c324a08e4", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f", "type": "uses" }, { "dest-uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee", "type": "uses" }, { "dest-uuid": "2f8229dc-da94-41c6-89ba-b5b6c32f6b7d", "type": "uses" }, { "dest-uuid": "32f49626-87f4-4d6c-8f59-a0dca953fe26", "type": "uses" }, { "dest-uuid": "3a4197ae-ec63-4162-907b-9a073d1157e4", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3d52e51e-f6db-4719-813c-48002a99f43a", "type": "uses" }, { "dest-uuid": "3d57dcc4-be99-4613-9482-d5218f5ec13e", "type": "uses" }, { "dest-uuid": "3dc8c101-d4db-4f4d-8150-1b5a76ca5f1b", "type": "uses" }, { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "type": "uses" }, { "dest-uuid": "47124daf-44be-4530-9c63-038bc64318dd", "type": "uses" }, { "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611", "type": "uses" }, { "dest-uuid": "4816d361-f82b-4a18-aa05-b215e7cf9200", "type": "uses" }, { "dest-uuid": "4efc3e00-72f2-466a-ab7c-8a7dc6603b19", "type": "uses" }, { "dest-uuid": "54a01db0-9fab-4d5f-8209-53cef8425f4a", "type": "uses" }, { "dest-uuid": "54ca26f3-c172-4231-93e5-ccebcac2161f", "type": "uses" }, { "dest-uuid": "5502c4e9-24ef-4d5f-8ee9-9e906c2f82c4", "type": "uses" }, { "dest-uuid": "55bb4471-ff1f-43b4-88c1-c9384ec47abf", "type": "uses" }, { "dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5", "type": "uses" }, { "dest-uuid": "5c747acd-47f0-4c5a-b9e5-213541fc01e0", "type": "uses" }, { "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", "type": "uses" }, { "dest-uuid": "5e595477-2e78-4ce7-ae42-e0b059b17808", "type": "uses" }, { "dest-uuid": "5e7ef1dc-7fb6-4913-ac75-e06113b59e0c", "type": "uses" }, { "dest-uuid": "65370d0b-3bd4-4653-8cf9-daf56f6be830", "type": "uses" }, { "dest-uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14", "type": "uses" }, { "dest-uuid": 
"692074ae-bb62-4a5e-a735-02cb6bde458c", "type": "uses" }, { "dest-uuid": "6dbdc657-d8e0-4f2f-909b-7251b3e72c6d", "type": "uses" }, { "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", "type": "uses" }, { "dest-uuid": "72911fe3-f085-40f7-b4f2-f25a4221fe44", "type": "uses" }, { "dest-uuid": "7b211ac6-c815-4189-93a9-ab415deca926", "type": "uses" }, { "dest-uuid": "7bd9c723-2f78-4309-82c5-47cad406572b", "type": "uses" }, { "dest-uuid": "7de1f7ac-5d0c-4c9c-8873-627202205331", "type": "uses" }, { "dest-uuid": "7decb26c-715c-40cf-b7e0-026f7d7cc215", "type": "uses" }, { "dest-uuid": "7e7c2fba-7cca-486c-9582-4c1bb2851961", "type": "uses" }, { "dest-uuid": "7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1", "type": "uses" }, { "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", "type": "uses" }, { "dest-uuid": "8861073d-d1b8-4941-82ce-dce621d398f0", "type": "uses" }, { "dest-uuid": "88d31120-5bc7-4ce3-a9c0-7cf147be8e54", "type": "uses" }, { "dest-uuid": "8f104855-e5b7-4077-b1f5-bc3103b41abe", "type": "uses" }, { "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", "type": "uses" }, { "dest-uuid": "954a1639-f2d6-407d-aef3-4917622ca493", "type": "uses" }, { "dest-uuid": "959f3b19-2dc8-48d5-8942-c66813a5101a", "type": "uses" }, { "dest-uuid": "95e2cbae-d82c-4f7b-b63c-16462015d35d", "type": "uses" }, { "dest-uuid": "96eca9b9-b37f-42f1-96dc-a2c441403194", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "979adb5a-dc30-48f0-9e3d-9a26d866928c", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "9fa07bef-9c81-421e-a8e5-ad4366c5a925", "type": "uses" }, { "dest-uuid": "a009cb25-4801-4116-9105-80a91cf15c1b", "type": "uses" }, { "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "type": "uses" }, { "dest-uuid": "a782ebe2-daba-42c7-bc82-e8e9d923162d", "type": "uses" }, { "dest-uuid": "a7881f21-e978-4fe4-af56-92c9416a2616", "type": "uses" }, { "dest-uuid": 
"a8839c95-029f-44cf-8f3d-a3cf2039e927", "type": "uses" }, { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "type": "uses" }, { "dest-uuid": "ae9d818d-95d0-41da-b045-9cabea1ca164", "type": "uses" }, { "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", "type": "uses" }, { "dest-uuid": "b136d088-a829-432c-ac26-5529c26d4c7e", "type": "uses" }, { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "type": "uses" }, { "dest-uuid": "b2056ff0-00b9-482e-b11c-c771daa5f28a", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", "type": "uses" }, { "dest-uuid": "b4694861-542c-48ea-9eb1-10d356e7140a", "type": "uses" }, { "dest-uuid": "b4783be3-35d9-4a56-ac8d-1f3e1c9d9a84", "type": "uses" }, { "dest-uuid": "b7010785-699f-412f-ba49-524da6033c76", "type": "uses" }, { "dest-uuid": "b8902400-e6c5-4ba2-95aa-2d35b442b118", "type": "uses" }, { "dest-uuid": "bdad6f3b-de88-42fa-9295-d29b5271808e", "type": "uses" }, { "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "type": "uses" }, { "dest-uuid": "bf48e7f8-752c-4ce8-bf8f-748edacd8fa6", "type": "uses" }, { "dest-uuid": "c26f1c05-b861-4970-94dc-2f7f921a3074", "type": "uses" }, { "dest-uuid": "ca9d3402-ada3-484d-876a-d717bd6e05f2", "type": "uses" }, { "dest-uuid": "cbf646f1-7db5-4dc6-808b-0094313949df", "type": "uses" }, { "dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1", "type": "uses" }, { "dest-uuid": "d4dc46e3-5ba5-45b9-8204-010867cacfcb", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "d8d19e33-94fd-4aa3-b94a-08ee801a2153", "type": "uses" }, { "dest-uuid": "d94b3ae9-8059-4989-8e9f-ea0f601f80a7", "type": "uses" }, { "dest-uuid": "dca670cf-eeec-438f-8185-fd959d9ef211", "type": "uses" }, { "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "type": "uses" }, { "dest-uuid": "e33e4603-afab-402d-b2a1-248d435b5fe0", "type": "uses" }, { "dest-uuid": 
"e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "e6ef745b-077f-42e1-a37d-29eecff9c754", "type": "uses" }, { "dest-uuid": "e74de37c-a829-446c-937d-56a44f0e9306", "type": "uses" }, { "dest-uuid": "ed7d0cb1-87a6-43b4-9f46-ef1bc56d6c68", "type": "uses" }, { "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", "type": "uses" }, { "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", "type": "uses" }, { "dest-uuid": "f59508a6-3615-47c3-b493-6676e1a39a87", "type": "uses" }, { "dest-uuid": "f6ad61ee-65f3-4bd0-a3f5-2f0accb36317", "type": "uses" }, { "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", "type": "uses" }, { "dest-uuid": "b2056ff0-00b9-482e-b11c-c771daa5f28a", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" } ], "uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", "value": "APT29 - G0016" }, { "description": "[BITTER](https://attack.mitre.org/groups/G1002) is a suspected South Asian cyber espionage threat group that has been active since at least 2013. 
[BITTER](https://attack.mitre.org/groups/G1002) has primarily targeted government, energy, and engineering organizations in Pakistan, China, Bangladesh, and Saudi Arabia.(Citation: Cisco Talos Bitter Bangladesh May 2022)(Citation: Forcepoint BITTER Pakistan Oct 2016)", "meta": { "external_id": "G1002", "refs": [ "https://attack.mitre.org/groups/G1002", "https://blog.talosintelligence.com/2022/05/bitter-apt-adds-bangladesh-to-their.html", "https://www.forcepoint.com/blog/x-labs/bitter-targeted-attack-against-pakistan" ], "synonyms": [ "BITTER", "T-APT-17" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "232a7e42-cd6e-4902-8fe9-2960f529dd4d", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "3ee16395-03f0-4690-a32e-69ce9ada0f9e", "type": "uses" }, { "dest-uuid": "40f5caa0-4cb7-4117-89fc-d421bb493df3", "type": "uses" }, { "dest-uuid": "7bd9c723-2f78-4309-82c5-47cad406572b", "type": "uses" }, { "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", "type": "uses" }, { "dest-uuid": "97cfbdc6-504d-41e9-a46c-78a9f806ff0d", "type": "uses" }, { "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "type": "uses" }, { "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "b8902400-e6c5-4ba2-95aa-2d35b442b118", "type": "uses" }, { "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "type": "uses" }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "7f848c02-4d1e-4808-a4ae-4670681370a9", "value": "BITTER - G1002" }, { "description": "[Darkhotel](https://attack.mitre.org/groups/G0012) is a suspected South Korean 
threat group that has targeted victims primarily in East Asia since at least 2004. The group's name is based on cyber espionage operations conducted via hotel Internet networks against traveling executives and other select guests. [Darkhotel](https://attack.mitre.org/groups/G0012) has also conducted spearphishing campaigns and infected victims through peer-to-peer and file sharing networks.(Citation: Kaspersky Darkhotel)(Citation: Securelist Darkhotel Aug 2015)(Citation: Microsoft Digital Defense FY20 Sept 2020)", "meta": { "external_id": "G0012", "refs": [ "https://attack.mitre.org/groups/G0012", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08070903/darkhotel_kl_07.11.pdf", "https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWxPuf", "https://securelist.com/darkhotels-attacks-in-2015/71713/", "https://www.microsoft.com/security/blog/2016/06/09/reverse-engineering-dubnium-2/", "https://www.microsoft.com/security/blog/2016/06/20/reverse-engineering-dubniums-flash-targeting-exploit/", "https://www.microsoft.com/security/blog/2016/07/14/reverse-engineering-dubnium-stage-2-payload-analysis/" ], "synonyms": [ "Darkhotel", "DUBNIUM" ] }, "related": [ { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "246fd3c7-f5e3-466d-8787-4c13d9e3b61c", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" 
}, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "91541e7e-b969-40c6-bbd8-1b5352ec2938", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "type": "uses" }, { "dest-uuid": "f52ab8b8-71f2-5a88-946f-853dc3441efe", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" } ], "uuid": "9e729a7e-0dd6-4097-95bf-db8d64911383", "value": "Darkhotel - G0012" }, { "description": "[Evilnum](https://attack.mitre.org/groups/G0120) is a financially motivated threat group that has been active since at least 2018.(Citation: ESET EvilNum July 2020)", "meta": { "external_id": "G0120", "refs": [ "https://attack.mitre.org/groups/G0120", "https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/" ], "synonyms": [ "Evilnum" ] }, "related": [ { "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", "type": "uses" }, { "dest-uuid": "10ffac09-e42d-4f56-ab20-db94c67d76ff", "type": "uses" }, { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "type": "uses" }, { "dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6", 
"type": "uses" }, { "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", "type": "uses" }, { "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", "type": "uses" }, { "dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0", "type": "uses" }, { "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", "type": "uses" }, { "dest-uuid": "7cdfccda-2950-4167-981a-60872ff5d0db", "type": "uses" }, { "dest-uuid": "b76b2d94-60e4-4107-a903-4a3a7622fb3b", "type": "uses" }, { "dest-uuid": "bfd2738c-8b43-43c3-bc9f-d523c8e88bf4", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", "type": "uses" } ], "uuid": "1f0f9a14-11aa-49aa-9174-bcd0eaa979de", "value": "Evilnum - G0120" }, { "description": "[Molerats](https://attack.mitre.org/groups/G0021) is an Arabic-speaking, politically-motivated threat group that has been operating since 2012. The group's victims have primarily been in the Middle East, Europe, and the United States.(Citation: DustySky)(Citation: DustySky2)(Citation: Kaspersky MoleRATs April 2019)(Citation: Cybereason Molerats Dec 2020)", "meta": { "external_id": "G0021", "refs": [ "http://www.clearskysec.com/wp-content/uploads/2016/06/Operation-DustySky2_-6.2016_TLP_White.pdf", "https://attack.mitre.org/groups/G0021", "https://securelist.com/gaza-cybergang-group1-operation-sneakypastes/90068/", "https://www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf", "https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf", "https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html" ], "synonyms": [ "Molerats", "Operation Molerats", "Gaza Cybergang" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" 
}, { "dest-uuid": "03ea629c-517a-41e3-94f8-c7e5368cf8f4", "type": "uses" }, { "dest-uuid": "0ba9281c-93fa-4b29-8e9e-7ef918c7b13a", "type": "uses" }, { "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082", "type": "uses" }, { "dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336", "type": "uses" }, { "dest-uuid": "3ae6097d-d700-46c6-8b21-42fc0bcb48fa", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", "type": "uses" }, { "dest-uuid": "687c23e4-4e25-4ee7-a870-c5e002511f54", "type": "uses" }, { "dest-uuid": "8a59f456-79a0-4151-9f56-9b1a67332af2", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "b42378e0-f147-496f-992a-26a49705395b", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", "type": "uses" }, { "dest-uuid": "f7c2e501-73b1-400f-a5d9-2e2e07b7dfde", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "f7c2e501-73b1-400f-a5d9-2e2e07b7dfde", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" } ], "uuid": 
"df71bb3b-813c-45eb-a8bc-f2a419837411", "value": "Molerats - G0021" }, { "description": "[admin@338](https://attack.mitre.org/groups/G0018) is a China-based cyber threat group. It has previously used newsworthy events as lures to deliver malware and has primarily targeted organizations involved in financial, economic, and trade policy, typically using publicly available RATs such as [PoisonIvy](https://attack.mitre.org/software/S0012), as well as some non-public backdoors. (Citation: FireEye admin@338)", "meta": { "external_id": "G0018", "refs": [ "https://attack.mitre.org/groups/G0018", "https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html" ], "synonyms": [ "admin@338" ] }, "related": [ { "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", "type": "uses" }, { "dest-uuid": "123bd7b3-675c-4b1a-8482-c55782b20e2b", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", "type": "uses" }, { "dest-uuid": "294e2560-bd48-44b2-9da2-833b5588ad11", "type": "uses" }, { "dest-uuid": "2a6f4c7b-e690-4cc7-ab6b-1f821fb6b80b", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "4664b683-f578-434f-919b-1c1aad2a1111", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "type": "uses" }, { "dest-uuid": "7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1", "type": "uses" }, { "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b", "type": "uses" }, { "dest-uuid": "ac4bce1f-b3ec-4c44-bd36-b6cc986b319b", "tags": [ 
"estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "b42378e0-f147-496f-992a-26a49705395b", "type": "uses" }, { "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "ac4bce1f-b3ec-4c44-bd36-b6cc986b319b", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "b42378e0-f147-496f-992a-26a49705395b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" } ], "uuid": "16ade1aa-0ea1-4bb7-88cc-9079df2ae756", "value": "admin@338 - G0018" }, { "description": "[APT19](https://attack.mitre.org/groups/G0073) is a Chinese-based threat group that has targeted a variety of industries, including defense, finance, energy, pharmaceutical, telecommunications, high tech, education, manufacturing, and legal services. In 2017, a phishing campaign was used to target seven law and investment firms. (Citation: FireEye APT19) Some analysts track [APT19](https://attack.mitre.org/groups/G0073) and [Deep Panda](https://attack.mitre.org/groups/G0009) as the same group, but it is unclear from open source information if the groups are the same. 
(Citation: ICIT China's Espionage Jul 2016) (Citation: FireEye APT Groups) (Citation: Unit 42 C0d0so0 Jan 2016)", "meta": { "external_id": "G0073", "refs": [ "https://attack.mitre.org/groups/G0073", "https://researchcenter.paloaltonetworks.com/2016/01/new-attacks-linked-to-c0d0s0-group/", "https://web.archive.org/web/20171017072306/https://icitech.org/icit-brief-chinas-espionage-dynasty-economic-death-by-a-thousand-cuts/", "https://www.darkreading.com/attacks-breaches/chinese-hacking-group-codoso-team-uses-forbescom-as-watering-hole-/d/d-id/1319059", "https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html", "https://www.fireeye.com/current-threats/apt-groups.html#apt19" ], "synonyms": [ "APT19", "Codoso", "C0d0so0", "Codoso Team", "Sunshop Group" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "3433a9e8-1c47-4320-b9bf-ed449061d1c3", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "type": "uses" }, { "dest-uuid": "a7881f21-e978-4fe4-af56-92c9416a2616", "type": "uses" }, { "dest-uuid": 
"b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", "type": "uses" }, { "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0", "type": "uses" }, { "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", "type": "uses" }, { "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "type": "uses" } ], "uuid": "fe8796a4-2a02-41a0-9d27-7aa1e995feb6", "value": "APT19 - G0073" }, { "description": "[Mofang](https://attack.mitre.org/groups/G0103) is a likely China-based cyber espionage group, named for its frequent practice of imitating a victim's infrastructure. This adversary has been observed since at least May 2012 conducting focused attacks against government and critical infrastructure in Myanmar, as well as several other countries and sectors including military, automobile, and weapons industries.(Citation: FOX-IT May 2016 Mofang)", "meta": { "external_id": "G0103", "refs": [ "https://attack.mitre.org/groups/G0103", "https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf" ], "synonyms": [ "Mofang" ] }, "related": [ { "dest-uuid": "115f88dd-0618-4389-83cb-98d33ae81848", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "5763217a-05b6-4edd-9bca-057e47b5e403", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", "type": "uses" } ], "uuid": "88489675-d216-4884-a98f-49a89fcc1643", "value": "Mofang - G0103" }, { "description": "[APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as Chinese state-sponsored 
espionage group that also conducts financially-motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed targeting healthcare, telecom, technology, and video game industries in 14 countries. [APT41](https://attack.mitre.org/groups/G0096) overlaps at least partially with public reporting on groups including BARIUM and [Winnti Group](https://attack.mitre.org/groups/G0044).(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)\n", "meta": { "external_id": "G0096", "refs": [ "https://attack.mitre.org/groups/G0096", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://www.group-ib.com/blog/colunmtk-apt41/", "https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf" ], "synonyms": [ "APT41", "Wicked Panda" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", "type": "uses" }, { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "0a68f1f1-da74-4d28-8d9a-696c082706cc", "type": "uses" }, { "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", "type": "uses" }, { "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", "type": "uses" }, { "dest-uuid": "118f61a5-eb3e-4fb6-931f-2096647f4ecd", "type": "uses" }, { "dest-uuid": "13cd9151-83b7-410d-9f98-25d0f0d1d80d", "type": "uses" }, { "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", "type": "uses" }, { "dest-uuid": "1b7b1806-7746-41a1-a35d-e48dae25ddba", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": 
"1d24cdee-9ea2-4189-b08e-af110bf2435d", "type": "uses" }, { "dest-uuid": "294e2560-bd48-44b2-9da2-833b5588ad11", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", "type": "uses" }, { "dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082", "type": "uses" }, { "dest-uuid": "3433a9e8-1c47-4320-b9bf-ed449061d1c3", "type": "uses" }, { "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", "type": "uses" }, { "dest-uuid": "38952eac-cb1b-4a71-bad2-ee8223a1c8fe", "type": "uses" }, { "dest-uuid": "3aef9463-9a7a-43ba-8957-a867e07c1e6a", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "type": "uses" }, { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "type": "uses" }, { "dest-uuid": "4664b683-f578-434f-919b-1c1aad2a1111", "type": "uses" }, { "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", "type": "uses" }, { "dest-uuid": "56f46b17-8cfa-46c0-b501-dd52fef394e2", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "5a3a31fe-5a8f-48e1-bff0-a753e5b1be70", "type": "uses" }, { "dest-uuid": "633a100c-b2c9-41bf-9be5-905c1b16c825", "type": "uses" }, { "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762", "type": "uses" }, { "dest-uuid": "64764dc6-a032-495f-8250-1e4c06bdc163", "type": "uses" }, { "dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2", "type": "uses" }, { "dest-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd", "type": "uses" }, { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "type": "uses" }, { "dest-uuid": "6c575670-d14c-4c7f-9b9d-fd1b363e255d", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", "type": "uses" }, { "dest-uuid": 
"731f4f55-b6d0-41d1-a7a9-072a66389aea", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", "type": "uses" }, { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "type": "uses" }, { "dest-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91", "type": "uses" }, { "dest-uuid": "8787e86d-8475-4f13-acea-d33eb83b6105", "type": "uses" }, { "dest-uuid": "88c621a7-aef9-4ae0-94e3-1fc87123eb24", "type": "uses" }, { "dest-uuid": "94379dec-5c87-49db-b36e-66abc0b81344", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "9a60a291-8960-4387-8a4a-2ab5c18bb50b", "type": "uses" }, { "dest-uuid": "9b19d6b4-cfcb-492f-8ca8-8449e7331573", "type": "uses" }, { "dest-uuid": "9de2308e-7bed-43a3-8e58-f194b3586700", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", "type": "uses" }, { "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "type": "uses" }, { "dest-uuid": "a6937325-9321-4e2e-bb2b-3ed2d40b2a9d", "type": "uses" }, { "dest-uuid": "a7881f21-e978-4fe4-af56-92c9416a2616", "type": "uses" }, { "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56", "type": "uses" }, { "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", "type": "uses" }, { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "b77b563c-34bb-4fb8-86a3-3694338f7b47", "type": "uses" }, { "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", "type": "uses" }, { "dest-uuid": "bd369cd9-abb8-41ce-b5bb-fff23ee86c00", "type": "uses" }, { "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "type": "uses" }, { "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", "type": "uses" }, { "dest-uuid": "cba78a1c-186f-4112-9e6a-be1839f030f7", "type": "uses" }, { "dest-uuid": 
"cd25c1b4-935c-4f0e-ba8d-552f28bc4783", "type": "uses" }, { "dest-uuid": "cf23bf4a-e003-4116-bbae-1ea6c558d565", "type": "uses" }, { "dest-uuid": "cfc75b0d-e579-40ae-ad07-a1ce00d49a6c", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "d69c8146-ab35-4d50-8382-6fc80e641d43", "type": "uses" }, { "dest-uuid": "d906e6f7-434c-44c0-b51a-ed50af8f7945", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", "type": "uses" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", "type": "uses" }, { "dest-uuid": "ec9e00dd-0313-4d5b-8105-c20aa47abffc", "type": "uses" }, { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "type": "uses" }, { "dest-uuid": "f244b8dd-af6c-4391-a497-fc03627ce995", "type": "uses" }, { "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", "type": "uses" }, { "dest-uuid": "f7827069-0bf2-4764-af4f-23fae0d181b7", "type": "uses" } ], "uuid": "18854f55-ac7c-4634-bd9a-352dd07613b7", "value": "APT41 - G0096" }, { "description": "[LazyScripter](https://attack.mitre.org/groups/G0140) is a threat group that has mainly targeted the airlines industry since at least 2018, primarily using open-source toolsets.(Citation: MalwareBytes LazyScripter Feb 2021)", "meta": { "external_id": "G0140", "refs": [ "https://attack.mitre.org/groups/G0140", "https://www.malwarebytes.com/resources/files/2021/02/lazyscripter.pdf" ], "synonyms": [ "LazyScripter" ] }, "related": [ { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, { "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", "type": "uses" }, { "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", "type": "uses" }, { "dest-uuid": 
"232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "2f7f03bb-f367-4a5a-ad9b-310a12a48906", "type": "uses" }, { "dest-uuid": "3433a9e8-1c47-4320-b9bf-ed449061d1c3", "type": "uses" }, { "dest-uuid": "3ee16395-03f0-4690-a32e-69ce9ada0f9e", "type": "uses" }, { "dest-uuid": "40f5caa0-4cb7-4117-89fc-d421bb493df3", "type": "uses" }, { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "type": "uses" }, { "dest-uuid": "7807d3a4-a885-4639-a786-c1ed41484970", "type": "uses" }, { "dest-uuid": "7cd0bc75-055b-4098-a00e-83dc8beaff14", "type": "uses" }, { "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", "type": "uses" }, { "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", "type": "uses" }, { "dest-uuid": "88d31120-5bc7-4ce3-a9c0-7cf147be8e54", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "c8655260-9f4b-44e3-85e1-6538a5f6e4f4", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", "type": "uses" }, { "dest-uuid": "d906e6f7-434c-44c0-b51a-ed50af8f7945", "type": "uses" }, { "dest-uuid": "da04ac30-27da-4959-a67d-450ce47d9470", "type": "uses" }, { "dest-uuid": "df9b350b-d4f9-4e79-a826-75cc75fbc1eb", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", "type": "uses" } ], "uuid": "abc5a1d4-f0dc-49d1-88a1-4a80e478bb03", "value": "LazyScripter - G0140" }, { "description": "Operation [Sharpshooter](https://attack.mitre.org/groups/G0104) is the name of a cyber espionage campaign discovered in October 2018 targeting nuclear, 
defense, energy, and financial companies. Though overlaps between this adversary and [Lazarus Group](https://attack.mitre.org/groups/G0032) have been noted, definitive links have not been established.(Citation: McAfee Sharpshooter December 2018)", "meta": { "external_id": "G0104", "refs": [ "https://attack.mitre.org/groups/G0104", "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf" ], "synonyms": [ "Sharpshooter" ] }, "related": [], "uuid": "5e78ae92-3ffd-4b16-bf62-e798529d73f1", "value": "Sharpshooter - G0104" }, { "description": "[Strider](https://attack.mitre.org/groups/G0041) is a threat group that has been active since at least 2011 and has targeted victims in Russia, China, Sweden, Belgium, Iran, and Rwanda.(Citation: Symantec Strider Blog)(Citation: Kaspersky ProjectSauron Blog)", "meta": { "external_id": "G0041", "refs": [ "http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets", "https://attack.mitre.org/groups/G0041", "https://securelist.com/faq-the-projectsauron-apt/75533/", "https://securelist.com/files/2016/07/The-ProjectSauron-APT_research_KL.pdf" ], "synonyms": [ "Strider", "ProjectSauron" ] }, "related": [ { "dest-uuid": "24ce266c-1860-5e04-a107-48d1d39f8ebf", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "3731fbcd-0e43-47ae-ae6c-d15e510f0d42", "type": "uses" }, { "dest-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", "type": "uses" }, { "dest-uuid": "dfebc3b7-d19d-450b-81c7-6dafe4184c04", "type": "uses" }, { "dest-uuid": "f3179cfb-9c86-4980-bd6b-e4fa74adaaa7", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755", "type": "uses" }, { "dest-uuid": "f3179cfb-9c86-4980-bd6b-e4fa74adaaa7", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", 
"tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" } ], "uuid": "277d2f87-2ae5-4730-a3aa-50c1fdff9656", "value": "Strider - G0041" }, { "description": "[DarkVishnya](https://attack.mitre.org/groups/G0105) is a financially motivated threat actor targeting financial institutions in Eastern Europe. In 2017-2018 the group attacked at least 8 banks in this region.(Citation: Securelist DarkVishnya Dec 2018)", "meta": { "external_id": "G0105", "refs": [ "https://attack.mitre.org/groups/G0105", "https://securelist.com/darkvishnya/89169/" ], "synonyms": [ "DarkVishnya" ] }, "related": [ { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529", "type": "uses" }, { "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", "type": "uses" }, { "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", "type": "uses" }, { "dest-uuid": "96fd6cc4-a693-4118-83ec-619e5352d07d", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "type": "uses" }, { "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", "type": "uses" }, { "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18", "type": "uses" }, { "dest-uuid": "d40239b3-05ff-46d8-9bdd-b46d13463ef9", "type": "uses" }, { "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", "type": "uses" }, { "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", "type": "uses" } ], "uuid": "813636db-3939-4a45-bea9-6113e970c029", "value": "DarkVishnya - G0105" }, { "description": "[POLONIUM](https://attack.mitre.org/groups/G1005) is a Lebanon-based group that has primarily targeted Israeli organizations, including critical manufacturing, information technology, and defense industry companies, since at least February 2022. 
