misp-circl-feed/feeds/circl/stix-2.1/57f63e22-0560-49d8-a3b8-42e5950d210f.json

{
"type": "bundle",
"id": "bundle--57f63e22-0560-49d8-a3b8-42e5950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-01-12T10:35:20.000Z",
"modified": "2018-01-12T10:35:20.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "grouping",
"spec_version": "2.1",
"id": "grouping--57f63e22-0560-49d8-a3b8-42e5950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-01-12T10:35:20.000Z",
"modified": "2018-01-12T10:35:20.000Z",
"name": "OSINT - ThreatConnect reviews activity targeting Bellingcat, a key contributor in the MH17 investigation. (Belling the BEAR)",
"context": "suspicious-activity",
"object_refs": [
"x-misp-attribute--57f640ba-8dd0-4668-9822-4003950d210f",
"indicator--57f642fe-24bc-436f-a546-4dd0950d210f",
"indicator--57f642ff-74d8-4620-8450-4cc4950d210f",
"indicator--57f642ff-40a4-49d1-a713-4f15950d210f",
"indicator--57f642ff-6790-4eea-93bf-4636950d210f",
"observed-data--57f642ff-2da0-4c7e-9097-450a950d210f",
"domain-name--57f642ff-2da0-4c7e-9097-450a950d210f",
"indicator--57f642ff-ac84-464b-af31-49a2950d210f",
"indicator--57f64300-8c48-4f74-bdac-4baf950d210f",
"indicator--57f64300-35b8-4264-bce3-41fe950d210f",
"indicator--57f64300-fb5c-4e06-ad7e-4416950d210f",
"indicator--57f64300-09d4-4c0c-829b-47cb950d210f",
"indicator--57f64300-c650-4b52-a163-434b950d210f",
"indicator--57f64301-b990-4d93-afba-4bdd950d210f",
"indicator--57f64301-8778-4ef8-a2cd-4e95950d210f",
"indicator--57f64301-91e0-4be9-975a-40e6950d210f",
"indicator--57f64301-abec-41d3-aff6-46e9950d210f",
"indicator--57f64301-8b58-49d7-8722-449d950d210f",
"observed-data--57f6435b-2448-47d1-92ab-4002950d210f",
"url--57f6435b-2448-47d1-92ab-4002950d210f"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"osint:source-type=\"blog-post\"",
"osint:source-type=\"technical-report\""
]
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--57f640ba-8dd0-4668-9822-4003950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-10-06T12:16:57.000Z",
"modified": "2016-10-06T12:16:57.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "comment",
"x_misp_value": "Since posting about the DNC hack, each time we published a blog post on a BEAR-based topic we thought it was going to be our last. But like the Death Star\u2019s gravitational pull, the story keeps drawing us back in as new information comes to light. Following our post on DCLeaks as a Russian influence operation, Bellingcat founder Eliot Higgins reached out to us. Bellingcat, a group of citizen investigative journalists, has published articles critical of Russia and has been a key contributor to the international investigation of the shootdown of Malaysian Airlines Flight 17 (MH17) over Ukraine in 2014.\r\n\r\nHiggins shared data with ThreatConnect that indicates Bellingcat has come under sustained targeting by Russian threat actors, which allowed us to identify a 2015 spearphishing campaign that is consistent with FANCY BEAR\u2019s tactics, techniques, and procedures. We also analyzed a February 2016 attack by CyberBerkut \u2014 a group claiming to be pro-Russian Ukrainian hacktivists but also a suspected front for Moscow \u2014 against Russia-based Bellingcat contributor Ruslan Leviev, where CyberBerkut defaced the Bellingcat website and leaked Leviev\u2019s personal details. As evidenced by these efforts and the attack on the World Anti-Doping Agency, organizations that negatively impact Russia\u2019s image can expect Russian cyber operations intended to retaliate publicly or privately, influence, or otherwise maliciously affect them. The Diamond Model below summarizes the activity that Bellingcat experienced"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57f642fe-24bc-436f-a546-4dd0950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-10-06T12:26:38.000Z",
"modified": "2016-10-06T12:26:38.000Z",
"description": "Imported via the Freetext Import Tool",
"pattern": "[domain-name:value = 'mxx.evrosatory.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-10-06T12:26:38Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57f642ff-74d8-4620-8450-4cc4950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-10-06T12:26:39.000Z",
"modified": "2016-10-06T12:26:39.000Z",
"description": "Imported via the Freetext Import Tool",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '46.22.208.204']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-10-06T12:26:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57f642ff-40a4-49d1-a713-4f15950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-10-06T12:26:39.000Z",
"modified": "2016-10-06T12:26:39.000Z",
"description": "Imported via the Freetext Import Tool",
"pattern": "[email-message:from_ref.value = 'andre_roy@mail.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-10-06T12:26:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"email-src\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57f642ff-6790-4eea-93bf-4636950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-10-06T12:26:39.000Z",
"modified": "2016-10-06T12:26:39.000Z",
"description": "Nameserver",
"pattern": "[domain-name:value = 'carbon2u.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-10-06T12:26:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"domain\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--57f642ff-2da0-4c7e-9097-450a950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-01-12T10:35:20.000Z",
