
{
"version" : 1,
"description": "Known or estimated adversary groups targeting organizations and employees. Attribution is best-effort: adversary groups are regularly confused with their initial operation or campaign, and the same group is tracked under different vendor names (listed here as synonyms).",
"authors": ["Alexandre Dulaunoy", "Florian Roth", "Various"],
"type": "Adversary Groups",
"groups" : ["Comment Crew","Putter Panda","Sofacy","APT 29","Turla Group","Energetic Bear","Sandworm","Anunak","TeamSpy Crew","BuhTrap","UPS","IXESHE","APT 16","Aurora Panda","Wekby","Axiom","Shell Crew","Naikon","Lotus Blossom","Hurricane Panda","Emissary Panda","Stone Panda","Nightshade Panda","Hellsing","Night Dragon","Mirage","Anchor Panda","NetTraveler","Ice Fog","HiddenLynx","Beijing Group","Pirate Panda","Radio Panda","Dagger Panda","Samurai Panda","Impersonating Panda","Violin Panda","Toxic Panda","Temper Panda","Flying Kitten","Viking Jackal","Cutting Kitten","Rebel Jackal","Stalker Panda","Berserk Bear","Dizzy Panda","Eloquent Panda","Predator Panda","Pitty Panda","Wet Panda","Union Panda","Wolf Spider","Boulder Bear","Lotus Panda","Shark Spider","Silent Chollima","Viceroy Tiger","Pizzo Spider","Corsair Jackal"],
"details" : [
{
"group": "Comment Crew",
"description": "PLA Unit 61398 (Chinese: 61398部队, Pinyin: 61398 bùduì) is the Military Unit Cover Designator (MUCD) of a People's Liberation Army advanced persistent threat unit that has been alleged to be a source of Chinese computer hacking attacks.",
"refs": ["https://en.wikipedia.org/wiki/PLA_Unit_61398", "http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf"],
"country": "CN",
"synonyms": ["Comment Panda","PLA Unit 61398", "APT 1","Advanced Persistent Threat 1","Byzantine Candor","Group 3","TG-8223"]
},
{
"group": "Stalker Panda",
"country": "CN"
},
{
"group": "Wet Panda",
"country": "CN"
},
{
"group": "Predator Panda",
"country": "CN"
},
{
"group": "Union Panda",
"country": "CN"
},
{
"group": "Eloquent Panda",
"country": "CN"
},
{
"group": "Dizzy Panda",
"synonyms": ["LadyBoyle"]
},
{
"group": "Putter Panda",
"refs": ["http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf"],
"country": "CN",
"synonyms": ["PLA Unit 61486", "APT 2", "Group 36","APT-2","MSUpdater","4HCrew","SULPHUR"]
},
{
"group": "UPS",
"refs": ["https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html"],
"country": "CN",
"synonyms": ["Gothic Panda","TG-0110","APT 3","Group 6"]
},
{
"group": "IXESHE",
"refs": ["http://www.crowdstrike.com/blog/whois-numbered-panda/"],
"country": "CN",
"synonyms": ["Numbered Panda", "TG-2754", "BeeBus", "Group 22", "DynCalc", "Crimson Iron"]
},
{
"group": "APT 16",
"refs": ["https://www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html"],
"country": "CN"
},
{
"group": "Aurora Panda",
"refs": ["http://www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html"],
"country": "CN",
"synonyms": ["APT 17", "Deputy Dog", "Group 8"]
},
{
"group": "Wekby",
"refs": ["https://threatpost.com/apt-gang-branches-out-to-medical-espionage-in-community-health-breach/107828"],
"country": "CN",