Security researchers assess [POLONIUM](https://attack.mitre.org/groups/G1005) has coordinated their operations with multiple actors affiliated with Iran\u2019s Ministry of Intelligence and Security (MOIS), based on victim overlap as well as common techniques and tooling.(Citation: Microsoft POLONIUM June 2022)", "meta": { "external_id": "G1005", "refs": [ "https://attack.mitre.org/groups/G1005", "https://www.microsoft.com/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/" ], "synonyms": [ "POLONIUM" ] }, "related": [ { "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", "type": "uses" }, { "dest-uuid": "750eb92a-7fdf-451e-9592-1d42357018f1", "type": "uses" }, { "dest-uuid": "88d31120-5bc7-4ce3-a9c0-7cf147be8e54", "type": "uses" }, { "dest-uuid": "9fa07bef-9c81-421e-a8e5-ad4366c5a925", "type": "uses" }, { "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "type": "uses" }, { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "type": "uses" }, { "dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4", "type": "uses" }, { "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b", "type": "uses" }, { "dest-uuid": "d23de441-f9cf-4802-b1ff-f588a11a896b", "type": "uses" } ], "uuid": "5f3d0238-d058-44a9-8812-3dd1b6741a8c", "value": "POLONIUM - G1005" }, { "description": "[Taidoor](https://attack.mitre.org/groups/G0015) has been deprecated, as the only technique it was linked to was deprecated in ATT&CK v7.", "meta": { "external_id": "G0015", "refs": [ "https://attack.mitre.org/groups/G0015" ], "synonyms": [ "Taidoor" ] }, "related": [ { "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" } ], "uuid": "59140a2e-d117-4206-9b2c-2a8662bd9d46", "value": "Taidoor - G0015" }, { "description": "[FIN8](https://attack.mitre.org/groups/G0061) is a financially motivated threat group that has been active since at least January 2016, and known for 
targeting organizations in the hospitality, retail, entertainment, insurance, technology, chemical, and financial sectors. In June 2021, security researchers detected [FIN8](https://attack.mitre.org/groups/G0061) switching from targeting point-of-sale (POS) devices to distributing a number of ransomware variants.(Citation: FireEye Obfuscation June 2017)(Citation: FireEye Fin8 May 2016)(Citation: Bitdefender Sardonic Aug 2021)(Citation: Symantec FIN8 Jul 2023)", "meta": { "external_id": "G0061", "refs": [ "https://attack.mitre.org/groups/G0061", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/syssphinx-fin8-backdoor", "https://web.archive.org/web/20170923102302/https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html", "https://www.bitdefender.com/files/News/CaseStudies/study/401/Bitdefender-PR-Whitepaper-FIN8-creat5619-en-EN.pdf", "https://www.fireeye.com/blog/threat-research/2016/05/windows-zero-day-payment-cards.html" ], "synonyms": [ "FIN8", "Syssphinx" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", "type": "uses" }, { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "0c52f5bc-557d-4083-bd27-66d7cdb794bb", "type": "uses" }, { "dest-uuid": "132d5b37-aac5-4378-a8dc-3127b18a73dc", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "26c87906-d750-42c5-946c-d4162c73fc7b", "type": "uses" }, { "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3553b49d-d4ae-4fb6-ab17-0adbc520c888", "type": "uses" }, { 
"dest-uuid": "359b00ad-9425-420b-bba5-6de8d600cbc0", "type": "uses" }, { "dest-uuid": "38952eac-cb1b-4a71-bad2-ee8223a1c8fe", "type": "uses" }, { "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", "type": "uses" }, { "dest-uuid": "54895630-efd2-4608-9c24-319de972a9eb", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "5c6ed2dc-37f4-40ea-b2e1-4c76140a388c", "type": "uses" }, { "dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2", "type": "uses" }, { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "type": "uses" }, { "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", "type": "uses" }, { "dest-uuid": "7c0f17c9-1af6-4628-9cbd-9e45482dd605", "type": "uses" }, { "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", "type": "uses" }, { "dest-uuid": "86850eff-2729-40c3-b85e-c4af26da4a2d", "type": "uses" }, { "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "981acc4c-2ede-4b56-be6e-fa1a75f37acf", "type": "uses" }, { "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "type": "uses" }, { "dest-uuid": "a78ae9fe-71cd-4563-9213-7b6260bd9a73", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "type": "uses" }, { "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", "type": "uses" }, { "dest-uuid": "b77b563c-34bb-4fb8-86a3-3694338f7b47", "type": "uses" }, { "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", "type": "uses" }, { "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", "type": "uses" }, { "dest-uuid": "c4de7d83-e875-4c88-8b5d-06c41e5b7e79", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", "type": "uses" }, { "dest-uuid": 
"d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "e7cbc1de-1f79-48ee-abfd-da1241c65a15", "type": "uses" }, { "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", "type": "uses" }, { "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", "type": "uses" }, { "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b", "type": "uses" }, { "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", "type": "uses" }, { "dest-uuid": "a78ae9fe-71cd-4563-9213-7b6260bd9a73", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" } ], "uuid": "fd19bd82-1b14-49a1-a176-6cdc46b8a826", "value": "FIN8 - G0061" }, { "description": "[Rocke](https://attack.mitre.org/groups/G0106) is an alleged Chinese-speaking adversary whose primary objective appeared to be cryptojacking, or stealing victim system resources for the purposes of mining cryptocurrency. The name [Rocke](https://attack.mitre.org/groups/G0106) comes from the email address \"rocke@live.cn\" used to create the wallet which held collected cryptocurrency. 
Researchers have detected overlaps between [Rocke](https://attack.mitre.org/groups/G0106) and the Iron Cybercrime Group, though this attribution has not been confirmed.(Citation: Talos Rocke August 2018)", "meta": { "external_id": "G0106", "refs": [ "https://attack.mitre.org/groups/G0106", "https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html" ], "synonyms": [ "Rocke" ] }, "related": [ { "dest-uuid": "03259939-0b57-482f-8eb5-87c0e0d54334", "type": "uses" }, { "dest-uuid": "09b130a2-a77e-4af0-a361-f46f9aad1345", "type": "uses" }, { "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "2acf44aa-542f-4366-b4eb-55ef5747759c", "type": "uses" }, { "dest-uuid": "2bce5b30-7014-4a5d-ade7-12913fe6ac36", "type": "uses" }, { "dest-uuid": "2db31dcd-54da-405d-acef-b9129b816ed6", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "type": "uses" }, { "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611", "type": "uses" }, { "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", "type": "uses" }, { "dest-uuid": "60b508a1-6a5e-46b1-821a-9f7b78752abf", "type": "uses" }, { "dest-uuid": "633a100c-b2c9-41bf-9be5-905c1b16c825", "type": "uses" }, { "dest-uuid": "806a49c4-970d-43f9-9acc-ac0ee11e6662", "type": "uses" }, { "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56", "type": "uses" }, { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "type": "uses" }, { "dest-uuid": 
"b18eae87-b469-4e14-b454-b171b416bc18", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "c726e0a2-a57a-4b7b-a973-d0f013246617", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1", "type": "uses" }, { "dest-uuid": "cd25c1b4-935c-4f0e-ba8d-552f28bc4783", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b", "type": "uses" }, { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "type": "uses" }, { "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d", "type": "uses" }, { "dest-uuid": "f7827069-0bf2-4764-af4f-23fae0d181b7", "type": "uses" } ], "uuid": "44102191-3a31-45f8-acbe-34bdb441d5ad", "value": "Rocke - G0106" }, { "description": "[DragonOK](https://attack.mitre.org/groups/G0017) is a threat group that has targeted Japanese organizations with phishing emails. Due to overlapping TTPs, including similar custom tools, [DragonOK](https://attack.mitre.org/groups/G0017) is thought to have a direct or indirect relationship with the threat group [Moafee](https://attack.mitre.org/groups/G0002). (Citation: Operation Quantum Entanglement) It is known to use a variety of malware, including Sysget/HelloBridge, PlugX, PoisonIvy, FormerFirstRat, NFlog, and NewCT. 
(Citation: New DragonOK)", "meta": { "external_id": "G0017", "refs": [ "http://researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/", "https://attack.mitre.org/groups/G0017", "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf" ], "synonyms": [ "DragonOK" ] }, "related": [ { "dest-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd", "type": "uses" }, { "dest-uuid": "a9b44750-992c-4743-8922-129880d277ea", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "b42378e0-f147-496f-992a-26a49705395b", "type": "uses" }, { "dest-uuid": "2e5d3a83-fe00-41a5-9b60-237efc84832f", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "a9b44750-992c-4743-8922-129880d277ea", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "b42378e0-f147-496f-992a-26a49705395b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" } ], "uuid": "f3bdec95-3d62-42d9-a840-29630f6cdc1a", "value": "DragonOK - G0017" }, { "description": "[Orangeworm](https://attack.mitre.org/groups/G0071) is a group that has targeted organizations in the healthcare sector in the United States, Europe, and Asia since at least 2015, likely for the purpose of corporate espionage.(Citation: Symantec Orangeworm April 2018)", "meta": { "external_id": "G0071", "refs": [ "https://attack.mitre.org/groups/G0071", "https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia" ], "synonyms": [ "Orangeworm" ] }, "related": [ { "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", "type": "uses" }, { "dest-uuid": "294e2560-bd48-44b2-9da2-833b5588ad11", "type": "uses" }, { "dest-uuid": "30489451-5886-4c46-90c9-0dff9adc5252", "type": "uses" }, { "dest-uuid": 
"4664b683-f578-434f-919b-1c1aad2a1111", "type": "uses" }, { "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", "type": "uses" }, { "dest-uuid": "7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1", "type": "uses" }, { "dest-uuid": "bba595da-b73a-4354-aa6c-224d4de7cb4e", "type": "uses" }, { "dest-uuid": "c11ac61d-50f4-444f-85d8-6f006067f0de", "type": "uses" }, { "dest-uuid": "c2417bab-3189-4d4d-9d60-96de2cdaf0ab", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" } ], "uuid": "5636b7b3-d99b-4edd-aa05-ee649c1d4ef1", "value": "Orangeworm - G0071" }, { "description": "[Whitefly](https://attack.mitre.org/groups/G0107) is a cyber espionage group that has been operating since at least 2017. The group has targeted organizations based mostly in Singapore across a wide variety of sectors, and is primarily interested in stealing large amounts of sensitive information. The group has been linked to an attack against Singapore\u2019s largest public health organization, SingHealth.(Citation: Symantec Whitefly March 2019)", "meta": { "external_id": "G0107", "refs": [ "https://attack.mitre.org/groups/G0107", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/whitefly-espionage-singapore" ], "synonyms": [ "Whitefly" ] }, "related": [ { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", "type": "uses" }, { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "type": "uses" }, { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "type": "uses" }, { "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "type": "uses" }, { "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", "type": "uses" }, { "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", 
"type": "uses" } ], "uuid": "b74f909f-8e52-4b69-b770-162bf59a1b4e", "value": "Whitefly - G0107" }, { "description": "[SideCopy](https://attack.mitre.org/groups/G1008) is a Pakistani threat group that has primarily targeted South Asian countries, including Indian and Afghani government personnel, since at least 2019. [SideCopy](https://attack.mitre.org/groups/G1008)'s name comes from its infection chain that tries to mimic that of [Sidewinder](https://attack.mitre.org/groups/G0121), a suspected Indian threat group.(Citation: MalwareBytes SideCopy Dec 2021)", "meta": { "external_id": "G1008", "refs": [ "https://attack.mitre.org/groups/G1008", "https://www.malwarebytes.com/blog/news/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure" ], "synonyms": [ "SideCopy" ] }, "related": [ { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "36801ffb-5c85-4c50-9121-6122e389366d", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3e4e2c79-2b27-4245-a5c1-5586a3cbd8f5", "type": "uses" }, { "dest-uuid": "3ee16395-03f0-4690-a32e-69ce9ada0f9e", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", "type": "uses" }, { "dest-uuid": "8982a661-d84c-48c0-b4ec-1db29c6cf3bc", "type": "uses" }, { "dest-uuid": "c877e33f-1df6-40d6-b1e7-ce70f16f4979", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58", "type": "uses" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "type": "uses" }, { "dest-uuid": 
"e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f9cc4d06-775f-4ee1-b401-4e2cc0da30ba", "type": "uses" } ], "uuid": "03be849d-b5a2-4766-9dda-48976bae5710", "value": "SideCopy - G1008" }, { "description": "[Naikon](https://attack.mitre.org/groups/G0019) is assessed to be a state-sponsored cyber espionage group attributed to the Chinese People\u2019s Liberation Army\u2019s (PLA) Chengdu Military Region Second Technical Reconnaissance Bureau (Military Unit Cover Designator 78020).(Citation: CameraShy) Active since at least 2010, [Naikon](https://attack.mitre.org/groups/G0019) has primarily conducted operations against government, military, and civil organizations in Southeast Asia, as well as against international bodies such as the United Nations Development Programme (UNDP) and the Association of Southeast Asian Nations (ASEAN).(Citation: CameraShy)(Citation: Baumgartner Naikon 2015) \n\nWhile [Naikon](https://attack.mitre.org/groups/G0019) shares some characteristics with [APT30](https://attack.mitre.org/groups/G0013), the two groups do not appear to be exact matches.(Citation: Baumgartner Golovkin Naikon 2015)", "meta": { "external_id": "G0019", "refs": [ "http://cdn2.hubspot.net/hubfs/454298/Project_CAMERASHY_ThreatConnect_Copyright_2015.pdf", "https://attack.mitre.org/groups/G0019", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf", "https://securelist.com/the-naikon-apt/69953/" ], "synonyms": [ "Naikon" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "007b44b6-e4c5-480b-b5b9-56f2081b1b7b", "type": "uses" }, { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "22addc7b-b39f-483d-979a-1b35147da5de", "type": "uses" }, { "dest-uuid": 
"22b17791-45bf-45c0-9322-ff1a0af5cf2b", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "29231689-5837-4a7a-aafc-1b65b3f50cc7", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f", "type": "uses" }, { "dest-uuid": "2f1fd017-9df6-4759-91fb-e7039609b5ff", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "2fb26586-2b53-4b9a-ad4f-2b3bcb9a2421", "type": "uses" }, { "dest-uuid": "3161d76a-e2b2-4b97-9906-24909b735386", "type": "uses" }, { "dest-uuid": "34f1d81d-fe88-4f97-bd3b-a3164536255d", "type": "uses" }, { "dest-uuid": "5a63f900-5e7e-4928-a746-dd4558e1df71", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", "type": "uses" }, { "dest-uuid": "7f8730af-f683-423f-9ee1-5f6875a80481", "type": "uses" }, { "dest-uuid": "7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1", "type": "uses" }, { "dest-uuid": "8c553311-0baa-4146-997a-f79acef3d831", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "b77b563c-34bb-4fb8-86a3-3694338f7b47", "type": "uses" }, { "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "cf23bf4a-e003-4116-bbae-1ea6c558d565", "type": "uses" }, { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "type": "uses" }, { "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", "type": "uses" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "type": "uses" }, { "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", "type": "uses" }, { "dest-uuid": "2f1fd017-9df6-4759-91fb-e7039609b5ff", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": 
"5e0a7cf2-6107-4d5f-9dd0-9df38b1fcba8", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "f047ee18-7985-4946-8bfb-4ed754d3a0dd", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "5a63f900-5e7e-4928-a746-dd4558e1df71", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" } ], "uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050", "value": "Naikon - G0019" }, { "description": "[Silence](https://attack.mitre.org/groups/G0091) is a financially motivated threat actor targeting financial institutions in different countries. The group was first seen in June 2016. Their main targets reside in Russia, Ukraine, Belarus, Azerbaijan, Poland and Kazakhstan. They compromised various banking systems, including the Russian Central Bank's Automated Workstation Client, ATMs, and card processing.(Citation: Cyber Forensicator Silence Jan 2019)(Citation: SecureList Silence Nov 2017) ", "meta": { "external_id": "G0091", "refs": [ "https://attack.mitre.org/groups/G0091", "https://cyberforensicator.com/2019/01/20/silence-dissecting-malicious-chm-files-and-performing-forensic-analysis/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://securelist.com/the-silence/83009/" ], "synonyms": [ "Silence", "Whisper Spider" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082", "type": "uses" }, { "dest-uuid": "3433a9e8-1c47-4320-b9bf-ed449061d1c3", 
"type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "type": "uses" }, { "dest-uuid": "69b8fd78-40e8-4600-ae4d-662c9d7afdb3", "type": "uses" }, { "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", "type": "uses" }, { "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", "type": "uses" }, { "dest-uuid": "96fd6cc4-a693-4118-83ec-619e5352d07d", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "type": "uses" }, { "dest-uuid": "a6937325-9321-4e2e-bb2b-3ed2d40b2a9d", "type": "uses" }, { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "type": "uses" }, { "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "d8d19e33-94fd-4aa3-b94a-08ee801a2153", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", "type": "uses" }, { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "type": "uses" } ], "uuid": "d13c8a7f-740b-4efa-a232-de7d6bb05321", "value": "Silence - G0091" }, { "description": "[APT3](https://attack.mitre.org/groups/G0022) is a China-based threat group that researchers have attributed to China's Ministry of State Security.(Citation: FireEye Clandestine Wolf)(Citation: Recorded 
Future APT3 May 2017) This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap.(Citation: FireEye Clandestine Wolf)(Citation: FireEye Operation Double Tap) As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong.(Citation: Symantec Buckeye)\n\nIn 2017, MITRE developed an APT3 Adversary Emulation Plan.(Citation: APT3 Adversary Emulation Plan)", "meta": { "external_id": "G0022", "refs": [ "http://pwc.blogs.com/cyber_security_updates/2015/07/pirpi-scanbox.html", "http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong", "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Plan.pdf", "https://attack.mitre.org/groups/G0022", "https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html", "https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html", "https://www.recordedfuture.com/chinese-mss-behind-apt3/" ], "synonyms": [ "APT3", "Gothic Panda", "Pirpi", "UPS Team", "Buckeye", "Threat Group-0110", "TG-0110" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "1d24cdee-9ea2-4189-b08e-af110bf2435d", "type": "uses" }, { "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", "type": "uses" }, { 
"dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "4e6b9625-bbda-4d96-a652-b3bb45453f26", "type": "uses" }, { "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", "type": "uses" }, { "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", "type": "uses" }, { "dest-uuid": "58adaaa8-f1e8-4606-9a08-422e568461eb", "type": "uses" }, { "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762", "type": "uses" }, { "dest-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd", "type": "uses" }, { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "type": "uses" }, { "dest-uuid": "69b8fd78-40e8-4600-ae4d-662c9d7afdb3", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "70e52b04-2a0c-4cea-9d18-7149f1df9dc5", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "type": "uses" }, { "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", "type": "uses" }, { "dest-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", "type": "uses" }, { "dest-uuid": "b0533c6e-8fea-4788-874f-b799cacc4b92", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "b76b2d94-60e4-4107-a903-4a3a7622fb3b", "type": "uses" }, { "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "type": "uses" }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" }, { "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", "type": "uses" }, { "dest-uuid": 
"c9703cd3-141c-43a0-a926-380082be5d04", "type": "uses" }, { "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0", "type": "uses" }, { "dest-uuid": "d144c83e-2302-4947-9e24-856fbf7949ae", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "type": "uses" }, { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "type": "uses" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", "type": "uses" }, { "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", "type": "uses" }, { "dest-uuid": "f6d1d2cb-12f5-4221-9636-44606ea1f3f8", "type": "uses" }, { "dest-uuid": "d144c83e-2302-4947-9e24-856fbf7949ae", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" } ], "uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", "value": "APT3 - G0022" }, { "description": "[APT38](https://attack.mitre.org/groups/G0082) is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau.(Citation: CISA AA20-239A BeagleBoyz August 2020) Active since at least 2014, [APT38](https://attack.mitre.org/groups/G0082) has targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide. 
