From c2ea505459b86a11ae17362d358b14a72e90ef47 Mon Sep 17 00:00:00 2001
From: Nex
Date: Mon, 17 Sep 2018 16:11:18 +0200
Subject: [PATCH 1/8] Merged Transparent Tribe in C-Major
---
 clusters/threat-actor.json | 25 ++++++++++++-------------
 1 file changed, 12 insertions(+), 13 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index a0031f0..2a9cf3c 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -2717,14 +2717,23 @@
 "value": "Deadeye Jackal"
 },
 {
- "description": "Group targeting Indian Army or related assets in India. Attribution to a Pakistani connection has been made by TrendMicro.",
+ "description": "Group targeting Indian Army or related assets in India, as well as activists and civil society in Pakistan. Attribution to a Pakistani connection has been made by TrendMicro and others.",
 "meta": {
+ "cfr-suspected-state-sponsor": "Pakistan",
+ "cfr-target-category": [
+ "Civil society",
+ "Military",
+ "Government"
+ ],
 "country": "PK",
 "refs": [
- "http://documents.trendmicro.com/assets/pdf/Indian-military-personnel-targeted-by-information-theft-campaign-cmajor.pdf"
+ "http://documents.trendmicro.com/assets/pdf/Indian-military-personnel-targeted-by-information-theft-campaign-cmajor.pdf",
+ "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf",
+ "https://www.amnesty.org/en/documents/asa33/8366/2018/en/"
 ],
 "synonyms": [
- "C-Major"
+ "C-Major",
+ "Transparent Tribe"
 ]
 },
 "uuid": "acbb5cad-ffe7-4b0e-a57a-2dbc916e8905",
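Review bot: The `cfr-suspected-state-sponsor` and `cfr-target-category` keys added to the C-Major entry carry the `cfr-` prefix, but none of the entry's `refs` point at the CFR Cyber Operations Tracker; if that prefix denotes values imported from the tracker (as the other `cfr-` fields in this file suggest), the provenance of these two values is misattributed and a neutral key or a matching CFR reference would keep the field semantics consistent. The merge also retires the separate Operation Transparent Tribe entry (uuid `0b36d80d-5966-4c91-945b-1ac85552aa7b`, removed in the next hunk) with no forwarding note, so anything that referenced that cluster by uuid now dangles; a short sentence in the description recording the consolidation would make it traceable. The file's top-level `version` is not incremented in this commit (it still reads 57 when patch 5 touches it), and consumers typically use that field to decide whether to refresh a galaxy.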
@@ -2865,16 +2874,6 @@
 "uuid": "18d473a5-831b-47a5-97a1-a32156299825",
 "value": "Dropping Elephant"
 },
- {
- "description": "Proofpoint researchers recently uncovered evidence of an advanced persistent threat (APT) against Indian diplomatic and military resources. Our investigation began with malicious emails sent to Indian embassies in Saudi Arabia and Kazakstan but turned up connections to watering hole sites focused on Indian military personnel and designed to drop a remote access Trojan (RAT) with a variety of data exfiltration functions.",
- "meta": {
- "refs": [
- "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf"
- ]
- },
- "uuid": "0b36d80d-5966-4c91-945b-1ac85552aa7b",
- "value": "Operation Transparent Tribe"
- },
 {
 "description": "Scarlet Mimic is a threat group that has targeted minority rights activists. This group has not been directly linked to a government source, but the group's motivations appear to overlap with those of the Chinese government. While there is some overlap between IP addresses used by Scarlet Mimic and Putter Panda, it has not been concluded that the groups are the same.",
 "meta": {
From be0dd94c905ef8f1ce096a4c2e46733614eefd6a Mon Sep 17 00:00:00 2001
From: Nex
Date: Mon, 17 Sep 2018 16:26:14 +0200
Subject: [PATCH 2/8] Synced country codes with suspected state sponsor
---
 clusters/threat-actor.json | 25 +++++++++++++++++++------
 1 file changed, 19 insertions(+), 6 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index a0031f0..1527d78 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -338,6 +338,7 @@
 "Private sector"
 ],
 "cfr-type-of-incident": "Espionage",
+ "country": "KP",
 "refs": [
 "https://securelist.com/blog/research/71713/darkhotels-attacks-in-2015/",
 "https://blogs.technet.microsoft.com/mmpc/2016/06/09/reverse-engineering-dubnium-2",
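Review bot: `"country": "KP"` is added as a bare ISO code with no confidence qualifier, while the commit title says it is synced from `cfr-suspected-state-sponsor`; copying a suspected sponsor into `country` turns a hedged attribution into an unqualified one for every consumer that reads only `country`. The same applies to the `IN`, `US`, `VN`, `ES`, `IR`, `CN` and `PK` additions in the remaining hunks of this commit. If `country` is intended to mirror the suspected sponsor, that convention should be written down where the cluster's meta fields are documented so readers do not take it as confirmed origin; otherwise populate it only where attribution is established.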
@@ -2833,6 +2834,7 @@
 "Military"
 ],
 "cfr-type-of-incident": "Espionage",
+ "country": "IN",
 "refs": [
 "https://securelist.com/blog/research/75328/the-dropping-elephant-actor/",
 "http://www.symantec.com/connect/blogs/patchwork-cyberespionage-group-expands-targets-governments-wide-range-industries",
@@ -3029,6 +3031,7 @@
 "Military"
 ],
 "cfr-type-of-incident": "Espionage",
+ "country": "US",
 "refs": [
 "https://securelist.com/analysis/publications/75533/faq-the-projectsauron-apt/",
 "https://www.cfr.org/interactive/cyber-operations/project-sauron"
@@ -3802,6 +3805,7 @@
 "Civil society"
 ],
 "cfr-type-of-incident": "Espionage",
+ "country": "VN",
 "refs": [
 "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html",
 "https://www.cybereason.com/labs-operation-cobalt-kitty-a-large-scale-apt-in-asia-carried-out-by-the-oceanlotus-group/",
@@ -4462,6 +4466,7 @@
 "Private sector"
 ],
 "cfr-type-of-incident": "Espionage",
+ "country": "ES",
 "refs": [
 "https://securelist.com/blog/research/58254/the-caretomask-apt-frequently-asked-questions/",
 "https://www.cfr.org/interactive/cyber-operations/careto"
@@ -4820,6 +4825,7 @@
 "Government"
 ],
 "cfr-type-of-incident": "Espionage",
+ "country": "IR",
 "refs": [
 "https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/",
 "https://www.cfr.org/interactive/cyber-operations/muddywater"
@@ -5261,6 +5267,7 @@
 "Private sector"
 ],
 "cfr-type-of-incident": "Espionage",
+ "country": "IR",
 "mode-of-operation": "IT network limited, information gathering against industrial orgs",
 "refs": [
 "https://dragos.com/adversaries.html",
@@ -5412,7 +5419,8 @@
 "cfr-target-category": [
 "Government",
 "Civil society"
- ]
+ ],
+ "country": "CN"
 },
 "uuid": "79c7c7e0-79d5-11e8-9b9c-1ff96be20c0b",
 "value": "RANCOR"
@@ -5497,7 +5505,8 @@
 "cfr-target-category": [
 "Government",
 "Private sector"
- ]
+ ],
+ "country": "CN"
 },
 "uuid": "3f3ff6de-a6a7-11e8-92b4-3743eb1c7762"
 },
@@ -5587,7 +5596,8 @@
 "cfr-type-of-incident": "Espionage",
 "cfr-target-category": [
 "Private sector"
- ]
+ ],
+ "country": "CN"
 },
 "uuid": "9cebfaa8-a797-11e8-99e0-3ffa312b9a10",
 "related": [
@@ -5628,7 +5638,8 @@
 "cfr-type-of-incident": "Espionage",
 "cfr-target-category": [
 "Civil society"
- ]
+ ],
+ "country": "CN"
 },
 "uuid": "36ee04f4-a9df-11e8-b92b-d7ddfd3a8896",
 "related": [
@@ -5655,7 +5666,8 @@
 "cfr-type-of-incident": "Espionage",
 "cfr-target-category": [
 "Civil society"
- ]
+ ],
+ "country": "CN"
 },
 "uuid": "78bf726c-a9e6-11e8-9e43-77249a2f7339"
 },
@@ -5699,7 +5711,8 @@
 "cfr-target-category": [
 "Government",
 "Civil society"
- ]
+ ],
+ "country": "PK"
 },
 "uuid": "f82b352e-a9f8-11e8-8be8-fbcf6eddd58c"
 },
From ee7f60939781ebe6c81b5564833e0f8f0016bece Mon Sep 17 00:00:00 2001
From: Nex
Date: Tue, 18 Sep 2018 11:16:00 +0200
Subject: [PATCH 3/8] Removed duplicates
---
 clusters/threat-actor.json | 26 ++++----------------------
 1 file changed, 4 insertions(+), 22 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 0e33ec7..84c8d6c 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -5025,16 +5025,6 @@
 "uuid": "b8967b3c-3bc9-11e8-8701-8b1ead8c099e",
 "value": "APT35"
 },
- {
- "description": "Kaspersky Lab has been tracking a series of attacks utilizing unknown malware since early 2017. The attacks appear to be geopolitically motivated and target high profile organizations. The objective of the attacks is clearly espionage – they involve gaining access to top legislative, executive and judicial bodies around the world.",
- "meta": {
- "refs": [
- "https://securelist.com/operation-parliament-who-is-doing-what/85237/"
- ]
- },
- "uuid": "20f2d3a4-3ee7-11e8-8e78-837fd23517e0",
- "value": "Operation Parliament"
- },
 {
 "description": "Symantec has identified a previously unknown group called Orangeworm that has been observed installing a custom backdoor called Trojan.Kwampirs within large international corporations that operate within the healthcare sector in the United States, Europe, and Asia.\nFirst identified in January 2015, Orangeworm has also conducted targeted attacks against organizations in related industries as part of a larger supply-chain attack in order to reach their intended victims. Known victims include healthcare providers, pharmaceuticals, IT solution providers for healthcare and equipment manufacturers that serve the healthcare industry, likely for the purpose of corporate espionage.",
 "meta": {
@@ -5389,16 +5379,6 @@
 "uuid": "4af45fea-72d3-11e8-846c-d37699506c8d",
 "value": "LuckyMouse"
 },
- {
- "description": "Symantec have been monitoring Thrip since 2013 when they uncovered a spying campaign being orchestrated from systems based in China. Since their initial discovery, the group has changed its tactics and broadened the range of tools it used. Initially, it relied heavily on custom malware, but in this most recent wave of attacks, which began in 2017, the group has switched to a mixture of custom malware and living off the land tools. All of these tools, with the exception of Mimikatz (which is almost always used maliciously), have legitimate uses.",
- "meta": {
- "refs": [
- "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets"
- ]
- },
- "uuid": "1533bc1a-745a-11e8-90e3-efa3e975fef3s",
- "value": "Thrip"
- },
 {
 "description": "The Rancor group’s attacks use two primary malware families which are naming DDKONG and PLAINTEE. DDKONG is used throughout the campaign and PLAINTEE appears to be new addition to these attackers’ toolkit. Countries Unit 42 has identified as targeted by Rancor with these malware families include, but are not limited to Singapore and Cambodia.",
 "meta": {
@@ -5514,7 +5494,8 @@
 "description": "This threat actor uses spear-phishing techniques to target parliaments, government ministries, academics, and media organizations, primarily in the Middle East, for the purpose of espionage.",
 "meta": {
 "refs": [
- "https://www.cfr.org/interactive/cyber-operations/operation-parliament"
+ "https://www.cfr.org/interactive/cyber-operations/operation-parliament",
+ "https://securelist.com/operation-parliament-who-is-doing-what/85237/"
 ],
 "cfr-suspected-victims": [
 "Palestine",
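Review bot: Folding the Kaspersky reference into the CFR Operation Parliament entry drops the removed entry's uuid `20f2d3a4-3ee7-11e8-8e78-837fd23517e0` without any trace, so any event or galaxy relationship that pointed at the old cluster now dangles; the Thrip consolidation in the following hunk has the same gap (its retired uuid `1533bc1a-745a-11e8-90e3-efa3e975fef3s` also carried a trailing `s` that made it a non-conforming uuid, so its removal is welcome on that count). Unlike patch 1, the old names are not carried over as `synonyms`; if the surviving CFR entries' `value` differs in spelling from "Operation Parliament" or "Thrip", keeping the old name under `synonyms` preserves tag matching for existing users. The removed entries' vendor summaries are discarded rather than merged, so consider appending their key facts to the surviving `description` where they add something the CFR text lacks.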
@@ -5675,7 +5656,8 @@
 "description": "This threat actor targets organizations in the satellite communications, telecommunications, geospatial-imaging, and defense sectors in the United States and Southeast Asia for espionage purposes.",
 "meta": {
 "refs": [
- "https://www.cfr.org/interactive/cyber-operations/thrip"
+ "https://www.cfr.org/interactive/cyber-operations/thrip",
+ "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets"
 ],
 "cfr-suspected-victims": [
 "United States"
From 1e502a494e36c840c3b60b10fa589552a10ce661 Mon Sep 17 00:00:00 2001
From: Nex
Date: Tue, 18 Sep 2018 11:18:42 +0200
Subject: [PATCH 4/8] Added additional name to C-Major
---
 clusters/threat-actor.json | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 0e33ec7..ce1570c 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -2730,11 +2730,13 @@
 "refs": [
 "http://documents.trendmicro.com/assets/pdf/Indian-military-personnel-targeted-by-information-theft-campaign-cmajor.pdf",
 "https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf",
- "https://www.amnesty.org/en/documents/asa33/8366/2018/en/"
+ "https://www.amnesty.org/en/documents/asa33/8366/2018/en/",
+ "https://www.crowdstrike.com/blog/adversary-of-the-month-for-may/"
 ],
 "synonyms": [
 "C-Major",
- "Transparent Tribe"
+ "Transparent Tribe",
+ "Mythic Leopard"
 ]
 },
 "uuid": "acbb5cad-ffe7-4b0e-a57a-2dbc916e8905",
From f0383758fcfb2c693c28d219d36a4569b6ca6c24 Mon Sep 17 00:00:00 2001
From: Nex
Date: Tue, 18 Sep 2018 11:27:32 +0200
Subject: [PATCH 5/8] Added Bahamut to threat actors list
---
 clusters/threat-actor.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 0e33ec7..a9b4236 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -5724,6 +5724,17 @@
 ]
 },
 "uuid": "abd89986-b1b0-11e8-b857-efe290264006"
+ },
+ {
+ "value": "Bahamut",
+ "description": "Bahamut is a threat actor primarily operating in Middle East and Central Asia, suspected to be a private contractor to several state sponsored actors. They were observed conduct phishing as well as desktop and mobile malware campaigns.",
+ "meta": {
+ "refs": [
+ "https://www.bellingcat.com/news/mena/2017/06/12/bahamut-pursuing-cyber-espionage-actor-middle-east/",
+ "https://www.bellingcat.com/resources/case-studies/2017/10/27/bahamut-revisited-cyber-espionage-middle-east-south-asia/"
+ ]
+ },
+ "uuid": "dc3edacc-bb24-11e8-81fb-8c16458922a7"
 }
 ],
 "version": 57
From 4ae0ccd192a1d3136cb46c717274fa97b105e77e Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Wed, 19 Sep 2018 07:03:56 +0200
Subject: [PATCH 6/8] chg: [tool] Xbash added ref: https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/
---
 clusters/tool.json | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index 950ef71..240822a 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -5744,7 +5744,17 @@
 ]
 },
 "uuid": "641464a6-b690-11e8-976e-bffc9a17c6a4"
+ },
+ {
+ "value": "Xbash",
+ "description": "Xbash is a malware family that is targeting Linux and Microsoft Windows servers. We can tie this malware, which we have named Xbash, to the Iron Group, a threat actor group known for previous ransomware attacks.",
+ "meta": {
+ "refs": [
+ "https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/"
+ ]
+ },
+ "uuid": "10c981cc-4ef1-4719-8ed7-c5e4c2f6c7a3"
 }
 ],
- "version": 87
+ "version": 88
 }
From 6105522453dec9a86adce2c1ba08530aca9b9f09 Mon Sep 17 00:00:00 2001
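Review bot: The Bahamut entry is added without incrementing the galaxy's top-level `version` — the trailing context line still reads `"version": 57` — so consumers that compare versions will not pick up the new cluster until a later commit bumps it (patch 7 jumps 57→59, presumably to catch up). The key order `value`, `description`, `meta`, `uuid` also departs from the alphabetical `description`, `meta`, `uuid`, `value` order every neighbouring entry uses, which will make the diff noisier once the file is re-normalised. The description has two grammar slips; suggested line: `"description": "Bahamut is a threat actor primarily operating in the Middle East and Central Asia, suspected to be a private contractor to several state-sponsored actors. It has been observed conducting phishing as well as desktop and mobile malware campaigns.",`.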
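Review bot: The Xbash `description` is pasted in the vendor's first-person voice (`We can tie this malware, which we have named Xbash`), which reads oddly in a shared cluster where "we" is undefined; a third-person rendering such as `"description": "Xbash is a malware family targeting Linux and Microsoft Windows servers. Palo Alto Networks Unit 42 ties it to the Iron Group, a threat actor group known for previous ransomware attacks.",` keeps the attribution explicit. The text names the Iron Group, yet the tool entry carries no `related` link to a threat-actor cluster; once the Iron Group actor exists (added in the next commit with uuid `6a0ea861-229a-45a6-98f5-228f69b43905`), a `related` entry with that `dest-uuid` would make the association machine-readable rather than prose-only.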
From: Alexandre Dulaunoy
Date: Wed, 19 Sep 2018 07:08:16 +0200
Subject: [PATCH 7/8] chg: [threat-actor] Iron Group added ref: https://www.intezer.com/iron-cybercrime-group-under-the-scope-2/
---
 clusters/threat-actor.json | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 507bd16..8aa0aec 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -5719,7 +5719,18 @@
 ]
 },
 "uuid": "dc3edacc-bb24-11e8-81fb-8c16458922a7"
+ },
+ {
+ "value": "Iron Group",
+ "description": "Iron group has developed multiple types of malware (backdoors, crypto-miners, and ransomware) for Windows, Linux and Android platforms. They have used their malware to successfully infect, at least, a few thousand victims.",
+ "meta": {
+ "refs": [
+ "https://www.intezer.com/iron-cybercrime-group-under-the-scope-2/"
+ ],
+ "synonyms": "Iron Cyber Group"
+ },
+ "uuid": "6a0ea861-229a-45a6-98f5-228f69b43905"
 }
 ],
- "version": 57
+ "version": 59
 }
From 79146b9d1092ce9731f12de69c1e61a0c0628394 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Wed, 19 Sep 2018 07:35:35 +0200
Subject: [PATCH 8/8] fix: array in synonyms (MISP accepts it but not the schema ;-)
---
 clusters/threat-actor.json | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 8aa0aec..67325bd 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -5727,10 +5727,12 @@
 "refs": [
 "https://www.intezer.com/iron-cybercrime-group-under-the-scope-2/"
 ],
- "synonyms": "Iron Cyber Group"
+ "synonyms": [
+ "Iron Cyber Group"
+ ]
 },
 "uuid": "6a0ea861-229a-45a6-98f5-228f69b43905"
 }
 ],
- "version": 59
+ "version": 60
 }
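Review bot: The Iron Group entry describes the group's malware but carries no `related` entry pointing at the Xbash tool added in the previous commit (uuid `10c981cc-4ef1-4719-8ed7-c5e4c2f6c7a3`), so the actor–tool relationship exists only as prose inside tool.json; adding `"related": [{ "dest-uuid": "10c981cc-4ef1-4719-8ed7-c5e4c2f6c7a3", "type": "uses" }]` to this entry (or the reverse link on the tool) would make it queryable. The `version` jump from 57 to 59 presumably absorbs the bump that patch 5 omitted; a one-line remark in the commit message would spare the next reader from wondering whether a commit went missing. The `description` opens with the lowercase `Iron group` while `value` uses `Iron Group`; aligning the two avoids the appearance of a third spelling.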