update threat actors meta
parent
97690426bf
commit
0f7803b091
|
@ -668,10 +668,14 @@
|
||||||
"LEAD",
|
"LEAD",
|
||||||
"WICKED SPIDER",
|
"WICKED SPIDER",
|
||||||
"WICKED PANDA",
|
"WICKED PANDA",
|
||||||
|
"Wicked Panda",
|
||||||
"BARIUM",
|
"BARIUM",
|
||||||
"BRONZE ATLAS",
|
"BRONZE ATLAS",
|
||||||
"BRONZE EXPORT",
|
"BRONZE EXPORT",
|
||||||
"Red Kelpie"
|
"Red Kelpie",
|
||||||
|
"G0044",
|
||||||
|
"G0096",
|
||||||
|
"TG-2633"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"related": [
|
"related": [
|
||||||
|
@ -1068,7 +1072,13 @@
|
||||||
"ZipToken",
|
"ZipToken",
|
||||||
"Iron Tiger",
|
"Iron Tiger",
|
||||||
"BRONZE UNION",
|
"BRONZE UNION",
|
||||||
"Lucky Mouse"
|
"Bronze Union",
|
||||||
|
"Lucky Mouse",
|
||||||
|
"LuckyMouse",
|
||||||
|
"Emissary Panda",
|
||||||
|
"G0027",
|
||||||
|
"ATK 15",
|
||||||
|
"ATK15"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"related": [
|
"related": [
|
||||||
|
@ -1610,7 +1620,10 @@
|
||||||
"APT20",
|
"APT20",
|
||||||
"APT 20",
|
"APT 20",
|
||||||
"TH3Bug",
|
"TH3Bug",
|
||||||
"Twivy"
|
"Twivy",
|
||||||
|
"APT 8",
|
||||||
|
"APT8",
|
||||||
|
"G0116"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"uuid": "8bcd855f-a4c1-453a-bede-ff36582f4f40",
|
"uuid": "8bcd855f-a4c1-453a-bede-ff36582f4f40",
|
||||||
|
@ -1692,7 +1705,9 @@
|
||||||
"KeyBoy",
|
"KeyBoy",
|
||||||
"TropicTrooper",
|
"TropicTrooper",
|
||||||
"Tropic Trooper",
|
"Tropic Trooper",
|
||||||
"BRONZE HOBART"
|
"BRONZE HOBART",
|
||||||
|
"Bronze Hobart",
|
||||||
|
"G0081"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"uuid": "7f16d1f5-04ee-4d99-abf0-87e1f23f9fee",
|
"uuid": "7f16d1f5-04ee-4d99-abf0-87e1f23f9fee",
|
||||||
|
@ -2015,9 +2030,16 @@
|
||||||
"APT 33",
|
"APT 33",
|
||||||
"Elfin",
|
"Elfin",
|
||||||
"MAGNALLIUM",
|
"MAGNALLIUM",
|
||||||
|
"Magnallium",
|
||||||
"Refined Kitten",
|
"Refined Kitten",
|
||||||
"HOLMIUM",
|
"HOLMIUM",
|
||||||
"COBALT TRINITY"
|
"Holmium",
|
||||||
|
"COBALT TRINITY",
|
||||||
|
"COBALT Trinity",
|
||||||
|
"TA 451",
|
||||||
|
"G0064",
|
||||||
|
"ATK 35",
|
||||||
|
"Group 83"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"related": [
|
"related": [
|
||||||
|
@ -2228,7 +2250,18 @@
|
||||||
"APT35",
|
"APT35",
|
||||||
"APT 35",
|
"APT 35",
|
||||||
"TEMP.Beanie",
|
"TEMP.Beanie",
|
||||||
"Ghambar"
|
"Ghambar",
|
||||||
|
"TA 453",
|
||||||
|
"NewsBeef",
|
||||||
|
"Charming Kitten",
|
||||||
|
"Phosphorus",
|
||||||
|
"G0003",
|
||||||
|
"G0059",
|
||||||
|
"COBALT illusion",
|
||||||
|
"Timberworm",
|
||||||
|
"C-Major",
|
||||||
|
"Newscaster",
|
||||||
|
"TunnelVision"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"related": [
|
"related": [
|
||||||
|
@ -2301,6 +2334,13 @@
|
||||||
"estimative-language:likelihood-probability=\"likely\""
|
"estimative-language:likelihood-probability=\"likely\""
|
||||||
],
|
],
|
||||||
"type": "similar"
|
"type": "similar"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"dest-uuid": "b8967b3c-3bc9-11e8-8701-8b1ead8c099e",
|
||||||
|
"tags": [
|
||||||
|
"estimative-language:likelihood-probability=\"likely\""
|
||||||
|
],
|
||||||
|
"type": "similar"
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"uuid": "86724806-7ec9-4a48-a0a7-ecbde3bf4810",
|
"uuid": "86724806-7ec9-4a48-a0a7-ecbde3bf4810",
|
||||||
|
@ -2435,6 +2475,7 @@
|
||||||
"Fancy Bear",
|
"Fancy Bear",
|
||||||
"Sednit",
|
"Sednit",
|
||||||
"SNAKEMACKEREL",
|
"SNAKEMACKEREL",
|
||||||
|
"Snakemackerel",
|
||||||
"TsarTeam",
|
"TsarTeam",
|
||||||
"Tsar Team",
|
"Tsar Team",
|
||||||
"TG-4127",
|
"TG-4127",
|
||||||
|
@ -2443,10 +2484,20 @@
|
||||||
"TAG_0700",
|
"TAG_0700",
|
||||||
"Swallowtail",
|
"Swallowtail",
|
||||||
"IRON TWILIGHT",
|
"IRON TWILIGHT",
|
||||||
|
"Iron Twilight",
|
||||||
"Group 74",
|
"Group 74",
|
||||||
"SIG40",
|
"SIG40",
|
||||||
"Grizzly Steppe",
|
"Grizzly Steppe",
|
||||||
"apt_sofacy"
|
"apt_sofacy",
|
||||||
|
"TA 422",
|
||||||
|
"Strontium",
|
||||||
|
"G0007",
|
||||||
|
"ITG05",
|
||||||
|
"ATK 5",
|
||||||
|
"ATK5",
|
||||||
|
"Swallowtail",
|
||||||
|
"T-APT-12",
|
||||||
|
"APT-C-20"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"related": [
|
"related": [
|
||||||
|
@ -2513,6 +2564,7 @@
|
||||||
"CozyDuke",
|
"CozyDuke",
|
||||||
"EuroAPT",
|
"EuroAPT",
|
||||||
"CozyBear",
|
"CozyBear",
|
||||||
|
"Cozy Bear",
|
||||||
"CozyCar",
|
"CozyCar",
|
||||||
"Cozer",
|
"Cozer",
|
||||||
"Office Monkeys",
|
"Office Monkeys",
|
||||||
|
@ -2524,8 +2576,15 @@
|
||||||
"SeaDuke",
|
"SeaDuke",
|
||||||
"Hammer Toss",
|
"Hammer Toss",
|
||||||
"YTTRIUM",
|
"YTTRIUM",
|
||||||
|
"Yttrium",
|
||||||
"Iron Hemlock",
|
"Iron Hemlock",
|
||||||
"Grizzly Steppe"
|
"Grizzly Steppe",
|
||||||
|
"TA 421",
|
||||||
|
"CloudLook",
|
||||||
|
"G0016",
|
||||||
|
"ITG11",
|
||||||
|
"ATK7",
|
||||||
|
"ATK 7"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"related": [
|
"related": [
|
||||||
|
@ -3166,7 +3225,20 @@
|
||||||
"Nickel Academy",
|
"Nickel Academy",
|
||||||
"APT-C-26",
|
"APT-C-26",
|
||||||
"NICKEL GLADSTONE",
|
"NICKEL GLADSTONE",
|
||||||
"COVELLITE"
|
"COVELLITE",
|
||||||
|
"Stardust Chollima",
|
||||||
|
"G0082",
|
||||||
|
"G0032",
|
||||||
|
"ITG03",
|
||||||
|
"Hive0080",
|
||||||
|
"CTG-6459",
|
||||||
|
"Lazarus",
|
||||||
|
"ATK 117",
|
||||||
|
"T-APT-15",
|
||||||
|
"Klipodenc",
|
||||||
|
"SectorA01",
|
||||||
|
"BeagleBoyz",
|
||||||
|
"NESTEGG"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"related": [
|
"related": [
|
||||||
|
@ -3332,8 +3404,11 @@
|
||||||
"APT36",
|
"APT36",
|
||||||
"APT 36",
|
"APT 36",
|
||||||
"TMP.Lapis",
|
"TMP.Lapis",
|
||||||
|
"TEMP.Lapis",
|
||||||
"Green Havildar",
|
"Green Havildar",
|
||||||
"COPPER FIELDSTONE"
|
"COPPER FIELDSTONE",
|
||||||
|
"G0134",
|
||||||
|
"APT-C-56"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"related": [
|
"related": [
|
||||||
|
@ -3431,7 +3506,14 @@
|
||||||
"Sarit",
|
"Sarit",
|
||||||
"Quilted Tiger",
|
"Quilted Tiger",
|
||||||
"APT-C-09",
|
"APT-C-09",
|
||||||
"ZINC EMERSON"
|
"ZINC EMERSON",
|
||||||
|
"Confucius",
|
||||||
|
"ATK 11",
|
||||||
|
"TG-4410",
|
||||||
|
"G0040",
|
||||||
|
"G0089",
|
||||||
|
"Viceroy Tiger",
|
||||||
|
"Dropping Elephant"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"related": [
|
"related": [
|
||||||
|
@ -3627,7 +3709,13 @@
|
||||||
"https://www.cfr.org/interactive/cyber-operations/apt-30"
|
"https://www.cfr.org/interactive/cyber-operations/apt-30"
|
||||||
],
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"APT30"
|
"APT30",
|
||||||
|
"Naikon",
|
||||||
|
"Override Panda",
|
||||||
|
"G0019",
|
||||||
|
"G0013",
|
||||||
|
"BRONZE STERLING",
|
||||||
|
"CTG-5326"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"related": [
|
"related": [
|
||||||
|
@ -3847,7 +3935,13 @@
|
||||||
"Helix Kitten",
|
"Helix Kitten",
|
||||||
"APT 34",
|
"APT 34",
|
||||||
"APT34",
|
"APT34",
|
||||||
"IRN2"
|
"IRN2",
|
||||||
|
"TA 452",
|
||||||
|
"G0049",
|
||||||
|
"G0116",
|
||||||
|
"ITG13",
|
||||||
|
"ATK 40",
|
||||||
|
"Chrysene"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"related": [
|
"related": [
|
||||||
|
@ -4513,7 +4607,11 @@
|
||||||
"Ocean Buffalo",
|
"Ocean Buffalo",
|
||||||
"POND LOACH",
|
"POND LOACH",
|
||||||
"TIN WOODLAWN",
|
"TIN WOODLAWN",
|
||||||
"BISMUTH"
|
"Tin Woodlawn",
|
||||||
|
"Woodlawn",
|
||||||
|
"BISMUTH",
|
||||||
|
"G0050",
|
||||||
|
"SectorF01"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"related": [
|
"related": [
|
||||||
|
@ -4825,7 +4923,9 @@
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"CactusPete",
|
"CactusPete",
|
||||||
"Karma Panda",
|
"Karma Panda",
|
||||||
"BRONZE HUNTLEY"
|
"BRONZE HUNTLEY",
|
||||||
|
"Bronze HUNTLEY",
|
||||||
|
"G0131"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"uuid": "0ab7c8de-fc23-4793-99aa-7ee336199e26",
|
"uuid": "0ab7c8de-fc23-4793-99aa-7ee336199e26",
|
||||||
|
@ -4879,7 +4979,11 @@
|
||||||
],
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"APT22",
|
"APT22",
|
||||||
"BRONZE OLIVE"
|
"BRONZE OLIVE",
|
||||||
|
"Bronze Olive",
|
||||||
|
"Group 46",
|
||||||
|
"Suckfly",
|
||||||
|
"G0039"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"uuid": "7a2457d6-148a-4ce1-9e79-aa43352ee842",
|
"uuid": "7a2457d6-148a-4ce1-9e79-aa43352ee842",
|
||||||
|
@ -4944,7 +5048,14 @@
|
||||||
"Hippo Team",
|
"Hippo Team",
|
||||||
"JerseyMikes",
|
"JerseyMikes",
|
||||||
"Turbine Panda",
|
"Turbine Panda",
|
||||||
"BRONZE EXPRESS"
|
"BRONZE EXPRESS",
|
||||||
|
"Bronze Express",
|
||||||
|
"KungFu Kittens",
|
||||||
|
"WebMasters",
|
||||||
|
"Black Vine",
|
||||||
|
"Group 13",
|
||||||
|
"Shell Crew",
|
||||||
|
"PinkPanther"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"related": [
|
"related": [
|
||||||
|
@ -5800,7 +5911,15 @@
|
||||||
"Red Eyes",
|
"Red Eyes",
|
||||||
"Ricochet Chollima",
|
"Ricochet Chollima",
|
||||||
"ScarCruft",
|
"ScarCruft",
|
||||||
"Venus 121"
|
"Venus 121",
|
||||||
|
"TEMP.Reaper",
|
||||||
|
"Thallium",
|
||||||
|
"G0067",
|
||||||
|
"ITG10",
|
||||||
|
"ATK 4",
|
||||||
|
"Hermit",
|
||||||
|
"Geumseong121",
|
||||||
|
"Hidden Cobra"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"related": [
|
"related": [
|
||||||
|
@ -5886,8 +6005,16 @@
|
||||||
"APT 40",
|
"APT 40",
|
||||||
"APT40",
|
"APT40",
|
||||||
"BRONZE MOHAWK",
|
"BRONZE MOHAWK",
|
||||||
|
"Bronze Mohawk",
|
||||||
"GADOLINIUM",
|
"GADOLINIUM",
|
||||||
"Kryptonite Panda"
|
"Gadolinium",
|
||||||
|
"Kryptonite Panda",
|
||||||
|
"G0065",
|
||||||
|
"ITG09",
|
||||||
|
"ATK29",
|
||||||
|
"Flaccid Rose",
|
||||||
|
"Nanhaishu",
|
||||||
|
"Mudcarp"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"related": [
|
"related": [
|
||||||
|
@ -5915,6 +6042,15 @@
|
||||||
"Newscaster Team"
|
"Newscaster Team"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
|
"related": [
|
||||||
|
{
|
||||||
|
"dest-uuid": "86724806-7ec9-4a48-a0a7-ecbde3bf4810",
|
||||||
|
"tags": [
|
||||||
|
"estimative-language:likelihood-probability=\"likely\""
|
||||||
|
],
|
||||||
|
"type": "similar"
|
||||||
|
}
|
||||||
|
],
|
||||||
"uuid": "b8967b3c-3bc9-11e8-8701-8b1ead8c099e",
|
"uuid": "b8967b3c-3bc9-11e8-8701-8b1ead8c099e",
|
||||||
"value": "APT35"
|
"value": "APT35"
|
||||||
},
|
},
|
||||||
|
@ -6079,6 +6215,7 @@
|
||||||
"Private sector"
|
"Private sector"
|
||||||
],
|
],
|
||||||
"cfr-type-of-incident": "Espionage",
|
"cfr-type-of-incident": "Espionage",
|
||||||
|
"country": "RU",
|
||||||
"mode-of-operation": "Deep ICS environment information gathering, operator credentials, industrial process details",
|
"mode-of-operation": "Deep ICS environment information gathering, operator credentials, industrial process details",
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://dragos.com/adversaries.html",
|
"https://dragos.com/adversaries.html",
|
||||||
|
@ -6089,7 +6226,10 @@
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"Dragonfly 2.0",
|
"Dragonfly 2.0",
|
||||||
"Dragonfly2",
|
"Dragonfly2",
|
||||||
"Berserker Bear"
|
"Berserker Bear",
|
||||||
|
"Berserk Bear",
|
||||||
|
"G0074",
|
||||||
|
"Dymalloy"
|
||||||
],
|
],
|
||||||
"victimology": "Turkey, Europe, US"
|
"victimology": "Turkey, Europe, US"
|
||||||
},
|
},
|
||||||
|
@ -6531,6 +6671,12 @@
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://www.bellingcat.com/news/mena/2017/06/12/bahamut-pursuing-cyber-espionage-actor-middle-east/",
|
"https://www.bellingcat.com/news/mena/2017/06/12/bahamut-pursuing-cyber-espionage-actor-middle-east/",
|
||||||
"https://www.bellingcat.com/resources/case-studies/2017/10/27/bahamut-revisited-cyber-espionage-middle-east-south-asia/"
|
"https://www.bellingcat.com/resources/case-studies/2017/10/27/bahamut-revisited-cyber-espionage-middle-east-south-asia/"
|
||||||
|
],
|
||||||
|
"synonyms": [
|
||||||
|
"G0112",
|
||||||
|
"Urpage",
|
||||||
|
"EHDevel",
|
||||||
|
"WindShift"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"uuid": "dc3edacc-bb24-11e8-81fb-8c16458922a7",
|
"uuid": "dc3edacc-bb24-11e8-81fb-8c16458922a7",
|
||||||
|
@ -7079,7 +7225,11 @@
|
||||||
"APT 39",
|
"APT 39",
|
||||||
"Chafer",
|
"Chafer",
|
||||||
"REMIX KITTEN",
|
"REMIX KITTEN",
|
||||||
"COBALT HICKMAN"
|
"Remix Kitten",
|
||||||
|
"COBALT HICKMAN",
|
||||||
|
"TA 454",
|
||||||
|
"G0087",
|
||||||
|
"ITG07"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"uuid": "c2c64bd3-a325-446f-91a8-b4c0f173a30b",
|
"uuid": "c2c64bd3-a325-446f-91a8-b4c0f173a30b",
|
||||||
|
@ -7381,9 +7531,13 @@
|
||||||
],
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"APT 31",
|
"APT 31",
|
||||||
|
"APT31",
|
||||||
"ZIRCONIUM",
|
"ZIRCONIUM",
|
||||||
|
"Zirconium",
|
||||||
"JUDGMENT PANDA",
|
"JUDGMENT PANDA",
|
||||||
"BRONZE VINEWOOD"
|
"Judgment Panda",
|
||||||
|
"BRONZE VINEWOOD",
|
||||||
|
"G0128"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"uuid": "6bf7e6b6-5917-45a6-9567-f0baba79768c",
|
"uuid": "6bf7e6b6-5917-45a6-9567-f0baba79768c",
|
||||||
|
@ -7927,6 +8081,7 @@
|
||||||
{
|
{
|
||||||
"description": "For the first time, the activity of the Calypso group was detected by specialists of PT Expert Security Center in March 2019, during the work to detect cyber threats. As a result, many malware samples of this group were obtained, affected organizations and control servers of intruders were identified. According to our data, the group has been active since at least September 2016. The main goal of the group is to steal confidential data, the main victims are government agencies from Brazil, India, Kazakhstan, Russia, Thailand, Turkey. Our data suggest that the group has Asian roots. Description translated from Russian.",
|
"description": "For the first time, the activity of the Calypso group was detected by specialists of PT Expert Security Center in March 2019, during the work to detect cyber threats. As a result, many malware samples of this group were obtained, affected organizations and control servers of intruders were identified. According to our data, the group has been active since at least September 2016. The main goal of the group is to steal confidential data, the main victims are government agencies from Brazil, India, Kazakhstan, Russia, Thailand, Turkey. Our data suggest that the group has Asian roots. Description translated from Russian.",
|
||||||
"meta": {
|
"meta": {
|
||||||
|
"country": "CN",
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://www.ptsecurity.com/upload/corporate/ru-ru/analytics/calypso-apt-2019-rus.pdf"
|
"https://www.ptsecurity.com/upload/corporate/ru-ru/analytics/calypso-apt-2019-rus.pdf"
|
||||||
],
|
],
|
||||||
|
@ -9225,7 +9380,34 @@
|
||||||
},
|
},
|
||||||
"uuid": "d45dd940-b38d-4b2c-9f2f-3e4a0eac841c",
|
"uuid": "d45dd940-b38d-4b2c-9f2f-3e4a0eac841c",
|
||||||
"value": "MosesStaff"
|
"value": "MosesStaff"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"description": "The group’s existence came to light during Context’s investigation of a number of attacks against multinational enterprises that compromise smaller engineering services and consultancies working in their supply chains.",
|
||||||
|
"meta": {
|
||||||
|
"country": "CN",
|
||||||
|
"refs": [
|
||||||
|
"https://www.computerweekly.com/news/252471769/New-threat-group-behind-Airbus-cyber-attacks-claim-researchers"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"uuid": "8045fc09-13d6-4f90-b239-ed5060b9297b",
|
||||||
|
"value": "Avivore"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"description": "The Bitter threat group initially started using RAT tools in their campaigns, as the first Bitter versions, for Android released in 2014 were based on the AndroRAT framework. Over time, they switched to a custom version that has been known as BitterRAT ever since.",
|
||||||
|
"meta": {
|
||||||
|
"country": "IN",
|
||||||
|
"refs": [
|
||||||
|
"https://www.bitdefender.com/files/News/CaseStudies/study/352/Bitdefender-PR-Whitepaper-BitterAPT-creat4571-en-EN-GenericUse.pdf"
|
||||||
|
],
|
||||||
|
"synonyms": [
|
||||||
|
"BitterAPT",
|
||||||
|
"T-APT-17",
|
||||||
|
"APT-C-08"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"uuid": "1e9bd6fe-e009-41ce-8e92-ad78c73ee772",
|
||||||
|
"value": "Bitter"
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"version": 214
|
"version": 216
|
||||||
}
|
}
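Review bot: `G0116` is now attached to two different actors — it is added to the APT20 synonyms in the `-1610` hunk and again to the APT34/OilRig synonyms in the `-3847` hunk — so any consumer that pivots on the MITRE group ID will merge the two clusters; one of the two is wrong and should be dropped (MITRE's G0116 entry covers the APT20-linked Wocao activity, so I would delete the `"G0116",` line from the APT34 list — please confirm against MITRE before merging). In the same vein, the `-2443` hunk adds `"Swallowtail",` to the APT28 synonyms while `"Swallowtail",` already appears as unchanged context a few lines above in the same hunk, leaving a duplicate string in one array that the galaxy's synonym matching will silently tolerate but that should not be there. Also, the new `"country": "CN"` on the Calypso and Avivore entries asserts more than the entries' own text supports — Calypso's description only says the group "has Asian roots" and Avivore cites a single news article with no attribution — so either add a reference that makes the attribution or leave `country` out, since downstream tooling treats that field as a fact. Since this is strict JSON there is nowhere to carry these caveats in-file; the fix is to the data itself.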
|
||||||
|
|