misp-galaxy/clusters/mitre-enterprise-attack-int...

972 lines
48 KiB
JSON
Raw Normal View History

2018-02-21 16:28:11 +01:00
{
2018-04-04 12:54:04 +02:00
"name": "Enterprise Attack -intrusion Set",
"type": "mitre-enterprise-attack-intrusion-set",
"description": "Name of ATT&CK Group",
"version": 3,
"source": "https://github.com/mitre/cti",
"uuid": "01f18402-1708-11e8-ac1c-1ffb3c4a7775",
"authors": [
"MITRE"
],
"values": [
{
"description": "Poseidon Group is a Portuguese-speaking threat group that has been active since at least 2005. The group has a history of using information exfiltrated from victims to blackmail victim companies into contracting the Poseidon Group as a security firm. (Citation: Kaspersky Poseidon Group)",
"value": "Poseidon Group - G0033",
"meta": {
"synonyms": [
"Poseidon Group"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0033",
"https://securelist.com/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/73673/"
]
},
"uuid": "7ecc3b4f-5cdb-457e-b55a-df376b359446"
},
{
"description": "Group5 is a threat group with a suspected Iranian nexus, though this attribution is not definite. The group has targeted individuals connected to the Syrian opposition via spearphishing and watering holes, normally using Syrian and Iranian themes. Group5 has used two commonly available remote access tools (RATs), njRAT and NanoCore, as well as an Android RAT, DroidJack. (Citation: Citizen Lab Group5)",
"value": "Group5 - G0043",
"meta": {
"synonyms": [
"Group5"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0043",
"https://citizenlab.org/2016/08/group5-syria/"
]
},
"uuid": "7331c66a-5601-4d3f-acf6-ad9e3035eb40"
},
{
"description": "PittyTiger is a threat group believed to operate out of China that uses multiple different types of malware to maintain command and control. (Citation: Bizeul 2014) (Citation: Villeneuve 2014)",
"value": "PittyTiger - G0011",
"meta": {
"synonyms": [
"PittyTiger"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0011",
"http://blog.cassidiancybersecurity.com/post/2014/07/The-Eye-of-the-Tiger2",
"https://www.fireeye.com/blog/threat-research/2014/07/spy-of-the-tiger.html"
]
},
"uuid": "fe98767f-9df8-42b9-83c9-004b1dec8647"
},
{
"description": "admin@338 is a China-based cyber threat group. It has previously used newsworthy events as lures to deliver malware and has primarily targeted organizations involved in financial, economic, and trade policy, typically using publicly available RATs such as PoisonIvy, as well as some non-public backdoors. (Citation: FireEye admin@338)",
"value": "admin@338 - G0018",
"meta": {
"synonyms": [
"admin@338"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0018",
"https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html"
]
},
"uuid": "16ade1aa-0ea1-4bb7-88cc-9079df2ae756"
},
{
"description": "RTM is a cybercriminal group that has been active since at least 2015 and is primarily interested in users of remote banking systems in Russia and neighboring countries. The group uses a Trojan by the same name (RTM). (Citation: ESET RTM Feb 2017)",
"value": "RTM - G0048",
"meta": {
"synonyms": [
"RTM"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0048",
"https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf"
]
},
"uuid": "c416b28c-103b-4df1-909e-78089a7e0e5f"
},
{
"description": "APT16 is a China-based threat group that has launched spearphishing campaigns targeting Japanese and Taiwanese organizations. (Citation: FireEye EPS Awakens Part 2)",
"value": "APT16 - G0023",
"meta": {
"synonyms": [
"APT16"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0023",
"https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html"
]
},
"uuid": "d6e88e18-81e8-4709-82d8-973095da1e70"
},
{
"description": "is a threat group that has conducted targeted attacks against organizations in South America and Southeast Asia, particularly government entities, since at least 2015. (Citation: Symantec Sowbug Nov 2017)\n\nContributors: Alan Neville, @abnev",
"value": "Sowbug - G0054",
"meta": {
"synonyms": [
"Sowbug"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0054",
"https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments"
]
},
"uuid": "d1acfbb3-647b-4723-9154-800ec119006e"
},
{
"description": "APT28 is a threat group that has been attributed to the Russian government. (Citation: FireEye APT28) (Citation: SecureWorks TG-4127) (Citation: FireEye APT28) January 2017 (Citation: GRIZZLY STEPPE JAR) This group reportedly compromised the Democratic National Committee in April 2016. (Citation: Crowdstrike DNC June 2016)",
"value": "APT28 - G0007",
"meta": {
"synonyms": [
"APT28",
"Sednit",
"Sofacy",
"Pawn Storm",
"Fancy Bear",
"STRONTIUM",
"Tsar Team",
"Threat Group-4127",
"TG-4127"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0007",
"https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/",
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf",
"https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign"
]
},
"uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c"
},
{
"description": "Winnti Group is a threat group with Chinese origins that has been active since at least 2010. The group has heavily targeted the gaming industry, but it has also expanded the scope of its targeting. Though both this group and Axiom use the malware Winnti, the two groups appear to be distinct based on differences in reporting on the groups' TTPs and targeting. (Citation: Kaspersky Winnti April 2013) (Citation: Kaspersky Winnti June 2015) (Citation: Novetta Winnti April 2015)",
"value": "Winnti Group - G0044",
"meta": {
"synonyms": [
"Winnti Group",
"Blackfly"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0044",
"https://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/winnti-more-than-just-a-game-130410.pdf",
"https://securelist.com/games-are-over/70991/",
"http://www.novetta.com/wp-content/uploads/2015/04/novetta%20winntianalysis.pdf"
]
},
"uuid": "c5947e1c-1cbc-434c-94b8-27c7e3be0fff"
},
{
"description": "Deep Panda is a suspected Chinese threat group known to target many industries, including government, defense, financial, and telecommunications. (Citation: Alperovitch 2014) The intrusion into healthcare company Anthem has been attributed to Deep Panda. (Citation: ThreatConnect Anthem) This group is also known as Shell Crew, WebMasters, KungFu Kittens, and PinkPanther. (Citation: RSA Shell Crew) Deep Panda also appears to be known as Black Vine based on the attribution of both group names to the Anthem intrusion. (Citation: Symantec Black Vine)",
"value": "Deep Panda - G0009",
"meta": {
"synonyms": [
"Deep Panda",
"Shell Crew",
"WebMasters",
"KungFu Kittens",
"PinkPanther",
"Black Vine"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0009",
"https://blog.crowdstrike.com/deep-thought-chinese-targeting-national-security-think-tanks/",
"https://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/",
"https://www.emc.com/collateral/white-papers/h12756-wp-shell-crew.pdf",
"http://www.symantec.com/content/en/us/enterprise/media/security%20response/whitepapers/the-black-vine-cyberespionage-group.pdf"
]
},
"uuid": "a653431d-6a5e-4600-8ad3-609b5af57064"
},
{
"description": "Molerats is a politically-motivated threat group that has been operating since 2012. The group's victims have primarily been in the Middle East, Europe, and the United States. (Citation: DustySky) (Citation: DustySky)2",
"value": "Molerats - G0021",
"meta": {
"synonyms": [
"Molerats",
"Operation Molerats",
"Gaza Cybergang"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0021"
]
},
"uuid": "df71bb3b-813c-45eb-a8bc-f2a419837411"
},
{
"description": "Strider is a threat group that has been active since at least 2011 and has targeted victims in Russia, China, Sweden, Belgium, Iran, and Rwanda. (Citation: Symantec Strider Blog) (Citation: Kaspersky ProjectSauron Blog)",
"value": "Strider - G0041",
"meta": {
"synonyms": [
"Strider",
"ProjectSauron"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0041",
"http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets",
"https://securelist.com/faq-the-projectsauron-apt/75533/"
]
},
"uuid": "277d2f87-2ae5-4730-a3aa-50c1fdff9656"
},
{
"description": "Sandworm Team is a cyber espionage group that has operated since approximately 2009 and has been attributed to Russia. (Citation: iSIGHT Sandworm 2014)",
"value": "Sandworm Team - G0034",
"meta": {
"synonyms": [
"Sandworm Team",
"Quedagh"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0034",
"https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html"
]
},
"uuid": "381fcf73-60f6-4ab2-9991-6af3cbc35192"
},
{
"description": "FIN6 is a cyber crime group that has stolen payment card data and sold it for profit on underground marketplaces. This group has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors. (Citation: FireEye FIN6 April 2016)",
"value": "FIN6 - G0037",
"meta": {
"synonyms": [
"FIN6"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0037",
"https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf"
]
},
"uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb"
},
{
"description": "Dust Storm is a threat group that has targeted multiple industries in Japan, South Korea, the United States, Europe, and several Southeast Asian countries. (Citation: Cylance Dust Storm)",
"value": "Dust Storm - G0031",
"meta": {
"synonyms": [
"Dust Storm"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0031",
"https://www.cylance.com/content/dam/cylance/pdfs/reports/Op%20Dust%20Storm%20Report.pdf"
]
},
"uuid": "ae41895a-243f-4a65-b99b-d85022326c31"
},
{
"description": "Cleaver is a threat group that has been attributed to Iranian actors and is responsible for activity tracked as Operation Cleaver. (Citation: Cylance Cleaver) Strong circumstantial evidence suggests Cleaver is linked to Threat Group 2889 (TG-2889). (Citation: Dell Threat Group 2889)",
"value": "Cleaver - G0003",
"meta": {
"synonyms": [
"Cleaver",
"TG-2889",
