{ "Event": { "analysis": "2", "date": "2017-08-11", "extends_uuid": "", "info": "OSINT - APT28 Targets Hospitality Sector, Presents Threat to Travelers", "publish_timestamp": "1502460110", "published": true, "threat_level_id": "3", "timestamp": "1502460096", "uuid": "598db7fd-47a8-45f8-9414-408b02de0b81", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#12e000", "local": false, "name": "misp-galaxy:threat-actor=\"Sofacy\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:microsoft-activity-group=\"STRONTIUM\"", "relationship_type": "" }, { "colour": "#001899", "local": false, "name": "estimative-language:likelihood-probability=\"likely\"", "relationship_type": "" }, { "colour": "#ffffff", "local": false, "name": "tlp:white", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:tool=\"ETERNALBLUE\"", "relationship_type": "" } ], "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1502460096", "to_ids": true, "type": "filename", "uuid": "598db84e-d5bc-4fc7-a9e7-43d002de0b81", "value": "Hotel_Reservation_Form.doc" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1502460096", "to_ids": true, "type": "md5", "uuid": "598db84f-48cc-4420-a5b5-4c7a02de0b81", "value": "9b10685b774a783eabfecdb6119a8aa3" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1502460096", "to_ids": true, "type": "md5", "uuid": "598db84f-f9a4-42a3-b8ed-4ec902de0b81", "value": "1421419d1be31f1f9ea60e8ed87277db" }, { "category": "Network activity", "comment": "(C2) domains", "deleted": false, "disable_correlation": false, "timestamp": "1502460096", "to_ids": true, "type": "domain", "uuid": "598db84f-fbcc-473b-890f-4f3b02de0b81", "value": "mvband.net" }, { "category": "Network activity", "comment": "(C2) domains", "deleted": false, "disable_correlation": false, "timestamp": "1502460096", "to_ids": true, "type": "domain", "uuid": "598db84f-f2bc-4f0b-baf7-4adc02de0b81", "value": "mvtband.net" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1502460096", "to_ids": false, "type": "link", "uuid": "598db870-f50c-441d-85e2-4f2f02de0b81", "value": "https://www.fireeye.com/blog/threat-research/2017/08/apt28-targets-hospitality-sector.html", "Tag": [ { "colour": "#00223b", "local": false, "name": "osint:source-type=\"blog-post\"", "relationship_type": "" } ] }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1502460096", "to_ids": false, "type": "text", "uuid": "598db880-780c-4b6e-ab6d-447102de0b81", "value": "FireEye has moderate confidence that a campaign targeting the hospitality sector is attributed to Russian actor APT28. We believe this activity, which dates back to at least July 2017, was intended to target travelers to hotels throughout Europe and the Middle East. The actor has used several notable techniques in these incidents such as sniffing passwords from Wi-Fi traffic, poisoning the NetBIOS Name Service, and spreading laterally via the EternalBlue exploit.", "Tag": [ { "colour": "#00223b", "local": false, "name": "osint:source-type=\"blog-post\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "- Xchecked via VT: 1421419d1be31f1f9ea60e8ed87277db", "deleted": false, "disable_correlation": false, "timestamp": "1502460097", "to_ids": true, "type": "sha256", "uuid": "598db8c1-09e8-4253-b562-464802de0b81", "value": "8c47961181d9929333628af20bdd750021e925f40065374e6b876e3b8afbba57" }, { "category": "Payload delivery", "comment": "- Xchecked via VT: 1421419d1be31f1f9ea60e8ed87277db", "deleted": false, "disable_correlation": false, "timestamp": "1502460097", "to_ids": true, "type": "sha1", "uuid": "598db8c1-8360-4ac9-85e3-47db02de0b81", "value": "f9fd3f1d8da4ffd6a494228b934549d09e3c59d1" }, { "category": "External analysis", "comment": "- Xchecked via VT: 1421419d1be31f1f9ea60e8ed87277db", "deleted": false, "disable_correlation": false, "timestamp": "1502460097", "to_ids": false, "type": "link", "uuid": "598db8c1-cc68-411c-ab76-41bb02de0b81", "value": "https://www.virustotal.com/file/8c47961181d9929333628af20bdd750021e925f40065374e6b876e3b8afbba57/analysis/1500378259/" }, { "category": "Payload delivery", "comment": "- Xchecked via VT: 9b10685b774a783eabfecdb6119a8aa3", "deleted": false, "disable_correlation": false, "timestamp": "1502460097", "to_ids": true, "type": "sha256", "uuid": "598db8c1-f310-4028-9f76-4e3602de0b81", "value": "a4a455db9f297e2b9fe99d63c9d31e827efb2cda65be445625fa64f4fce7f797" }, { "category": "Payload delivery", "comment": "- Xchecked via VT: 9b10685b774a783eabfecdb6119a8aa3", "deleted": false, "disable_correlation": false, "timestamp": "1502460097", "to_ids": true, "type": "sha1", "uuid": "598db8c1-d750-4c50-8a1b-473702de0b81", "value": "f293a2bfb728060c54efeeb03c5323893b5c80df" }, { "category": "External analysis", "comment": "- Xchecked via VT: 9b10685b774a783eabfecdb6119a8aa3", "deleted": false, "disable_correlation": false, "timestamp": "1502460097", "to_ids": false, "type": "link", "uuid": "598db8c1-5024-4a0c-bc3d-4f9b02de0b81", "value": "https://www.virustotal.com/file/a4a455db9f297e2b9fe99d63c9d31e827efb2cda65be445625fa64f4fce7f797/analysis/1501657253/" } ] } }