Merge pull request #414 from Delta-Sierra/master

update threat actor galaxy
Alexandre Dulaunoy 2019-06-12 13:48:10 +02:00 committed by GitHub
commit 0ebe2c50a7
1 changed files with 171 additions and 25 deletions


@ -157,7 +157,9 @@
{
"meta": {
"refs": [
"https://www.cylance.com/hubfs/2015_cylance_website/assets/operation-dust-storm/Op_Dust_Storm_Report.pdf"
"https://www.cylance.com/content/dam/cylance/pdfs/reports/Op_Dust_Storm_Report.pdf",
"https://www.symantec.com/connect/blogs/inside-back-door-attack",
"https://attack.mitre.org/groups/G0031/"
]
},
"related": [
@ -498,7 +500,11 @@
"refs": [
"http://www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html",
"http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/hidden_lynx.pdf",
"https://www.cfr.org/interactive/cyber-operations/apt-17"
"https://www.cfr.org/interactive/cyber-operations/apt-17",
"https://blog.bit9.com/2013/02/08/bit9-and-our-customers-security/",
"https://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware",
"https://www.symantec.com/connect/blogs/hidden-lynx-professional-hackers-hire",
"https://www.recordedfuture.com/hidden-lynx-analysis/"
],
"synonyms": [
"APT 17",
@ -1137,7 +1143,9 @@
"country": "CN",
"refs": [
"https://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back/",
"https://www.cfr.org/interactive/cyber-operations/hellsing"
"https://www.cfr.org/interactive/cyber-operations/hellsing",
"https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-august-goblin-panda/",
"https://www.fortinet.com/blog/threat-research/cta-security-playbook--goblin-panda.html"
],
"synonyms": [
"Goblin Panda",
@ -1400,10 +1408,15 @@
"cfr-type-of-incident": "Espionage",
"country": "CN",
"refs": [
"https://www.cfr.org/interactive/cyber-operations/sneaky-panda"
"https://www.cfr.org/interactive/cyber-operations/sneaky-panda",
"https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf",
"https://attack.mitre.org/groups/G0066/"
],
"synonyms": [
"Sneaky Panda"
"Sneaky Panda",
"Elderwood",
"Elderwood Gang",
"SIG22"
]
},
"related": [
@ -2474,7 +2487,16 @@
"http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf",
"http://www.netresec.com/?page=Blog&month=2014-10&post=Full-Disclosure-of-Havex-Trojans",
"https://threatpost.com/energy-watering-hole-attack-used-lightsout-exploit-kit/104772/",
"https://www.cfr.org/interactive/cyber-operations/crouching-yeti"
"https://www.cfr.org/interactive/cyber-operations/crouching-yeti",
"https://ssu.gov.ua/sbu/control/uk/publish/article?art_id=170951&cat_i=39574",
"https://www.reuters.com/article/us-ukraine-cyber-attack-energy-idUSKBN1521BA",
"https://dragos.com/wp-content/uploads/CrashOverride-01.pdf",
"https://www.independent.ie/irish-news/statesponsored-hackers-targeted-eirgrid-electricity-network-in-devious-attack-36005921.html",
"https://www.riskiq.com/blog/labs/energetic-bear/",
"https://www.symantec.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks",
"https://www.kaspersky.com/resource-center/threats/crouching-yeti-energetic-bear-malware-threat",
"https://www.sans.org/reading-room/whitepapers/ICS/impact-dragonfly-malware-industrial-control-systems-36672",
"https://attack.mitre.org/groups/G0035/"
],
"synonyms": [
"Dragonfly",
@ -2628,7 +2650,18 @@
"https://www.computerweekly.com/news/252446153/Three-Carbanak-cyber-heist-gang-members-arrested",
"https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064518/Carbanak_APT_eng.pdf",
"https://www.group-ib.com/resources/threat-research/Anunak_APT_against_financial_institutions.pdf",
"https://attack.mitre.org/groups/G0008/"
"https://attack.mitre.org/groups/G0008/",
"https://www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html",
"https://threatpost.com/fileless-malware-campaigns-tied-to-same-attacker/124369/",
"https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html",
"https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html",
"http://blog.morphisec.com/fin7-attacks-restaurant-industry",
"https://www.flashpoint-intel.com/blog/fin7-revisited-inside-astra-panel-and-sqlrat-malware/",
"http://blog.morphisec.com/fin7-attack-modifications-revealed",
"http://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign",
"https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/",
"https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html",
"https://attack.mitre.org/groups/G0046/"
],
"synonyms": [
"Carbanak",
@ -2735,7 +2768,8 @@
"https://www.reuters.com/article/2015/06/23/us-hackers-insidertrading-idUSKBN0P31M720150623",
"https://www.fireeye.com/blog/threat-research/2014/11/fin4_stealing_insid.html",
"https://www2.fireeye.com/rs/fireye/images/rpt-fin4.pdf",
"https://pwc.blogs.com/cyber_security_updates/2015/06/unfin4ished-business.html"
"https://pwc.blogs.com/cyber_security_updates/2015/06/unfin4ished-business.html",
"https://attack.mitre.org/groups/G0085/"
],
"synonyms": [
"FIN4"
@ -3218,11 +3252,13 @@
"refs": [
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf",
"https://attack.mitre.org/wiki/Groups",
"http://researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/",
"http://researchcenter.paloaltonetworks.com/2017/01/unit42-dragonok-updates-toolset-targets-multiple-geographic-regions/",
"https://blogs.forcepoint.com/security-labs/trojanized-adobe-installer-used-install-dragonok%E2%80%99s-new-custom-backdoor",
"http://www.morphick.com/resources/news/deep-dive-dragonok-rambo-backdoor",
"https://www.cfr.org/interactive/cyber-operations/moafee"
"https://www.cfr.org/interactive/cyber-operations/moafee",
"https://unit42.paloaltonetworks.com/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/",
"https://unit42.paloaltonetworks.com/unit42-dragonok-updates-toolset-targets-multiple-geographic-regions/",
"https://www.phnompenhpost.com/national/kingdom-targeted-new-malware",
"https://attack.mitre.org/groups/G0017/"
],
"synonyms": [
"Moafee"
@ -3427,7 +3463,8 @@
"attribution-confidence": "50",
"country": "RU",
"refs": [
"https://securelist.com/blog/research/73638/apt-style-bank-robberies-increase-with-metel-gcman-and-carbanak-2-0-attacks/"
"https://securelist.com/apt-style-bank-robberies-increase-with-metel-gcman-and-carbanak-2-0-attacks/73638/",
"https://attack.mitre.org/groups/G0036/"
]
},
"related": [
@ -3468,7 +3505,12 @@
"description": "FIN is a group targeting financial assets including assets able to do financial transaction including PoS.",
"meta": {
"refs": [
"https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf"
"https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf",
"https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html",
"https://attack.mitre.org/groups/G0037/"
],
"synonyms": [
"Skeleton Spider"
]
},
"related": [
@ -3886,12 +3928,18 @@
"country": "US",
"refs": [
"https://en.wikipedia.org/wiki/Equation_Group",
"https://www.cfr.org/interactive/cyber-operations/equation-group"
"https://www.cfr.org/interactive/cyber-operations/equation-group",
"https://arstechnica.com/information-technology/2015/02/how-omnipotent-hackers-tied-to-the-nsa-hid-for-14-years-and-were-found-at-last/",
"https://www.dropbox.com/s/buxkfotx1kei0ce/Whitepaper%20Shadow%20Broker%20-%20Equation%20Group%20Hack.pdf?dl=0",
"https://en.wikipedia.org/wiki/Stuxnet",
"https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064459/Equation_group_questions_and_answers.pdf",
"https://attack.mitre.org/groups/G0020/"
],
"synonyms": [
"Tilded Team",
"Lamberts",
"EQGRP"
"EQGRP",
"Longhorn"
]
},
"related": [
@ -3939,7 +3987,10 @@
"description": "Unit 42 threat researchers have recently observed a threat group distributing new, custom developed malware. We have labelled this threat group the Gamaredon Group and our research shows that the Gamaredon Group has been active since at least 2013. In the past, the Gamaredon Group has relied heavily on off-the-shelf tools. Our new research shows the Gamaredon Group have made a shift to custom-developed malware. We believe this shift indicates the Gamaredon Group have improved their technical capabilities.",
"meta": {
"refs": [
"http://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution"
"http://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution",
"https://www.lookingglasscyber.com/wp-content/uploads/2015/08/Operation_Armageddon_Final.pdf",
"https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution/",
"https://attack.mitre.org/groups/G0047/"
]
},
"related": [
@ -4296,7 +4347,9 @@
"https://www.fireeye.com/blog/threat-research/2016/05/windows-zero-day-payment-cards.html",
"https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html",
"https://www.root9b.com/sites/default/files/whitepapers/PoS%20Malware%20ShellTea%20PoSlurp.pdf",
"http://files.shareholder.com/downloads/AMDA-254Q5F/0x0x938351/665BA6A3-9573-486C-B96F-80FA35759E8C/FEYE_rpt-mtrends-2017_FINAL2.pdf"
"http://files.shareholder.com/downloads/AMDA-254Q5F/0x0x938351/665BA6A3-9573-486C-B96F-80FA35759E8C/FEYE_rpt-mtrends-2017_FINAL2.pdf",
"https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html",
"https://attack.mitre.org/groups/G0061"
]
},
"related": [
@ -4339,9 +4392,10 @@
],
"cfr-type-of-incident": "Espionage",
"refs": [
"https://securelist.com/blog/research/66108/el-machete/",
"https://securelist.com/el-machete/66108/",
"https://www.cylance.com/en_us/blog/el-machete-malware-attacks-cut-through-latam.html",
"https://www.cfr.org/interactive/cyber-operations/machete"
"https://www.cfr.org/interactive/cyber-operations/machete",
"https://threatvector.cylance.com/en_us/home/el-machete-malware-attacks-cut-through-latam.html"
],
"synonyms": [
"Machete"
@ -5014,11 +5068,14 @@
"value": "Magnetic Spider"
},
{
"description": "Arbors ASERT team is now reporting that, after looking deeper at that particular campaign, and by exposing a new trail in the groups activities, they managed to identify a new RAT that was undetectable at that time by most antivirus vendors.\nNamed Trochilus, this new RAT was part of Group 27s malware portfolio that included six other malware strains, all served together or in different combinations, based on the data that needed to be stolen from each victim.\nThis collection of malware, dubbed the Seven Pointed Dagger by ASERT experts, included two different PlugX versions, two different Trochilus RAT versions, one version of the 3012 variant of the 9002 RAT, one EvilGrab RAT version, and one unknown piece of malware, which the team has not entirely decloaked just yet.",
"meta": {
"attribution-confidence": "50",
"country": "CN",
"refs": [
"https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-2015-08-Uncovering-the-Seven-Pointed-Dagger.pdf"
"https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-2015-08-Uncovering-the-Seven-Pointed-Dagger.pdf",
"https://news.softpedia.com/news/trochilus-rat-evades-antivirus-detection-used-for-cyber-espionage-in-south-east-asia-498776.shtml",
"https://unit42.paloaltonetworks.com/unit42-trochilus-rat-new-moonwind-rat-used-attack-thai-utility-organizations/"
]
},
"uuid": "73e4728a-955e-426a-b144-8cb95131f2ca",
@ -5773,15 +5830,25 @@
"https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage",
"https://www.threatconnect.com/blog/threatconnect-discovers-chinese-apt-activity-in-europe/",
"https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/april/decoding-network-data-from-a-gh0st-rat-variant/",
"https://securelist.com/luckymouse-ndisproxy-driver/87914/"
"https://securelist.com/luckymouse-ndisproxy-driver/87914/",
"https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/2015.09.17.Operation_Iron_Tiger/Operation%20Iron%20Tiger%20Appendix.pdf",
"https://www.cfr.org/interactive/cyber-operations/iron-tiger",
"https://arstechnica.com/information-technology/2015/08/newly-discovered-chinese-hacking-group-hacked-100-websites-to-use-as-watering-holes/",
"https://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/",
"https://securelist.com/luckymouse-hits-national-data-center/86083/",
"https://attack.mitre.org/groups/G0027/"
],
"synonyms": [
"Emissary Panda",
"APT27",
"APT 27",
"Threat Group 3390",
"Bronze Union",
"ZipToken",
"Iron Tiger"
"Iron Tiger",
"TG-3390",
"TEMP.Hippo",
"Group 35",
"ZipToken"
]
},
"related": [
@ -5861,7 +5928,14 @@
"description": "Unit 42 researchers have been tracking Subaat, an attacker, since 2017. Recently Subaat drew our attention due to renewed targeted attack activity. Part of monitoring Subaat included realizing the actor was possibly part of a larger crew of individuals responsible for carrying out targeted attacks against worldwide governmental organizations. Technical analysis on some of the attacks as well as attribution links with Pakistan actors have been already depicted by 360 and Tuisec, in which they found interesting connections to a larger group of attackers Unit 42 researchers have been tracking, which we are calling Gorgon Group.",
"meta": {
"refs": [
"https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/"
"https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/",
"https://unit42.paloaltonetworks.com/unit42-tracking-subaat-targeted-phishing-attacks-point-leader-threat-actors-repository/",
"https://unit42.paloaltonetworks.com/aggah-campaign-bit-ly-blogspot-and-pastebin-used-for-c2-in-large-scale-campaign/",
"https://attack.mitre.org/groups/G0078/"
],
"synonyms": [
"Gorgon Group",
"Subaat"
]
},
"uuid": "e47c2c4d-706b-4098-92a2-b93e7103e131",
@ -6910,7 +6984,79 @@
},
"uuid": "320c42f7-eab7-4ef9-b09a-74396caa6c3e",
"value": "BlackTech"
},
{
"description": "FIN5 is a financially motivated threat group that has targeted personally identifiable information and payment card information. The group has been active since at least 2008 and has targeted the restaurant, gaming, and hotel industries. The group is made up of actors who likely speak Russian.",
"meta": {
"refs": [
"https://www.darkreading.com/analytics/prolific-cybercrime-gang-favors-legit-login-credentials/d/d-id/1322645?",
"https://attack.mitre.org/groups/G0053/"
]
},
"uuid": "44dc2f9c-8c28-11e9-9b9a-7fdced8cbf70",
"value": "FIN5"
},
{
"description": "FireEye has observed multiple targeted intrusions occurring in North America — predominately in Canada — dating back to at least 2013 and continuing through at least 2016, in which the attacker(s) have compromised organizations networks and sought to monetize this illicit access by exfiltrating sensitive data and extorting victim organizations. In some cases, when the extortion demand was not met, the attacker(s) destroyed production Windows systems by deleting critical operating system files and then shutting down the impacted systems. Based on near parallel TTPs used by the attacker(s) across these targeted intrusions, we believe these clusters of activity are linked to a single, previously unobserved actor or group that we have dubbed FIN10.",
"meta": {
"refs": [
"https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin10.pdf",
"https://attack.mitre.org/groups/G0051/"
]
},
"uuid": "f2d02410-8c2c-11e9-8df1-a31c1fb33d79",
"value": "FIN10"
},
{
"description": "Cyber espionage is an issue whose time has come. In this second report from the Information Warfare Monitor, we lay out the findings of a 10-month investigation of alleged Chinese cyber spying against Tibetan institutions. The investigation, consisting of fieldwork, technical scouting, and laboratory analysis, discovered a lot more. The investigation ultimately uncovered a network of over 1,295 infected hosts in 103 countries. Up to 30% of the infected hosts are considered high-value targets and include computers located at ministries of foreign affairs, embassies, international organizations, news media, and NGOs. The Tibetan computer systems we manually investigated, and from which our investigations began, were conclusively compromised by multiple infections that gave attackers unprecedented access to potentially sensitive information.\nAttacks on the Dalai Lamas Private Office The OHHDL started to suspect it was under surveillance while setting up meetings be-tween His Holiness and foreign dignitaries. They sent an email invitation on behalf of His Holiness to a foreign diplomat, but before they could follow it up with a courtesy telephone call, the diplomats office was contacted by the Chinese government and warned not to go ahead with the meeting. The Tibetans wondered whether a computer compromise might be the explanation; they called ONI Asia who called us. (Until May 2008, the first author was employed on a studentship funded by the OpenNet Initiative and the second author was a principal investigator for ONI.)",
"meta": {
"refs": [
"http://www.nartv.org/mirror/ghostnet.pdf",
"https://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-746.pdf",
"https://en.wikipedia.org/wiki/GhostNet"
],
"synonyms": [
"Snooping Dragon"
]
},
"uuid": "cacf2ffc-8c49-11e9-895e-7f5bf9c2ff6d",
"value": "GhostNet"
},
{
"description": "IBM X-Force Research uncovered a Trojan hybrid spawned from the Nymaim and Gozi ISFB malware. It appears that the operators of Nymaim have recompiled its source code with part of the Gozi ISFB source code, creating a combination that is being actively used in attacks against more than 24 U.S. and Canadian banks, stealing millions of dollars so far. X-Force named this new hybrid GozNym. The new GozNym hybrid takes the best of both the Nymaim and Gozi ISFB malware to create a powerful Trojan. From the Nymaim malware, it leverages the droppers stealth and persistence; the Gozi ISFB parts add the banking Trojans capabilities to facilitate fraud via infected Internet browsers. The end result is a new banking Trojan in the wild.",
"meta": {
"refs": [
"https://securityintelligence.com/meet-goznym-the-banking-malware-offspring-of-gozi-isfb-and-nymaim/",
"https://threatpost.com/attackers-behind-goznym-trojan-set-sights-on-europe/117647/",
"https://threatpost.com/goznym-banking-trojan-targeting-german-banks/120075/",
"https://www.europol.europa.eu/newsroom/news/goznym-malware-cybercriminal-network-dismantled-in-international-operation"
]
},
"uuid": "7803b380-8c4c-11e9-90a1-f3880ab3aaa0",
"value": "GozNym"
},
{
"description": "A threat actor using Iranian-language tools, Iranian hosting companies, operating from the Iranian IP space at times was observed targeting the Syrian opposition in an elaborately staged malware operation, Citizen Lab researchers reveal.\nThe operation was first noticed in late 2015, when a member of the Syrian opposition flagged a suspicious email containing a PowerPoint slideshow, which led researchers to a watering hole website with malicious programs, malicious PowerPoint files, and Android malware.\nThe threat actor was targeting Windows and Android devices of well-connected individuals in the Syrian opposition, researchers discovered. They called the actor Group5, because it targets Syrian opposition after regime-linked malware groups, the Syrian Electronic Army, ISIS (also known as the Islamic State or ISIL), and a group linked to Lebanon did the same in the past",
"meta": {
"refs": [
"https://www.securityweek.com/iranian-actor-group5-targeting-syrian-opposition",
"https://attack.mitre.org/groups/G0043/"
]
},
"uuid": "bc8390aa-8c4e-11e9-a9cb-e37c361210af",
"value": "Group5"
},
{
"description": "McAfee Advanced Threat Research analysts have discovered a new operation targeting humanitarian aid organizations and using North Korean political topics as bait to lure victims into opening malicious Microsoft Word documents. Our analysts have named this Operation Honeybee, based on the names of the malicious documents used in the attacks.\nAdvanced Threat Research analysts have also discovered malicious documents authored by the same actor that indicate a tactical shift. These documents do not contain the typical lures by this actor, instead using Word compatibility messages to entice victims into opening them.\nThe Advanced Threat Research team also observed a heavy concentration of the implant in Vietnam from January 1517.",
"meta": {
"refs": [
"https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/",
"https://attack.mitre.org/groups/G0072/"
]
},
"uuid": "2d82a18e-8c53-11e9-b0ec-536b62fa3d86",
"value": "Honeybee"
}
],
"version": 111
"version": 113
}
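Review bot: The new ref `"https://attack.mitre.org/groups/G0061"` in the `@ -4296` hunk is the only MITRE group URL in the file without a trailing slash (`G0053/`, `G0051/`, `G0085/` all have one), and the darkreading ref in the new FIN5 entry ends in a stray `?`; both should be normalised, `"https://attack.mitre.org/groups/G0061/"` and `"https://www.darkreading.com/analytics/prolific-cybercrime-gang-favors-legit-login-credentials/d/d-id/1322645"`, so refs compare equal as strings across galaxies. The pasted descriptions in the new GhostNet, GozNym and Honeybee entries lost non-ASCII characters on the way in — `Dalai Lamas`, `diplomats office`, `droppers stealth`, the PDF line-break artefact `be-tween`, and `January 1517`, which presumably was `January 15–17` — and read as garbled to an analyst until restored. In the Emissary Panda synonyms (`@ -5773` hunk) `ZipToken` appears both at its old position and again at the end of the array; if the first occurrence is a context line rather than a removed one, the array now lists the same synonym twice. Several hunks also keep the old and the new URL of one article side by side (`researchcenter.paloaltonetworks.com` next to `unit42.paloaltonetworks.com` in the DragonOK and Gamaredon hunks, `cylance.com/en_us/blog` next to `threatvector.cylance.com` in Machete) while the GCMAN, El Machete securelist and Gorgon hunks replace the old URL instead — one policy should apply throughout.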