"Threat Group 2889"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0003",
"https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance%20Operation%20Cleaver%20Report.pdf",
"http://www.secureworks.com/cyber-threat-intelligence/threats/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles/"
]
},
"uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063"
},
{
"description": "APT12 is a threat group that has been attributed to China. (Citation: Meyers Numbered Panda)",
"value": "APT12 - G0005",
"meta": {
"synonyms": [
"APT12",
"IXESHE",
"DynCalc",
"Numbered Panda",
"DNSCALC"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0005",
"http://www.crowdstrike.com/blog/whois-numbered-panda/"
]
},
"uuid": "c47f937f-1022-4f42-8525-e7a4779a14cb"
},
{
"description": "is an activity group that conducted a campaign in May 2016 and has heavily targeted Turkish victims. The group has demonstrated similarity to another activity group called due to overlapping victim and campaign characteristics. (Citation: Microsoft NEODYMIUM Dec 2016) (Citation: Microsoft SIR Vol 21)",
"value": "NEODYMIUM - G0055",
"meta": {
"synonyms": [
"NEODYMIUM"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0055",
"https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/",
"http://download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft%20Security%20Intelligence%20Report%20Volume%2021%20English.pdf"
]
},
"uuid": "025bdaa9-897d-4bad-afa6-013ba5734653"
},
{
"description": "APT34 is an Iranian cyber espionage group that has been active since at least 2014. The group has targeted a variety of industries, including financial, government, energy, chemical, and telecommunications, and has largely focused its operations within the Middle East. FireEye assesses that the group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests. APT34 loosely aligns with public reporting related to OilRig, but may not wholly align due to companies tracking threat groups in different ways. (Citation: FireEye APT34 Dec 2017)",
"value": "APT34 - G0057",
"meta": {
"synonyms": [
"APT34"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0057",
"https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html"
]
},
"uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6"
},
{
"description": "Moafee is a threat group that appears to operate from the Guandong Province of China. Due to overlapping TTPs, including similar custom tools, Moafee is thought to have a direct or indirect relationship with the threat group DragonOK. (Citation: Haq 2014)",
"value": "Moafee - G0002",
"meta": {
"synonyms": [
"Moafee"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0002",
"https://www.fireeye.com/blog/threat-research/2014/09/the-path-to-mass-producing-cyber-attacks.html"
]
},
"uuid": "2e5d3a83-fe00-41a5-9b60-237efc84832f"
},
{
"description": "Threat Group-3390 is a Chinese threat group that has extensively used strategic Web compromises to target victims. (Citation: Dell TG-3390) The group has targeted organizations in the aerospace, government, defense, technology, energy, and manufacturing sectors. (Citation: SecureWorks BRONZE UNION June 2017)",
"value": "Threat Group-3390 - G0027",
"meta": {
"synonyms": [
"Threat Group-3390",
"TG-3390",
"Emissary Panda",
"BRONZE UNION"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0027",
"http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/",
"https://www.secureworks.com/research/bronze-union"
]
},
"uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c"
},
{
"description": "DragonOK is a threat group that has targeted Japanese organizations with phishing emails. Due to overlapping TTPs, including similar custom tools, DragonOK is thought to have a direct or indirect relationship with the threat group Moafee. (Citation: Operation Quantum Entanglement) It is known to use a variety of malware, including Sysget/HelloBridge, PlugX, PoisonIvy, FormerFirstRat, NFlog, and NewCT. (Citation: New DragonOK)",
"value": "DragonOK - G0017",
"meta": {
"synonyms": [
"DragonOK"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0017",
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf",
"http://researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/"
]
},
"uuid": "f3bdec95-3d62-42d9-a840-29630f6cdc1a"
},
{
"description": "APT1 is a Chinese threat group that has been attributed to the 2nd Bureau of the Peoples Liberation Army (PLA) General Staff Departments (GSD) 3rd Department, commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398. (Citation: Mandiant APT1)",
"value": "APT1 - G0006",
"meta": {
"synonyms": [
"APT1",
"Comment Crew",
"Comment Group",
"Comment Panda"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0006",
"https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
]
},
"uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662"
},
{
"description": "FIN10 is a financially motivated threat group that has targeted organizations in North America since at least 2013 through 2016. The group uses stolen data exfiltrated from victims to extort organizations. (Citation: FireEye FIN10 June 2017)",
