From d4225c546958e96017686d510de264392a1d8baa Mon Sep 17 00:00:00 2001
From: Delta-Sierra <deborah.servili@gmail.com>
Date: Mon, 17 Apr 2023 11:16:21 +0200
Subject: [PATCH 1/7] add some SNOWYAMBER relationships

---
 clusters/microsoft-activity-group.json |  7 +++++++
 clusters/threat-actor.json             | 14 +++++++++++++
 clusters/tool.json                     | 27 ++++++++++++++++++++++++--
 3 files changed, 46 insertions(+), 2 deletions(-)

diff --git a/clusters/microsoft-activity-group.json b/clusters/microsoft-activity-group.json
index 012e1bd8..d611db8d 100644
--- a/clusters/microsoft-activity-group.json
+++ b/clusters/microsoft-activity-group.json
@@ -315,6 +315,13 @@
             "estimative-language:likelihood-probability=\"likely\""
           ],
           "type": "uses"
+        },
+        {
+          "dest-uuid": "0125ef58-2675-426f-90eb-0b189961199a",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "uses"
         }
       ],
       "uuid": "d7247cf9-13b6-4781-b789-a5f33521633b",
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index c9297482..b1e8967d 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -2274,6 +2274,13 @@
             "estimative-language:likelihood-probability=\"likely\""
           ],
           "type": "similar"
+        },
+        {
+          "dest-uuid": "0125ef58-2675-426f-90eb-0b189961199a",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "uses"
         }
       ],
       "uuid": "b2056ff0-00b9-482e-b11c-c771daa5f28a",
@@ -8160,6 +8167,13 @@
             "estimative-language:likelihood-probability=\"likely\""
           ],
           "type": "similar"
+        },
+        {
+          "dest-uuid": "0125ef58-2675-426f-90eb-0b189961199a",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "uses"
         }
       ],
       "uuid": "2ee5ed7a-c4d0-40be-a837-20817474a15b",
diff --git a/clusters/tool.json b/clusters/tool.json
index 1bc037be..3aab56e5 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -8711,7 +8711,7 @@
       },
       "related": [
         {
-          "dest-uuid": "54c03b3c-6f97-46ea-a93f-f07bfd5cdd36,",
+          "dest-uuid": "54c03b3c-6f97-46ea-a93f-f07bfd5cdd36",
           "tags": [
             "estimative-language:likelihood-probability=\"likely\""
           ],
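Review bot: The malformed `dest-uuid` corrected in this hunk (a comma inside the quotes) was still well-formed JSON, so a parse-only check would not have flagged it, and the commit adds no guard against the same typo recurring. A `pattern` or `"format": "uuid"` constraint on `dest-uuid` in the cluster schema would reject this class of error. A CI pass confirming that every `dest-uuid` resolves to a `uuid` defined in some cluster would also catch dangling references. Whether such checks already exist is not visible from this patch. The `related` array continues past the end of the hunk.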
@@ -8756,7 +8756,7 @@
       "value": "AHK Bot"
     },
     {
-      "description": "A tool first used in October 2022, abusing the Notion7 service to communicate and download further malicious files. Two versions of this tool have been observed.",
+      "description": "A tool first used in October 2022, abusing the Notion service to communicate and download further malicious files. Two versions of this tool have been observed.\n\nSNOWYAMBER is a dropper that was used in an espionage campaign significantly overlapping with publicly described activity linked to the APT29 and NOBELIUM activity sets. SNOWYAMBER abuses the NOTION collaboration service as a communication channel. It does not contain any other capabilities aside from downloading and executing 2nd stage. To bypass security products, SNOWYAMBER uses several antidetection and obfuscation techniques, including string encryption, dynamic API resolving, EDR/AV unhooking, and direct syscalls.",
       "meta": {
         "refs": [
           "https://www.gov.pl/web/baza-wiedzy/espionage-campaign-linked-to-russian-intelligence-services",
@@ -8764,6 +8764,29 @@
           "https://www.gov.pl/attachment/ee91f24d-3e67-436d-aa50-7fa56acf789d"
         ]
       },
+      "related": [
+        {
+          "dest-uuid": "b2056ff0-00b9-482e-b11c-c771daa5f28a",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "used-by"
+        },
+        {
+          "dest-uuid": "d7247cf9-13b6-4781-b789-a5f33521633b",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "used-by"
+        },
+        {
+          "dest-uuid": "2ee5ed7a-c4d0-40be-a837-20817474a15b",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "used-by"
+        }
+      ],
       "uuid": "0125ef58-2675-426f-90eb-0b189961199a",
       "value": "SNOWYAMBER"
     },

From 6d5df91efab527dc68ded6fe645adb69f058a25e Mon Sep 17 00:00:00 2001
From: Delta-Sierra <deborah.servili@gmail.com>
Date: Mon, 17 Apr 2023 11:31:48 +0200
Subject: [PATCH 2/7] add relationship SNOWYAMBER & Notion

---
 clusters/online-service.json | 11 ++++++++++-
 clusters/tool.json           |  9 ++++++++-
 2 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/clusters/online-service.json b/clusters/online-service.json
index 92fdb227..1f45bd1f 100644
--- a/clusters/online-service.json
+++ b/clusters/online-service.json
@@ -16,9 +16,18 @@
           "https://www.notion.so/product"
         ]
       },
+      "related": [
+        {
+          "dest-uuid": "0125ef58-2675-426f-90eb-0b189961199a",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "used-by"
+        }
+      ],
       "uuid": "5c807e49-dc90-4f80-b044-49bb990acb61",
       "value": "Notion"
     }
   ],
-  "version": 1
+  "version": 2
 }
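Review bot: The new `used-by` edge on the Notion entry links a legitimate collaboration service to a malware cluster, and nothing in the visible fields says the service is abused rather than malicious. The entry's `description` lies above this hunk; if it does not already say so, a sentence such as `Legitimate service; listed because malware abuses it as a communication channel.` would help. It would keep consumers that pivot on galaxy relationships from treating Notion traffic as hostile on its own.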
diff --git a/clusters/tool.json b/clusters/tool.json
index 3aab56e5..72716b96 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -8785,6 +8785,13 @@
             "estimative-language:likelihood-probability=\"likely\""
           ],
           "type": "used-by"
+        },
+        {
+          "dest-uuid": "5c807e49-dc90-4f80-b044-49bb990acb61",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "uses"
         }
       ],
       "uuid": "0125ef58-2675-426f-90eb-0b189961199a",
@@ -8815,5 +8822,5 @@
       "value": "QUARTERRIG"
     }
   ],
-  "version": 162
+  "version": 163
 }

From 4a4fa6d16ff3d7e1877f9662d9bab2d04deca6a5 Mon Sep 17 00:00:00 2001
From: Delta-Sierra <deborah.servili@gmail.com>
Date: Mon, 17 Apr 2023 11:32:51 +0200
Subject: [PATCH 3/7] fix versions

---
 clusters/microsoft-activity-group.json | 2 +-
 clusters/threat-actor.json             | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/clusters/microsoft-activity-group.json b/clusters/microsoft-activity-group.json
index d611db8d..ba6cdbae 100644
--- a/clusters/microsoft-activity-group.json
+++ b/clusters/microsoft-activity-group.json
@@ -328,5 +328,5 @@
       "value": "NOBELIUM"
     }
   ],
-  "version": 11
+  "version": 12
 }
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 9c0ef005..0265c4a7 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -10650,5 +10650,5 @@
       "value": "Anonymous Sudan"
     }
   ],
-  "version": 263
+  "version": 264
 }

From 6b8994271e08cf0ce32265625d268f3887003ab2 Mon Sep 17 00:00:00 2001
From: Delta-Sierra <deborah.servili@gmail.com>
Date: Tue, 18 Apr 2023 12:20:20 +0200
Subject: [PATCH 4/7] add relationships for HALFRIG & QUATTERRIG

---
 clusters/microsoft-activity-group.json | 16 +++++++-
 clusters/threat-actor.json             | 30 ++++++++++++++-
 clusters/tool.json                     | 52 ++++++++++++++++++++++++--
 3 files changed, 93 insertions(+), 5 deletions(-)

diff --git a/clusters/microsoft-activity-group.json b/clusters/microsoft-activity-group.json
index ba6cdbae..5063270f 100644
--- a/clusters/microsoft-activity-group.json
+++ b/clusters/microsoft-activity-group.json
@@ -322,11 +322,25 @@
             "estimative-language:likelihood-probability=\"likely\""
           ],
           "type": "uses"
+        },
+        {
+          "dest-uuid": "f169f0b3-fe4d-40e5-a443-2561c98eb67e",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "uses"
+        },
+        {
+          "dest-uuid": "2d5072db-64e2-4d81-9b3a-3aa76cfa978b",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "uses"
         }
       ],
       "uuid": "d7247cf9-13b6-4781-b789-a5f33521633b",
       "value": "NOBELIUM"
     }
   ],
-  "version": 12
+  "version": 13
 }
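Review bot: The `version` bump from 12 to 13 at the end of this hunk is also made by patch 5/7 of this series, which edits the same file from a different base blob (`1cf87578`, versus `ba6cdbae` here). If both land as written, one of the two changes ships without a version increase, and consumers that refresh a cluster only when `version` rises could miss it. The merged file should end above 13. The merge result is not visible in this series, so this may already be handled.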
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 0265c4a7..dcceae3a 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -2281,6 +2281,20 @@
             "estimative-language:likelihood-probability=\"likely\""
           ],
           "type": "uses"
+        },
+        {
+          "dest-uuid": "f169f0b3-fe4d-40e5-a443-2561c98eb67e",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "uses"
+        },
+        {
+          "dest-uuid": "2d5072db-64e2-4d81-9b3a-3aa76cfa978b",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "uses"
         }
       ],
       "uuid": "b2056ff0-00b9-482e-b11c-c771daa5f28a",
@@ -8176,6 +8190,20 @@
             "estimative-language:likelihood-probability=\"likely\""
           ],
           "type": "uses"
+        },
+        {
+          "dest-uuid": "f169f0b3-fe4d-40e5-a443-2561c98eb67e",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "uses"
+        },
+        {
+          "dest-uuid": "2d5072db-64e2-4d81-9b3a-3aa76cfa978b",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "uses"
         }
       ],
       "uuid": "2ee5ed7a-c4d0-40be-a837-20817474a15b",
@@ -10650,5 +10678,5 @@
       "value": "Anonymous Sudan"
     }
   ],
-  "version": 264
+  "version": 265
 }
diff --git a/clusters/tool.json b/clusters/tool.json
index 72716b96..76d1f625 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -8798,7 +8798,7 @@
       "value": "SNOWYAMBER"
     },
     {
-      "description": "Used for the first time in February 2023. This tool is distinguished from the others by the embedded code that runs the COBALT STRIKE tool.",
+      "description": "Used for the first time in February 2023. This tool is distinguished from the others by the embedded code that runs the COBALT STRIKE tool.\n\nHALFRIG is a stager for CobaltStrike Beacon that was used in an espionage campaign significantly overlapping with publicly described activity linked to the APT29 and NOBELIUM activity sets. HALFRIG has significant code overlap with the QUARTERRIG and it is highly probable that it was developed by the same team.",
       "meta": {
         "refs": [
           "https://www.gov.pl/web/baza-wiedzy/espionage-campaign-linked-to-russian-intelligence-services",
@@ -8806,11 +8806,34 @@
           "https://www.gov.pl/attachment/6e085a2c-ac05-4b62-9423-5d6e9ef730bf"
         ]
       },
+      "related": [
+        {
+          "dest-uuid": "b2056ff0-00b9-482e-b11c-c771daa5f28a",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "used-by"
+        },
+        {
+          "dest-uuid": "d7247cf9-13b6-4781-b789-a5f33521633b",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "used-by"
+        },
+        {
+          "dest-uuid": "2ee5ed7a-c4d0-40be-a837-20817474a15b",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "used-by"
+        }
+      ],
       "uuid": "f169f0b3-fe4d-40e5-a443-2561c98eb67e",
       "value": "HALFRIG"
     },
     {
-      "description": "A tool first used in March 2023, sharing part of the code with HALFRIG. Two versions of this tool were observed.",
+      "description": "A tool first used in March 2023, sharing part of the code with HALFRIG. Two versions of this tool were observed.\n\nQUARTERRIG is a dropper that was used in an espionage campaign significantly overlapping with publicly described activity linked to the APT29 and NOBELIUM activity sets. QUARTERRIG does not contain any other capabilities aside from downloading and executing 2nd stage. To bypass security products, QUARTERRIG heavily relies on obfuscation based on opaque predicates and multi-stage execution, interweaving shellcode and PE files. HALFRIG and QUARTERRIG share some of the codebase, suggesting that QUARTERRIG authors have access to both HALFRIG source code and the same obfuscation libraries.",
       "meta": {
         "refs": [
           "https://www.gov.pl/web/baza-wiedzy/espionage-campaign-linked-to-russian-intelligence-services",
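Review bot: The `related` array added for HALFRIG holds only `used-by` edges, although the description in the previous hunk calls it a stager for Cobalt Strike Beacon, so that link exists only as prose. If tool.json already has a Cobalt Strike cluster, an edge such as `{"dest-uuid": "<uuid-of-cobalt-strike-cluster>", "tags": ["estimative-language:likelihood-probability=\"likely\""], "type": "uses"}` would let analysts pivot from HALFRIG to existing Beacon detections. Likewise, both descriptions state that HALFRIG and QUARTERRIG share code, so a `similar` edge between the two entries (QUARTERRIG's array is in the next hunk) would make that overlap queryable.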
@@ -8818,9 +8841,32 @@
           "https://www.gov.pl/attachment/6e085a2c-ac05-4b62-9423-5d6e9ef730bf"
         ]
       },
+      "related": [
+        {
+          "dest-uuid": "b2056ff0-00b9-482e-b11c-c771daa5f28a",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "used-by"
+        },
+        {
+          "dest-uuid": "d7247cf9-13b6-4781-b789-a5f33521633b",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "used-by"
+        },
+        {
+          "dest-uuid": "2ee5ed7a-c4d0-40be-a837-20817474a15b",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "used-by"
+        }
+      ],
       "uuid": "2d5072db-64e2-4d81-9b3a-3aa76cfa978b",
       "value": "QUARTERRIG"
     }
   ],
-  "version": 163
+  "version": 164
 }

From 8d2b9537f1c415adbd04161a67fd8456b3155367 Mon Sep 17 00:00:00 2001
From: Tobias Mainka <neok0@users.noreply.github.com>
Date: Wed, 19 Apr 2023 12:38:37 +0200
Subject: [PATCH 5/7] replace "sector" tag with "country" for matching data.
 this allows to be confirm with existing clusters.

---
 clusters/microsoft-activity-group.json | 88 +++++++++++++-------------
 1 file changed, 44 insertions(+), 44 deletions(-)

diff --git a/clusters/microsoft-activity-group.json b/clusters/microsoft-activity-group.json
index 1cf87578..9a460902 100644
--- a/clusters/microsoft-activity-group.json
+++ b/clusters/microsoft-activity-group.json
@@ -325,7 +325,7 @@
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "sector": "China",
+        "country": "CN",
         "synonyms": [
           "APT41",
           "BARIUM"
@@ -339,7 +339,7 @@
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "sector": "China",
+        "country": "CN",
         "synonyms": [
           "CHROMIUM",
           "ControlX"
@@ -353,7 +353,7 @@
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "sector": "China",
+        "country": "CN",
         "synonyms": [
           "DEV-0322"
         ]
@@ -366,7 +366,7 @@
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "sector": "China",
+        "country": "CN",
         "synonyms": [
           "APT40",
           "GADOLINIUM",
@@ -383,7 +383,7 @@
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "sector": "China",
+        "country": "CN",
         "synonyms": [
           "GALLIUM"
         ]
@@ -396,7 +396,7 @@
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "sector": "China",
+        "country": "CN",
         "synonyms": [
           "DEV-0234"
         ]
@@ -409,7 +409,7 @@
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "sector": "China",
+        "country": "CN",
         "synonyms": [
           "APT5",
           "Keyhole Panda",
@@ -425,7 +425,7 @@
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "sector": "China",
+        "country": "CN",
         "synonyms": [
           "APT15",
           "NICKEL",
@@ -441,7 +441,7 @@
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "sector": "China",
+        "country": "CN",
         "synonyms": [
           "APT30",
           "LotusBlossom",
@@ -456,7 +456,7 @@
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "sector": "China",
+        "country": "CN",
         "synonyms": [
           "HAFNIUM"
         ]
@@ -469,7 +469,7 @@
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "sector": "China",
+        "country": "CN",
         "synonyms": [
           "APT31",
           "ZIRCONIUM"
@@ -669,7 +669,7 @@
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "sector": "Iran",
+        "country": "IR",
         "synonyms": [
           "NEPTUNIUM",
           "Vice Leaker"
@@ -683,7 +683,7 @@
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "sector": "Iran",
+        "country": "IR",
         "synonyms": [
           "CURIUM",
           "TA456",
@@ -698,7 +698,7 @@
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "sector": "Iran",
+        "country": "IR",
         "synonyms": [
           "DEV-0228"
         ]
@@ -711,7 +711,7 @@
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "sector": "Iran",
+        "country": "IR",
         "synonyms": [
           "DEV-0343"
         ]
@@ -724,7 +724,7 @@
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "sector": "Iran",
+        "country": "IR",
         "synonyms": [
           "APT34",
           "Cobalt Gypsy",
@@ -740,7 +740,7 @@
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "sector": "Iran",
+        "country": "IR",
         "synonyms": [
           "Fox Kitten",
           "PioneerKitten",
@@ -756,7 +756,7 @@
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "sector": "Iran",
+        "country": "IR",
         "synonyms": [
           "MERCURY",
           "MuddyWater",
@@ -773,7 +773,7 @@
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "sector": "Iran",
+        "country": "IR",
         "synonyms": [
           "DEV-0500",
           "Moses Staff"
@@ -787,7 +787,7 @@
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "sector": "Iran",
+        "country": "IR",
         "synonyms": [
           "APT35",
           "Charming Kitten",
@@ -802,7 +802,7 @@
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "sector": "Iran",
+        "country": "IR",
         "synonyms": [
           "APT33",
           "HOLMIUM",
@@ -817,7 +817,7 @@
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "sector": "Iran",
+        "country": "IR",
         "synonyms": [
           "AMERICIUM",
           "Agrius",
@@ -834,7 +834,7 @@
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "sector": "Iran",
+        "country": "IR",
         "synonyms": [
           "DEV-0146",
           "ZeroCleare"
@@ -848,7 +848,7 @@
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "sector": "Iran",
+        "country": "IR",
         "synonyms": [
           "BOHRIUM"
         ]
@@ -861,7 +861,7 @@
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "sector": "Lebanon",
+        "country": "LB",
         "synonyms": [
           "POLONIUM"
         ]
@@ -874,7 +874,7 @@
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "sector": "North Korea",
+        "country": "KP",
         "synonyms": [
           "Labyrinth Chollima",
           "Lazarus",
@@ -889,7 +889,7 @@
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "sector": "North Korea",
+        "country": "KP",
         "synonyms": [
           "Kimsuky",
           "THALLIUM",
@@ -904,7 +904,7 @@
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "sector": "North Korea",
+        "country": "KP",
         "synonyms": [
           "Konni",
           "OSMIUM"
@@ -918,7 +918,7 @@
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "sector": "North Korea",
+        "country": "KP",
         "synonyms": [
           "LAWRENCIUM"
         ]
@@ -931,7 +931,7 @@
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "sector": "North Korea",
+        "country": "KP",
         "synonyms": [
           "CERIUM"
         ]
@@ -944,7 +944,7 @@
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "sector": "North Korea",
+        "country": "KP",
         "synonyms": [
           "BlueNoroff",
           "COPERNICIUM",
@@ -959,7 +959,7 @@
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "sector": "North Korea",
+        "country": "KP",
         "synonyms": [
           "DEV-0530",
           "H0lyGh0st"
@@ -1029,7 +1029,7 @@
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "sector": "Russia",
+        "country": "RU",
         "synonyms": [
           "ACTINIUM",
           "Gamaredon",
@@ -1045,7 +1045,7 @@
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "sector": "Russia",
+        "country": "RU",
         "synonyms": [
           "DEV-0586"
         ]
@@ -1058,7 +1058,7 @@
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "sector": "Russia",
+        "country": "RU",
         "synonyms": [
           "APT28",
           "Fancy Bear",
@@ -1073,7 +1073,7 @@
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "sector": "Russia",
+        "country": "RU",
         "synonyms": [
           "BROMINE",
           "Crouching Yeti",
@@ -1088,7 +1088,7 @@
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "sector": "Russia",
+        "country": "RU",
         "synonyms": [
           "APT29",
           "Cozy Bear",
@@ -1103,7 +1103,7 @@
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "sector": "Russia",
+        "country": "RU",
         "synonyms": [
           "IRIDIUM",
           "Sandworm"
@@ -1117,7 +1117,7 @@
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "sector": "Russia",
+        "country": "RU",
         "synonyms": [
           "Callisto",
           "Reuse Team",
@@ -1132,7 +1132,7 @@
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "sector": "Russia",
+        "country": "RU",
         "synonyms": [
           "DEV-0665"
         ]
@@ -1145,7 +1145,7 @@
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "sector": "South Korea",
+        "country": "KR",
         "synonyms": [
           "DUBNIUM",
           "Dark Hotel",
@@ -1160,7 +1160,7 @@
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "sector": "Turkey",
+        "country": "TR",
         "synonyms": [
           "SILICON",
           "Sea Turtle"
@@ -1174,7 +1174,7 @@
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "sector": "Vietnam",
+        "country": "VN",
         "synonyms": [
           "APT32",
           "BISMUTH",
@@ -1185,5 +1185,5 @@
       "value": "Canvas Cyclone"
     }
   ],
-  "version": 12
+  "version": 13
 }

From 063ac9fc71eaa3a7e5eaef91830031f777a085d6 Mon Sep 17 00:00:00 2001
From: Delta-Sierra <deborah.servili@gmail.com>
Date: Wed, 19 Apr 2023 15:10:25 +0200
Subject: [PATCH 6/7] jq?

---
 clusters/microsoft-activity-group.json | 86 +++++++++++++-------------
 1 file changed, 43 insertions(+), 43 deletions(-)

diff --git a/clusters/microsoft-activity-group.json b/clusters/microsoft-activity-group.json
index 51a3d7cb..375a2bd1 100644
--- a/clusters/microsoft-activity-group.json
+++ b/clusters/microsoft-activity-group.json
@@ -343,10 +343,10 @@
     },
     {
       "meta": {
+        "country": "CN",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "CN",
         "synonyms": [
           "APT41",
           "BARIUM"
@@ -357,10 +357,10 @@
     },
     {
       "meta": {
+        "country": "CN",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "CN",
         "synonyms": [
           "CHROMIUM",
           "ControlX"
@@ -371,10 +371,10 @@
     },
     {
       "meta": {
+        "country": "CN",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "CN",
         "synonyms": [
           "DEV-0322"
         ]
@@ -384,10 +384,10 @@
     },
     {
       "meta": {
+        "country": "CN",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "CN",
         "synonyms": [
           "APT40",
           "GADOLINIUM",
@@ -401,10 +401,10 @@
     },
     {
       "meta": {
+        "country": "CN",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "CN",
         "synonyms": [
           "GALLIUM"
         ]
@@ -414,10 +414,10 @@
     },
     {
       "meta": {
+        "country": "CN",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "CN",
         "synonyms": [
           "DEV-0234"
         ]
@@ -427,10 +427,10 @@
     },
     {
       "meta": {
+        "country": "CN",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "CN",
         "synonyms": [
           "APT5",
           "Keyhole Panda",
@@ -443,10 +443,10 @@
     },
     {
       "meta": {
+        "country": "CN",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "CN",
         "synonyms": [
           "APT15",
           "NICKEL",
@@ -459,10 +459,10 @@
     },
     {
       "meta": {
+        "country": "CN",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "CN",
         "synonyms": [
           "APT30",
           "LotusBlossom",
@@ -474,10 +474,10 @@
     },
     {
       "meta": {
+        "country": "CN",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "CN",
         "synonyms": [
           "HAFNIUM"
         ]
@@ -487,10 +487,10 @@
     },
     {
       "meta": {
+        "country": "CN",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "CN",
         "synonyms": [
           "APT31",
           "ZIRCONIUM"
@@ -687,10 +687,10 @@
     },
     {
       "meta": {
+        "country": "IR",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "IR",
         "synonyms": [
           "NEPTUNIUM",
           "Vice Leaker"
@@ -701,10 +701,10 @@
     },
     {
       "meta": {
+        "country": "IR",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "IR",
         "synonyms": [
           "CURIUM",
           "TA456",
@@ -716,10 +716,10 @@
     },
     {
       "meta": {
+        "country": "IR",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "IR",
         "synonyms": [
           "DEV-0228"
         ]
@@ -729,10 +729,10 @@
     },
     {
       "meta": {
+        "country": "IR",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "IR",
         "synonyms": [
           "DEV-0343"
         ]
@@ -742,10 +742,10 @@
     },
     {
       "meta": {
+        "country": "IR",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "IR",
         "synonyms": [
           "APT34",
           "Cobalt Gypsy",
@@ -758,10 +758,10 @@
     },
     {
       "meta": {
+        "country": "IR",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "IR",
         "synonyms": [
           "Fox Kitten",
           "PioneerKitten",
@@ -774,10 +774,10 @@
     },
     {
       "meta": {
+        "country": "IR",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "IR",
         "synonyms": [
           "MERCURY",
           "MuddyWater",
@@ -791,10 +791,10 @@
     },
     {
       "meta": {
+        "country": "IR",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "IR",
         "synonyms": [
           "DEV-0500",
           "Moses Staff"
@@ -805,10 +805,10 @@
     },
     {
       "meta": {
+        "country": "IR",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "IR",
         "synonyms": [
           "APT35",
           "Charming Kitten",
@@ -820,10 +820,10 @@
     },
     {
       "meta": {
+        "country": "IR",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "IR",
         "synonyms": [
           "APT33",
           "HOLMIUM",
@@ -835,10 +835,10 @@
     },
     {
       "meta": {
+        "country": "IR",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "IR",
         "synonyms": [
           "AMERICIUM",
           "Agrius",
@@ -852,10 +852,10 @@
     },
     {
       "meta": {
+        "country": "IR",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "IR",
         "synonyms": [
           "DEV-0146",
           "ZeroCleare"
@@ -866,10 +866,10 @@
     },
     {
       "meta": {
+        "country": "IR",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "IR",
         "synonyms": [
           "BOHRIUM"
         ]
@@ -879,10 +879,10 @@
     },
     {
       "meta": {
+        "country": "LB",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "LB",
         "synonyms": [
           "POLONIUM"
         ]
@@ -892,10 +892,10 @@
     },
     {
       "meta": {
+        "country": "KP",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "KP",
         "synonyms": [
           "Labyrinth Chollima",
           "Lazarus",
@@ -907,10 +907,10 @@
     },
     {
       "meta": {
+        "country": "KP",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "KP",
         "synonyms": [
           "Kimsuky",
           "THALLIUM",
@@ -922,10 +922,10 @@
     },
     {
       "meta": {
+        "country": "KP",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "KP",
         "synonyms": [
           "Konni",
           "OSMIUM"
@@ -936,10 +936,10 @@
     },
     {
       "meta": {
+        "country": "KP",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "KP",
         "synonyms": [
           "LAWRENCIUM"
         ]
@@ -949,10 +949,10 @@
     },
     {
       "meta": {
+        "country": "KP",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "KP",
         "synonyms": [
           "CERIUM"
         ]
@@ -962,10 +962,10 @@
     },
     {
       "meta": {
+        "country": "KP",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "KP",
         "synonyms": [
           "BlueNoroff",
           "COPERNICIUM",
@@ -977,10 +977,10 @@
     },
     {
       "meta": {
+        "country": "KP",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "KP",
         "synonyms": [
           "DEV-0530",
           "H0lyGh0st"
@@ -1047,10 +1047,10 @@
     },
     {
       "meta": {
+        "country": "RU",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "RU",
         "synonyms": [
           "ACTINIUM",
           "Gamaredon",
@@ -1063,10 +1063,10 @@
     },
     {
       "meta": {
+        "country": "RU",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "RU",
         "synonyms": [
           "DEV-0586"
         ]
@@ -1076,10 +1076,10 @@
     },
     {
       "meta": {
+        "country": "RU",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "RU",
         "synonyms": [
           "APT28",
           "Fancy Bear",
@@ -1091,10 +1091,10 @@
     },
     {
       "meta": {
+        "country": "RU",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "RU",
         "synonyms": [
           "BROMINE",
           "Crouching Yeti",
@@ -1106,10 +1106,10 @@
     },
     {
       "meta": {
+        "country": "RU",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "RU",
         "synonyms": [
           "APT29",
           "Cozy Bear",
@@ -1121,10 +1121,10 @@
     },
     {
       "meta": {
+        "country": "RU",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "RU",
         "synonyms": [
           "IRIDIUM",
           "Sandworm"
@@ -1135,10 +1135,10 @@
     },
     {
       "meta": {
+        "country": "RU",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "RU",
         "synonyms": [
           "Callisto",
           "Reuse Team",
@@ -1150,10 +1150,10 @@
     },
     {
       "meta": {
+        "country": "RU",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "RU",
         "synonyms": [
           "DEV-0665"
         ]
@@ -1163,10 +1163,10 @@
     },
     {
       "meta": {
+        "country": "KR",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "KR",
         "synonyms": [
           "DUBNIUM",
           "Dark Hotel",
@@ -1178,10 +1178,10 @@
     },
     {
       "meta": {
+        "country": "TR",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "TR",
         "synonyms": [
           "SILICON",
           "Sea Turtle"
@@ -1192,10 +1192,10 @@
     },
     {
       "meta": {
+        "country": "VN",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "VN",
         "synonyms": [
           "APT32",
           "BISMUTH",

From bf7005c1c3ee35542d561c2c428fdab409bdc4b6 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy <a@foo.be>
Date: Wed, 19 Apr 2023 16:23:02 +0200
Subject: [PATCH 7/7] chg: [microsoft-activity-group] jq all the things

---
 clusters/microsoft-activity-group.json | 86 +++++++++++++-------------
 1 file changed, 43 insertions(+), 43 deletions(-)

diff --git a/clusters/microsoft-activity-group.json b/clusters/microsoft-activity-group.json
index 9a460902..dd428dcd 100644
--- a/clusters/microsoft-activity-group.json
+++ b/clusters/microsoft-activity-group.json
@@ -322,10 +322,10 @@
     },
     {
       "meta": {
+        "country": "CN",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "CN",
         "synonyms": [
           "APT41",
           "BARIUM"
@@ -336,10 +336,10 @@
     },
     {
       "meta": {
+        "country": "CN",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "CN",
         "synonyms": [
           "CHROMIUM",
           "ControlX"
@@ -350,10 +350,10 @@
     },
     {
       "meta": {
+        "country": "CN",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "CN",
         "synonyms": [
           "DEV-0322"
         ]
@@ -363,10 +363,10 @@
     },
     {
       "meta": {
+        "country": "CN",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "CN",
         "synonyms": [
           "APT40",
           "GADOLINIUM",
@@ -380,10 +380,10 @@
     },
     {
       "meta": {
+        "country": "CN",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "CN",
         "synonyms": [
           "GALLIUM"
         ]
@@ -393,10 +393,10 @@
     },
     {
       "meta": {
+        "country": "CN",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "CN",
         "synonyms": [
           "DEV-0234"
         ]
@@ -406,10 +406,10 @@
     },
     {
       "meta": {
+        "country": "CN",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "CN",
         "synonyms": [
           "APT5",
           "Keyhole Panda",
@@ -422,10 +422,10 @@
     },
     {
       "meta": {
+        "country": "CN",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "CN",
         "synonyms": [
           "APT15",
           "NICKEL",
@@ -438,10 +438,10 @@
     },
     {
       "meta": {
+        "country": "CN",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "CN",
         "synonyms": [
           "APT30",
           "LotusBlossom",
@@ -453,10 +453,10 @@
     },
     {
       "meta": {
+        "country": "CN",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "CN",
         "synonyms": [
           "HAFNIUM"
         ]
@@ -466,10 +466,10 @@
     },
     {
       "meta": {
+        "country": "CN",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "CN",
         "synonyms": [
           "APT31",
           "ZIRCONIUM"
@@ -666,10 +666,10 @@
     },
     {
       "meta": {
+        "country": "IR",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "IR",
         "synonyms": [
           "NEPTUNIUM",
           "Vice Leaker"
@@ -680,10 +680,10 @@
     },
     {
       "meta": {
+        "country": "IR",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "IR",
         "synonyms": [
           "CURIUM",
           "TA456",
@@ -695,10 +695,10 @@
     },
     {
       "meta": {
+        "country": "IR",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "IR",
         "synonyms": [
           "DEV-0228"
         ]
@@ -708,10 +708,10 @@
     },
     {
       "meta": {
+        "country": "IR",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "IR",
         "synonyms": [
           "DEV-0343"
         ]
@@ -721,10 +721,10 @@
     },
     {
       "meta": {
+        "country": "IR",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "IR",
         "synonyms": [
           "APT34",
           "Cobalt Gypsy",
@@ -737,10 +737,10 @@
     },
     {
       "meta": {
+        "country": "IR",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "IR",
         "synonyms": [
           "Fox Kitten",
           "PioneerKitten",
@@ -753,10 +753,10 @@
     },
     {
       "meta": {
+        "country": "IR",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "IR",
         "synonyms": [
           "MERCURY",
           "MuddyWater",
@@ -770,10 +770,10 @@
     },
     {
       "meta": {
+        "country": "IR",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "IR",
         "synonyms": [
           "DEV-0500",
           "Moses Staff"
@@ -784,10 +784,10 @@
     },
     {
       "meta": {
+        "country": "IR",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "IR",
         "synonyms": [
           "APT35",
           "Charming Kitten",
@@ -799,10 +799,10 @@
     },
     {
       "meta": {
+        "country": "IR",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "IR",
         "synonyms": [
           "APT33",
           "HOLMIUM",
@@ -814,10 +814,10 @@
     },
     {
       "meta": {
+        "country": "IR",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "IR",
         "synonyms": [
           "AMERICIUM",
           "Agrius",
@@ -831,10 +831,10 @@
     },
     {
       "meta": {
+        "country": "IR",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "IR",
         "synonyms": [
           "DEV-0146",
           "ZeroCleare"
@@ -845,10 +845,10 @@
     },
     {
       "meta": {
+        "country": "IR",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "IR",
         "synonyms": [
           "BOHRIUM"
         ]
@@ -858,10 +858,10 @@
     },
     {
       "meta": {
+        "country": "LB",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "LB",
         "synonyms": [
           "POLONIUM"
         ]
@@ -871,10 +871,10 @@
     },
     {
       "meta": {
+        "country": "KP",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "KP",
         "synonyms": [
           "Labyrinth Chollima",
           "Lazarus",
@@ -886,10 +886,10 @@
     },
     {
       "meta": {
+        "country": "KP",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "KP",
         "synonyms": [
           "Kimsuky",
           "THALLIUM",
@@ -901,10 +901,10 @@
     },
     {
       "meta": {
+        "country": "KP",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "KP",
         "synonyms": [
           "Konni",
           "OSMIUM"
@@ -915,10 +915,10 @@
     },
     {
       "meta": {
+        "country": "KP",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "KP",
         "synonyms": [
           "LAWRENCIUM"
         ]
@@ -928,10 +928,10 @@
     },
     {
       "meta": {
+        "country": "KP",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "KP",
         "synonyms": [
           "CERIUM"
         ]
@@ -941,10 +941,10 @@
     },
     {
       "meta": {
+        "country": "KP",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "KP",
         "synonyms": [
           "BlueNoroff",
           "COPERNICIUM",
@@ -956,10 +956,10 @@
     },
     {
       "meta": {
+        "country": "KP",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "KP",
         "synonyms": [
           "DEV-0530",
           "H0lyGh0st"
@@ -1026,10 +1026,10 @@
     },
     {
       "meta": {
+        "country": "RU",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "RU",
         "synonyms": [
           "ACTINIUM",
           "Gamaredon",
@@ -1042,10 +1042,10 @@
     },
     {
       "meta": {
+        "country": "RU",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "RU",
         "synonyms": [
           "DEV-0586"
         ]
@@ -1055,10 +1055,10 @@
     },
     {
       "meta": {
+        "country": "RU",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "RU",
         "synonyms": [
           "APT28",
           "Fancy Bear",
@@ -1070,10 +1070,10 @@
     },
     {
       "meta": {
+        "country": "RU",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "RU",
         "synonyms": [
           "BROMINE",
           "Crouching Yeti",
@@ -1085,10 +1085,10 @@
     },
     {
       "meta": {
+        "country": "RU",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "RU",
         "synonyms": [
           "APT29",
           "Cozy Bear",
@@ -1100,10 +1100,10 @@
     },
     {
       "meta": {
+        "country": "RU",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "RU",
         "synonyms": [
           "IRIDIUM",
           "Sandworm"
@@ -1114,10 +1114,10 @@
     },
     {
       "meta": {
+        "country": "RU",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "RU",
         "synonyms": [
           "Callisto",
           "Reuse Team",
@@ -1129,10 +1129,10 @@
     },
     {
       "meta": {
+        "country": "RU",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "RU",
         "synonyms": [
           "DEV-0665"
         ]
@@ -1142,10 +1142,10 @@
     },
     {
       "meta": {
+        "country": "KR",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "KR",
         "synonyms": [
           "DUBNIUM",
           "Dark Hotel",
@@ -1157,10 +1157,10 @@
     },
     {
       "meta": {
+        "country": "TR",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "TR",
         "synonyms": [
           "SILICON",
           "Sea Turtle"
@@ -1171,10 +1171,10 @@
     },
     {
       "meta": {
+        "country": "VN",
         "refs": [
           "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
         ],
-        "country": "VN",
         "synonyms": [
           "APT32",
           "BISMUTH",