Significant operations include the 2016 Bank of Bangladesh heist, during which [APT38](https://attack.mitre.org/groups/G0082) stole $81 million, as well as attacks against Bancomext (2018) and Banco de Chile (2018); some of their attacks have been destructive.(Citation: CISA AA20-239A BeagleBoyz August 2020)(Citation: FireEye APT38 Oct 2018)(Citation: DOJ North Korea Indictment Feb 2021)(Citation: Kaspersky Lazarus Under The Hood Blog 2017)\n\nNorth Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://attack.mitre.org/groups/G0032) instead of tracking clusters or subgroups.", "meta": { "external_id": "G0082", "refs": [ "https://attack.mitre.org/groups/G0082", "https://content.fireeye.com/apt/rpt-apt38", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf", "https://securelist.com/lazarus-under-the-hood/77908/", "https://us-cert.cisa.gov/ncas/alerts/aa20-239a", "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-april-stardust-chollima/", "https://www.justice.gov/opa/pr/three-north-korean-military-hackers-indicted-wide-ranging-scheme-commit-cyberattacks-and", "https://www.secureworks.com/research/threat-profiles/nickel-gladstone" ], "synonyms": [ "APT38", "NICKEL GLADSTONE", "BeagleBoyz", "Bluenoroff", "Stardust Chollima" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "0af0ca99-357d-4ba1-805f-674fdfb7bef9", "type": "uses" }, { "dest-uuid": "1cfcb312-b8d7-47a4-b560-4b16cc677292", "type": "uses" }, { "dest-uuid": 
"232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "2acf44aa-542f-4366-b4eb-55ef5747759c", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", "type": "uses" }, { "dest-uuid": "32ad5c86-2bcf-47d8-8fdc-d7f3d79a7490", "type": "uses" }, { "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "454fe82d-6fd2-4ac6-91ab-28a33fe01369", "type": "uses" }, { "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611", "type": "uses" }, { "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", "type": "uses" }, { "dest-uuid": "53ab35c2-d00e-491a-8753-41d35ae7e547", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", "type": "uses" }, { "dest-uuid": "5e4a2073-9643-44cb-a0b5-e7f4048446c7", "type": "uses" }, { "dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "8f504411-cb96-4dac-a537-8d2bb7679c59", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "type": "uses" }, { "dest-uuid": "a6937325-9321-4e2e-bb2b-3ed2d40b2a9d", "type": "uses" }, { "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", "type": "uses" }, { "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", "type": "uses" }, { "dest-uuid": 
"b80d107d-fa0d-4b60-9684-b0433e8bdba0", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "d0613359-5781-4fd2-b5be-c269270be1f6", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", "type": "uses" }, { "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "e221eb77-1502-4129-af1d-fe1ad55e7ec6", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "e6f4af06-fbb5-5471-82ae-b0bdb4d446ce", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "e928333f-f3df-4039-9b8b-556c2add0e42", "type": "uses" }, { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "type": "uses" }, { "dest-uuid": "ff73aa03-0090-4464-83ac-f89e233c02bc", "type": "uses" } ], "uuid": "00f67a77-86a4-4adf-be26-1a54fc713340", "value": "APT38 - G0082" }, { "description": "[TA459](https://attack.mitre.org/groups/G0062) is a threat group believed to operate out of China that has targeted countries including Russia, Belarus, Mongolia, and others. 
(Citation: Proofpoint TA459 April 2017)", "meta": { "external_id": "G0062", "refs": [ "https://attack.mitre.org/groups/G0062", "https://www.proofpoint.com/us/threat-insight/post/apt-targets-financial-analysts" ], "synonyms": [ "TA459" ] }, "related": [ { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "4ab44516-ad75-4e43-a280-705dc0420e2f", "type": "uses" }, { "dest-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd", "type": "uses" }, { "dest-uuid": "88c621a7-aef9-4ae0-94e3-1fc87123eb24", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "type": "uses" }, { "dest-uuid": "c6472ae1-c6ad-4cf1-8d6e-8c94b94fe314", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "cafd0bf8-2b9c-46c7-ae3c-3e0f42c5062e", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "c6472ae1-c6ad-4cf1-8d6e-8c94b94fe314", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" } ], "uuid": "62a64fd3-aaf7-4d09-a375-d6f8bb118481", "value": "TA459 - G0062" }, { "meta": { "external_id": "G0042", "refs": [ "https://attack.mitre.org/groups/G0042" ] }, "related": [ { "dest-uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", "type": "revoked-by" }, { "dest-uuid": "18d473a5-831b-47a5-97a1-a32156299825", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "18d473a5-831b-47a5-97a1-a32156299825", "tags": [ 
"estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "9559ecaf-2e75-48a7-aee8-9974020bc772", "value": "MONSOON - G0042" }, { "description": "[CopyKittens](https://attack.mitre.org/groups/G0052) is an Iranian cyber espionage group that has been operating since at least 2013. It has targeted countries including Israel, Saudi Arabia, Turkey, the U.S., Jordan, and Germany. The group is responsible for the campaign known as Operation Wilted Tulip.(Citation: ClearSky CopyKittens March 2017)(Citation: ClearSky Wilted Tulip July 2017)(Citation: CopyKittens Nov 2015)", "meta": { "external_id": "G0052", "refs": [ "http://www.clearskysec.com/copykitten-jpost/", "http://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf", "https://attack.mitre.org/groups/G0052", "https://s3-eu-west-1.amazonaws.com/minervaresearchpublic/CopyKittens/CopyKittens.pdf" ], "synonyms": [ "CopyKittens" ] }, "related": [ { "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", "type": "uses" }, { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, { "dest-uuid": "0b32ec39-ba61-4864-9ebe-b4b0b73caf9a", "type": "uses" }, { "dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b", "type": "uses" }, { "dest-uuid": "1cc934e4-b01d-4543-a011-b988dfc1a458", "type": "uses" }, { "dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082", "type": "uses" }, { "dest-uuid": "3433a9e8-1c47-4320-b9bf-ed449061d1c3", "type": "uses" }, { "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", "type": "uses" }, { "dest-uuid": "8cca9a1d-66e4-4bc4-ad49-95f759f4c1ae", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "type": "uses" }, { "dest-uuid": "a7881f21-e978-4fe4-af56-92c9416a2616", "type": "uses" }, { "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0", "type": "uses" }, { "dest-uuid": 
"8cca9a1d-66e4-4bc4-ad49-95f759f4c1ae", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" } ], "uuid": "dcd81c6e-ebf7-4a16-93e0-9a97fa49c88a", "value": "CopyKittens - G0052" }, { "description": "[Honeybee](https://attack.mitre.org/groups/G0072) is a campaign led by an unknown actor that targets humanitarian aid organizations and has been active in Vietnam, Singapore, Argentina, Japan, Indonesia, and Canada. It has been an active operation since August of 2017 and as recently as February 2018. (Citation: McAfee Honeybee)", "meta": { "external_id": "G0072", "refs": [ "https://attack.mitre.org/groups/G0072", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/" ], "synonyms": [ "Honeybee" ] }, "related": [], "uuid": "ebb73863-fa44-4617-b4cb-b9ed3414eb87", "value": "Honeybee - G0072" }, { "description": "[APT33](https://attack.mitre.org/groups/G0064) is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors. 
(Citation: FireEye APT33 Sept 2017) (Citation: FireEye APT33 Webinar Sept 2017)", "meta": { "external_id": "G0064", "refs": [ "https://attack.mitre.org/groups/G0064", "https://www.brighttalk.com/webcast/10703/275683", "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html", "https://www.microsoft.com/security/blog/2020/06/18/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint/", "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage" ], "synonyms": [ "APT33", "HOLMIUM", "Elfin" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", "type": "uses" }, { "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", "type": "uses" }, { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "13cd9151-83b7-410d-9f98-25d0f0d1d80d", "type": "uses" }, { "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "2a70812b-f1ef-44db-8578-a496a227aef2", "type": "uses" }, { "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529", "type": "uses" }, { "dest-uuid": "3433a9e8-1c47-4320-b9bf-ed449061d1c3", "type": "uses" }, { "dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0", "type": "uses" }, { "dest-uuid": "4b57c098-f043-4da2-83ef-7588a6d426bc", "type": "uses" }, { "dest-uuid": "4f69ec6d-cb6b-42af-b8e2-920a2aa4be10", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", "type": "uses" }, { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "type": "uses" }, { "dest-uuid": 
"692074ae-bb62-4a5e-a735-02cb6bde458c", "type": "uses" }, { "dest-uuid": "6add2ab5-2711-4e9d-87c8-7a0be8531530", "type": "uses" }, { "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", "type": "uses" }, { "dest-uuid": "8d7bd4f5-3a89-4453-9c82-2c8894d5655e", "type": "uses" }, { "dest-uuid": "8dbadf80-468c-4a62-b817-4e4d8b606887", "type": "uses" }, { "dest-uuid": "90ac9266-68ce-46f2-b24f-5eb3b2a8ea38", "type": "uses" }, { "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "type": "uses" }, { "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", "type": "uses" }, { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "type": "uses" }, { "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18", "type": "uses" }, { "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "b4d80f8b-d2b9-4448-8844-4bef777ed676", "type": "uses" }, { "dest-uuid": "b76b2d94-60e4-4107-a903-4a3a7622fb3b", "type": "uses" }, { "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "type": "uses" }, { "dest-uuid": "cb69b20d-56d0-41ab-8440-4a4b251614d4", "type": "uses" }, { "dest-uuid": "cf23bf4a-e003-4116-bbae-1ea6c558d565", "type": "uses" }, { "dest-uuid": "db1355a7-e5c9-4e2c-8da7-eccf2ae9bf5c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "e85cae1a-bce3-4ac4-b36b-b00acac0567b", "type": "uses" }, { "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", "type": "uses" }, { "dest-uuid": "f232fa7a-025c-4d43-abc7-318e81a73d65", "type": "uses" }, { "dest-uuid": 
"f5352566-1a64-49ac-8f7f-97e1d1a03300", "type": "uses" }, { "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b", "type": "uses" }, { "dest-uuid": "4f69ec6d-cb6b-42af-b8e2-920a2aa4be10", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "accd848b-b8f4-46ba-a408-9063b35cfbf2", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "20138b9d-1aac-4a26-8654-a36b6bbf2bba", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" } ], "uuid": "fbd29c89-18ba-4c2d-b792-51c0adee049f", "value": "APT33 - G0064" }, { "description": "APT34 is an Iranian cyber espionage group that has been active since at least 2014. The group has targeted a variety of industries, including financial, government, energy, chemical, and telecommunications, and has largely focused its operations within the Middle East. FireEye assesses that the group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests. APT34 loosely aligns with public reporting related to OilRig, but may not wholly align due to companies tracking threat groups in different ways. Note that this entry carries a revoked-by relationship in this dataset, i.e. it has been superseded by another group entry; consumers correlating detections or intelligence should resolve it to that successor rather than treating APT34 as a separately tracked group. 
(Citation: FireEye APT34 Dec 2017)", "meta": { "external_id": "G0057", "refs": [ "https://attack.mitre.org/groups/G0057" ] }, "related": [ { "dest-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", "type": "revoked-by" }, { "dest-uuid": "73a521f6-3bc7-11e8-9e30-df7c90e50dda", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" } ], "uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", "value": "APT34 - G0057" }, { "description": "[Group5](https://attack.mitre.org/groups/G0043) is a threat group with a suspected Iranian nexus, though this attribution is not definite. The group has targeted individuals connected to the Syrian opposition via spearphishing and watering holes, normally using Syrian and Iranian themes. [Group5](https://attack.mitre.org/groups/G0043) has used two commonly available remote access tools (RATs), [njRAT](https://attack.mitre.org/software/S0385) and [NanoCore](https://attack.mitre.org/software/S0336), as well as an Android RAT, DroidJack. 
(Citation: Citizen Lab Group5)", "meta": { "external_id": "G0043", "refs": [ "https://attack.mitre.org/groups/G0043", "https://citizenlab.ca/2016/08/group5-syria/" ], "synonyms": [ "Group5" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "b4d80f8b-d2b9-4448-8844-4bef777ed676", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "d906e6f7-434c-44c0-b51a-ed50af8f7945", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" } ], "uuid": "7331c66a-5601-4d3f-acf6-ad9e3035eb40", "value": "Group5 - G0043" }, { "description": "[FIN5](https://attack.mitre.org/groups/G0053) is a financially motivated threat group that has targeted personally identifiable information and payment card information. The group has been active since at least 2008 and has targeted the restaurant, gaming, and hotel industries. The group is made up of actors who likely speak Russian. 
(Citation: FireEye Respond Webinar July 2017) (Citation: Mandiant FIN5 GrrCON Oct 2016) (Citation: DarkReading FireEye FIN5 Oct 2015)", "meta": { "external_id": "G0053", "refs": [ "https://attack.mitre.org/groups/G0053", "https://www.darkreading.com/analytics/prolific-cybercrime-gang-favors-legit-login-credentials/d/d-id/1322645?", "https://www.youtube.com/watch?v=fevGZs0EQu8", "https://www2.fireeye.com/WBNR-Are-you-ready-to-respond.html" ], "synonyms": [ "FIN5" ] }, "related": [ { "dest-uuid": "0e18b800-906c-4e44-a143-b11c72b3448b", "type": "uses" }, { "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "242f3da3-4425-4d11-8f5c-b842886da966", "type": "uses" }, { "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", "type": "uses" }, { "dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2", "type": "uses" }, { "dest-uuid": "69b8fd78-40e8-4600-ae4d-662c9d7afdb3", "type": "uses" }, { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "type": "uses" }, { "dest-uuid": "9752aef4-a1f3-4328-929f-b64eb0536090", "type": "uses" }, { "dest-uuid": "9de2308e-7bed-43a3-8e58-f194b3586700", "type": "uses" }, { "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "type": "uses" }, { "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", "type": "uses" }, { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "d8d19e33-94fd-4aa3-b94a-08ee801a2153", "type": "uses" }, { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "type": "uses" }, { "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", "type": "uses" }, { "dest-uuid": "0e18b800-906c-4e44-a143-b11c72b3448b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" } ], "uuid": "85403903-15e0-4f9f-9be4-a259ecad4022", "value": "FIN5 - G0053" }, { "description": 
"[Dragonfly](https://attack.mitre.org/groups/G0035) is a cyber espionage group that has been attributed to Russia's Federal Security Service (FSB) Center 16.(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB Factsheet April 2022) Active since at least 2010, [Dragonfly](https://attack.mitre.org/groups/G0035) has targeted defense and aviation companies, government entities, companies related to industrial control systems, and critical infrastructure sectors worldwide through supply chain, spearphishing, and drive-by compromise attacks.(Citation: Symantec Dragonfly)(Citation: Secureworks IRON LIBERTY July 2019)(Citation: Symantec Dragonfly Sept 2017)(Citation: Fortune Dragonfly 2.0 Sept 2017)(Citation: Gigamon Berserk Bear October 2021)(Citation: CISA AA20-296A Berserk Bear December 2020)(Citation: Symantec Dragonfly 2.0 October 2017)", "meta": { "external_id": "G0035", "refs": [ "http://fortune.com/2017/09/06/hack-energy-grid-symantec/", "https://attack.mitre.org/groups/G0035", "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7382dce7-0260-4782-84cc-890971ed3f17&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments", "https://docs.broadcom.com/doc/dragonfly_threat_against_western_energy_suppliers", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks", "https://vblocalhost.com/uploads/VB2021-Slowik.pdf", "https://www.cisa.gov/uscert/ncas/alerts/aa20-296a#revisions", "https://www.dragos.com/threat/dymalloy/", "https://www.gov.uk/government/publications/russias-fsb-malign-cyber-activity-factsheet/russias-fsb-malign-activity-factsheet", "https://www.justice.gov/opa/pr/four-russian-government-employees-charged-two-historical-hacking-campaigns-targeting-critical", "https://www.mandiant.com/resources/ukraine-crisis-cyber-threats", "https://www.secureworks.com/research/mcmd-malware-analysis", 
"https://www.secureworks.com/research/resurgent-iron-liberty-targeting-energy-sector", "https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector" ], "synonyms": [ "Dragonfly", "TEMP.Isotope", "DYMALLOY", "Berserk Bear", "TG-4192", "Crouching Yeti", "IRON LIBERTY", "Energetic Bear" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "083bb47b-02c8-4423-81a2-f9ef58572974", "type": "uses" }, { "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", "type": "uses" }, { "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "1d24cdee-9ea2-4189-b08e-af110bf2435d", "type": "uses" }, { "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc", "type": "uses" }, { "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "26c87906-d750-42c5-946c-d4162c73fc7b", "type": "uses" }, { "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c", "type": "uses" }, { "dest-uuid": "2d3f5b3c-54ca-4f4d-bb1f-849346d31230", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "31fe0ba2-62fd-4fd9-9293-4043d84f7fe9", "type": "uses" }, { "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "type": "uses" }, { "dest-uuid": "40f5caa0-4cb7-4117-89fc-d421bb493df3", "type": "uses" }, { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "type": "uses" }, { "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", "type": 
"uses" }, { "dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a", "type": "uses" }, { "dest-uuid": "5502c4e9-24ef-4d5f-8ee9-9e906c2f82c4", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "5a63f900-5e7e-4928-a746-dd4558e1df71", "type": "uses" }, { "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", "type": "uses" }, { "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762", "type": "uses" }, { "dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2", "type": "uses" }, { "dest-uuid": "64d6559c-6d5c-4585-bbf9-c17868f763ee", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "6ee2dc99-91ad-4534-a7d8-a649358c331f", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "type": "uses" }, { "dest-uuid": "79da0971-3147-4af6-a4f5-e8cd447cd795", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "82cb34ba-02b5-432b-b2d2-07f55cbf674d", "type": "uses" }, { "dest-uuid": "8982a661-d84c-48c0-b4ec-1db29c6cf3bc", "type": "uses" }, { "dest-uuid": "8c4aef43-48d5-49aa-b2af-c0cd58d30c3d", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "975737f1-b10d-476f-8bda-3ec26ea57172", "type": "uses" }, { "dest-uuid": "9a60a291-8960-4387-8a4a-2ab5c18bb50b", "type": "uses" }, { "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", "type": "uses" }, { "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "type": "uses" }, { "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", "type": "uses" }, { "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", "type": "uses" }, { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "type": "uses" }, { "dest-uuid": 
"b4694861-542c-48ea-9eb1-10d356e7140a", "type": "uses" }, { "dest-uuid": "b77cf5f3-6060-475d-bd60-40ccbf28fdc2", "type": "uses" }, { "dest-uuid": "bd369cd9-abb8-41ce-b5bb-fff23ee86c00", "type": "uses" }, { "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "c4810609-7da6-48ec-8057-1b70a7814db0", "type": "uses" }, { "dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1", "type": "uses" }, { "dest-uuid": "cde2d700-9ed1-46cf-9bce-07364fe8b24f", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", "type": "uses" }, { "dest-uuid": "dc31fe1e-d722-49da-8f5f-92c7b5aff534", "type": "uses" }, { "dest-uuid": "e196b5c5-8118-4a1c-ab8a-936586ce3db5", "type": "uses" }, { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", "type": "uses" }, { "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", "type": "uses" }, { "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", "type": "uses" }, { "dest-uuid": "64d6559c-6d5c-4585-bbf9-c17868f763ee", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "82cb34ba-02b5-432b-b2d2-07f55cbf674d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" } ], "uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", "value": "Dragonfly - G0035" }, { "description": "[APT37](https://attack.mitre.org/groups/G0067) is a North Korean state-sponsored cyber espionage group that has been active since at least 2012. 
The group has targeted victims primarily in South Korea, but also in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East. [APT37](https://attack.mitre.org/groups/G0067) has also been linked to the following campaigns between 2016-2018: Operation Daybreak, Operation Erebus, Golden Time, Evil New Year, Are you Happy?, FreeMilk, North Korean Human Rights, and Evil New Year 2018.(Citation: FireEye APT37 Feb 2018)(Citation: Securelist ScarCruft Jun 2016)(Citation: Talos Group123)\n\nNorth Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://attack.mitre.org/groups/G0032) instead of tracking clusters or subgroups.", "meta": { "external_id": "G0067", "refs": [ "https://attack.mitre.org/groups/G0067", "https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html", "https://securelist.com/operation-daybreak/75100/", "https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/", "https://www.crowdstrike.com/adversaries/ricochet-chollima/", "https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/", "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf" ], "synonyms": [ "APT37", "InkySquid", "ScarCruft", "Reaper", "Group123", "TEMP.Reaper", "Ricochet Chollima" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "0852567d-7958-4f4b-8947-4f840ec8d57d", "type": "uses" }, { "dest-uuid": "0af0ca99-357d-4ba1-805f-674fdfb7bef9", "type": "uses" }, { "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", "type": "uses" }, { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "type": "uses" }, { "dest-uuid": "211cfe9f-2676-4e1c-a5f5-2c8091da2a68", "type": "uses" }, { "dest-uuid": 
"232a7e42-cd6e-4902-8fe9-2960f529dd4d", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3c02fb1f-cbdb-48f5-abaf-8c81d6e0c322", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "414dc555-c79e-4b24-a2da-9b607f7eaf16", "type": "uses" }, { "dest-uuid": "4189a679-72ed-4a89-a57c-7f689712ecf8", "type": "uses" }, { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "type": "uses" }, { "dest-uuid": "49abab73-3c5c-476e-afd5-69b5c732d845", "type": "uses" }, { "dest-uuid": "50cd027f-df14-40b2-aa22-bf5de5061163", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "53a42597-1974-4b8e-84fd-3675e8992053", "type": "uses" }, { "dest-uuid": "53d47b09-09c2-4015-8d37-6633ecd53f79", "type": "uses" }, { "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", "type": "uses" }, { "dest-uuid": "60a9c2f0-b7a5-4e8e-959c-e1a3ff314a5f", "type": "uses" }, { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "type": "uses" }, { "dest-uuid": "8ab98e25-1672-4b5f-a2fb-e60f08a5ea9e", "type": "uses" }, { "dest-uuid": "8bd47506-29ae-44ea-a5c1-c57e8a1ab6b0", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "96c3508e-f5f9-52b4-9d1e-b246d68f643d", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "a2282af0-f9dd-4373-9b92-eaf9e11e0c71", "type": "uses" }, { "dest-uuid": "a7881f21-e978-4fe4-af56-92c9416a2616", "type": "uses" }, { "dest-uuid": 
"b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "b4b7458f-81f2-4d38-84be-1c5ba0167a52", "type": "uses" }, { "dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4", "type": "uses" }, { "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "type": "uses" }, { "dest-uuid": "c2e147a9-d1a8-4074-811a-d8789202d916", "type": "uses" }, { "dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "ff73aa03-0090-4464-83ac-f89e233c02bc", "type": "uses" }, { "dest-uuid": "bb446dc2-4fee-4212-8b2c-3ffa2917e338", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "50cd027f-df14-40b2-aa22-bf5de5061163", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" } ], "uuid": "4a2ce82e-1a74-468a-a6fb-bbead541383c", "value": "APT37 - G0067" }, { "description": "[FIN6](https://attack.mitre.org/groups/G0037) is a cyber crime group that has stolen payment card data and sold it for profit on underground marketplaces. 