"value": "FIN10 - G0051",
"meta": {
"synonyms": [
"FIN10"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0051",
"https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin10.pdf"
]
},
"uuid": "fbe9387f-34e6-4828-ac28-3080020c597b"
},
{
"description": "OilRig is a threat group with suspected Iranian origins that has targeted Middle Eastern and international victims since at least 2015. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. (Citation: Palo Alto OilRig April 2017) (Citation: ClearSky OilRig Jan 2017) (Citation: Palo Alto OilRig May 2016) (Citation: Palo Alto OilRig Oct 2016) (Citation: Unit 42 Playbook OilRig Dec 2017) Reporting on OilRig may loosely overlap with APT34, but may not wholly align due to companies tracking groups in different ways. (Citation: FireEye APT34 Dec 2017)\n\nContributors: Robert Falcone, Bryan Lee",
"value": "OilRig - G0049",
"meta": {
"synonyms": [
"OilRig"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0049",
"http://researchcenter.paloaltonetworks.com/2017/04/unit42-oilrig-actors-provide-glimpse-development-testing-efforts/",
"http://www.clearskysec.com/oilrig/",
"http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/",
"http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/",
"https://pan-unit42.github.io/playbook%20viewer/",
"https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html"
]
},
"uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d"
},
{
"description": "is an Iranian cyber espionage group that has been active since approximately 2014. They appear to focus on targeting individuals of interest to Iran who work in academic research, human rights, and media, with most victims having been located in Iran, the US, Israel, and the UK. usually tries to access private email and Facebook accounts, and sometimes establishes a foothold on victim computers as a secondary objective. The group's TTPs overlap extensively with another group, Rocket Kitten, resulting in reporting that may not distinguish between the two groups' activities. (Citation: ClearSky Charming Kitten Dec 2017)",
"value": "Charming Kitten - G0058",
"meta": {
"synonyms": [
"Charming Kitten"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0058",
"http://www.clearskysec.com/wp-content/uploads/2017/12/Charming%20Kitten%202017.pdf"
]
},
"uuid": "7636484c-adc5-45d4-9bfe-c3e062fbc4a0"
},
{
"description": "FIN5 is a financially motivated threat group that has targeted personally identifiable information and payment card information. The group has been active since at least 2008 and has targeted the restaurant, gaming, and hotel industries. The group is made up of actors who likely speak Russian. (Citation: FireEye Respond Webinar July 2017) (Citation: Mandiant FIN5 GrrCON Oct 2016) (Citation: DarkReading FireEye FIN5 Oct 2015)\n\nContributors: Walker Johnson",
"value": "FIN5 - G0053",
"meta": {
"synonyms": [
"FIN5"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0053",
"https://www2.fireeye.com/WBNR-Are-you-ready-to-respond.html",
"https://www.youtube.com/watch?v=fevGZs0EQu8",
"https://www.darkreading.com/analytics/prolific-cybercrime-gang-favors-legit-login-credentials/d/d-id/1322645?"
]
},
"uuid": "85403903-15e0-4f9f-9be4-a259ecad4022"
},
{
"description": "Taidoor is a threat group that has operated since at least 2009 and has primarily targeted the Taiwanese government. (Citation: TrendMicro Taidoor)",
"value": "Taidoor - G0015",
"meta": {
"synonyms": [
"Taidoor"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0015",
"http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp%20the%20taidoor%20campaign.pdf"
]
},
"uuid": "59140a2e-d117-4206-9b2c-2a8662bd9d46"
},
{
"description": "Night Dragon is a threat group that has conducted activity originating primarily in China. (Citation: McAfee Night Dragon)",
"value": "Night Dragon - G0014",
"meta": {
"synonyms": [
"Night Dragon"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0014",
"http://www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf"
]
},
"uuid": "23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8"
},
{
"description": "Naikon is a threat group that has focused on targets around the South China Sea. (Citation: Baumgartner Naikon 2015) The group has been attributed to the Chinese Peoples Liberation Armys (PLA) Chengdu Military Region Second Technical Reconnaissance Bureau (Military Unit Cover Designator 78020). (Citation: CameraShy) While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches. (Citation: Baumgartner Golovkin Naikon 2015)",
"value": "Naikon - G0019",
"meta": {
"synonyms": [
"Naikon"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0019",
"https://securelist.com/files/2015/05/TheNaikonAPT-MsnMM1.pdf",
"http://cdn2.hubspot.net/hubfs/454298/Project%20CAMERASHY%20ThreatConnect%20Copyright%202015.pdf",
"https://securelist.com/the-naikon-apt/69953/"
]
},
"uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050"
