From 0f7803b0911bb112d1ba454e5513d9e167761061 Mon Sep 17 00:00:00 2001
From: Delta-Sierra
Date: Fri, 1 Apr 2022 16:00:27 +0200
Subject: [PATCH] update threat actors meta

---
 clusters/threat-actor.json | 228 +++++++++++++++++++++++++++++++++----
 1 file changed, 205 insertions(+), 23 deletions(-)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 96163460..f0d87661 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -668,10 +668,14 @@
 "LEAD",
 "WICKED SPIDER",
 "WICKED PANDA",
+ "Wicked Panda",
 "BARIUM",
 "BRONZE ATLAS",
 "BRONZE EXPORT",
- "Red Kelpie"
+ "Red Kelpie",
+ "G0044",
+ "G0096",
+ "TG-2633"
 ]
 },
 "related": [
@@ -1068,7 +1072,13 @@
 "ZipToken",
 "Iron Tiger",
 "BRONZE UNION",
- "Lucky Mouse"
+ "Bronze Union",
+ "Lucky Mouse",
+ "LuckyMouse",
+ "Emissary Panda",
+ "G0027",
+ "ATK 15",
+ "ATK15"
 ]
 },
 "related": [
@@ -1610,7 +1620,10 @@
 "APT20",
 "APT 20",
 "TH3Bug",
- "Twivy"
+ "Twivy",
+ "APT 8",
+ "APT8",
+ "G0116"
 ]
 },
 "uuid": "8bcd855f-a4c1-453a-bede-ff36582f4f40",
@@ -1692,7 +1705,9 @@
 "KeyBoy",
 "TropicTrooper",
 "Tropic Trooper",
- "BRONZE HOBART"
+ "BRONZE HOBART",
+ "Bronze Hobart",
+ "G0081"
 ]
 },
 "uuid": "7f16d1f5-04ee-4d99-abf0-87e1f23f9fee",
@@ -2015,9 +2030,16 @@
 "APT 33",
 "Elfin",
 "MAGNALLIUM",
+ "Magnallium",
 "Refined Kitten",
 "HOLMIUM",
- "COBALT TRINITY"
+ "Holmium",
+ "COBALT TRINITY",
+ "COBALT Trinity",
+ "TA 451",
+ "G0064",
+ "ATK 35",
+ "Group 83"
 ]
 },
 "related": [
@@ -2228,7 +2250,18 @@
 "APT35",
 "APT 35",
 "TEMP.Beanie",
- "Ghambar"
+ "Ghambar",
+ "TA 453",
+ "NewsBeef",
+ "Charming Kitten",
+ "Phosphorus",
+ "G0003",
+ "G0059",
+ "COBALT illusion",
+ "Timberworm",
+ "C-Major",
+ "Newscaster",
+ "TunnelVision"
 ]
 },
 "related": [
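Review bot: `G0044` and `G0096` are added to the same synonyms list, but in the MITRE ATT&CK group catalogue they are two distinct entries (Winnti Group and APT41), so a consumer resolving either ID through this cluster loses that distinction. The same pattern recurs in the Lazarus hunk (`G0082`/`G0032`, together with the APT38-specific names `Stardust Chollima` and `BeagleBoyz`), the APT30 hunk (`G0019`/`G0013` with `Naikon`/`Override Panda`) and the APT35 hunk (`G0003`/`G0059`). If the intent is to merge the groups, state that in the cluster's description; otherwise keep only the ID of the group this cluster models and express the overlap with a `related` entry tagged `similar`, as this patch already does for the two APT35 clusters.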
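Review bot: `COBALT Trinity` mixes cases in a way that matches neither the all-caps form already present nor the Title Case variant this patch adds for other vendor names (`Bronze Hobart`, `Bronze Union`); the consistent line would be `"Cobalt Trinity",`. The Proofpoint identifiers are added only with a space (`TA 451` here, and `TA 453`, `TA 422`, `TA 421`, `TA 452`, `TA 454` in later hunks) although Proofpoint itself writes them without one, and synonym matching in galaxy consumers is exact-string, so the unspaced form should be added alongside, as the patch already does for `ATK 15`/`ATK15`. `ATK 35` in this hunk likewise lacks its `ATK35` counterpart.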
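Review bot: `Newscaster` is added to this cluster (uuid 86724806-…) while the separate cluster whose value is `APT35` (uuid b8967b3c-…, visible in the later hunk that adds its `related` link) already carries `Newscaster Team`, so one vendor name now resolves to two clusters that are only linked as `similar`; either move the Newscaster/NewsBeef/Charming Kitten names to a single cluster or merge the two entries. `COBALT illusion` also breaks the casing used for the other SecureWorks names in this file (`COBALT TRINITY`, `COBALT HICKMAN`); the consistent line is `"COBALT ILLUSION",`.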
@@ -2301,6 +2334,13 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "b8967b3c-3bc9-11e8-8701-8b1ead8c099e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "similar"
 }
 ],
 "uuid": "86724806-7ec9-4a48-a0a7-ecbde3bf4810",
@@ -2435,6 +2475,7 @@
 "Fancy Bear",
 "Sednit",
 "SNAKEMACKEREL",
+ "Snakemackerel",
 "TsarTeam",
 "Tsar Team",
 "TG-4127",
@@ -2443,10 +2484,20 @@
 "TAG_0700",
 "Swallowtail",
 "IRON TWILIGHT",
+ "Iron Twilight",
 "Group 74",
 "SIG40",
 "Grizzly Steppe",
- "apt_sofacy"
+ "apt_sofacy",
+ "TA 422",
+ "Strontium",
+ "G0007",
+ "ITG05",
+ "ATK 5",
+ "ATK5",
+ "Swallowtail",
+ "T-APT-12",
+ "APT-C-20"
 ]
 },
 "related": [
@@ -2513,6 +2564,7 @@
 "CozyDuke",
 "EuroAPT",
 "CozyBear",
+ "Cozy Bear",
 "CozyCar",
 "Cozer",
 "Office Monkeys",
@@ -2524,8 +2576,15 @@
 "SeaDuke",
 "Hammer Toss",
 "YTTRIUM",
+ "Yttrium",
 "Iron Hemlock",
- "Grizzly Steppe"
+ "Grizzly Steppe",
+ "TA 421",
+ "CloudLook",
+ "G0016",
+ "ITG11",
+ "ATK7",
+ "ATK 7"
 ]
 },
 "related": [
@@ -3166,7 +3225,20 @@
 "Nickel Academy",
 "APT-C-26",
 "NICKEL GLADSTONE",
- "COVELLITE"
+ "COVELLITE",
+ "Stardust Chollima",
+ "G0082",
+ "G0032",
+ "ITG03",
+ "Hive0080",
+ "CTG-6459",
+ "Lazarus",
+ "ATK 117",
+ "T-APT-15",
+ "Klipodenc",
+ "SectorA01",
+ "BeagleBoyz",
+ "NESTEGG"
 ]
 },
 "related": [
@@ -3332,8 +3404,11 @@
 "APT36",
 "APT 36",
 "TMP.Lapis",
+ "TEMP.Lapis",
 "Green Havildar",
- "COPPER FIELDSTONE"
+ "COPPER FIELDSTONE",
+ "G0134",
+ "APT-C-56"
 ]
 },
 "related": [
@@ -3431,7 +3506,14 @@
 "Sarit",
 "Quilted Tiger",
 "APT-C-09",
- "ZINC EMERSON"
+ "ZINC EMERSON",
+ "Confucius",
+ "ATK 11",
+ "TG-4410",
+ "G0040",
+ "G0089",
+ "Viceroy Tiger",
+ "Dropping Elephant"
 ]
 },
 "related": [
@@ -3627,7 +3709,13 @@
 "https://www.cfr.org/interactive/cyber-operations/apt-30"
 ],
 "synonyms": [
- "APT30"
+ "APT30",
+ "Naikon",
+ "Override Panda",
+ "G0019",
+ "G0013",
+ "BRONZE STERLING",
+ "CTG-5326"
 ]
 },
 "related": [
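Review bot: `Swallowtail` is added as a new synonym although it is already in this list (the context line just above `IRON TWILIGHT`), so the array ends up with a duplicate string; drop the added `"Swallowtail",` line. Duplicate synonyms add nothing for lookup and usually indicate a copy slip from another source list, which is worth a second look at the rest of this hunk's additions.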
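Review bot: `G0089` is, as far as I recall, not the MITRE identifier for Patchwork (`G0040`, added on the line above, is), so please verify it against the catalogue before publishing; a wrong G-number silently pulls a different group's techniques into any ATT&CK pivot on this cluster. `Confucius` is tracked by several vendors as a related but distinct group, so if listing it here is deliberate a `related` entry tagged `similar` would express that more precisely than a synonym.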
@@ -3847,7 +3935,13 @@
 "Helix Kitten",
 "APT 34",
 "APT34",
- "IRN2"
+ "IRN2",
+ "TA 452",
+ "G0049",
+ "G0116",
+ "ITG13",
+ "ATK 40",
+ "Chrysene"
 ]
 },
 "related": [
@@ -4513,7 +4607,11 @@
 "Ocean Buffalo",
 "POND LOACH",
 "TIN WOODLAWN",
- "BISMUTH"
+ "Tin Woodlawn",
+ "Woodlawn",
+ "BISMUTH",
+ "G0050",
+ "SectorF01"
 ]
 },
 "related": [
@@ -4825,7 +4923,9 @@
 "synonyms": [
 "CactusPete",
 "Karma Panda",
- "BRONZE HUNTLEY"
+ "BRONZE HUNTLEY",
+ "Bronze HUNTLEY",
+ "G0131"
 ]
 },
 "uuid": "0ab7c8de-fc23-4793-99aa-7ee336199e26",
@@ -4879,7 +4979,11 @@
 ],
 "synonyms": [
 "APT22",
- "BRONZE OLIVE"
+ "BRONZE OLIVE",
+ "Bronze Olive",
+ "Group 46",
+ "Suckfly",
+ "G0039"
 ]
 },
 "uuid": "7a2457d6-148a-4ce1-9e79-aa43352ee842",
@@ -4944,7 +5048,14 @@
 "Hippo Team",
 "JerseyMikes",
 "Turbine Panda",
- "BRONZE EXPRESS"
+ "BRONZE EXPRESS",
+ "Bronze Express",
+ "KungFu Kittens",
+ "WebMasters",
+ "Black Vine",
+ "Group 13",
+ "Shell Crew",
+ "PinkPanther"
 ]
 },
 "related": [
@@ -5800,7 +5911,15 @@
 "Red Eyes",
 "Ricochet Chollima",
 "ScarCruft",
- "Venus 121"
+ "Venus 121",
+ "TEMP.Reaper",
+ "Thallium",
+ "G0067",
+ "ITG10",
+ "ATK 4",
+ "Hermit",
+ "Geumseong121",
+ "Hidden Cobra"
 ]
 },
 "related": [
@@ -5886,8 +6005,16 @@
 "APT 40",
 "APT40",
 "BRONZE MOHAWK",
+ "Bronze Mohawk",
 "GADOLINIUM",
- "Kryptonite Panda"
+ "Gadolinium",
+ "Kryptonite Panda",
+ "G0065",
+ "ITG09",
+ "ATK29",
+ "Flaccid Rose",
+ "Nanhaishu",
+ "Mudcarp"
 ]
 },
 "related": [
@@ -5915,6 +6042,15 @@
 "Newscaster Team"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "86724806-7ec9-4a48-a0a7-ecbde3bf4810",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "similar"
+ }
+ ],
 "uuid": "b8967b3c-3bc9-11e8-8701-8b1ead8c099e",
 "value": "APT35"
 },
@@ -6079,6 +6215,7 @@
 "Private sector"
 ],
 "cfr-type-of-incident": "Espionage",
+ "country": "RU",
 "mode-of-operation": "Deep ICS environment information gathering, operator credentials, industrial process details",
 "refs": [
 "https://dragos.com/adversaries.html",
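Review bot: `G0116` is added to this APT34/OilRig cluster although the same identifier is also added to the APT20 cluster in the first hunk of this patch; a MITRE G-number is unique, so one of the two placements is wrong, and since `G0049` (OilRig) is already added on the line above, the extra ID here looks like a copy from the APT20 hunk and should be removed. A galaxy that maps one ATT&CK ID to two clusters breaks every tool that pivots from group ID to MISP cluster, so this is worth fixing before the version bump is published.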
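Review bot: `Bronze HUNTLEY` is neither the all-caps form already present (`BRONZE HUNTLEY`) nor the Title Case variant this patch adds for the other BRONZE names (`Bronze Hobart`, `Bronze Olive`, `Bronze Express`); change the new line to `"Bronze Huntley",`. Synonym matching is case-sensitive in most consumers, so a half-capitalised form only ever matches itself.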
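Review bot: `Thallium` and `Hidden Cobra` are, to my knowledge, generally attributed to other DPRK clusters — Microsoft's `Thallium` to Kimsuky and the US-CERT `Hidden Cobra` designation to Lazarus Group — rather than to the APT37/ScarCruft cluster these lines extend, so adding them here makes names that span several North Korean groups resolve to this one entry. Unless the references on this cluster support the mapping, leave them out or express the overlap with a `related` entry; `Hermit` is worth checking against its source for the same reason.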
@@ -6089,7 +6226,10 @@
 "synonyms": [
 "Dragonfly 2.0",
 "Dragonfly2",
- "Berserker Bear"
+ "Berserker Bear",
+ "Berserk Bear",
+ "G0074",
+ "Dymalloy"
 ],
 "victimology": "Turkey, Europe, US"
 },
@@ -6531,6 +6671,12 @@
 "refs": [
 "https://www.bellingcat.com/news/mena/2017/06/12/bahamut-pursuing-cyber-espionage-actor-middle-east/",
 "https://www.bellingcat.com/resources/case-studies/2017/10/27/bahamut-revisited-cyber-espionage-middle-east-south-asia/"
+ ],
+ "synonyms": [
+ "G0112",
+ "Urpage",
+ "EHDevel",
+ "WindShift"
 ]
 },
 "uuid": "dc3edacc-bb24-11e8-81fb-8c16458922a7",
@@ -7079,7 +7225,11 @@
 "APT 39",
 "Chafer",
 "REMIX KITTEN",
- "COBALT HICKMAN"
+ "Remix Kitten",
+ "COBALT HICKMAN",
+ "TA 454",
+ "G0087",
+ "ITG07"
 ]
 },
 "uuid": "c2c64bd3-a325-446f-91a8-b4c0f173a30b",
@@ -7381,9 +7531,13 @@
 ],
 "synonyms": [
 "APT 31",
+ "APT31",
 "ZIRCONIUM",
+ "Zirconium",
 "JUDGMENT PANDA",
- "BRONZE VINEWOOD"
+ "Judgment Panda",
+ "BRONZE VINEWOOD",
+ "G0128"
 ]
 },
 "uuid": "6bf7e6b6-5917-45a6-9567-f0baba79768c",
@@ -7927,6 +8081,7 @@
 {
 "description": "For the first time, the activity of the Calypso group was detected by specialists of PT Expert Security Center in March 2019, during the work to detect cyber threats. As a result, many malware samples of this group were obtained, affected organizations and control servers of intruders were identified. According to our data, the group has been active since at least September 2016. The main goal of the group is to steal confidential data, the main victims are government agencies from Brazil, India, Kazakhstan, Russia, Thailand, Turkey. Our data suggest that the group has Asian roots. Description translated from Russian.",
 "meta": {
+ "country": "CN",
 "refs": [
 "https://www.ptsecurity.com/upload/corporate/ru-ru/analytics/calypso-apt-2019-rus.pdf"
 ],
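Review bot: `"country": "CN"` is added to the Calypso entry whose own description says only that the group "has Asian roots" and whose single reference is the PT Security report, so the attribution now recorded is stronger than anything the entry documents. Either add a reference that supports a Chinese attribution or extend the description with the basis for it, since a consumer filtering clusters on `country` has no way to see the confidence behind the value.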
@@ -9225,7 +9380,34 @@
 },
 "uuid": "d45dd940-b38d-4b2c-9f2f-3e4a0eac841c",
 "value": "MosesStaff"
+ },
+ {
+ "description": "The group’s existence came to light during Context’s investigation of a number of attacks against multinational enterprises that compromise smaller engineering services and consultancies working in their supply chains.",
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://www.computerweekly.com/news/252471769/New-threat-group-behind-Airbus-cyber-attacks-claim-researchers"
+ ]
+ },
+ "uuid": "8045fc09-13d6-4f90-b239-ed5060b9297b",
+ "value": "Avivore"
+ },
+ {
+ "description": "The Bitter threat group initially started using RAT tools in their campaigns, as the first Bitter versions, for Android released in 2014 were based on the AndroRAT framework. Over time, they switched to a custom version that has been known as BitterRAT ever since.",
+ "meta": {
+ "country": "IN",
+ "refs": [
+ "https://www.bitdefender.com/files/News/CaseStudies/study/352/Bitdefender-PR-Whitepaper-BitterAPT-creat4571-en-EN-GenericUse.pdf"
+ ],
+ "synonyms": [
+ "BitterAPT",
+ "T-APT-17",
+ "APT-C-08"
+ ]
+ },
+ "uuid": "1e9bd6fe-e009-41ce-8e92-ad78c73ee772",
+ "value": "Bitter"
 }
 ],
- "version": 214
+ "version": 216
 }
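Review bot: both new entries, Avivore and Bitter, set `country` (`CN` and `IN`) while neither description mentions an attribution and each carries a single reference, so the value cannot be checked from the entry itself; add a sentence to each description stating the basis (for example that the cited vendor assesses the group as such) or an additional reference that does. The Bitter description only covers the Android RAT lineage, and a sentence on the group's targeting would make the entry usable for triage. The version also jumps from 214 to 216, which looks like a merge artefact but is worth confirming before the bump is published.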