This group has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors.(Citation: FireEye FIN6 April 2016)(Citation: FireEye FIN6 Apr 2019)", "meta": { "external_id": "G0037", "refs": [ "https://attack.mitre.org/groups/G0037", "https://crowdstrike.lookbookhq.com/global-threat-report-2018-web/cs-2018-global-threat-report", "https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/", "https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/", "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html", "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf" ], "synonyms": [ "FIN6", "Magecart Group 6", "ITG08", "Skeleton Spider" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", "type": "uses" }, { "dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b", "type": "uses" }, { "dest-uuid": "1cdbbcab-903a-414d-8eb0-439a97343737", "type": "uses" }, { "dest-uuid": "1d24cdee-9ea2-4189-b08e-af110bf2435d", "type": "uses" }, { "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "242f3da3-4425-4d11-8f5c-b842886da966", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", "type": "uses" }, { "dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082", "type": "uses" }, { "dest-uuid": "359b00ad-9425-420b-bba5-6de8d600cbc0", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0", "type": "uses" }, { "dest-uuid": "432555de-63bf-4f2a-a3fa-f720a4561078", "type": "uses" }, { 
"dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", "type": "uses" }, { "dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a", "type": "uses" }, { "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", "type": "uses" }, { "dest-uuid": "5af7a825-2d9f-400d-931a-e00eb9e27f48", "type": "uses" }, { "dest-uuid": "647894f6-1723-4cba-aba4-0ef0966d5302", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "type": "uses" }, { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "type": "uses" }, { "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", "type": "uses" }, { "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "a020a61c-423f-4195-8c46-ba1d21abba37", "type": "uses" }, { "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "type": "uses" }, { "dest-uuid": "a7881f21-e978-4fe4-af56-92c9416a2616", "type": "uses" }, { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "type": "uses" }, { "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", "type": "uses" }, { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "type": "uses" }, { "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", "type": "uses" }, { "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", "type": "uses" }, { "dest-uuid": "bfd2738c-8b43-43c3-bc9f-d523c8e88bf4", "type": "uses" }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" }, { "dest-uuid": "c9b99d03-ff11-4a48-95f0-82660d582c25", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d28ef391-8ed4-45dc-bc4a-2f43abf54416", "type": "uses" }, { "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": 
"d9f7383c-95ec-4080-bbce-121c9384457b", "type": "uses" }, { "dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48", "type": "uses" }, { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "type": "uses" }, { "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", "type": "uses" }, { "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", "type": "uses" }, { "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", "type": "uses" }, { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "type": "uses" }, { "dest-uuid": "f59508a6-3615-47c3-b493-6676e1a39a87", "type": "uses" }, { "dest-uuid": "f6ad61ee-65f3-4bd0-a3f5-2f0accb36317", "type": "uses" }, { "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b", "type": "uses" }, { "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", "type": "uses" }, { "dest-uuid": "647894f6-1723-4cba-aba4-0ef0966d5302", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" } ], "uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb", "value": "FIN6 - G0037" }, { "description": "[GCMAN](https://attack.mitre.org/groups/G0036) is a threat group that focuses on targeting banks for the purpose of transferring money to e-currency services. 
(Citation: Securelist GCMAN)", "meta": { "external_id": "G0036", "refs": [ "https://attack.mitre.org/groups/G0036", "https://securelist.com/apt-style-bank-robberies-increase-with-metel-gcman-and-carbanak-2-0-attacks/73638/" ], "synonyms": [ "GCMAN" ] }, "related": [ { "dest-uuid": "01327cde-66c4-4123-bf34-5f258d59457b", "type": "uses" }, { "dest-uuid": "2db31dcd-54da-405d-acef-b9129b816ed6", "type": "uses" }, { "dest-uuid": "d93889de-b4bc-4a29-9ce7-d67717c140a0", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "d93889de-b4bc-4a29-9ce7-d67717c140a0", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" } ], "uuid": "0ea72cd5-ca30-46ba-bc04-378f701c658f", "value": "GCMAN - G0036" }, { "description": "[BlackOasis](https://attack.mitre.org/groups/G0063) is a Middle Eastern threat group that is believed to be a customer of Gamma Group, the vendor of the FinFisher commercial surveillance suite. The group, which has been reported leveraging zero-day exploits in targeted attacks, has shown interest in prominent figures in the United Nations, as well as opposition bloggers, activists, regional news correspondents, and think tanks. (Citation: Securelist BlackOasis Oct 2017) (Citation: Securelist APT Trends Q2 2017) A group known by Microsoft as [NEODYMIUM](https://attack.mitre.org/groups/G0055) is reportedly associated closely with [BlackOasis](https://attack.mitre.org/groups/G0063) operations, but evidence that the group names are aliases has not been identified. 
(Citation: CyberScoop BlackOasis Oct 2017)", "meta": { "external_id": "G0063", "refs": [ "https://attack.mitre.org/groups/G0063", "https://securelist.com/apt-trends-report-q2-2017/79332/", "https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/", "https://www.cyberscoop.com/middle-eastern-hacking-group-using-finfisher-malware-conduct-international-espionage/" ], "synonyms": [ "BlackOasis" ] }, "related": [ { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" } ], "uuid": "da49b9f1-ca99-443f-9728-0a074db66850", "value": "BlackOasis - G0063" }, { "description": "[APT39](https://attack.mitre.org/groups/G0087) is one of several names for cyber espionage activity conducted by the Iranian Ministry of Intelligence and Security (MOIS) through the front company Rana Intelligence Computing since at least 2014. [APT39](https://attack.mitre.org/groups/G0087) has primarily targeted the travel, hospitality, academic, and telecommunications industries in Iran and across Asia, Africa, Europe, and North America to track individuals and entities considered to be a threat by the MOIS.(Citation: FireEye APT39 Jan 2019)(Citation: Symantec Chafer Dec 2015)(Citation: FBI FLASH APT39 September 2020)(Citation: Dept. 
of Treasury Iran Sanctions September 2020)(Citation: DOJ Iran Indictments September 2020)", "meta": { "external_id": "G0087", "refs": [ "https://attack.mitre.org/groups/G0087", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://home.treasury.gov/news/press-releases/sm1127", "https://www.darkreading.com/attacks-breaches/iran-ups-its-traditional-cyber-espionage-tradecraft/d/d-id/1333764", "https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html", "https://www.iranwatch.org/sites/default/files/public-intelligence-alert.pdf", "https://www.justice.gov/opa/pr/department-justice-and-partner-departments-and-agencies-conduct-coordinated-actions-disrupt", "https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets" ], "synonyms": [ "APT39", "ITG07", "Chafer", "Remix Kitten" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", "type": "uses" }, { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "type": "uses" }, { "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "242f3da3-4425-4d11-8f5c-b842886da966", "type": "uses" }, { "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", "type": "uses" }, { "dest-uuid": "2db31dcd-54da-405d-acef-b9129b816ed6", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { 
"dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", "type": "uses" }, { "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "type": "uses" }, { "dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0", "type": "uses" }, { "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", "type": "uses" }, { "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", "type": "uses" }, { "dest-uuid": "565275d5-fcc3-4b66-b4e7-928e4cac6b8c", "type": "uses" }, { "dest-uuid": "56f46b17-8cfa-46c0-b501-dd52fef394e2", "type": "uses" }, { "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", "type": "uses" }, { "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762", "type": "uses" }, { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "type": "uses" }, { "dest-uuid": "69b8fd78-40e8-4600-ae4d-662c9d7afdb3", "type": "uses" }, { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "9de2308e-7bed-43a3-8e58-f194b3586700", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "type": "uses" }, { "dest-uuid": "a705b085-1eae-455e-8f4d-842483d814eb", "type": "uses" }, { "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", "type": "uses" }, { "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", "type": "uses" }, { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "b63970b7-ddfb-4aee-97b1-80d335e033a8", "type": "uses" }, { "dest-uuid": 
"bb5a00de-e086-4859-a231-fa793f6797e2", "type": "uses" }, { "dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "c4810609-7da6-48ec-8057-1b70a7814db0", "type": "uses" }, { "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", "type": "uses" }, { "dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1", "type": "uses" }, { "dest-uuid": "cc89ecbd-3d33-4a41-bcca-001e702d18fd", "type": "uses" }, { "dest-uuid": "cf23bf4a-e003-4116-bbae-1ea6c558d565", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "dfa03c7d-79ed-4ce2-b9d1-ddc9dbf56ad2", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "type": "uses" }, { "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", "type": "uses" }, { "dest-uuid": "ecc2f65a-b452-4eaf-9689-7e181f17f7a5", "type": "uses" }, { "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", "type": "uses" }, { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "type": "uses" }, { "dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755", "type": "uses" }, { "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", "type": "uses" } ], "uuid": "44e43fad-ffcb-4210-abcf-eaaed9735f80", "value": "APT39 - G0087" }, { "description": "[SilverTerrier](https://attack.mitre.org/groups/G0083) is a Nigerian threat group that has been seen active since 2014. 
[SilverTerrier](https://attack.mitre.org/groups/G0083), whose activity is associated with business email compromise (BEC), mainly targets organizations in high technology, higher education, and manufacturing.(Citation: Unit42 SilverTerrier 2018)(Citation: Unit42 SilverTerrier 2016)", "meta": { "external_id": "G0083", "refs": [ "https://attack.mitre.org/groups/G0083", "https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/whitepapers/unit42-silverterrier-rise-of-nigerian-business-email-compromise", "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/silverterrier-next-evolution-in-nigerian-cybercrime.pdf" ], "synonyms": [ "SilverTerrier" ] }, "related": [ { "dest-uuid": "2a70812b-f1ef-44db-8578-a496a227aef2", "type": "uses" }, { "dest-uuid": "53ab35c2-d00e-491a-8753-41d35ae7e547", "type": "uses" }, { "dest-uuid": "54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b", "type": "uses" }, { "dest-uuid": "851e071f-208d-4c79-adc6-5974c85c78f3", "type": "uses" }, { "dest-uuid": "9a60a291-8960-4387-8a4a-2ab5c18bb50b", "type": "uses" }, { "dest-uuid": "b4d80f8b-d2b9-4448-8844-4bef777ed676", "type": "uses" }, { "dest-uuid": "cb741463-f0fe-42e0-8d45-bc7e8335f5ae", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e7a5229f-05eb-440e-b982-9a6d2b2b87c8", "type": "uses" } ], "uuid": "76565741-3452-4069-ab08-80c0ea95bbeb", "value": "SilverTerrier - G0083" }, { "description": "[GALLIUM](https://attack.mitre.org/groups/G0093) is a cyberespionage group that has been active since at least 2012, primarily targeting telecommunications companies, financial institutions, and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam. 
Security researchers have identified [GALLIUM](https://attack.mitre.org/groups/G0093) as a likely Chinese state-sponsored group, based in part on tools used and TTPs commonly associated with Chinese threat actors.(Citation: Cybereason Soft Cell June 2019)(Citation: Microsoft GALLIUM December 2019)(Citation: Unit 42 PingPull Jun 2022)", "meta": { "external_id": "G0093", "refs": [ "https://attack.mitre.org/groups/G0093", "https://unit42.paloaltonetworks.com/pingpull-gallium/", "https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers", "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/" ], "synonyms": [ "GALLIUM", "Operation Soft Cell" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", "type": "uses" }, { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "0c8465c0-d0b4-4670-992e-4eee8d7ff952", "type": "uses" }, { "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", "type": "uses" }, { "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "242f3da3-4425-4d11-8f5c-b842886da966", "type": "uses" }, { "dest-uuid": "294e2560-bd48-44b2-9da2-833b5588ad11", "type": "uses" }, { "dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082", "type": "uses" }, { "dest-uuid": "3a0f6128-0a01-421d-8eca-e57d8671b1f1", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "type": "uses" }, { "dest-uuid": "5a3a31fe-5a8f-48e1-bff0-a753e5b1be70", "type": "uses" }, { "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", "type": "uses" }, { 
"dest-uuid": "60c4b628-4807-4b0b-bbf5-fdac8643c337", "type": "uses" }, { "dest-uuid": "63c4511b-2d6e-4bb2-b582-e2e99a8a467d", "type": "uses" }, { "dest-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd", "type": "uses" }, { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "type": "uses" }, { "dest-uuid": "69b8fd78-40e8-4600-ae4d-662c9d7afdb3", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7610cada-1499-41a4-b3dd-46467b68d177", "type": "uses" }, { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "type": "uses" }, { "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", "type": "uses" }, { "dest-uuid": "b0533c6e-8fea-4788-874f-b799cacc4b92", "type": "uses" }, { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "b42378e0-f147-496f-992a-26a49705395b", "type": "uses" }, { "dest-uuid": "b63970b7-ddfb-4aee-97b1-80d335e033a8", "type": "uses" }, { "dest-uuid": "b77b563c-34bb-4fb8-86a3-3694338f7b47", "type": "uses" }, { "dest-uuid": "bba595da-b73a-4354-aa6c-224d4de7cb4e", "type": "uses" }, { "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", "type": "uses" }, { "dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5", "type": "uses" }, { "dest-uuid": "cde2d700-9ed1-46cf-9bce-07364fe8b24f", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d5e96a35-7b0b-4c6a-9533-d63ecbda563e", "type": "uses" }, { "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "type": "uses" }, { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "type": "uses" }, { "dest-uuid": "e624264c-033a-424d-9fd7-fc9c3bbdb03e", "type": "uses" }, { "dest-uuid": 
"e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", "type": "uses" } ], "uuid": "06a11b7e-2a36-47fe-8d3e-82c265df3258", "value": "GALLIUM - G0093" }, { "description": "[Suckfly](https://attack.mitre.org/groups/G0039) is a China-based threat group that has been active since at least 2014; it has been reported targeting Indian organizations and abusing stolen code-signing certificates. (Citation: Symantec Suckfly March 2016)", "meta": { "external_id": "G0039", "refs": [ "http://www.symantec.com/connect/blogs/indian-organizations-targeted-suckfly-attacks", "http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates", "https://attack.mitre.org/groups/G0039" ], "synonyms": [ "Suckfly" ] }, "related": [ { "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "type": "uses" }, { "dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082", "type": "uses" }, { "dest-uuid": "5abb12e7-5066-4f84-a109-49a037205c76", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "9e9b9415-a7df-406b-b14d-92bfe6809fbe", "type": "uses" }, { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", "type": "uses" }, { "dest-uuid": "5abb12e7-5066-4f84-a109-49a037205c76", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" } ], "uuid": "5cbe0d3b-6fb1-471f-b591-4b192915116d", "value": "Suckfly - G0039" }, { "description": "[FIN4](https://attack.mitre.org/groups/G0085) is a financially-motivated threat group that has targeted confidential information related to the public financial market, particularly regarding healthcare and pharmaceutical companies, since 
at least 2013.(Citation: FireEye Hacking FIN4 Dec 2014)(Citation: FireEye FIN4 Stealing Insider NOV 2014) [FIN4](https://attack.mitre.org/groups/G0085) is notable in that it does not deploy typical persistent malware on victim systems; instead it focuses on capturing credentials that grant access to email and other non-public correspondence.(Citation: FireEye Hacking FIN4 Dec 2014)(Citation: FireEye Hacking FIN4 Video Dec 2014)", "meta": { "external_id": "G0085", "refs": [ "https://attack.mitre.org/groups/G0085", "https://www.fireeye.com/blog/threat-research/2014/11/fin4_stealing_insid.html", "https://www.mandiant.com/sites/default/files/2021-09/rpt-fin4.pdf", "https://www2.fireeye.com/WBNR-14Q4NAMFIN4.html" ], "synonyms": [ "FIN4" ] }, "related": [ { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "0cf55441-b176-4332-89e7-2c4c7799d0ff", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "a2029942-0a85-4947-b23c-ca434698171d", "type": "uses" }, { "dest-uuid": "a782ebe2-daba-42c7-bc82-e8e9d923162d", "type": "uses" }, { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "type": "uses" }, { "dest-uuid": "b4694861-542c-48ea-9eb1-10d356e7140a", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", "type": "uses" } ], "uuid": "d0b3393b-3bec-4ba3-bda9-199d30db47b6", "value": "FIN4 - G0085" }, { "description": "[menuPass](https://attack.mitre.org/groups/G0045) is a threat group that has been active since at least 2006. 