},
{
"description": "Ke3chang is a threat group attributed to actors operating out of China. (Citation: Villeneuve et al 2014)",
"value": "Ke3chang - G0004",
"meta": {
"synonyms": [
"Ke3chang"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0004",
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf"
]
},
"uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c"
},
{
"description": "APT32 is a threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as with foreign governments, dissidents, and journalists, and has extensively used strategic web compromises to compromise victims. The group is believed to be Vietnam-based. (Citation: FireEye APT32 May 2017) (Citation: Volexity OceanLotus Nov 2017)",
"value": "APT32 - G0050",
"meta": {
"synonyms": [
"APT32",
"OceanLotus Group"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0050",
"https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html",
"https://www.volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/"
]
},
"uuid": "247cb30b-955f-42eb-97a5-a89fef69341e"
},
{
"description": "Patchwork is a threat group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be a pro-Indian or Indian entity. Much of the code used by this group was copied and pasted from online forums. (Citation: Cymmetria Patchwork) (Citation: Symantec Patchwork)",
"value": "Patchwork - G0040",
"meta": {
"synonyms": [
"Patchwork",
"Dropping Elephant",
"Chinastrats"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0040",
"https://s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling%20Patchwork.pdf",
"http://www.symantec.com/connect/blogs/patchwork-cyberespionage-group-expands-targets-governments-wide-range-industries"
]
},
"uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0"
},
{
"description": "APT30 is a threat group suspected to be associated with the Chinese government. (Citation: FireEye APT30) While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches. (Citation: Baumgartner Golovkin Naikon 2015)",
"value": "APT30 - G0013",
"meta": {
"synonyms": [
"APT30"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0013",
"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf",
"https://securelist.com/the-naikon-apt/69953/"
]
},
"uuid": "f047ee18-7985-4946-8bfb-4ed754d3a0dd"
},
{
"description": "MONSOON is the name of an espionage campaign that apparently started in December 2015 and was ongoing as of July 2016. It is believed that the actors behind MONSOON are the same actors behind Operation Hangover. While attribution is unclear, the campaign has targeted victims with military and political interests in the Indian Subcontinent. (Citation: Forcepoint Monsoon) Operation Hangover has been reported as being Indian in origin, and can be traced back to 2010. (Citation: Operation Hangover May 2013)",
"value": "MONSOON - G0042",
"meta": {
"synonyms": [
"MONSOON",
"Operation Hangover"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0042",
"https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf",
"http://enterprise-manage.norman.c.bitbit.net/resources/files/Unveiling%20an%20Indian%20Cyberattack%20Infrastructure.pdf"
]
},
"uuid": "9559ecaf-2e75-48a7-aee8-9974020bc772"
},
{
"description": "APT17 is a China-based threat group that has conducted network intrusions against U.S. government entities, the defense industry, law firms, information technology companies, mining companies, and non-government organizations. (Citation: FireEye APT17)",
"value": "APT17 - G0025",
"meta": {
"synonyms": [
"APT17",
"Deputy Dog"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0025",
"https://www2.fireeye.com/rs/fireye/images/APT17%20Report.pdf"
]
},
"uuid": "090242d7-73fc-4738-af68-20162f7a5aae"
},
{
"description": "FIN7 is a financially motivated threat group that has primarily targeted the retail and hospitality sectors, often using point-of-sale malware. It is sometimes referred to as Carbanak Group, but these appear to be two groups using the same Carbanak malware and are therefore tracked separately. (Citation: FireEye FIN7 March 2017) (Citation: FireEye FIN7 April 2017)",
"value": "FIN7 - G0046",
"meta": {
"synonyms": [
"FIN7"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0046",
"https://www.fireeye.com/blog/threat-research/2017/03/fin7%20spear%20phishing.html",
"https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html"
]
},
"uuid": "3753cc21-2dae-4dfb-8481-d004e74502cc"
},
{
"description": "APT3 is a China-based threat group that researchers have attributed to China's Ministry of State Security. (Citation: FireEye Clandestine Wolf) (Citation: Recorded Future APT3 May 2017) This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap. (Citation: FireEye Clandestine Wolf) (Citation: FireEye Operation Double Tap) As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong. (Citation: Symantec Buckeye)\n\n (Citation: APT3 Adversary Emulation Plan)",
"value": "APT3 - G0022",
"meta": {
"synonyms": [
"APT3",
"Gothic Panda",
"Pirpi",
"UPS Team",
"Buckeye",