"synonyms": ["Dynamite Panda", "TG-0416", "APT 18", "SCANDIUM"]
},
{
"group": "Axiom",
"refs": ["http://securelist.com/blog/research/57585/winnti-faq-more-than-just-a-game/"],
"country": "CN",
"synonyms": ["Winnti Group", "Tailgater Team","Group 72","Group72","Tailgater","Ragebeast"]
},
{
"group": "Shell Crew",
"refs": ["http://cybercampaigns.net/wp-content/uploads/2013/06/Deep-Panda.pdf"],
"country": "CN",
"synonyms": ["Deep Panda", "WebMasters", "APT 19", "KungFu Kittens", "Black Vine", "Group 13", "PinkPanther", "Sh3llCr3w"]
},
{
"group": "Naikon",
"refs": ["https://securelist.com/analysis/publications/69953/the-naikon-apt/"],
"country": "CN",
"synonyms": ["PLA Unit 78020", "APT 30", "Override Panda", "Camerashy"]
},
{
"group": "Lotus Blossom",
"refs": ["https://securelist.com/blog/research/70726/the-spring-dragon-apt/"],
"country": "CN",
"synonyms": ["Spring Dragon","ST Group"]
},
{
"group": "Lotus Panda",
"country": "CN",
"synonyms": ["Elise"]
},
{
"group": "Hurricane Panda",
"refs": ["http://www.crowdstrike.com/blog/cyber-deterrence-in-action-a-story-of-one-long-hurricane-panda-campaign/"],
"country": "CN"
},
{
"group": "Emissary Panda",
"refs": ["http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/"],
"country": "CN",
"synonyms": ["TG-3390","APT 27","TEMP.Hippo","Group 35","HIPPOTeam","APT27"]
},
{
"group": "Stone Panda",
"country": "CN",
"synonyms": ["APT10","APT 10","menuPass","happyyongzi","POTASSIUM"]
},
{
"group": "Nightshade Panda",
"refs": ["https://otx.alienvault.com/pulse/55bbc68e67db8c2d547ae393/"],
"country": "CN",
"synonyms": ["APT 9","Flowerlady/Flowershow","Flowerlady","Flowershow"]
},
{
"group": "Hellsing",
"refs": ["https://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back/"],
"country": "CN",
"synonyms": ["Goblin Panda","Cycldek"]
},
{
"group": "Night Dragon",
"refs": ["https://kc.mcafee.com/corporate/index?page=content&id=KB71150"],
"country": "CN"
},
{
"group": "Mirage",
"refs": ["https://www.fireeye.com/blog/threat-research/2014/09/forced-to-adapt-xslcmd-backdoor-now-on-os-x.html"],
"country": "CN",
"synonyms": ["Vixen Panda","Ke3Chang","GREF", "Playful Dragon"]
},
{
"group": "Anchor Panda",
"refs": ["http://www.crowdstrike.com/blog/whois-anchor-panda/"],
"synonyms": ["APT14","APT 14","QAZTeam","ALUMINUM"],
"country": "CN"
},
{
"group": "NetTraveler",
"refs": ["https://securelist.com/blog/research/35936/nettraveler-is-running-red-star-apt-attacks-compromise-high-profile-victims/"],
"country": "CN"
},
{
"group": "Ice Fog",
"refs": ["https://securelist.com/blog/research/57331/the-icefog-apt-a-tale-of-cloak-and-three-daggers/"],
"country": "CN",
"synonyms": ["IceFog","Dagger Panda"]
},
{
"group": "Pitty Panda",
"country": "CN",
"synonyms": ["PittyTiger", "MANGANESE"]
},
{
"group": "HiddenLynx",
"refs": ["http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/hidden_lynx.pdf"],
"country": "CN"
},
{
"group": "Beijing Group",
"country": "CN"
},
{
"group": "Radio Panda",
"country": "CN"
},
{
"group": "Dagger Panda",
"country": "CN"
},
{
"group": "Samurai Panda",
"refs": ["http://www.crowdstrike.com/blog/whois-samurai-panda/"],