Individual members of [menuPass](https://attack.mitre.org/groups/G0045) are known to have acted in association with the Chinese Ministry of State Security's (MSS) Tianjin State Security Bureau and worked for the Huaying Haitai Science and Technology Development Company.(Citation: DOJ APT10 Dec 2018)(Citation: District Court of NY APT10 Indictment December 2018)\n\n[menuPass](https://attack.mitre.org/groups/G0045) has targeted healthcare, defense, aerospace, finance, maritime, biotechnology, energy, and government sectors globally, with an emphasis on Japanese organizations. In 2016 and 2017, the group is known to have targeted managed IT service providers (MSPs), manufacturing and mining companies, and a university.(Citation: Palo Alto menuPass Feb 2017)(Citation: Crowdstrike CrowdCast Oct 2013)(Citation: FireEye Poison Ivy)(Citation: PWC Cloud Hopper April 2017)(Citation: FireEye APT10 April 2017)(Citation: DOJ APT10 Dec 2018)(Citation: District Court of NY APT10 Indictment December 2018)", "meta": { "external_id": "G0045", "refs": [ "http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/", "http://web.archive.org/web/20220810112638/https:/www.accenture.com/t20180423T055005Z_w_/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf", "https://attack.mitre.org/groups/G0045", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage", "https://web.archive.org/web/20220224041316/https:/www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf", "https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html", "https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html", "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf", "https://www.justice.gov/opa/page/file/1122671/download", 
"https://www.justice.gov/opa/pr/two-chinese-hackers-associated-ministry-state-security-charged-global-computer-intrusion", "https://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem" ], "synonyms": [ "menuPass", "Cicada", "POTASSIUM", "Stone Panda", "APT10", "Red Apollo", "CVNX", "HOGFISH" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", "type": "uses" }, { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "0a68f1f1-da74-4d28-8d9a-696c082706cc", "type": "uses" }, { "dest-uuid": "13cd9151-83b7-410d-9f98-25d0f0d1d80d", "type": "uses" }, { "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", "type": "uses" }, { "dest-uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc", "type": "uses" }, { "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "26c87906-d750-42c5-946c-d4162c73fc7b", "type": "uses" }, { "dest-uuid": "292eb0c5-b8e8-4af6-9e8f-0fda6b4528d3", "type": "uses" }, { "dest-uuid": "29ba5a15-3b7b-4732-b817-65ea8f6468e6", "type": "uses" }, { "dest-uuid": "2cd950a6-16c4-404a-aa01-044322395107", "type": "uses" }, { "dest-uuid": "2db31dcd-54da-405d-acef-b9129b816ed6", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "2f1a9fd0-3b7c-4d77-a358-78db13adbe78", "type": "uses" }, { "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", "type": "uses" }, { "dest-uuid": 
"30208d3e-0d6b-43c8-883e-44462a514619", "type": "uses" }, { "dest-uuid": "3240cbe4-c550-443b-aa76-cc2a7058b870", "type": "uses" }, { "dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082", "type": "uses" }, { "dest-uuid": "359b00ad-9425-420b-bba5-6de8d600cbc0", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3aef9463-9a7a-43ba-8957-a867e07c1e6a", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "type": "uses" }, { "dest-uuid": "40f5caa0-4cb7-4117-89fc-d421bb493df3", "type": "uses" }, { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "type": "uses" }, { "dest-uuid": "434ba392-ebdc-488b-b1ef-518deea65774", "type": "uses" }, { "dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a", "type": "uses" }, { "dest-uuid": "56b37b05-72e7-4a89-ba8a-61ce45269a8c", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd", "type": "uses" }, { "dest-uuid": "69b8fd78-40e8-4600-ae4d-662c9d7afdb3", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "7c58fff0-d206-4db1-96b1-e3a9e0e320b9", "type": "uses" }, { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "type": "uses" }, { "dest-uuid": "94d6d788-07bb-4dcc-b62f-e02626b00108", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", "type": "uses" }, { "dest-uuid": "9de2308e-7bed-43a3-8e58-f194b3586700", "type": "uses" }, { "dest-uuid": "9fa07bef-9c81-421e-a8e5-ad4366c5a925", "type": "uses" }, { "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "type": "uses" }, { "dest-uuid": 
"a7881f21-e978-4fe4-af56-92c9416a2616", "type": "uses" }, { "dest-uuid": "ae676644-d2d2-41b7-af7e-9bed1b55898c", "type": "uses" }, { "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", "type": "uses" }, { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "type": "uses" }, { "dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "b42378e0-f147-496f-992a-26a49705395b", "type": "uses" }, { "dest-uuid": "b77b563c-34bb-4fb8-86a3-3694338f7b47", "type": "uses" }, { "dest-uuid": "bba595da-b73a-4354-aa6c-224d4de7cb4e", "type": "uses" }, { "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", "type": "uses" }, { "dest-uuid": "c256da91-6dd5-40b2-beeb-ee3b22ab3d27", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "da04ac30-27da-4959-a67d-450ce47d9470", "type": "uses" }, { "dest-uuid": "dc5d1a33-62aa-4a0c-aa8c-589b87beb11e", "type": "uses" }, { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "type": "uses" }, { "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", "type": "uses" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", "type": "uses" }, { "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", "type": "uses" }, { "dest-uuid": "f59508a6-3615-47c3-b493-6676e1a39a87", "type": "uses" }, { "dest-uuid": "fb4e3792-e915-4fdd-a9cd-92dfa2ace7aa", "type": "uses" }, { "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", "type": "uses" }, { "dest-uuid": "56b37b05-72e7-4a89-ba8a-61ce45269a8c", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "tags": [ 
"estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" } ], "uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", "value": "menuPass - G0045" }, { "description": "[Sowbug](https://attack.mitre.org/groups/G0054) is a threat group that has conducted targeted attacks against organizations in South America and Southeast Asia, particularly government entities, since at least 2015. (Citation: Symantec Sowbug Nov 2017)", "meta": { "external_id": "G0054", "refs": [ "https://attack.mitre.org/groups/G0054", "https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments" ], "synonyms": [ "Sowbug" ] }, "related": [ { "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "type": "uses" }, { "dest-uuid": "196f1f32-e0c2-4d46-99cd-234d4b6befe1", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "1ca3b039-404e-4132-88c2-4e41235cd2f5", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "96566860-9f11-4b6f-964d-1c924e4f24a4", "type": "uses" }, { "dest-uuid": "ae676644-d2d2-41b7-af7e-9bed1b55898c", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "1ca3b039-404e-4132-88c2-4e41235cd2f5", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" } ], "uuid": "d1acfbb3-647b-4723-9154-800ec119006e", "value": 
"Sowbug - G0054" }, { "description": "[FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has been active since 2013. [FIN7](https://attack.mitre.org/groups/G0046) has primarily targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media, food and beverage, transportation, and utilities industries in the U.S. A portion of [FIN7](https://attack.mitre.org/groups/G0046) was run out of a front company called Combi Security and often used point-of-sale malware for targeting efforts. Since 2020, [FIN7](https://attack.mitre.org/groups/G0046) has shifted operations to a big game hunting (BGH) approach including use of [REvil](https://attack.mitre.org/software/S0496) ransomware and their own Ransomware as a Service (RaaS), Darkside. FIN7 may be linked to the [Carbanak](https://attack.mitre.org/groups/G0008) Group, but there appear to be several groups using [Carbanak](https://attack.mitre.org/software/S0030) malware, and they are therefore tracked separately.(Citation: FireEye FIN7 March 2017)(Citation: FireEye FIN7 April 2017)(Citation: FireEye CARBANAK June 2017)(Citation: FireEye FIN7 Aug 2018)(Citation: CrowdStrike Carbon Spider August 2021)(Citation: Mandiant FIN7 Apr 2022)", "meta": { "external_id": "G0046", "refs": [ "http://blog.morphisec.com/fin7-attacks-restaurant-industry", "https://attack.mitre.org/groups/G0046", "https://securityintelligence.com/posts/ransomware-2020-attack-trends-new-techniques-affecting-organizations-worldwide/", "https://web.archive.org/web/20180808125108/https:/www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html", "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/", "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html", "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html", 
"https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html", "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html", "https://www.mandiant.com/resources/evolution-of-fin7", "https://www.secureworks.com/research/threat-profiles/gold-niagara" ], "synonyms": [ "FIN7", "GOLD NIAGARA", "ITG14", "Carbon Spider" ] }, "related": [ { "dest-uuid": "00220228-a5a4-4032-a30d-826bb55aa3fb", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "01327cde-66c4-4123-bf34-5f258d59457b", "type": "uses" }, { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, { "dest-uuid": "04fc1842-f9e4-47cf-8cb8-5c61becad142", "type": "uses" }, { "dest-uuid": "065196de-d7e8-4888-acfb-b2134022ba1b", "type": "uses" }, { "dest-uuid": "0ced8926-914e-4c78-bc93-356fb90dbd1f", "type": "uses" }, { "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", "type": "uses" }, { "dest-uuid": "13cd9151-83b7-410d-9f98-25d0f0d1d80d", "type": "uses" }, { "dest-uuid": "17e919aa-4a49-445c-b103-dbb8df9e7351", "type": "uses" }, { "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0", "type": "uses" }, { "dest-uuid": "232a7e42-cd6e-4902-8fe9-2960f529dd4d", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c", "type": "uses" }, { "dest-uuid": 
"2b742742-28c3-4e1b-bab7-8350d6300fa7", "type": "uses" }, { "dest-uuid": "2db31dcd-54da-405d-acef-b9129b816ed6", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "31fe0ba2-62fd-4fd9-9293-4043d84f7fe9", "type": "uses" }, { "dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082", "type": "uses" }, { "dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3ee16395-03f0-4690-a32e-69ce9ada0f9e", "type": "uses" }, { "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", "type": "uses" }, { "dest-uuid": "40f5caa0-4cb7-4117-89fc-d421bb493df3", "type": "uses" }, { "dest-uuid": "42fe883a-21ea-4cfb-b94a-78b6476dcc83", "type": "uses" }, { "dest-uuid": "4f6aa78c-c3d4-4883-9840-96ca2f5d6d47", "type": "uses" }, { "dest-uuid": "56d10a7f-bb42-4267-9b4c-63abb9c06010", "type": "uses" }, { "dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5", "type": "uses" }, { "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", "type": "uses" }, { "dest-uuid": "72f54d66-675d-4587-9bd3-4ed09f9522e4", "type": "uses" }, { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "type": "uses" }, { "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", "type": "uses" }, { "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", "type": "uses" }, { "dest-uuid": "88d31120-5bc7-4ce3-a9c0-7cf147be8e54", "type": "uses" }, { "dest-uuid": "8fc6c9e7-a162-4ca4-a488-f1819e9a7b06", "type": "uses" }, { "dest-uuid": "91541e7e-b969-40c6-bbd8-1b5352ec2938", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "type": "uses" }, { "dest-uuid": "a7881f21-e978-4fe4-af56-92c9416a2616", "type": "uses" }, { "dest-uuid": 
"ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", "type": "uses" }, { "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", "type": "uses" }, { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "type": "uses" }, { "dest-uuid": "b18eae87-b469-4e14-b454-b171b416bc18", "type": "uses" }, { "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", "type": "uses" }, { "dest-uuid": "bd369cd9-abb8-41ce-b5bb-fff23ee86c00", "type": "uses" }, { "dest-uuid": "bd7a9e13-69fa-4243-a5e5-04326a63f9f2", "type": "uses" }, { "dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4", "type": "uses" }, { "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b", "type": "uses" }, { "dest-uuid": "c4810609-7da6-48ec-8057-1b70a7814db0", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", "type": "uses" }, { "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", "type": "uses" }, { "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", "type": "uses" }, { "dest-uuid": "f2877f7f-9a4c-4251-879f-1224e3006bee", "type": "uses" }, { "dest-uuid": "f559f945-eb8b-48b1-904c-68568deebed3", "type": "uses" }, { "dest-uuid": "f59508a6-3615-47c3-b493-6676e1a39a87", "type": "uses" }, { "dest-uuid": "f74a5069-015d-4404-83ad-5ca01056c0dc", "type": "uses" }, { "dest-uuid": "00220228-a5a4-4032-a30d-826bb55aa3fb", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "55033a4d-3ffe-46b2-99b4-2c1541e9ce1c", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" } ], "uuid": 
"3753cc21-2dae-4dfb-8481-d004e74502cc", "value": "FIN7 - G0046" }, { "description": "[Gallmaker](https://attack.mitre.org/groups/G0084) is a cyberespionage group that has targeted victims in the Middle East and has been active since at least December 2017. The group has mainly targeted victims in the defense, military, and government sectors.(Citation: Symantec Gallmaker Oct 2018)", "meta": { "external_id": "G0084", "refs": [ "https://attack.mitre.org/groups/G0084", "https://www.symantec.com/blogs/threat-intelligence/gallmaker-attack-group" ], "synonyms": [ "Gallmaker" ] }, "related": [ { "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", "type": "uses" }, { "dest-uuid": "232a7e42-cd6e-4902-8fe9-2960f529dd4d", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" } ], "uuid": "2fd2be6a-d3a2-4a65-b499-05ea2693abee", "value": "Gallmaker - G0084" }, { "description": "[RTM](https://attack.mitre.org/groups/G0048) is a cybercriminal group that has been active since at least 2015 and is primarily interested in users of remote banking systems in Russia and neighboring countries. The group uses a Trojan by the same name ([RTM](https://attack.mitre.org/software/S0148)). 
(Citation: ESET RTM Feb 2017)", "meta": { "external_id": "G0048", "refs": [ "https://attack.mitre.org/groups/G0048", "https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf" ], "synonyms": [ "RTM" ] }, "related": [ { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", "type": "uses" }, { "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", "type": "uses" }, { "dest-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", "type": "uses" }, { "dest-uuid": "f7827069-0bf2-4764-af4f-23fae0d181b7", "type": "uses" }, { "dest-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" } ], "uuid": "c416b28c-103b-4df1-909e-78089a7e0e5f", "value": "RTM - G0048" }, { "description": "[Kimsuky](https://attack.mitre.org/groups/G0094) is a North Korea-based cyber espionage group that has been active since at least 2012. The group initially focused on targeting South Korean government entities, think tanks, and individuals identified as experts in various fields, and expanded its operations to include the United States, Russia, Europe, and the UN. [Kimsuky](https://attack.mitre.org/groups/G0094) has focused its intelligence collection activities on foreign policy and national security issues related to the Korean peninsula, nuclear policy, and sanctions.(Citation: EST Kimsuky April 2019)(Citation: BRI Kimsuky April 2019)(Citation: Cybereason Kimsuky November 2020)(Citation: Malwarebytes Kimsuky June 2021)(Citation: CISA AA20-301A Kimsuky)\n\n[Kimsuky](https://attack.mitre.org/groups/G0094) was assessed to be responsible for the 2014 Korea Hydro & Nuclear Power Co. 
compromise; other notable campaigns include Operation STOLEN PENCIL (2018), Operation Kabar Cobra (2019), and Operation Smoke Screen (2019).(Citation: Netscout Stolen Pencil Dec 2018)(Citation: EST Kimsuky SmokeScreen April 2019)(Citation: AhnLab Kimsuky Kabar Cobra Feb 2019)\n\nNorth Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://attack.mitre.org/groups/G0032) instead of tracking clusters or subgroups.", "meta": { "external_id": "G0094", "refs": [ "https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/", "https://attack.mitre.org/groups/G0094", "https://blog.alyac.co.kr/2234", "https://blog.alyac.co.kr/attachment/cfile5.uf@99A0CD415CB67E210DCEB3.pdf", "https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/", "https://brica.de/alerts/alert/public/1255063/kimsuky-unveils-apt-campaign-smoke-screen-aimed-at-korea-and-america/", "https://global.ahnlab.com/global/upload/download/techreport/%5BAnalysis_Report%5DOperation%20Kabar%20Cobra.pdf", "https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/", "https://threatconnect.com/blog/kimsuky-phishing-operations-putting-in-work/", "https://us-cert.cisa.gov/ncas/alerts/aa20-301a", "https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite", "https://www.zdnet.com/article/cyber-espionage-group-uses-chrome-extension-to-infect-victims/" ], "synonyms": [ "Kimsuky", "STOLEN PENCIL", "Thallium", "Black Banshee", "Velvet Chollima" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", "type": "uses" }, { "dest-uuid": "035bb001-ab69-4a0b-9f6c-2de8b09e1b9d", "type": "uses" }, { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, { "dest-uuid": 
"071d5d65-83ec-4a55-acfa-be7d5f28ba9a", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", "type": "uses" }, { "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", "type": "uses" }, { "dest-uuid": "143c0cbb-a297-4142-9624-87ffc778980b", "type": "uses" }, { "dest-uuid": "16cdd21f-da65-4e4f-bc04-dd7d198c7b26", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "28b97733-ef07-4414-aaa5-df50b2d30cc5", "type": "uses" }, { "dest-uuid": "295721d2-ee20-4fa3-ade3-37f4146b4570", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", "type": "uses" }, { "dest-uuid": "2d3f5b3c-54ca-4f4d-bb1f-849346d31230", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", "type": "uses" }, { "dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529", "type": "uses" }, { "dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "389735f1-f21c-4208-b8f0-f8031e7169b8", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "3dc8c101-d4db-4f4d-8150-1b5a76ca5f1b", "type": "uses" }, { "dest-uuid": "3ee16395-03f0-4690-a32e-69ce9ada0f9e", "type": "uses" }, { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "type": "uses" }, { "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", "type": "uses" }, { "dest-uuid": 
"40f5caa0-4cb7-4117-89fc-d421bb493df3", "type": "uses" }, { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "type": "uses" }, { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "type": "uses" }, { "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611", "type": "uses" }, { "dest-uuid": "5256c0f8-9108-4c92-8b09-482dfacdcd94", "type": "uses" }, { "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", "type": "uses" }, { "dest-uuid": "54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", "type": "uses" }, { "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", "type": "uses" }, { "dest-uuid": "60c4b628-4807-4b0b-bbf5-fdac8643c337", "type": "uses" }, { "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762", "type": "uses" }, { "dest-uuid": "65013dd2-bc61-43e3-afb5-a14c4fa7437a", "type": "uses" }, { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "type": "uses" }, { "dest-uuid": "69f897fd-12a9-4c89-ad6a-46d2f3c38262", "type": "uses" }, { "dest-uuid": "6e561441-8431-4773-a9b8-ccf28ef6a968", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "76551c52-b111-4884-bc47-ff3e728f0156", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", "type": "uses" }, { "dest-uuid": "7d77a07d-02fe-4e88-8bd9-e9c008c01bf0", "type": "uses" }, { "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", "type": "uses" }, { "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", "type": "uses" }, { "dest-uuid": "88d31120-5bc7-4ce3-a9c0-7cf147be8e54", "type": "uses" }, { "dest-uuid": "8bdfe255-e658-4ddd-a11c-b854762e451d", "type": "uses" }, { "dest-uuid": "8c4aef43-48d5-49aa-b2af-c0cd58d30c3d", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": 
"92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "937e4772-8441-4e4a-8bf0-8d447d667e23", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "98034fef-d9fb-4667-8dc4-2eab6231724c", "type": "uses" }, { "dest-uuid": "9a60a291-8960-4387-8a4a-2ab5c18bb50b", "type": "uses" }, { "dest-uuid": "9e7452df-5144-4b6e-b04a-b66dd4016747", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", "type": "uses" }, { "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "type": "uses" }, { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "type": "uses" }, { "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", "type": "uses" }, { "dest-uuid": "b1ccd744-3f78-4a0e-9bb2-2002057f7928", "type": "uses" }, { "dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "b4694861-542c-48ea-9eb1-10d356e7140a", "type": "uses" }, { "dest-uuid": "b9799466-9dd7-4098-b2d6-f999ce50b9a8", "type": "uses" }, { "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", "type": "uses" }, { "dest-uuid": "bbe5b322-e2af-4a5e-9625-a4e62bf84ed3", "type": "uses" }, { "dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4", "type": "uses" }, { "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "c9703cd3-141c-43a0-a926-380082be5d04", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0", "type": "uses" }, { "dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1", "type": "uses" }, { "dest-uuid": "d1b7830a-fced-4be3-a99c-f495af9d9e1b", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": 
"d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "dd43c543-bb85-4a6f-aa6e-160d90d06a49", "type": "uses" }, { "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "e624264c-033a-424d-9fd7-fc9c3bbdb03e", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", "type": "uses" }, { "dest-uuid": "edadea33-549c-4ed1-9783-8f5a5853cbdf", "type": "uses" }, { "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", "type": "uses" }, { "dest-uuid": "f4b843c1-7e92-4701-8fed-ce82f8be2636", "type": "uses" }, { "dest-uuid": "f9cc4d06-775f-4ee1-b401-4e2cc0da30ba", "type": "uses" }, { "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", "type": "uses" }, { "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", "type": "uses" } ], "uuid": "0ec2f388-bf0f-4b5c-97b1-fc736d26c25f", "value": "Kimsuky - G0094" }, { "description": "[OilRig](https://attack.mitre.org/groups/G0049) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. 
FireEye assesses that the group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.(Citation: Palo Alto OilRig April 2017)(Citation: ClearSky OilRig Jan 2017)(Citation: Palo Alto OilRig May 2016)(Citation: Palo Alto OilRig Oct 2016)(Citation: Unit42 OilRig Playbook 2023)(Citation: FireEye APT34 Dec 2017)(Citation: Unit 42 QUADAGENT July 2018)", "meta": { "external_id": "G0049", "refs": [ "http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/", "http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/", "http://researchcenter.paloaltonetworks.com/2017/04/unit42-oilrig-actors-provide-glimpse-development-testing-efforts/", "http://www.clearskysec.com/oilrig/", "https://attack.mitre.org/groups/G0049", "https://pan-unit42.github.io/playbook_viewer/", "https://pan-unit42.github.io/playbook_viewer/?pb=evasive-serpens", "https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/", "https://researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/", "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-november-helix-kitten/", "https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html", "https://www.secureworks.com/research/threat-profiles/cobalt-gypsy" ], "synonyms": [ "OilRig", "COBALT GYPSY", "IRN2", "APT34", "Helix Kitten", "Evasive Serpens" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", "type": 
"uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "0998045d-f96e-4284-95ce-3c8219707486", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46", "type": "uses" }, { "dest-uuid": "0a68f1f1-da74-4d28-8d9a-696c082706cc", "type": "uses" }, { "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", "type": "uses" }, { "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", "type": "uses" }, { "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc", "type": "uses" }, { "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", "type": "uses" }, { "dest-uuid": "294e2560-bd48-44b2-9da2-833b5588ad11", "type": "uses" }, { "dest-uuid": "29be378d-262d-4e99-b00d-852d573628e6", "type": "uses" }, { "dest-uuid": "2aed01ad-3df3-4410-a8cb-11ea4ded587c", "type": "uses" }, { "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", "type": "uses" }, { "dest-uuid": "2db31dcd-54da-405d-acef-b9129b816ed6", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f", "type": "uses" }, { "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", "type": "uses" }, { "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", "type": "uses" }, { "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0", "type": "uses" }, { "dest-uuid": "42be2a84-5a5c-4c6d-9864-3f09d75bb0ba", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "type": "uses" }, { "dest-uuid": 
"4664b683-f578-434f-919b-1c1aad2a1111", "type": "uses" }, { "dest-uuid": "4b346d12-7f91-48d2-8f06-b26ffa0d825b", "type": "uses" }, { "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", "type": "uses" }, { "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", "type": "uses" }, { "dest-uuid": "5be33fef-39c0-4532-84ee-bea31e1b5324", "type": "uses" }, { "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", "type": "uses" }, { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "type": "uses" }, { "dest-uuid": "6add2ab5-2711-4e9d-87c8-7a0be8531530", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "type": "uses" }, { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "type": "uses" }, { "dest-uuid": "7e6c2a9d-9dc1-4eb0-b27c-91e8076a9d77", "type": "uses" }, { "dest-uuid": "7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1", "type": "uses" }, { "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", "type": "uses" }, { "dest-uuid": "8e101fdd-9f7f-4916-bb04-6bd9e94c129c", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "a0082cfa-32e2-42b8-92d8-5c7a7409dcf1", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b", "type": "uses" }, { "dest-uuid": "a6937325-9321-4e2e-bb2b-3ed2d40b2a9d", "type": "uses" }, { "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", "type": "uses" }, { "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", "type": "uses" }, { "dest-uuid": "b0533c6e-8fea-4788-874f-b799cacc4b92", "type": "uses" }, { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "b6075259-dba3-44e9-87c7-e954f37ec0d5", "type": "uses" }, { "dest-uuid": 
"b76b2d94-60e4-4107-a903-4a3a7622fb3b", "type": "uses" }, { "dest-uuid": "b9eec47e-98f4-4b3c-b574-3fa8a87ebe05", "type": "uses" }, { "dest-uuid": "bf147104-abf9-4221-95d1-e81585859441", "type": "uses" }, { "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "cde2d700-9ed1-46cf-9bce-07364fe8b24f", "type": "uses" }, { "dest-uuid": "cf23bf4a-e003-4116-bbae-1ea6c558d565", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d336b553-5da9-46ca-98a8-0b23f49fb447", "type": "uses" }, { "dest-uuid": "d5268dfb-ae2b-4e0e-ac07-02a460613d8a", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "df4cd566-ff2f-4d08-976d-8c86e95782de", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", "type": "uses" }, { "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", "type": "uses" }, { "dest-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e", "type": "uses" }, { "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", "type": "uses" }, { "dest-uuid": "f6ad61ee-65f3-4bd0-a3f5-2f0accb36317", "type": "uses" }, { "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b", "type": "uses" }, { "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", "type": "uses" }, { "dest-uuid": "b96e02f1-4037-463f-b158-5a964352f8d9", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "42be2a84-5a5c-4c6d-9864-3f09d75bb0ba", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": 
"a0082cfa-32e2-42b8-92d8-5c7a7409dcf1", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" } ], "uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", "value": "OilRig - G0049" }, { "description": "[NEODYMIUM](https://attack.mitre.org/groups/G0055) is an activity group that conducted a campaign in May 2016 and has heavily targeted Turkish victims. The group has demonstrated similarity to another activity group called [PROMETHIUM](https://attack.mitre.org/groups/G0056) due to overlapping victim and campaign characteristics. (Citation: Microsoft NEODYMIUM Dec 2016) (Citation: Microsoft SIR Vol 21) [NEODYMIUM](https://attack.mitre.org/groups/G0055) is reportedly associated closely with [BlackOasis](https://attack.mitre.org/groups/G0063) operations, but evidence that the group names are aliases has not been identified. 
(Citation: CyberScoop BlackOasis Oct 2017)", "meta": { "external_id": "G0055", "refs": [ "http://download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf", "https://attack.mitre.org/groups/G0055", "https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/", "https://www.cyberscoop.com/middle-eastern-hacking-group-using-finfisher-malware-conduct-international-espionage/" ], "synonyms": [ "NEODYMIUM" ] }, "related": [ { "dest-uuid": "47b5007a-3fb1-466a-9578-629e6e735493", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "a8d3d497-2da9-4797-8e0b-ed176be08654", "type": "uses" }, { "dest-uuid": "ada08ea8-4517-4eea-aff1-3ad69e5466bb", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "47b5007a-3fb1-466a-9578-629e6e735493", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "ada08ea8-4517-4eea-aff1-3ad69e5466bb", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "a8d3d497-2da9-4797-8e0b-ed176be08654", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" } ], "uuid": "025bdaa9-897d-4bad-afa6-013ba5734653", "value": "NEODYMIUM - G0055" }, { "description": "[PROMETHIUM](https://attack.mitre.org/groups/G0056) is an activity group focused on espionage that has been active since at least 2012. The group has conducted operations globally with a heavy emphasis on Turkish targets. 