"Threat Group-0110",
"TG-0110"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0022",
"https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html",
"https://www.recordedfuture.com/chinese-mss-behind-apt3/",
"https://www.fireeye.com/blog/threat-research/2014/11/operation%20doubletap.html",
"http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong",
"https://attack.mitre.org/w/img%20auth.php/6/6c/APT3%20Adversary%20Emulation%20Plan.pdf"
]
},
"uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9"
},
{
"description": "GCMAN is a threat group that focuses on targeting banks for the purpose of transferring money to e-currency services. (Citation: Securelist GCMAN)",
"value": "GCMAN - G0036",
"meta": {
"synonyms": [
"GCMAN"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0036",
"https://securelist.com/apt-style-bank-robberies-increase-with-metel-gcman-and-carbanak-2-0-attacks/73638/"
]
},
"uuid": "0ea72cd5-ca30-46ba-bc04-378f701c658f"
},
{
"description": "Lazarus Group is a threat group that has been attributed to the North Korean government. (Citation: US-CERT HIDDEN COBRA June 2017) The group has been active since at least 2009 and was reportedly responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment as part of a campaign named Operation Blockbuster by Novetta. Malware used by Lazarus Group correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain. (Citation: Novetta Blockbuster)",
"value": "Lazarus Group - G0032",
"meta": {
"synonyms": [
"Lazarus Group",
"HIDDEN COBRA",
"Guardians of Peace",
"ZINC",
"NICKEL ACADEMY"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0032",
"https://www.us-cert.gov/ncas/alerts/TA17-164A",
"https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf"
]
},
"uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a"
},
{
"description": "Lotus Blossom is a threat group that has targeted government and military organizations in Southeast Asia. (Citation: Lotus Blossom Jun 2015)",
"value": "Lotus Blossom - G0030",
"meta": {
"synonyms": [
"Lotus Blossom",
"Spring Dragon"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0030",
"https://www.paloaltonetworks.com/resources/research/unit42-operation-lotus-blossom.html"
]
},
"uuid": "88b7dbc2-32d3-4e31-af2f-3fc24e1582d7"
},
{
"description": "Equation is a sophisticated threat group that employs multiple remote access tools. The group is known to use zero-day exploits and has developed the capability to overwrite the firmware of hard disk drives. (Citation: Kaspersky Equation QA)",
"value": "Equation - G0020",
"meta": {
"synonyms": [
"Equation"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0020",
"https://securelist.com/files/2015/02/Equation%20group%20questions%20and%20answers.pdf"
]
},
"uuid": "96e239be-ad99-49eb-b127-3007b8c1bec9"
},
{
"description": "Darkhotel is a threat group that has been active since at least 2004. The group has conducted activity on hotel and business center WiFi and physical connections as well as peer-to-peer and file sharing networks. The actors have also conducted spearphishing. (Citation: Kaspersky Darkhotel)",
"value": "Darkhotel - G0012",
"meta": {
"synonyms": [
"Darkhotel"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0012",
"https://securelist.com/files/2014/11/darkhotel%20kl%2007.11.pdf"
]
},
"uuid": "9e729a7e-0dd6-4097-95bf-db8d64911383"
},
{
"description": "Dragonfly is a cyber espionage group that has been active since at least 2011. They initially targeted defense and aviation companies but shifted to focus on the energy sector in early 2013. They have also targeted companies related to industrial control systems. The group appeared to decrease activity following public exposure in 2014, and re-emerged in late 2015 through 2017. (Citation: Symantec Dragonfly) (Citation: Symantec Dragonfly) Sept 2017",
"value": "Dragonfly - G0035",
"meta": {
"synonyms": [
"Dragonfly",
"Energetic Bear"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0035",
"http://www.symantec.com/content/en/us/enterprise/media/security%20response/whitepapers/Dragonfly%20Threat%20Against%20Western%20Energy%20Suppliers.pdf"
]
},
"uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1"
},
{
"description": "Suckfly is a China-based threat group that has been active since at least 2014. (Citation: Symantec Suckfly March 2016)",
"value": "Suckfly - G0039",
"meta": {
"synonyms": [
"Suckfly"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0039",
"http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates"
]
},
"uuid": "5cbe0d3b-6fb1-471f-b591-4b192915116d"
},
{
"description": "Stealth Falcon is a threat group that has conducted targeted spyware attacks against Emirati journalists, activists, and dissidents since at least 2012. Circumstantial evidence suggests there could be a link between this group and the United Arab Emirates (UAE) government, but that has not been confirmed. (Citation: Citizen Lab Stealth Falcon May 2016)",
"value": "Stealth Falcon - G0038",
"meta": {
"synonyms": [