"modified": "2018-01-12T10:35:20.000Z",
"first_observed": "2018-01-12T10:35:20Z",
"last_observed": "2018-01-12T10:35:20Z",
"number_observed": 1,
"object_refs": [
"domain-name--57f642ff-2da0-4c7e-9097-450a950d210f"
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\""
]
},
{
"type": "domain-name",
"spec_version": "2.1",
"id": "domain-name--57f642ff-2da0-4c7e-9097-450a950d210f",
"value": "accounts.servicegoogle.com"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57f642ff-ac84-464b-af31-49a2950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-10-06T12:26:39.000Z",
"modified": "2016-10-06T12:26:39.000Z",
"description": "Imported via the Freetext Import Tool",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '155.254.36.155']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-10-06T12:26:39Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57f64300-8c48-4f74-bdac-4baf950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-10-06T12:26:40.000Z",
"modified": "2016-10-06T12:26:40.000Z",
"description": "Imported via the Freetext Import Tool",
"pattern": "[email-message:from_ref.value = 'theforeignnews@gmail.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-10-06T12:26:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"email-src\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57f64300-35b8-4264-bce3-41fe950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-10-06T12:26:40.000Z",
"modified": "2016-10-06T12:26:40.000Z",
"description": "Imported via the Freetext Import Tool",
"pattern": "[domain-name:value = 'cata501836.earth.orderbox-dns.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-10-06T12:26:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57f64300-fb5c-4e06-ad7e-4416950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-10-06T12:26:40.000Z",
"modified": "2016-10-06T12:26:40.000Z",
"description": "Imported via the Freetext Import Tool",
"pattern": "[domain-name:value = 'mxx.us-westmail-undeliversystem.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-10-06T12:26:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57f64300-09d4-4c0c-829b-47cb950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-10-06T12:26:40.000Z",
"modified": "2016-10-06T12:26:40.000Z",
"description": "Imported via the Freetext Import Tool",
"pattern": "[domain-name:value = 'mx1.servicetransfermail.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-10-06T12:26:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57f64300-c650-4b52-a163-434b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-10-06T12:26:40.000Z",
"modified": "2016-10-06T12:26:40.000Z",
"description": "Imported via the Freetext Import Tool",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '95.153.32.53']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-10-06T12:26:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57f64301-b990-4d93-afba-4bdd950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-10-06T12:26:41.000Z",
"modified": "2016-10-06T12:26:41.000Z",
"description": "Imported via the Freetext Import Tool",
"pattern": "[domain-name:value = 'accounts.google.com.rnil.am']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-10-06T12:26:41Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57f64301-8778-4ef8-a2cd-4e95950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-10-06T12:26:41.000Z",
"modified": "2016-10-06T12:26:41.000Z",
"description": "Imported via the Freetext Import Tool",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '198.105.122.187']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-10-06T12:26:41Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57f64301-91e0-4be9-975a-40e6950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-10-06T12:26:41.000Z",
"modified": "2016-10-06T12:26:41.000Z",
"description": "Imported via the Freetext Import Tool",
"pattern": "[domain-name:value = 'mx6.set132.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-10-06T12:26:41Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57f64301-abec-41d3-aff6-46e9950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-10-06T12:26:41.000Z",
"modified": "2016-10-06T12:26:41.000Z",
"description": "Imported via the Freetext Import Tool",
"pattern": "[email-message:from_ref.value = 'emmer.brown@mail.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-10-06T12:26:41Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"email-src\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--57f64301-8b58-49d7-8722-449d950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-10-06T12:26:41.000Z",
"modified": "2016-10-06T12:26:41.000Z",
"description": "Imported via the Freetext Import Tool",
"pattern": "[domain-name:value = 'server.mx4.set132.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-10-06T12:26:41Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--57f6435b-2448-47d1-92ab-4002950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-10-06T12:28:11.000Z",
"modified": "2016-10-06T12:28:11.000Z",
"first_observed": "2016-10-06T12:28:11Z",
"last_observed": "2016-10-06T12:28:11Z",
"number_observed": 1,
"object_refs": [
"url--57f6435b-2448-47d1-92ab-4002950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--57f6435b-2448-47d1-92ab-4002950d210f",
"value": "https://www.threatconnect.com/blog/russia-hacks-bellingcat-mh17-investigation/"
}
]
}