[PROMETHIUM](https://attack.mitre.org/groups/G0056) has demonstrated similarity to another activity group called [NEODYMIUM](https://attack.mitre.org/groups/G0055) due to overlapping victim and campaign characteristics.(Citation: Microsoft NEODYMIUM Dec 2016)(Citation: Microsoft SIR Vol 21)(Citation: Talos Promethium June 2020)", "meta": { "external_id": "G0056", "refs": [ "http://download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf", "https://attack.mitre.org/groups/G0056", "https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html", "https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/", "https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf" ], "synonyms": [ "PROMETHIUM", "StrongPity" ] }, "related": [ { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "1cec9319-743b-4840-bb65-431547bce82a", "type": "uses" }, { "dest-uuid": "20945359-3b39-4542-85ef-08ecb4e1c174", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082", "type": "uses" }, { "dest-uuid": "34b3f738-bd64-40e5-a112-29b0542bc8bf", "type": "uses" }, { "dest-uuid": "43894e2a-174e-4931-94a8-2296afe8f650", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "5744f91a-d2d8-4f92-920f-943dd80c578f", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "691c60e2-273d-4d56-9ce6-b67e0f8719ad", "type": "uses" }, { "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", "type": "uses" }, { "dest-uuid": "8868cb5b-d575-4a60-acb2-07d37389a2fd", "type": "uses" }, { "dest-uuid": 
"9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", "type": "uses" }, { "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", "type": "uses" }, { "dest-uuid": "5744f91a-d2d8-4f92-920f-943dd80c578f", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "43894e2a-174e-4931-94a8-2296afe8f650", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "691c60e2-273d-4d56-9ce6-b67e0f8719ad", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" } ], "uuid": "efed95ba-d7e8-47ff-8c53-99c42426ee7c", "value": "PROMETHIUM - G0056" }, { "description": "[Leviathan](https://attack.mitre.org/groups/G0065) is a Chinese state-sponsored cyber espionage group that has been attributed to the Ministry of State Security's (MSS) Hainan State Security Department and an affiliated front company.(Citation: CISA AA21-200A APT40 July 2021) Active since at least 2009, [Leviathan](https://attack.mitre.org/groups/G0065) has targeted the following sectors: academia, aerospace/aviation, biomedical, defense industrial base, government, healthcare, manufacturing, maritime, and transportation across the US, Canada, Europe, the Middle East, and Southeast Asia.(Citation: CISA AA21-200A APT40 July 2021)(Citation: Proofpoint Leviathan Oct 2017)(Citation: FireEye Periscope March 2018)", "meta": { "external_id": "G0065", "refs": [ "https://attack.mitre.org/groups/G0065", "https://us-cert.cisa.gov/ncas/alerts/aa21-200a", "https://www.accenture.com/us-en/blogs/cyber-defense/mudcarps-focus-on-submarine-technologies", "https://www.crowdstrike.com/blog/two-birds-one-stone-panda/", "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html", 
"https://www.fireeye.com/blog/threat-research/2019/03/apt40-examining-a-china-nexus-espionage-actor.html", "https://www.microsoft.com/security/blog/2020/09/24/gadolinium-detecting-empires-cloud/", "https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets", "https://www.secureworks.com/research/threat-profiles/bronze-mohawk" ], "synonyms": [ "Leviathan", "MUDCARP", "Kryptonite Panda", "Gadolinium", "BRONZE MOHAWK", "TEMP.Jumper", "APT40", "TEMP.Periscope" ] }, "related": [ { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", "type": "uses" }, { "dest-uuid": "049ff071-0b3c-4712-95d2-d21c6aa54501", "type": "uses" }, { "dest-uuid": "06d735e7-1db1-4dbe-ab4b-acbe419f902b", "type": "uses" }, { "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "type": "uses" }, { "dest-uuid": "0c8465c0-d0b4-4670-992e-4eee8d7ff952", "type": "uses" }, { "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", "type": "uses" }, { "dest-uuid": "13cd9151-83b7-410d-9f98-25d0f0d1d80d", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "232a7e42-cd6e-4902-8fe9-2960f529dd4d", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "242f3da3-4425-4d11-8f5c-b842886da966", "type": "uses" }, { "dest-uuid": "274770e0-2612-4ccf-a678-ef8e7bad365d", "type": "uses" }, { "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", "type": "uses" }, { "dest-uuid": "2db31dcd-54da-405d-acef-b9129b816ed6", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082", "type": "uses" }, { "dest-uuid": "3433a9e8-1c47-4320-b9bf-ed449061d1c3", "type": "uses" }, { "dest-uuid": "359b00ad-9425-420b-bba5-6de8d600cbc0", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { 
"dest-uuid": "3dc8c101-d4db-4f4d-8150-1b5a76ca5f1b", "type": "uses" }, { "dest-uuid": "40f5caa0-4cb7-4117-89fc-d421bb493df3", "type": "uses" }, { "dest-uuid": "4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", "type": "uses" }, { "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", "type": "uses" }, { "dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a", "type": "uses" }, { "dest-uuid": "57d83eac-a2ea-42b0-a7b2-c80c55157790", "type": "uses" }, { "dest-uuid": "5a3a31fe-5a8f-48e1-bff0-a753e5b1be70", "type": "uses" }, { "dest-uuid": "5b4b6980-3bc7-11e8-84d6-879aaac37dd9", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5", "type": "uses" }, { "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", "type": "uses" }, { "dest-uuid": "64764dc6-a032-495f-8250-1e4c06bdc163", "type": "uses" }, { "dest-uuid": "65013dd2-bc61-43e3-afb5-a14c4fa7437a", "type": "uses" }, { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "type": "uses" }, { "dest-uuid": "705f0783-5f7d-4491-b6b7-9628e6e006d2", "type": "uses" }, { "dest-uuid": "7451bcf9-e6e6-4a70-bc3d-1599173d0035", "type": "uses" }, { "dest-uuid": "88c621a7-aef9-4ae0-94e3-1fc87123eb24", "type": "uses" }, { "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "94379dec-5c87-49db-b36e-66abc0b81344", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "9c99724c-a483-4d60-ad9d-7f004e42e8e8", "type": "uses" }, { "dest-uuid": "9e7452df-5144-4b6e-b04a-b66dd4016747", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "a782ebe2-daba-42c7-bc82-e8e9d923162d", "type": "uses" }, { "dest-uuid": "a7881f21-e978-4fe4-af56-92c9416a2616", "type": "uses" }, { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "type": "uses" }, { "dest-uuid": 
"b1ccd744-3f78-4a0e-9bb2-2002057f7928", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "b97f1d35-4249-4486-a6b5-ee60ccf24fab", "type": "uses" }, { "dest-uuid": "bc76d0a4-db11-4551-9ac4-01a469cfb161", "type": "uses" }, { "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "type": "uses" }, { "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b", "type": "uses" }, { "dest-uuid": "c2e147a9-d1a8-4074-811a-d8789202d916", "type": "uses" }, { "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", "type": "uses" }, { "dest-uuid": "d69c8146-ab35-4d50-8382-6fc80e641d43", "type": "uses" }, { "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", "type": "uses" }, { "dest-uuid": "ed7d0cb1-87a6-43b4-9f46-ef1bc56d6c68", "type": "uses" }, { "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", "type": "uses" }, { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "uses" }, { "dest-uuid": "5b4b6980-3bc7-11e8-84d6-879aaac37dd9", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "e906ae4d-1d3a-4675-be23-22f7311c0da4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" } ], "uuid": "7113eaa5-ba79-4fb3-b68a-398ee9cd698e", "value": "Leviathan - G0065" }, { "description": "[Rancor](https://attack.mitre.org/groups/G0075) is a threat group that has led targeted campaigns against the South East Asia region. [Rancor](https://attack.mitre.org/groups/G0075) uses politically-motivated lures to entice victims to open malicious documents. 
(Citation: Rancor Unit42 June 2018)", "meta": { "external_id": "G0075", "refs": [ "https://attack.mitre.org/groups/G0075", "https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/" ], "synonyms": [ "Rancor" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "0a68f1f1-da74-4d28-8d9a-696c082706cc", "type": "uses" }, { "dest-uuid": "21c0b55b-5ff3-4654-a05e-e3fc1ee1ce1b", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336", "type": "uses" }, { "dest-uuid": "cde2d700-9ed1-46cf-9bce-07364fe8b24f", "type": "uses" }, { "dest-uuid": "d186c1d6-e3ac-4c3d-a534-9ddfeb8c57bb", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "f40eb8ce-2a74-4e56-89a1-227021410142", "value": "Rancor - G0075" }, { "description": "[Machete](https://attack.mitre.org/groups/G0095) is a suspected Spanish-speaking cyber espionage group that has been active since at least 2010. It has primarily focused its operations within Latin America, with a particular emphasis on Venezuela, but also in the US, Europe, Russia, and parts of Asia. 
[Machete](https://attack.mitre.org/groups/G0095) generally targets high-profile organizations such as government institutions, intelligence services, and military units, as well as telecommunications and power companies.(Citation: Cylance Machete Mar 2017)(Citation: Securelist Machete Aug 2014)(Citation: ESET Machete July 2019)(Citation: 360 Machete Sep 2020)", "meta": { "external_id": "G0095", "refs": [ "https://attack.mitre.org/groups/G0095", "https://blog.360totalsecurity.com/en/apt-c-43-steals-venezuelan-military-secrets-to-provide-intelligence-support-for-the-reactionaries-hpreact-campaign/", "https://securelist.com/el-machete/66108/", "https://threatvector.cylance.com/en_us/home/el-machete-malware-attacks-cut-through-latam.html", "https://www.welivesecurity.com/wp-content/uploads/2019/08/ESET_Machete.pdf" ], "synonyms": [ "Machete", "APT-C-43", "El Machete" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "35cd1d01-1ede-44d2-b073-a264d727bc04", "type": "uses" }, { "dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336", "type": "uses" }, { "dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1", "type": "uses" }, { "dest-uuid": "d0b9840d-efe2-5200-89d1-2f1a37737e30", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", "type": "uses" } ], "uuid": "38863958-a201-4ce1-9dbe-539b0b6804e0", "value": "Machete - G0095" }, { 
"description": "[Elderwood](https://attack.mitre.org/groups/G0066) is a suspected Chinese cyber espionage group that was reportedly responsible for the 2009 Google intrusion known as Operation Aurora. (Citation: Security Affairs Elderwood Sept 2012) The group has targeted defense organizations, supply chain manufacturers, human rights and nongovernmental organizations (NGOs), and IT service providers. (Citation: Symantec Elderwood Sept 2012) (Citation: CSM Elderwood Sept 2012)", "meta": { "external_id": "G0066", "refs": [ "http://securityaffairs.co/wordpress/8528/hacking/elderwood-project-who-is-behind-op-aurora-and-ongoing-attacks.html", "https://attack.mitre.org/groups/G0066", "https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf", "https://www.csmonitor.com/USA/2012/0914/Stealing-US-business-secrets-Experts-ID-two-huge-cyber-gangs-in-China" ], "synonyms": [ "Elderwood", "Elderwood Gang", "Beijing Group", "Sneaky Panda" ] }, "related": [ { "dest-uuid": "039814a0-88de-46c5-a4fb-b293db21880a", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "48523614-309e-43bf-a2b8-705c2b45d7b2", "type": "uses" }, { "dest-uuid": "73a4793a-ce55-4159-b2a6-208ef29b326f", "type": "uses" }, { "dest-uuid": "79499993-a8d6-45eb-b343-bf58dea5bdde", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "b42378e0-f147-496f-992a-26a49705395b", "type": "uses" }, { "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "type": "uses" }, { "dest-uuid": "c251e4a5-9a2e-4166-8e42-442af75c3b9a", "type": "uses" }, { "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", "type": "uses" }, { "dest-uuid": "da754aeb-a86d-4874-b388-d1d2028a56be", "tags": [ 
"estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "e811ff6a-4cef-4856-a6ae-a7daf9ed39ae", "type": "uses" }, { "dest-uuid": "e9e9bfe2-76f4-4870-a2a1-b7af89808613", "type": "uses" }, { "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", "type": "uses" }, { "dest-uuid": "f4d8a2d6-c684-453a-8a14-cf4a94f755c5", "type": "uses" }, { "dest-uuid": "da754aeb-a86d-4874-b388-d1d2028a56be", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" } ], "uuid": "03506554-5f37-4f8f-9ce4-0e9f01a1b484", "value": "Elderwood - G0066" }, { "description": "[Thrip](https://attack.mitre.org/groups/G0076) is an espionage group that has targeted satellite communications, telecoms, and defense contractor companies in the U.S. and Southeast Asia. The group uses custom malware as well as \"living off the land\" techniques. 
(Citation: Symantec Thrip June 2018)", "meta": { "external_id": "G0076", "refs": [ "https://attack.mitre.org/groups/G0076", "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets" ], "synonyms": [ "Thrip" ] }, "related": [ { "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", "type": "uses" }, { "dest-uuid": "8d9e758b-735f-4cbc-ba7c-32cd15138b2a", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "type": "uses" }, { "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", "type": "uses" }, { "dest-uuid": "fb8d023d-45be-47e9-bc51-f56bcae6435b", "type": "uses" }, { "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", "type": "uses" } ], "uuid": "d69e568e-9ac8-4c08-b32c-d93b43ba9172", "value": "Thrip - G0076" }, { "description": "[PLATINUM](https://attack.mitre.org/groups/G0068) is an activity group that has targeted victims since at least 2009. The group has focused on targets associated with governments and related organizations in South and Southeast Asia. 
(Citation: Microsoft PLATINUM April 2016)", "meta": { "external_id": "G0068", "refs": [ "https://attack.mitre.org/groups/G0068", "https://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf" ], "synonyms": [ "PLATINUM" ] }, "related": [ { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "0f1ad2ef-41d4-4b7a-9304-ddae68ea3005", "type": "uses" }, { "dest-uuid": "154e97b5-47ef-415a-99a6-2157f1b50339", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "1fc5671f-5757-43bf-8d6d-a9a93b03713a", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "type": "uses" }, { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "type": "uses" }, { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "type": "uses" }, { "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", "type": "uses" }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" }, { "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", "type": "uses" }, { "dest-uuid": "de6cb631-52f6-4169-a73b-7965390b0c30", "type": "uses" }, { "dest-uuid": "e170995d-4f61-4f17-b60e-04f9a06ee517", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f5946b5e-9408-485f-a7f7-b5efc88909b6", "type": "uses" }, { "dest-uuid": "154e97b5-47ef-415a-99a6-2157f1b50339", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "1fc5671f-5757-43bf-8d6d-a9a93b03713a", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": 
"bb5a00de-e086-4859-a231-fa793f6797e2", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" } ], "uuid": "f9c06633-dcff-48a1-8588-759e7cec5694", "value": "PLATINUM - G0068" }, { "description": "[MuddyWater](https://attack.mitre.org/groups/G0069) is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).(Citation: CYBERCOM Iranian Intel Cyber January 2022) Since at least 2017, [MuddyWater](https://attack.mitre.org/groups/G0069) has targeted a range of government and private organizations across sectors, including telecommunications, local government, defense, and oil and natural gas organizations, in the Middle East, Asia, Africa, Europe, and North America.(Citation: Unit 42 MuddyWater Nov 2017)(Citation: Symantec MuddyWater Dec 2018)(Citation: ClearSky MuddyWater Nov 2018)(Citation: ClearSky MuddyWater June 2019)(Citation: Reaqta MuddyWater November 2017)(Citation: DHS CISA AA22-055A MuddyWater February 2022)(Citation: Talos MuddyWater Jan 2022)", "meta": { "external_id": "G0069", "refs": [ "https://attack.mitre.org/groups/G0069", "https://blog.talosintelligence.com/2022/01/iranian-apt-muddywater-targets-turkey.html", "https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/", "https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/", "https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies", "https://www.cisa.gov/uscert/ncas/alerts/aa22-055a", "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf", "https://www.clearskysec.com/wp-content/uploads/2019/06/Clearsky-Iranian-APT-group-%E2%80%98MuddyWater%E2%80%99-Adds-Exploits-to-Their-Arsenal.pdf", 
"https://www.cybercom.mil/Media/News/Article/2897570/iranian-intel-cyber-suite-of-malware-uses-open-source-tools/", "https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html", "https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group", "https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html" ], "synonyms": [ "MuddyWater", "Earth Vetala", "MERCURY", "Static Kitten", "Seedworm", "TEMP.Zagros" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", "type": "uses" }, { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "03c6e0ea-96d3-4b23-9afb-05055663cf4b", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", "type": "uses" }, { "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", "type": "uses" }, { "dest-uuid": "13cd9151-83b7-410d-9f98-25d0f0d1d80d", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc", "type": "uses" }, { "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", "type": "uses" }, { "dest-uuid": "232a7e42-cd6e-4902-8fe9-2960f529dd4d", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", 
"type": "uses" }, { "dest-uuid": "2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64", "type": "uses" }, { "dest-uuid": "3433a9e8-1c47-4320-b9bf-ed449061d1c3", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "type": "uses" }, { "dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0", "type": "uses" }, { "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", "type": "uses" }, { "dest-uuid": "4cbc6a62-9e34-4f94-8a19-5c1a11392a49", "type": "uses" }, { "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", "type": "uses" }, { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "type": "uses" }, { "dest-uuid": "69b8fd78-40e8-4600-ae4d-662c9d7afdb3", "type": "uses" }, { "dest-uuid": "69f897fd-12a9-4c89-ad6a-46d2f3c38262", "type": "uses" }, { "dest-uuid": "6add2ab5-2711-4e9d-87c8-7a0be8531530", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "73c4711b-407a-449d-b269-e3b1531fe7a9", "type": "uses" }, { "dest-uuid": "79a47ad0-fc3b-4821-9f01-a026b1ddba21", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "7e100ca4-e639-48d9-9a9d-8ad84aa7b448", "type": "uses" }, { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "type": "uses" }, { "dest-uuid": "80c815bb-b24a-4b9c-9d73-ff4c075a278d", "type": "uses" }, { "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", "type": "uses" }, { "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", "type": "uses" }, { "dest-uuid": "842976c7-f9c8-41b2-8371-41dc64fbe261", "type": "uses" }, { "dest-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91", "type": "uses" }, { "dest-uuid": "88d31120-5bc7-4ce3-a9c0-7cf147be8e54", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { 
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "a29af069-03c3-4534-b78b-7d1a77ea085b", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "type": "uses" }, { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "type": "uses" }, { "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", "type": "uses" }, { "dest-uuid": "b76b2d94-60e4-4107-a903-4a3a7622fb3b", "type": "uses" }, { "dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4", "type": "uses" }, { "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "type": "uses" }, { "dest-uuid": "c19d19ae-dd58-4584-8469-966bbeaa80e3", "type": "uses" }, { "dest-uuid": "c2e147a9-d1a8-4074-811a-d8789202d916", "type": "uses" }, { "dest-uuid": "c4810609-7da6-48ec-8057-1b70a7814db0", "type": "uses" }, { "dest-uuid": "c726e0a2-a57a-4b7b-a973-d0f013246617", "type": "uses" }, { "dest-uuid": "c8655260-9f4b-44e3-85e1-6538a5f6e4f4", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "e355fc84-6f3c-4888-8e0a-d7fa9c378532", "type": "uses" }, { "dest-uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58", "type": "uses" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "e8545794-b98c-492b-a5b3-4b5a02682e37", "type": "uses" }, { "dest-uuid": 
"ef67e13e-5598-4adc-bdb2-998225874fa9", "type": "uses" }, { "dest-uuid": "ff41b9b6-4c1d-407b-a7e2-835109c8dbc5", "type": "uses" }, { "dest-uuid": "a29af069-03c3-4534-b78b-7d1a77ea085b", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "a127c32c-cbb0-4f9d-be07-881a792408ec", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" } ], "uuid": "269e8108-68c6-4f99-b911-14b2e765dec2", "value": "MuddyWater - G0069" }, { "description": "[Leafminer](https://attack.mitre.org/groups/G0077) is an Iranian threat group that has targeted government organizations and business entities in the Middle East since at least early 2017. (Citation: Symantec Leafminer July 2018)", "meta": { "external_id": "G0077", "refs": [ "https://attack.mitre.org/groups/G0077", "https://www.dragos.com/blog/20180802Raspite.html", "https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east" ], "synonyms": [ "Leafminer", "Raspite" ] }, "related": [ { "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", "type": "uses" }, { "dest-uuid": "1ecfdab8-7d59-4c98-95d4-dc41970f57fc", "type": "uses" }, { "dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0", "type": "uses" }, { "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", "type": "uses" }, { "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762", "type": "uses" }, { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "type": "uses" }, { "dest-uuid": "692074ae-bb62-4a5e-a735-02cb6bde458c", "type": "uses" }, { "dest-uuid": "6add2ab5-2711-4e9d-87c8-7a0be8531530", "type": "uses" }, { "dest-uuid": "7007935a-a8a7-4c0b-bd98-4e85be8ed197", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", "type": "uses" }, { "dest-uuid": "999c4e6e-b8dc-4b4f-8d6e-1b829f29997e", "type": "uses" }, { "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "type": "uses" }, { 
"dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", "type": "uses" }, { "dest-uuid": "b4694861-542c-48ea-9eb1-10d356e7140a", "type": "uses" }, { "dest-uuid": "b76b2d94-60e4-4107-a903-4a3a7622fb3b", "type": "uses" }, { "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", "type": "uses" }, { "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", "type": "uses" }, { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "type": "uses" }, { "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", "type": "uses" }, { "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", "type": "uses" } ], "uuid": "32bca8ff-d900-4877-aa65-d70baa041b74", "value": "Leafminer - G0077" }, { "description": "[DarkHydrus](https://attack.mitre.org/groups/G0079) is a threat group that has targeted government agencies and educational institutions in the Middle East since at least 2016. The group heavily leverages open-source tools and custom payloads for carrying out attacks. (Citation: Unit 42 DarkHydrus July 2018) (Citation: Unit 42 Playbook Dec 2017)", "meta": { "external_id": "G0079", "refs": [ "https://attack.mitre.org/groups/G0079", "https://pan-unit42.github.io/playbook_viewer/", "https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/" ], "synonyms": [ "DarkHydrus" ] }, "related": [ { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "8ec6e3b4-b06d-4805-b6aa-af916acc2122", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "type": "uses" }, { "dest-uuid": "a7881f21-e978-4fe4-af56-92c9416a2616", "type": "uses" }, { "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", "type": "uses" }, { "dest-uuid": "b77cf5f3-6060-475d-bd60-40ccbf28fdc2", "type": "uses" }, { "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0", "type": "uses" }, { 
"dest-uuid": "dc31fe1e-d722-49da-8f5f-92c7b5aff534", "type": "uses" } ], "uuid": "6b9ebeb5-20bf-48b0-afb7-988d769a2f01", "value": "DarkHydrus - G0079" }, { "description": "[BlackTech](https://attack.mitre.org/groups/G0098) is a suspected Chinese cyber espionage group that has primarily targeted organizations in East Asia--particularly Taiwan, Japan, and Hong Kong--and the US since at least 2013. [BlackTech](https://attack.mitre.org/groups/G0098) has used a combination of custom malware, dual-use tools, and living off the land tactics to compromise media, construction, engineering, electronics, and financial company networks.(Citation: TrendMicro BlackTech June 2017)(Citation: Symantec Palmerworm Sep 2020)(Citation: Reuters Taiwan BlackTech August 2020)", "meta": { "external_id": "G0098", "refs": [ "https://attack.mitre.org/groups/G0098", "https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/palmerworm-blacktech-espionage-apt", "https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape", "https://www.reuters.com/article/us-taiwan-cyber-china/taiwan-says-china-behind-cyberattacks-on-government-agencies-emails-idUSKCN25F0JK" ], "synonyms": [ "BlackTech", "Palmerworm" ] }, "related": [ { "dest-uuid": "19401639-28d0-4c3c-adcc-bc2ba22f6421", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", "type": "uses" }, { "dest-uuid": "2db31dcd-54da-405d-acef-b9129b816ed6", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "type": "uses" }, { "dest-uuid": "592260fb-dd5c-4a30-8d99-106a0485be0d", "type": "uses" }, { "dest-uuid": "76ac7989-c5cc-42e2-93e3-d6c476f01ace", 
"type": "uses" }, { "dest-uuid": "77eae145-55db-4519-8ae5-77b0c7215d69", "type": "uses" }, { "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "type": "uses" }, { "dest-uuid": "b2d134a1-7bd5-4293-94d4-8fc978cb1cd7", "type": "uses" }, { "dest-uuid": "b57f419e-8b12-49d3-886b-145383725dcd", "type": "uses" }, { "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "type": "uses" }, { "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", "type": "uses" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "type": "uses" }, { "dest-uuid": "e7cbc1de-1f79-48ee-abfd-da1241c65a15", "type": "uses" }, { "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", "type": "uses" }, { "dest-uuid": "f3f1fbed-7e29-49cb-8579-4a378f858deb", "type": "uses" }, { "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", "type": "uses" } ], "uuid": "6fe8a2a1-a1b0-4af8-953d-4babd329f8f8", "value": "BlackTech - G0098" }, { "description": "[TA2541](https://attack.mitre.org/groups/G1018) is a cybercriminal group that has been targeting the aviation, aerospace, transportation, manufacturing, and defense industries since at least 2017. 