"Stealth Falcon"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0038",
"https://citizenlab.org/2016/05/stealth-falcon/"
]
},
"uuid": "894aab42-3371-47b1-8859-a4a074c804c8"
},
{
"description": "BRONZE BUTLER is a cyber espionage group with likely Chinese origins that has been active since at least 2008. The group primarily targets Japanese organizations, particularly those in government, biotechnology, electronics manufacturing, and industrial chemistry. (Citation: Trend Micro Daserf Nov 2017) (Citation: Secureworks BRONZE BUTLER Oct 2017)",
"value": "BRONZE BUTLER - G0060",
"meta": {
"synonyms": [
"BRONZE BUTLER",
"REDBALDKNIGHT",
"Tick"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0060",
"http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/",
"https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses"
]
},
"uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90"
},
{
"description": "Scarlet Mimic is a threat group that has targeted minority rights activists. This group has not been directly linked to a government source, but the group's motivations appear to overlap with those of the Chinese government. While there is some overlap between IP addresses used by Scarlet Mimic and Putter Panda, it has not been concluded that the groups are the same. (Citation: Scarlet Mimic Jan 2016)",
"value": "Scarlet Mimic - G0029",
"meta": {
"synonyms": [
"Scarlet Mimic"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0029",
"http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/"
]
},
"uuid": "c5574ca0-d5a4-490a-b207-e4658e5fd1d7"
},
{
"description": "Threat Group-1314 is an unattributed threat group that has used compromised credentials to log into a victim's remote access infrastructure. (Citation: Dell TG-1314)",
"value": "Threat Group-1314 - G0028",
"meta": {
"synonyms": [
"Threat Group-1314",
"TG-1314"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0028",
"http://www.secureworks.com/resources/blog/living-off-the-land/"
]
},
"uuid": "d519164e-f5fa-4b8c-a1fb-cf0172ad0983"
},
{
"description": "Turla is a threat group that has infected victims in over 45 countries, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies. They are known for conducting watering hole and spearphishing campaigns. (Citation: Kaspersky Turla) (Citation: ESET Gazer Aug 2017)",
"value": "Turla - G0010",
"meta": {
"synonyms": [
"Turla",
"Waterbug",
"WhiteBear"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0010",
"https://securelist.com/the-epic-turla-operation/65545/",
"https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf"
]
},
"uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6"
},
{
"description": "APT29 is threat group that has been attributed to the Russian government and has operated since at least 2008. (Citation: F-Secure The Dukes) (Citation: GRIZZLY STEPPE JAR) This group reportedly compromised the Democratic National Committee starting in the summer of 2015. (Citation: Crowdstrike DNC June 2016)",
"value": "APT29 - G0016",
"meta": {
"synonyms": [
"APT29",
"The Dukes",
"Cozy Bear",
"CozyDuke"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0016",
"https://www.f-secure.com/documents/996508/1030745/dukes%20whitepaper.pdf",
"https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"
]
},
"uuid": "899ce53f-13a0-479b-a0e4-67d46e241542"
},
{
"description": "menuPass is a threat group that appears to originate from China and has been active since approximately 2009. The group has targeted healthcare, defense, aerospace, and government sectors, and has targeted Japanese victims since at least 2014. In 2016 and 2017, the group targeted managed IT service providers, manufacturing and mining companies, and a university. (Citation: Palo Alto menuPass Feb 2017) (Citation: Crowdstrike CrowdCast Oct 2013) (Citation: FireEye Poison Ivy) (Citation: PWC Cloud Hopper April 2017) (Citation: FireEye APT10 April 2017)",
"value": "menuPass - G0045",
"meta": {
"synonyms": [
"menuPass",
"Stone Panda",
"APT10",
"Red Apollo",
"CVNX"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0045",
"http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/",
"https://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem",
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf",
"https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf",
"https://www.fireeye.com/blog/threat-research/2017/04/apt10%20menupass%20grou.html"
]
},
"uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f"
},
{
"description": "Putter Panda is a Chinese threat group that has been attributed to Unit 61486 of the 12th Bureau of the PLAs 3rd General Staff Department (GSD). (Citation: CrowdStrike Putter Panda)",
"value": "Putter Panda - G0024",
"meta": {
"synonyms": [
"Putter Panda",
"APT2",
"MSUpdater"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0024",
"http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf"
]
},
"uuid": "5ce5392a-3a6c-4e07-9df3-9b6a9159ac45"
},
{