"country": "CN",
"synonyms": ["PLA Navy","APT4","APT 4"]
},
{
"group": "Impersonating Panda",
"country": "CN"
},
{
"group": "Violin Panda",
"synonyms": ["APT20","APT 20","TH3Bug"],
"country": "CN"
},
{
"group": "Toxic Panda",
"country": "CN"
},
{
"group": "Temper Panda",
"refs": ["https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html"],
"country": "CN",
"synonyms": ["Admin338","Team338","MAGNESIUM","admin@338"]
},
{
"group": "Pirate Panda",
"synonyms": [ "APT23", "KeyBoy" ],
"country": "CN"
},
{
"group": "Flying Kitten",
"synonyms": ["SaffronRose","AjaxSecurityTeam"],
"country": "IR"
},
{
"group": "Cutting Kitten",
"synonyms": ["ITSecTeam"],
"country": "IR"
},
{
"group": "Rebel Jackal",
"synonyms": ["FallagaTeam"],
"country": "TN"
},
{
"group": "Viking Jackal",
"synonyms": ["Vikingdom"],
"country": "AE"
},
{
"group": "Sofacy",
"description": "The Sofacy Group (also known as APT28, Pawn Storm, Fancy Bear and Sednit) is a cyber espionage group believed to have ties to the Russian government. Likely operating since 2007, the group is known to target government, military, and security organizations. It has been characterized as an advanced persistent threat.",
"refs": ["https://en.wikipedia.org/wiki/Sofacy_Group"],
"country": "RU",
"synonyms": ["APT 28", "APT28", "Pawn Storm", "Fancy Bear", "Sednit"]
},
{
"group": "APT 29",
"refs": ["https://labsblog.f-secure.com/2015/09/17/the-dukes-7-years-of-russian-cyber-espionage/"],
"country": "RU",
"synonyms": ["Dukes", "Group 100", "Cozy Duke", "CozyDuke", "EuroAPT", "CozyBear", "CozyCar", "Cozer", "Office Monkeys", "OfficeMonkeys", "APT29"]
},
{
"group": "Turla Group",
"country": "RU",
"synonyms": ["Turla", "Snake", "Venomous Bear", "Group 88"]
},
{
"group": "Energetic Bear",
"country": "RU",
"synonyms": ["Dragonfly", "Crouching Yeti", "Group 24", "Havex", "CrouchingYeti"]
},
{
"group": "Sandworm",
"refs": ["http://www.isightpartners.com/2014/10/cve-2014-4114/"],
"country": "RU",
"synonyms": ["Sandworm Team"]
},
{
"group": "Anunak",
"description": "Financially motivated group targeting financial organizations and individuals with significant financial assets.",
"country": "RU",
"synonyms": ["Carbanak"]
},
{
"group": "TeamSpy Crew",
"refs": ["https://securelist.com/blog/incidents/35520/the-teamspy-crew-attacks-abusing-teamviewer-for-cyberespionage-8/"],
"country": "RU",
"synonyms": ["TeamSpy","Team Bear"]
},
{
"group": "BuhTrap",
"refs": ["http://www.welivesecurity.com/2015/11/11/operathion-buhtrap-malware-distributed-via-ammyy-com/"],
"country": "RU",
"synonyms": []
},
{
"group": "Berserk Bear",
"country": "RU"
},
{
"group": "Wolf Spider",
"country": "RO"
},
{
"group": "Boulder Bear",
"country": "RU"
},
{
"group": "Shark Spider",
"country": "RU"
},
{
"group": "Silent Chollima",
"synonyms": ["OperationTroy"],
"country": "KP"
},
{
"group": "Viceroy Tiger",
"country": "IN",
"synonyms": ["Appin","OperationHangover"]
},
{
"group": "Pizzo Spider",
"country": "US",
"synonyms": ["DD4BC","Ambiorx"]
},
{
"group": "Corsair Jackal",
"country": "TN",
"synonyms": ["TunisianCyberArmy"]
}
]
}