[TA2541](https://attack.mitre.org/groups/G1018) campaigns are typically high volume and involve the use of commodity remote access tools obfuscated by crypters and themes related to aviation, transportation, and travel.(Citation: Proofpoint TA2541 February 2022)(Citation: Cisco Operation Layover September 2021)", "meta": { "external_id": "G1018", "refs": [ "https://attack.mitre.org/groups/G1018", "https://blog.talosintelligence.com/operation-layover-how-we-tracked-attack/", "https://www.proofpoint.com/us/blog/threat-insight/charting-ta2541s-flight" ], "synonyms": [ "TA2541" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "132d5b37-aac5-4378-a8dc-3127b18a73dc", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "2a70812b-f1ef-44db-8578-a496a227aef2", "type": "uses" }, { "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3ee16395-03f0-4690-a32e-69ce9ada0f9e", "type": "uses" }, { "dest-uuid": "40f5caa0-4cb7-4117-89fc-d421bb493df3", "type": "uses" }, { "dest-uuid": "4327aff5-f194-440c-b499-4d9730cc1eab", "type": "uses" }, { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "type": "uses" }, { "dest-uuid": "6a5947f3-1a36-4653-8734-526df3e1d28d", "type": "uses" }, { "dest-uuid": "7807d3a4-a885-4639-a786-c1ed41484970", "type": "uses" }, { "dest-uuid": "7bd9c723-2f78-4309-82c5-47cad406572b", "type": "uses" }, { "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", "type": "uses" }, { "dest-uuid": "88d31120-5bc7-4ce3-a9c0-7cf147be8e54", "type": "uses" }, { "dest-uuid": "8f8cd191-902c-4e83-bf20-b57c8c4640e9", "type": "uses" }, { 
"dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "type": "uses" }, { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "type": "uses" }, { "dest-uuid": "b200542e-e877-4395-875b-cf1a44537ca4", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "bdb27a1d-1844-42f1-a0c0-826027ae0326", "type": "uses" }, { "dest-uuid": "bf176076-b789-408e-8cba-7275e81c0ada", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "d906e6f7-434c-44c0-b51a-ed50af8f7945", "type": "uses" }, { "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "e7a5229f-05eb-440e-b982-9a6d2b2b87c8", "type": "uses" }, { "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", "type": "uses" }, { "dest-uuid": "efece7e8-e40b-49c2-9f84-c55c5c93d05c", "type": "uses" }, { "dest-uuid": "fde19a18-e502-467f-be14-58c71b4e7f4b", "type": "uses" } ], "uuid": "467271fd-47c0-4e90-a3f9-d84f5cf790d0", "value": "TA2541 - G1018" }, { "description": "[FIN13](https://attack.mitre.org/groups/G1016) is a financially motivated cyber threat group that has targeted the financial, retail, and hospitality industries in Mexico and Latin America, as early as 2016. 
[FIN13](https://attack.mitre.org/groups/G1016) achieves its objectives by stealing intellectual property, financial data, mergers and acquisition information, or PII.(Citation: Mandiant FIN13 Aug 2022)(Citation: Sygnia Elephant Beetle Jan 2022)", "meta": { "external_id": "G1016", "refs": [ "https://attack.mitre.org/groups/G1016", "https://f.hubspotusercontent30.net/hubfs/8776530/Sygnia-%20Elephant%20Beetle_Jan2022.pdf?__hstc=147695848.3e8f1a482c8f8d4531507747318e660b.1680005306711.1680005306711.1680005306711.1&__hssc=147695848.1.1680005306711&__hsfp=3000179024&hsCtaTracking=189ec409-ae2d-4909-8bf1-62dcdd694372%7Cca91d317-8f10-4a38-9f80-367f551ad64d", "https://www.mandiant.com/resources/blog/fin13-cybercriminal-mexico" ], "synonyms": [ "FIN13", "Elephant Beetle" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", "type": "uses" }, { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "uses" }, { "dest-uuid": "0a68f1f1-da74-4d28-8d9a-696c082706cc", "type": "uses" }, { "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", "type": "uses" }, { "dest-uuid": "132d5b37-aac5-4378-a8dc-3127b18a73dc", "type": "uses" }, { "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce", "type": "uses" }, { "dest-uuid": "1644e709-12d2-41e5-a60f-3470991f5011", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0", "type": "uses" }, { "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", "type": "uses" }, { "dest-uuid": "26c87906-d750-42c5-946c-d4162c73fc7b", "type": "uses" }, { "dest-uuid": "2db31dcd-54da-405d-acef-b9129b816ed6", "type": "uses" }, { "dest-uuid": "3433a9e8-1c47-4320-b9bf-ed449061d1c3", "type": "uses" }, { "dest-uuid": 
"3489cfc5-640f-4bb3-a103-9137b97de79f", "type": "uses" }, { "dest-uuid": "34ab90a3-05f6-4259-8f21-621081fdaba5", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "type": "uses" }, { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "type": "uses" }, { "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", "type": "uses" }, { "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", "type": "uses" }, { "dest-uuid": "5282dd9a-d26d-4e16-88b7-7c0f4553daf4", "type": "uses" }, { "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", "type": "uses" }, { "dest-uuid": "60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65", "type": "uses" }, { "dest-uuid": "6151cbea-819b-455a-9fa6-99a1cc58797d", "type": "uses" }, { "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762", "type": "uses" }, { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", "type": "uses" }, { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "type": "uses" }, { "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", "type": "uses" }, { "dest-uuid": "851e071f-208d-4c79-adc6-5974c85c78f3", "type": "uses" }, { "dest-uuid": "8cdeb020-e31e-4f88-a582-f53dcfbda819", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", "type": "uses" }, { "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "type": "uses" }, { "dest-uuid": 
"ac9e6b22-11bf-45d7-9181-c1cb08360931", "type": "uses" }, { "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", "type": "uses" }, { "dest-uuid": "e624264c-033a-424d-9fd7-fc9c3bbdb03e", "type": "uses" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", "type": "uses" }, { "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d", "type": "uses" }, { "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", "type": "uses" }, { "dest-uuid": "f4c1826f-a322-41cd-9557-562100848c84", "type": "uses" }, { "dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755", "type": "uses" } ], "uuid": "fd66436e-4d33-450e-ac4c-f7810f1c85f4", "value": "FIN13 - G1016" }, { "description": "[UNC2452](https://attack.mitre.org/groups/G0118) is a suspected Russian state-sponsored threat group responsible for the 2020 SolarWinds software supply chain intrusion.(Citation: FireEye SUNBURST Backdoor December 2020) Victims of this campaign include government, consulting, technology, telecom, and other organizations in North America, Europe, Asia, and the Middle East.(Citation: FireEye SUNBURST Backdoor December 2020) The group also compromised at least one think tank by late 2019.(Citation: Volexity SolarWinds)", "meta": { "external_id": "G0118", "refs": [ "https://attack.mitre.org/groups/G0118", "https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/", "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", 
"https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/", "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/" ], "synonyms": [ "UNC2452", "NOBELIUM", "StellarParticle", "Dark Halo" ] }, "related": [ { "dest-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", "type": "revoked-by" } ], "uuid": "dc5e2999-ca1a-47d4-8d12-a6984b138a1b", "value": "UNC2452 - G0118" }, { "description": "[TA551](https://attack.mitre.org/groups/G0127) is a financially-motivated threat group that has been active since at least 2018. (Citation: Secureworks GOLD CABIN) The group has primarily targeted English, German, Italian, and Japanese speakers through email-based malware distribution campaigns. (Citation: Unit 42 TA551 Jan 2021)", "meta": { "external_id": "G0127", "refs": [ "https://attack.mitre.org/groups/G0127", "https://unit42.paloaltonetworks.com/ta551-shathak-icedid/", "https://unit42.paloaltonetworks.com/valak-evolution/", "https://www.secureworks.com/research/threat-profiles/gold-cabin" ], "synonyms": [ "TA551", "GOLD CABIN", "Shathak" ] }, "related": [ { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "118f61a5-eb3e-4fb6-931f-2096647f4ecd", "type": "uses" }, { "dest-uuid": "1492d0f8-7e14-4af3-9239-bc3fe10d3407", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "type": "uses" }, { "dest-uuid": "5147ef15-1cae-4707-8ea1-bee8d98b7f1d", "type": "uses" }, { "dest-uuid": "69f897fd-12a9-4c89-ad6a-46d2f3c38262", "type": "uses" }, { "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", "type": "uses" }, { "dest-uuid": "ade37ada-14af-4b44-b36c-210eec255d53", "type": "uses" }, { "dest-uuid": 
"b97f1d35-4249-4486-a6b5-ee60ccf24fab", "type": "uses" }, { "dest-uuid": "c2e147a9-d1a8-4074-811a-d8789202d916", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "edc5e045-5401-42bb-ad92-52b5b2ee0de9", "type": "uses" } ], "uuid": "94873029-f950-4268-9cfd-5032e15cb182", "value": "TA551 - G0127" }, { "description": "[CURIUM](https://attack.mitre.org/groups/G1012) is an Iranian threat group first reported in November 2021 that has invested in building a relationship with potential targets via social media over a period of months to establish trust and confidence before sending malware. Security researchers note [CURIUM](https://attack.mitre.org/groups/G1012) has demonstrated great patience and persistence by chatting with potential targets daily and sending benign files to help lower their security consciousness.(Citation: Microsoft Iranian Threat Actor Trends November 2021)", "meta": { "external_id": "G1012", "refs": [ "https://attack.mitre.org/groups/G1012", "https://www.microsoft.com/en-us/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021" ], "synonyms": [ "CURIUM" ] }, "related": [ { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "b1ccd744-3f78-4a0e-9bb2-2002057f7928", "type": "uses" }, { "dest-uuid": "f6ad61ee-65f3-4bd0-a3f5-2f0accb36317", "type": "uses" } ], "uuid": "3ea7add5-5b8f-45d8-b1f1-905d2729d62a", "value": "CURIUM - G1012" }, { "description": "[Sidewinder](https://attack.mitre.org/groups/G0121) is a suspected Indian threat actor group that has been active since at least 2012. 
They have been observed targeting government, military, and business entities throughout Asia, primarily focusing on Pakistan, China, Nepal, and Afghanistan.(Citation: ATT Sidewinder January 2021)(Citation: Securelist APT Trends April 2018)(Citation: Cyble Sidewinder September 2020)", "meta": { "external_id": "G0121", "refs": [ "https://attack.mitre.org/groups/G0121", "https://cdn-cybersecurity.att.com/docs/global-perspective-of-the-sidewinder-apt.pdf", "https://cybleinc.com/2020/09/26/sidewinder-apt-targets-with-futuristic-tactics-and-techniques/", "https://securelist.com/apt-trends-report-q1-2018/85280/" ], "synonyms": [ "Sidewinder", "T-APT-04", "Rattlesnake" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "232a7e42-cd6e-4902-8fe9-2960f529dd4d", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", "type": "uses" }, { "dest-uuid": "2d3f5b3c-54ca-4f4d-bb1f-849346d31230", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3dada716-34c3-506e-aa3a-1889bd975b4b", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", "type": "uses" }, { "dest-uuid": "8982a661-d84c-48c0-b4ec-1db29c6cf3bc", "type": "uses" 
}, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "type": "uses" }, { "dest-uuid": "c8655260-9f4b-44e3-85e1-6538a5f6e4f4", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58", "type": "uses" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", "type": "uses" }, { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "type": "uses" } ], "uuid": "3fc023b2-c5cc-481d-9c3e-70141ae1a87e", "value": "Sidewinder - G0121" }, { "description": "[Windshift](https://attack.mitre.org/groups/G0112) is a threat group that has been active since at least 2017, targeting specific individuals for surveillance in government departments and critical infrastructure across the Middle East.(Citation: SANS Windshift August 2018)(Citation: objective-see windtail1 dec 2018)(Citation: objective-see windtail2 jan 2019)", "meta": { "external_id": "G0112", "refs": [ "https://attack.mitre.org/groups/G0112", "https://objective-see.com/blog/blog_0x3B.html", "https://objective-see.com/blog/blog_0x3D.html", "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1554718868.pdf" ], "synonyms": [ "Windshift", "Bahamut" ] }, "related": [ { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": 
"03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "0d1f9f5b-11ea-42c3-b5f4-63cce0122541", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "type": "uses" }, { "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "type": "uses" }, { "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6", "type": "uses" }, { "dest-uuid": "6ffad4be-bfe0-424f-abde-4d9a84a800ad", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "b1c95426-2550-4621-8028-ceebf28b3a47", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "b4b7458f-81f2-4d38-84be-1c5ba0167a52", "type": "uses" }, { "dest-uuid": "bb4387ab-7a51-468b-bf5f-a9a8612f0303", "type": "uses" }, { "dest-uuid": "c6421411-ae61-42bb-9098-73fddb315002", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "cf28ca46-1fd3-46b4-b1f6-ec0b72361848", "type": "uses" }, { "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "type": "uses" }, { "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", "type": "uses" }, { "dest-uuid": "d8940e76-f9c1-4912-bea6-e21c251370b6", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "type": "uses" }, { "dest-uuid": "e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "type": "uses" }, { "dest-uuid": 
"e2ea7f6b-8d4f-49c3-819d-660530d12b77", "type": "uses" }, { "dest-uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58", "type": "uses" }, { "dest-uuid": "e422b6fa-4739-46b9-992e-82f1b350c780", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", "type": "uses" }, { "dest-uuid": "f6ad61ee-65f3-4bd0-a3f5-2f0accb36317", "type": "uses" }, { "dest-uuid": "fcb11f06-ce0e-490b-bcc1-04a1623579f0", "type": "uses" } ], "uuid": "afec6dc3-a18e-4b62-b1a4-5510e1a498d1", "value": "Windshift - G0112" }, { "description": "[Metador](https://attack.mitre.org/groups/G1013) is a suspected cyber espionage group that was first reported in September 2022. [Metador](https://attack.mitre.org/groups/G1013) has targeted a limited number of telecommunication companies, internet service providers, and universities in the Middle East and Africa. Security researchers named the group [Metador](https://attack.mitre.org/groups/G1013) based on the \"I am meta\" string in one of the group's malware samples and the expectation of Spanish-language responses from C2 servers.(Citation: SentinelLabs Metador Sept 2022)", "meta": { "external_id": "G1013", "refs": [ "https://assets.sentinelone.com/sentinellabs22/metador#page=1", "https://attack.mitre.org/groups/G1013" ], "synonyms": [ "Metador" ] }, "related": [ { "dest-uuid": "3be1fb7a-0f7e-415e-8e3a-74a80d596e68", "type": "uses" }, { "dest-uuid": "7807d3a4-a885-4639-a786-c1ed41484970", "type": "uses" }, { "dest-uuid": "910906dd-8c0a-475a-9cc1-5e029e2fad58", "type": "uses" }, { "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": 
"df350889-4de9-44e5-8cb3-888b8343e97c", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "bfc5ddb3-4dfb-4278-8928-020e1b3feddd", "value": "Metador - G1013" }, { "description": "[Chimera](https://attack.mitre.org/groups/G0114) is a suspected China-based threat group that has been active since at least 2018 targeting the semiconductor industry in Taiwan as well as data from the airline industry.(Citation: Cycraft Chimera April 2020)(Citation: NCC Group Chimera January 2021)", "meta": { "external_id": "G0114", "refs": [ "https://attack.mitre.org/groups/G0114", "https://cycraft.com/download/CyCraft-Whitepaper-Chimera_V4.1.pdf", "https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/" ], "synonyms": [ "Chimera" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", "type": "uses" }, { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "type": "uses" }, { "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "066b057c-944e-4cfc-b654-e3dfba04b926", "type": "uses" }, { "dest-uuid": "0c4b4fda-9062-47da-98b9-ceae2dcf052a", "type": "uses" }, { "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", "type": "uses" }, { "dest-uuid": "1996eef1-ced3-4d7f-bf94-33298cabbf72", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "1e9eb839-294b-48cc-b0d3-c45555a2a004", "type": "uses" }, { "dest-uuid": "21875073-b0ee-49e3-9077-1e2a885359af", "type": "uses" }, { "dest-uuid": "25659dd6-ea12-45c4-97e6-381e3e4b593e", "type": "uses" }, { "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", "type": "uses" }, { 
"dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", "type": "uses" }, { "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "359b00ad-9425-420b-bba5-6de8d600cbc0", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "47f2d673-ca62-47e9-929b-1b0be9657611", "type": "uses" }, { "dest-uuid": "4f9ca633-15c5-463c-9724-bdcd54fde541", "type": "uses" }, { "dest-uuid": "4fe28b27-b13c-453e-a386-c2ef362a573b", "type": "uses" }, { "dest-uuid": "5e4a2073-9643-44cb-a0b5-e7f4048446c7", "type": "uses" }, { "dest-uuid": "60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65", "type": "uses" }, { "dest-uuid": "6495ae23-3ab4-43c5-a94f-5638a2c31fd2", "type": "uses" }, { "dest-uuid": "692074ae-bb62-4a5e-a735-02cb6bde458c", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "a01bf75f-00b2-4568-a58f-565ff9bf202b", "type": "uses" }, { "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "type": "uses" }, { "dest-uuid": "a7881f21-e978-4fe4-af56-92c9416a2616", "type": "uses" }, { "dest-uuid": "ae676644-d2d2-41b7-af7e-9bed1b55898c", "type": "uses" }, { "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", "type": "uses" }, { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "type": "uses" }, { "dest-uuid": "b2d03cea-aec1-45ca-9744-9ee583c1e1cc", "type": "uses" }, { "dest-uuid": "b4694861-542c-48ea-9eb1-10d356e7140a", "type": "uses" }, { "dest-uuid": 
"b6075259-dba3-44e9-87c7-e954f37ec0d5", "type": "uses" }, { "dest-uuid": "bc76d0a4-db11-4551-9ac4-01a469cfb161", "type": "uses" }, { "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b", "type": "uses" }, { "dest-uuid": "bf90d72c-c00b-45e3-b3aa-68560560d4c5", "type": "uses" }, { "dest-uuid": "c256da91-6dd5-40b2-beeb-ee3b22ab3d27", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d4b96d2c-1032-4b22-9235-2b5b649d0605", "type": "uses" }, { "dest-uuid": "d511a6f6-4a33-41d5-bc95-c343875d1377", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "dd43c543-bb85-4a6f-aa6e-160d90d06a49", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "type": "uses" }, { "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", "type": "uses" }, { "dest-uuid": "e624264c-033a-424d-9fd7-fc9c3bbdb03e", "type": "uses" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "eb062747-2193-45de-8fa2-e62549c37ddf", "type": "uses" }, { "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", "type": "uses" }, { "dest-uuid": "f1951e8a-500e-4a26-8803-76d95c4554b4", "type": "uses" }, { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "type": "uses" }, { "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", "type": "uses" } ], "uuid": "8c1f0187-0826-4320-bddc-5f326cfcfe2c", "value": "Chimera - G0114" }, { "description": "[Gelsemium](https://attack.mitre.org/groups/G0141) is a cyberespionage group that has been active since at least 2014, targeting governmental institutions, electronics manufacturers, universities, and religious organizations in East Asia 
and the Middle East.(Citation: ESET Gelsemium June 2021)", "meta": { "external_id": "G0141", "refs": [ "https://attack.mitre.org/groups/G0141", "https://www.welivesecurity.com/wp-content/uploads/2021/06/eset_gelsemium.pdf" ], "synonyms": [ "Gelsemium" ] }, "uuid": "99910207-1741-4da1-9b5d-537410186b51", "value": "Gelsemium - G0141" }, { "description": "[LuminousMoth](https://attack.mitre.org/groups/G1014) is a Chinese-speaking cyber espionage group that has been active since at least October 2020. [LuminousMoth](https://attack.mitre.org/groups/G1014) has targeted high-profile organizations, including government entities, in Myanmar, the Philippines, Thailand, and other parts of Southeast Asia. Some security researchers have concluded there is a connection between [LuminousMoth](https://attack.mitre.org/groups/G1014) and [Mustang Panda](https://attack.mitre.org/groups/G0129) based on similar targeting and TTPs, as well as network infrastructure overlaps.(Citation: Kaspersky LuminousMoth July 2021)(Citation: Bitdefender LuminousMoth July 2021)", "meta": { "external_id": "G1014", "refs": [ "https://attack.mitre.org/groups/G1014", "https://securelist.com/apt-luminousmoth/103332/", "https://www.bitdefender.com/blog/labs/luminousmoth-plugx-file-exfiltration-and-persistence-revisited" ], "synonyms": [ "LuminousMoth" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "10ffac09-e42d-4f56-ab20-db94c67d76ff", "type": "uses" }, { "dest-uuid": "19401639-28d0-4c3c-adcc-bc2ba22f6421", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "212306d8-efa4-44c9-8c2d-ed3d2e224aa0", "type": "uses" }, { "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", "type": "uses" }, { "dest-uuid": "31fe0ba2-62fd-4fd9-9293-4043d84f7fe9", "type": "uses" }, { "dest-uuid": "32901740-b42c-4fdd-bc02-345b5dc57082", "type": 
"uses" }, { "dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3ee16395-03f0-4690-a32e-69ce9ada0f9e", "type": "uses" }, { "dest-uuid": "53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a", "type": "uses" }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "uses" }, { "dest-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd", "type": "uses" }, { "dest-uuid": "7807d3a4-a885-4639-a786-c1ed41484970", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "84ae8255-b4f4-4237-b5c5-e717405a9701", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "type": "uses" }, { "dest-uuid": "a7881f21-e978-4fe4-af56-92c9416a2616", "type": "uses" }, { "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b", "type": "uses" }, { "dest-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd", "type": "uses" }, { "dest-uuid": "cabe189c-a0e3-4965-a473-dcff00f17213", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d", "type": "uses" }, { "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", "type": "uses" } ], "uuid": "b7f627e2-0817-4cd5-8d50-e75f8aa85cc6", "value": "LuminousMoth - G1014" }, { "description": "[MoustachedBouncer](https://attack.mitre.org/groups/G1019) is a cyberespionage group that has been active since at least 2014 targeting foreign embassies in Belarus.(Citation: MoustachedBouncer ESET August 2023)", "meta": { "external_id": "G1019", "refs": [ "https://attack.mitre.org/groups/G1019", 
"https://www.welivesecurity.com/en/eset-research/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus/" ], "synonyms": [ "MoustachedBouncer" ] }, "related": [ { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "type": "uses" }, { "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", "type": "uses" }, { "dest-uuid": "114fed8b-7eed-4136-8b9c-411c5c7fff4b", "type": "uses" }, { "dest-uuid": "1fefb062-feda-484a-8f10-0cebf65e20e3", "type": "uses" }, { "dest-uuid": "359b00ad-9425-420b-bba5-6de8d600cbc0", "type": "uses" }, { "dest-uuid": "43c9bc06-715b-42db-972f-52d25c09a20c", "type": "uses" }, { "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", "type": "uses" }, { "dest-uuid": "91c57ed3-7c32-4c68-b388-7db00cb8dac6", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", "type": "uses" }, { "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "type": "uses" }, { "dest-uuid": "e1445afd-c359-45ed-8f27-626dc4d5e157", "type": "uses" } ], "uuid": "7251b44b-6072-476c-b8d9-a6e32c355b28", "value": "MoustachedBouncer - G1019" }, { "description": "[CostaRicto](https://attack.mitre.org/groups/G0132) is a suspected hacker-for-hire cyber espionage campaign that has targeted multiple industries worldwide since at least 2019. 