"description": " (Citation: Axiom) is a cyber espionage group suspected to be associated with the Chinese government. It is responsible for the Operation SMN campaign. (Citation: Axiom) Though both this group and Winnti Group use the malware Winnti, the two groups appear to be distinct based on differences in reporting on the groups' TTPs and targeting. (Citation: Kaspersky Winnti April 2013) (Citation: Kaspersky Winnti June 2015) (Citation: Novetta Winnti April 2015)",
"value": "Axiom - G0001",
"meta": {
"synonyms": [
"Axiom",
"Group 72"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0001",
"http://www.novetta.com/wp-content/uploads/2014/11/Executive%20Summary-Final%201.pdf",
"https://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/winnti-more-than-just-a-game-130410.pdf",
"https://securelist.com/games-are-over/70991/",
"http://www.novetta.com/wp-content/uploads/2015/04/novetta%20winntianalysis.pdf"
]
},
"uuid": "a0cb9370-e39b-44d5-9f50-ef78e412b973"
},
{
"description": "Magic Hound is an espionage campaign operating primarily in the Middle East that dates back to at least mid-2016. The group behind the campaign has primarily targeted organizations in the energy, government, and technology sectors that are either based or have business interests in Saudi Arabia. (Citation: Unit 42 Magic Hound Feb 2017)\n\nContributors: Bryan Lee",
"value": "Magic Hound - G0059",
"meta": {
"synonyms": [
"Magic Hound",
"Rocket Kitten",
"Operation Saffron Rose",
"Ajax Security Team",
"Operation Woolen-Goldfish",
"Newscaster",
"Cobalt Gypsy"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0059",
"https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/"
]
},
"uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13"
},
{
"description": "is an activity group that has been active since at least 2012. The group conducted a campaign in May 2016 and has heavily targeted Turkish victims. has demonstrated similarity to another activity group called NEODYMIUM due to overlapping victim and campaign characteristics. (Citation: Microsoft NEODYMIUM Dec 2016) (Citation: Microsoft SIR Vol 21)",
"value": "PROMETHIUM - G0056",
"meta": {
"synonyms": [
"PROMETHIUM"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0056",
"https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/",
"http://download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft%20Security%20Intelligence%20Report%20Volume%2021%20English.pdf"
]
},
"uuid": "efed95ba-d7e8-47ff-8c53-99c42426ee7c"
},
{
"description": "Carbanak is a threat group that mainly targets banks. It also refers to malware of the same name (Carbanak). It is sometimes referred to as FIN7, but these appear to be two groups using the same Carbanak malware and are therefore tracked separately. (Citation: Kaspersky Carbanak) (Citation: FireEye FIN7 April 2017)\n\nContributors: Anastasios Pingios",
"value": "Carbanak - G0008",
"meta": {
"synonyms": [
"Carbanak",
"Anunak",
"Carbon Spider"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0008",
"https://securelist.com/files/2015/02/Carbanak%20APT%20eng.pdf",
"https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html"
]
},
"uuid": "55033a4d-3ffe-46b2-99b4-2c1541e9ce1c"
},
{
"description": "APT18 is a threat group that has operated since at least 2009 and has targeted a range of industries, including technology, manufacturing, human rights groups, government, and medical. (Citation: Dell Lateral Movement)",
"value": "APT18 - G0026",
"meta": {
"synonyms": [
"APT18",
"Threat Group-0416",
"TG-0416",
"Dynamite Panda"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0026",
"http://www.secureworks.com/resources/blog/where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems/"
]
},
"uuid": "38fd6a28-3353-4f2b-bb2b-459fecd5c648"
},
{
"description": "CopyKittens is an Iranian cyber espionage group that has been operating since at least 2013. It has targeted countries including Israel, Saudi Arabia, Turkey, the U.S., Jordan, and Germany. The group is responsible for the campaign known as Operation Wilted Tulip. (Citation: ClearSky CopyKittens March 2017) (Citation: ClearSky Wilted Tulip July 2017) (Citation: CopyKittens Nov 2015)",
"value": "CopyKittens - G0052",
"meta": {
"synonyms": [
"CopyKittens"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0052",
"http://www.clearskysec.com/copykitten-jpost/",
"http://www.clearskysec.com/wp-content/uploads/2017/07/Operation%20Wilted%20Tulip.pdf",
"https://s3-eu-west-1.amazonaws.com/minervaresearchpublic/CopyKittens/CopyKittens.pdf"
]
},
"uuid": "dcd81c6e-ebf7-4a16-93e0-9a97fa49c88a"
},
{
"description": "Gamaredon Group is a threat group that has been active since at least 2013 and has targeted individuals likely involved in the Ukrainian government. (Citation: Palo Alto Gamaredon Feb 2017)",
"value": "Gamaredon Group - G0047",
"meta": {
"synonyms": [
"Gamaredon Group"
],
"refs": [
"https://attack.mitre.org/wiki/Group/G0047",
"https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/"
]
},
"uuid": "2e290bfe-93b5-48ce-97d6-edcd6d32b7cf"
}
]
}