[CostaRicto](https://attack.mitre.org/groups/G0132)'s targets, a large portion of which are financial institutions, are scattered across Europe, the Americas, Asia, Australia, and Africa, with a large concentration in South Asia.(Citation: BlackBerry CostaRicto November 2020)", "meta": { "external_id": "G0132", "refs": [ "https://attack.mitre.org/groups/G0132", "https://blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced" ], "synonyms": [ "CostaRicto" ] }, "related": [], "uuid": "bb82e0b0-6e9c-439f-970a-4c917a74c5f2", "value": "CostaRicto - G0132" }, { "description": "[Confucius](https://attack.mitre.org/groups/G0142) is a cyber espionage group that has primarily targeted military personnel, high-profile personalities, business persons, and government organizations in South Asia since at least 2013. Security researchers have noted similarities between [Confucius](https://attack.mitre.org/groups/G0142) and [Patchwork](https://attack.mitre.org/groups/G0040), particularly in their respective custom malware code and targets.(Citation: TrendMicro Confucius APT Feb 2018)(Citation: TrendMicro Confucius APT Aug 2021)(Citation: Uptycs Confucius APT Jan 2021)", "meta": { "external_id": "G0142", "refs": [ "https://attack.mitre.org/groups/G0142", "https://www.trendmicro.com/en_us/research/18/b/deciphering-confucius-cyberespionage-operations.html", "https://www.trendmicro.com/en_us/research/21/h/confucius-uses-pegasus-spyware-related-lures-to-target-pakistani.html", "https://www.uptycs.com/blog/confucius-apt-deploys-warzone-rat" ], "synonyms": [ "Confucius", "Confucius APT" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "15d78a95-af6a-4b06-8dae-76bedb0ec5a1", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" 
}, { "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "840a987a-99bd-4a80-a5c9-0cb2baa6cade", "type": "uses" }, { "dest-uuid": "88d31120-5bc7-4ce3-a9c0-7cf147be8e54", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "type": "uses" }, { "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b", "type": "uses" }, { "dest-uuid": "dc31fe1e-d722-49da-8f5f-92c7b5aff534", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", "type": "uses" }, { "dest-uuid": "fde19a18-e502-467f-be14-58c71b4e7f4b", "type": "uses" }, { "dest-uuid": "feae299d-e34f-4fc9-8545-486d0905bd41", "type": "uses" } ], "uuid": "6eded342-33e5-4451-b6b2-e1c62863129f", "value": "Confucius - G0142" }, { "description": "The [Windigo](https://attack.mitre.org/groups/G0124) group has been operating since at least 2011, compromising thousands of Linux and Unix servers using the [Ebury](https://attack.mitre.org/software/S0377) SSH backdoor to create a spam botnet. 
Despite law enforcement intervention against the creators, [Windigo](https://attack.mitre.org/groups/G0124) operators continued updating [Ebury](https://attack.mitre.org/software/S0377) through 2019.(Citation: ESET Windigo Mar 2014)(Citation: CERN Windigo June 2019)", "meta": { "external_id": "G0124", "refs": [ "https://attack.mitre.org/groups/G0124", "https://security.web.cern.ch/advisories/windigo/windigo.shtml", "https://www.welivesecurity.com/2014/03/18/operation-windigo-the-vivisection-of-a-large-linux-server-side-credential-stealing-malware-campaign/" ], "synonyms": [ "Windigo" ] }, "related": [ { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", "type": "uses" }, { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "d6b3fcd0-1c86-4350-96f0-965ed02fcc51", "type": "uses" }, { "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", "type": "uses" }, { "dest-uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58", "type": "uses" } ], "uuid": "4e868dad-682d-4897-b8df-2dc98f46c68a", "value": "Windigo - G0124" }, { "description": "[HAFNIUM](https://attack.mitre.org/groups/G0125) is a likely state-sponsored cyber espionage group operating out of China that has been active since at least January 2021. 
[HAFNIUM](https://attack.mitre.org/groups/G0125) primarily targets entities in the US across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.(Citation: Microsoft HAFNIUM March 2020)(Citation: Volexity Exchange Marauder March 2021)", "meta": { "external_id": "G0125", "refs": [ "https://attack.mitre.org/groups/G0125", "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/" ], "synonyms": [ "HAFNIUM", "Operation Exchange Marauder" ] }, "related": [ { "dest-uuid": "00f90846-cbd1-4fc5-9233-df5c2bf2a662", "type": "uses" }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "045d0922-2310-4e60-b5e4-3302302cb3c5", "type": "uses" }, { "dest-uuid": "04fd5427-79c7-44ea-ae13-11b24778ff1c", "type": "uses" }, { "dest-uuid": "0dda99f0-4701-48ca-9774-8504922e92d3", "type": "uses" }, { "dest-uuid": "132d5b37-aac5-4378-a8dc-3127b18a73dc", "type": "uses" }, { "dest-uuid": "26c87906-d750-42c5-946c-d4162c73fc7b", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "type": "uses" }, { "dest-uuid": "56f46b17-8cfa-46c0-b501-dd52fef394e2", "type": "uses" }, { "dest-uuid": "5a3a31fe-5a8f-48e1-bff0-a753e5b1be70", "type": "uses" }, { "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", "type": "uses" }, { "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "type": "uses" }, { "dest-uuid": "69f897fd-12a9-4c89-ad6a-46d2f3c38262", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7610cada-1499-41a4-b3dd-46467b68d177", "type": "uses" }, { "dest-uuid": "774ad5bb-2366-4c13-a8a9-65e50b292e7c", "type": "uses" }, { "dest-uuid": 
"79da0971-3147-4af6-a4f5-e8cd447cd795", "type": "uses" }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "88d31120-5bc7-4ce3-a9c0-7cf147be8e54", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "988976ff-beeb-4fb5-b07d-ca7437ea66e8", "type": "uses" }, { "dest-uuid": "9d48cab2-7929-4812-ad22-f536665f0109", "type": "uses" }, { "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", "type": "uses" }, { "dest-uuid": "b4694861-542c-48ea-9eb1-10d356e7140a", "type": "uses" }, { "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b", "type": "uses" }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "ec8fc7e2-b356-455c-8db5-2e37be158e7d", "type": "uses" }, { "dest-uuid": "edf91964-b26e-4b4a-9600-ccacd7d7df24", "type": "uses" }, { "dest-uuid": "fdc47f44-dd32-4b99-af5f-209f556f63c2", "type": "uses" }, { "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", "type": "uses" } ], "uuid": "2688b13e-8e71-405a-9c40-0dee94bddf87", "value": "HAFNIUM - G0125" }, { "description": "[Higaisa](https://attack.mitre.org/groups/G0126) is a threat group suspected to have South Korean origins. [Higaisa](https://attack.mitre.org/groups/G0126) has targeted government, public, and trade organizations in North Korea; however, they have also carried out attacks in China, Japan, Russia, Poland, and other nations. 
[Higaisa](https://attack.mitre.org/groups/G0126) was first disclosed in early 2019 but is assessed to have operated as early as 2009.(Citation: Malwarebytes Higaisa 2020)(Citation: Zscaler Higaisa 2020)(Citation: PTSecurity Higaisa 2020)", "meta": { "external_id": "G0126", "refs": [ "https://attack.mitre.org/groups/G0126", "https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/covid-19-and-new-year-greetings-the-higaisa-group/", "https://www.zscaler.com/blogs/security-research/return-higaisa-apt" ], "synonyms": [ "Higaisa" ] }, "related": [ { "dest-uuid": "005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "uses" }, { "dest-uuid": "0a68f1f1-da74-4d28-8d9a-696c082706cc", "type": "uses" }, { "dest-uuid": "0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466", "type": "uses" }, { "dest-uuid": "5bfccc3f-2326-4112-86cc-c1ece9d8a2b5", "type": "uses" }, { "dest-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", "type": "uses" }, { "dest-uuid": "88c621a7-aef9-4ae0-94e3-1fc87123eb24", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", 
"type": "uses" }, { "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "type": "uses" }, { "dest-uuid": "c325b232-d5bc-4dde-a3ec-71f3db9e8adc", "type": "uses" }, { "dest-uuid": "cbb66055-0325-4111-aca0-40547b6ad5b0", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "type": "uses" }, { "dest-uuid": "e64c62cf-9cd7-4a14-94ec-cdaac43ab44b", "type": "uses" }, { "dest-uuid": "ebbe170d-aa74-4946-8511-9921243415a3", "type": "uses" }, { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "type": "uses" }, { "dest-uuid": "f6dacc85-b37d-458e-b58d-74fc4bbf5755", "type": "uses" } ], "uuid": "54dfec3e-6464-4f74-9d69-b7c817b7e5a3", "value": "Higaisa - G0126" }, { "description": "[ZIRCONIUM](https://attack.mitre.org/groups/G0128) is a threat group operating out of China, active since at least 2017, that has targeted individuals associated with the 2020 US presidential election and prominent leaders in the international affairs community.(Citation: Microsoft Targeting Elections September 2020)(Citation: Check Point APT31 February 2021)", "meta": { "external_id": "G0128", "refs": [ "https://attack.mitre.org/groups/G0128", "https://blogs.microsoft.com/on-the-issues/2020/09/10/cyberattacks-us-elections-trump-biden/", "https://research.checkpoint.com/2021/the-story-of-jian/" ], "synonyms": [ "ZIRCONIUM", "APT31" ] }, "related": [ { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "type": "uses" }, { "dest-uuid": "24bfaeba-cb0d-4525-b3dc-507c77ecec41", "type": "uses" }, { "dest-uuid": "2b742742-28c3-4e1b-bab7-8350d6300fa7", "type": "uses" }, { "dest-uuid": "2d3f5b3c-54ca-4f4d-bb1f-849346d31230", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "365be77f-fc0e-42ee-bac8-4faf806d9336", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", 
"type": "uses" }, { "dest-uuid": "40f5caa0-4cb7-4117-89fc-d421bb493df3", "type": "uses" }, { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "type": "uses" }, { "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", "type": "uses" }, { "dest-uuid": "88d31120-5bc7-4ce3-a9c0-7cf147be8e54", "type": "uses" }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", "type": "uses" }, { "dest-uuid": "be055942-6e63-49d7-9fa1-9cb7d8a8f3f4", "type": "uses" }, { "dest-uuid": "bf1b6176-597c-4600-bfcd-ac989670f96b", "type": "uses" }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "uses" }, { "dest-uuid": "cc3502b5-30cc-4473-ad48-42d51a6ef6d1", "type": "uses" }, { "dest-uuid": "cca0ccb6-a068-4574-a722-b1556f86833a", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "ef67e13e-5598-4adc-bdb2-998225874fa9", "type": "uses" }, { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "type": "uses" } ], "uuid": "4283ae19-69c7-4347-a35e-b56f08eb660b", "value": "ZIRCONIUM - G0128" }, { "description": "[BackdoorDiplomacy](https://attack.mitre.org/groups/G0135) is a cyber espionage threat group that has been active since at least 2017. 
[BackdoorDiplomacy](https://attack.mitre.org/groups/G0135) has targeted Ministries of Foreign Affairs and telecommunication companies in Africa, Europe, the Middle East, and Asia.(Citation: ESET BackdoorDiplomacy Jun 2021)", "meta": { "external_id": "G0135", "refs": [ "https://attack.mitre.org/groups/G0135", "https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/" ], "synonyms": [ "BackdoorDiplomacy" ] }, "related": [ { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": "2fee9321-3e71-4cf4-af24-d4d40d355b34", "type": "uses" }, { "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", "type": "uses" }, { "dest-uuid": "350f12cf-fd3b-4dad-b323-14b943090df4", "type": "uses" }, { "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", "type": "uses" }, { "dest-uuid": "5a3a31fe-5a8f-48e1-bff0-a753e5b1be70", "type": "uses" }, { "dest-uuid": "5d0d3609-d06d-49e1-b9c9-b544e0c618cb", "type": "uses" }, { "dest-uuid": "7807d3a4-a885-4639-a786-c1ed41484970", "type": "uses" }, { "dest-uuid": "7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", "type": "uses" }, { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "type": "uses" }, { "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "type": "uses" }, { "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "b63970b7-ddfb-4aee-97b1-80d335e033a8", "type": "uses" }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "uses" }, { "dest-uuid": "da04ac30-27da-4959-a67d-450ce47d9470", "type": "uses" }, { "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" }, { "dest-uuid": "f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "uses" } ], "uuid": "9735c036-8ebe-47e9-9c77-b0ae656dab93", "value": "BackdoorDiplomacy - G0135" 
}, { "description": "[IndigoZebra](https://attack.mitre.org/groups/G0136) is a suspected Chinese cyber espionage group that has been targeting Central Asian governments since at least 2014.(Citation: HackerNews IndigoZebra July 2021)(Citation: Checkpoint IndigoZebra July 2021)(Citation: Securelist APT Trends Q2 2017)", "meta": { "external_id": "G0136", "refs": [ "https://attack.mitre.org/groups/G0136", "https://research.checkpoint.com/2021/indigozebra-apt-continues-to-attack-central-asia-with-evolving-tools/", "https://securelist.com/apt-trends-report-q2-2017/79332/", "https://thehackernews.com/2021/07/indigozebra-apt-hacking-campaign.html" ], "synonyms": [ "IndigoZebra" ] }, "related": [ { "dest-uuid": "21583311-6321-4891-8a37-3eb4e57b0fb1", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "3dc8c101-d4db-4f4d-8150-1b5a76ca5f1b", "type": "uses" }, { "dest-uuid": "40f5caa0-4cb7-4117-89fc-d421bb493df3", "type": "uses" }, { "dest-uuid": "88d31120-5bc7-4ce3-a9c0-7cf147be8e54", "type": "uses" }, { "dest-uuid": "919a056e-5104-43b9-ad55-2ac929108b71", "type": "uses" }, { "dest-uuid": "a2fdce72-04b2-409a-ac10-cc1695f4fce0", "type": "uses" }, { "dest-uuid": "b42378e0-f147-496f-992a-26a49705395b", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "e5603ea8-4c36-40e7-b7af-a077d24fedc1", "value": "IndigoZebra - G0136" }, { "description": "[Andariel](https://attack.mitre.org/groups/G0138) is a North Korean state-sponsored threat group that has been active since at least 2009. 
[Andariel](https://attack.mitre.org/groups/G0138) has primarily focused its operations--which have included destructive attacks--against South Korean government agencies, military organizations, and a variety of domestic companies; they have also conducted cyber financial operations against ATMs, banks, and cryptocurrency exchanges. [Andariel](https://attack.mitre.org/groups/G0138)'s notable activity includes Operation Black Mine, Operation GoldenAxe, and Campaign Rifle.(Citation: FSI Andariel Campaign Rifle July 2017)(Citation: IssueMakersLab Andariel GoldenAxe May 2017)(Citation: AhnLab Andariel Subgroup of Lazarus June 2018)(Citation: TrendMicro New Andariel Tactics July 2018)(Citation: CrowdStrike Silent Chollima Adversary September 2021)\n\n[Andariel](https://attack.mitre.org/groups/G0138) is considered a sub-set of [Lazarus Group](https://attack.mitre.org/groups/G0032), and has been attributed to North Korea's Reconnaissance General Bureau.(Citation: Treasury North Korean Cyber Groups September 2019)\n\nNorth Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://attack.mitre.org/groups/G0032) instead of tracking clusters or subgroups.", "meta": { "external_id": "G0138", "refs": [ "http://download.ahnlab.com/global/brochure/%5BAnalysis%5DAndariel_Group.pdf", "http://www.issuemakerslab.com/research3/", "https://adversary.crowdstrike.com/en-US/adversary/silent-chollima/", "https://attack.mitre.org/groups/G0138", "https://home.treasury.gov/news/press-releases/sm774", "https://www.fsec.or.kr/user/bbs/fsec/163/344/bbsDataView/1680.do", "https://www.trendmicro.com/en_us/research/18/g/new-andariel-reconnaissance-tactics-hint-at-next-targets.html" ], "synonyms": [ "Andariel", "Silent Chollima" ] }, "related": [ { "dest-uuid": "0dda99f0-4701-48ca-9774-8504922e92d3", "type": "uses" }, { "dest-uuid": "232b7f21-adf9-4b42-b936-b9d6f7df856e", 
"type": "uses" }, { "dest-uuid": "2e34237d-8574-43f6-aace-ae2915de8597", "type": "uses" }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "uses" }, { "dest-uuid": "44c75271-0e4d-496f-ae0a-a6d883a42a65", "type": "uses" }, { "dest-uuid": "7807d3a4-a885-4639-a786-c1ed41484970", "type": "uses" }, { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "type": "uses" }, { "dest-uuid": "88c621a7-aef9-4ae0-94e3-1fc87123eb24", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "baf60e1a-afe5-4d31-830f-1b1ba2351884", "type": "uses" }, { "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "type": "uses" }, { "dest-uuid": "c2e147a9-d1a8-4074-811a-d8789202d916", "type": "uses" }, { "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "39d6890e-7f23-4474-b8ef-e7b0343c5fc8", "value": "Andariel - G0138" }, { "description": "[TeamTNT](https://attack.mitre.org/groups/G0139) is a threat group that has primarily targeted cloud and containerized environments. 
The group has been active since at least October 2019 and has mainly focused its efforts on leveraging cloud and container resources to deploy cryptocurrency miners in victim environments.(Citation: Palo Alto Black-T October 2020)(Citation: Lacework TeamTNT May 2021)(Citation: Intezer TeamTNT September 2020)(Citation: Cado Security TeamTNT Worm August 2020)(Citation: Unit 42 Hildegard Malware)(Citation: Trend Micro TeamTNT)(Citation: ATT TeamTNT Chimaera September 2020)(Citation: Aqua TeamTNT August 2020)(Citation: Intezer TeamTNT Explosion September 2021)", "meta": { "external_id": "G0139", "refs": [ "https://attack.mitre.org/groups/G0139", "https://blog.aquasec.com/container-security-tnt-container-attack", "https://cybersecurity.att.com/blogs/labs-research/teamtnt-with-new-campaign-aka-chimaera", "https://documents.trendmicro.com/assets/white_papers/wp-tracking-the-activities-of-teamTNT.pdf", "https://unit42.paloaltonetworks.com/black-t-cryptojacking-variant/", "https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/", "https://www.cadosecurity.com/team-tnt-the-first-crypto-mining-worm-to-steal-aws-credentials/", "https://www.intezer.com/blog/cloud-security/attackers-abusing-legitimate-cloud-monitoring-tools-to-conduct-cyber-attacks/", "https://www.intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf", "https://www.lacework.com/blog/taking-teamtnt-docker-images-offline/" ], "synonyms": [ "TeamTNT" ] }, "related": [ { "dest-uuid": "0470e792-32f8-46b0-a351-652bc35e9336", "type": "uses" }, { "dest-uuid": "09b130a2-a77e-4af0-a361-f46f9aad1345", "type": "uses" }, { "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", "type": "uses" }, { "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", "type": "uses" }, { "dest-uuid": "19bf235b-8620-4997-b5b4-94e0659ed7c3", "type": "uses" }, { "dest-uuid": "1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "uses" }, { "dest-uuid": "1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "uses" }, { "dest-uuid": 
"212306d8-efa4-44c9-8c2d-ed3d2e224aa0", "type": "uses" }, { "dest-uuid": "2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "uses" }, { "dest-uuid": "2bce5b30-7014-4a5d-ade7-12913fe6ac36", "type": "uses" }, { "dest-uuid": "2db31dcd-54da-405d-acef-b9129b816ed6", "type": "uses" }, { "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", "type": "uses" }, { "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", "type": "uses" }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "uses" }, { "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", "type": "uses" }, { "dest-uuid": "3aef9463-9a7a-43ba-8957-a867e07c1e6a", "type": "uses" }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "uses" }, { "dest-uuid": "3ee16395-03f0-4690-a32e-69ce9ada0f9e", "type": "uses" }, { "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", "type": "uses" }, { "dest-uuid": "40a1b8ec-7295-416c-a6b1-68181d86f120", "type": "uses" }, { "dest-uuid": "40f5caa0-4cb7-4117-89fc-d421bb493df3", "type": "uses" }, { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "type": "uses" }, { "dest-uuid": "4a5b7ade-8bb5-4853-84ed-23f262002665", "type": "uses" }, { "dest-uuid": "5372c5fe-f424-4def-bcd5-d3a8e770f07b", "type": "uses" }, { "dest-uuid": "5502c4e9-24ef-4d5f-8ee9-9e906c2f82c4", "type": "uses" }, { "dest-uuid": "55bb4471-ff1f-43b4-88c1-c9384ec47abf", "type": "uses" }, { "dest-uuid": "56e0d8b8-3e25-49dd-9050-3aa252f5aa92", "type": "uses" }, { "dest-uuid": "5a33468d-844d-4b1f-98c9-0e786c556b27", "type": "uses" }, { "dest-uuid": "60b508a1-6a5e-46b1-821a-9f7b78752abf", "type": "uses" }, { "dest-uuid": "635cbe30-392d-4e27-978e-66774357c762", "type": "uses" }, { "dest-uuid": "6b57dc31-b814-4a03-8706-28bc20d739c4", "type": "uses" }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "uses" }, { "dest-uuid": "79dd477a-8226-4b3d-ad15-28623675f221", "type": "uses" }, { "dest-uuid": "7b50a1d3-4ca7-45d1-989d-a6503f04bfe1", "type": "uses" }, { "dest-uuid": 
"7bc57495-ea59-4380-be31-a64af124ef18", "type": "uses" }, { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "type": "uses" }, { "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", "type": "uses" }, { "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", "type": "uses" }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "uses" }, { "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", "type": "uses" }, { "dest-uuid": "9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "uses" }, { "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", "type": "uses" }, { "dest-uuid": "a9d4b653-6915-42af-98b2-5758c4ceee56", "type": "uses" }, { "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", "type": "uses" }, { "dest-uuid": "b0c74ef9-c61e-4986-88cb-78da98a355ec", "type": "uses" }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "uses" }, { "dest-uuid": "b76b2d94-60e4-4107-a903-4a3a7622fb3b", "type": "uses" }, { "dest-uuid": "cba37adb-d6fb-4610-b069-dd04c0643384", "type": "uses" }, { "dest-uuid": "cd25c1b4-935c-4f0e-ba8d-552f28bc4783", "type": "uses" }, { "dest-uuid": "d157f9d2-d09a-4efa-bb2a-64963f94e253", "type": "uses" }, { "dest-uuid": "d1fcf083-a721-4223-aedf-bf8960798d62", "type": "uses" }, { "dest-uuid": "d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "uses" }, { "dest-uuid": "db8f5003-3b20-48f0-9b76-123e44208120", "type": "uses" }, { "dest-uuid": "deb98323-e13f-4b0c-8d94-175379069062", "type": "uses" }, { "dest-uuid": "df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "uses" }, { "dest-uuid": "dfefe2ed-4389-4318-8762-f0272b350a1b", "type": "uses" }, { "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", "type": "uses" }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "uses" } ], "uuid": "35d1b3be-49d4-42f1-aaa6-ef159c880bca", "value": "TeamTNT - G0139" } ], "version": 33 }