diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 18832e5b..1d7e6222 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -11,7 +11,8 @@ "Byzantine Candor", "Group 3", "TG-8223", - "Comment Group" + "Comment Group", + "Brown Fox" ], "country": "CN", "refs": [ @@ -48,10 +49,14 @@ "country": "CN", "refs": [ "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks", + "http://www.isightpartners.com/2015/02/codoso/#sthash.VJMDVPQB.dpuf", + "http://researchcenter.paloaltonetworks.com/2016/01/new-attacks-linked-to-c0d0s0-group/", "https://www.nytimes.com/2016/06/12/technology/the-chinese-hackers-in-the-back-office.html" ], "synonyms": [ "C0d0so", + "APT19", + "APT 19", "Sunshop Group" ] } @@ -76,44 +81,65 @@ }, { "meta": { - "country": "CN" + "country": "CN", + "synonyms": [ + "temp.bottle" + ] }, "value": "Keyhole Panda" }, { "meta": { - "country": "CN" + "country": "CN", + "refs": [ + "http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf" + ] }, "value": "Wet Panda" }, { "meta": { - "country": "CN" + "country": "CN", + "refs": [ + "https://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf" + ] }, "value": "Foxy Panda", "description": "Adversary group targeting telecommunication and technology organizations." }, { "meta": { - "country": "CN" + "country": "CN", + "refs": [ + "http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf" + ] }, "value": "Predator Panda" }, { "meta": { - "country": "CN" + "country": "CN", + "refs": [ + "http://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf" + ] }, "value": "Union Panda" }, { "meta": { - "country": "CN" + "country": "CN", + "refs": [ + "http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf" + ] }, "value": "Spicy Panda" }, { "meta": { - "country": "CN" + "country": "CN", + "refs": [ + "http://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf" + ] }, "value": "Eloquent Panda" }, @@ -169,11 +195,18 @@ "meta": { "synonyms": [ "DUBNIUM", - "Fallout Team" + "Fallout Team", + "Karba", + "Luder", + "Nemim", + "Tapaoux" ], "refs": [ "https://securelist.com/blog/research/71713/darkhotels-attacks-in-2015/", - "https://blogs.technet.microsoft.com/mmpc/2016/06/09/reverse-engineering-dubnium-2" + "https://blogs.technet.microsoft.com/mmpc/2016/06/09/reverse-engineering-dubnium-2", + "https://securelist.com/blog/research/66779/the-darkhotel-apt/", + "http://drops.wooyun.org/tips/11726", + "https://labs.bitdefender.com/wp-content/uploads/downloads/inexsmar-an-unusual-darkhotel-campaign/" ] }, "value": "DarkHotel", @@ -187,6 +220,8 @@ "BeeBus", "Group 22", "DynCalc", + "Calc Team", + "DNSCalc", "Crimson Iron", "APT12", "APT 12" @@ -234,6 +269,7 @@ "TG-0416", "APT 18", "SCANDIUM", + "PLA Navy", "APT18" ], "country": "CN", @@ -269,6 +305,11 @@ "Blackfly", "Lead", "Wicked Spider", + "APT17", + "APT 17", + "Dogfish", + "Deputy Dog", + "Wicked Panda", "Barium" ], "country": "CN", @@ -306,6 +347,8 @@ "meta": { "synonyms": [ "PLA Unit 78020", + "APT 30", + "APT30", "Override Panda", "Camerashy", "APT.Naikon" @@ -338,12 +381,19 @@ "synonyms": [ "Elise" ], - "country": "CN" + "country": "CN", + "refs": [ + "http://www.crowdstrike.com/blog/rhetoric-foreshadows-cyber-activity-in-the-south-china-sea/" + ] }, "value": "Lotus Panda" }, { "meta": { + "synonyms": [ + "Black Vine", + "TEMP.Avengers" + ], "country": "CN", "refs": [ "http://www.crowdstrike.com/blog/cyber-deterrence-in-action-a-story-of-one-long-hurricane-panda-campaign/" @@ -358,6 +408,8 @@ "APT 27", "TEMP.Hippo", "Group 35", + "Bronze Union", + "ZipToken", "HIPPOTeam", "APT27", "Operation Iron Tiger" @@ -436,11 +488,13 @@ "Playful Dragon", "APT 15", "Metushy", + "Lurid", "Social Network Team" ], "country": "CN", "refs": [ - "https://www.fireeye.com/blog/threat-research/2014/09/forced-to-adapt-xslcmd-backdoor-now-on-os-x.html" + "https://www.fireeye.com/blog/threat-research/2014/09/forced-to-adapt-xslcmd-backdoor-now-on-os-x.html", + "http://arstechnica.com/security/2015/04/elite-cyber-crime-group-strikes-back-after-attack-by-rival-apt-gang/" ] }, "value": "Mirage" @@ -482,7 +536,8 @@ ], "country": "CN", "refs": [ - "https://securelist.com/blog/research/57331/the-icefog-apt-a-tale-of-cloak-and-three-daggers/" + "https://securelist.com/blog/research/57331/the-icefog-apt-a-tale-of-cloak-and-three-daggers/", + "https://securelist.com/blog/incidents/58209/the-icefog-apt-hits-us-targets-with-java-backdoor/" ] }, "value": "Ice Fog", @@ -543,6 +598,7 @@ "PLA Navy", "APT4", "APT 4", + "Wisp Team", "Getkys", "SykipotGroup", "Wkysol" @@ -569,6 +625,8 @@ "synonyms": [ "APT20", "APT 20", + "APT8", + "APT 8", "TH3Bug" ] }, @@ -605,7 +663,8 @@ "meta": { "country": "CN", "refs": [ - "https://community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india" + "https://community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india", + "http://www.crowdstrike.com/blog/rhetoric-foreshadows-cyber-activity-in-the-south-china-sea/" ], "synonyms": [ "APT23", @@ -625,7 +684,8 @@ "Group 26" ], "refs": [ - "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-operation-saffron-rose.pdf" + "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-operation-saffron-rose.pdf", + "https://www.crowdstrike.com/blog/cat-scratch-fever-crowdstrike-tracks-newly-reported-iranian-actor-flying-kitten/" ] }, "value": "Flying Kitten", @@ -653,11 +713,20 @@ "synonyms": [ "Newscaster", "Parastoo", + "iKittens", "Group 83", "Newsbeef" ], "refs": [ - "https://en.wikipedia.org/wiki/Operation_Newscaster" + "https://en.wikipedia.org/wiki/Operation_Newscaster", + "https://iranthreats.github.io/resources/macdownloader-macos-malware/", + "https://www.isightpartners.com/2014/05/newscaster-iranian-threat-inside-social-media/", + "https://www.forbes.com/sites/thomasbrewster/2017/07/27/iran-hackers-oilrig-use-fake-personas-on-facebook-linkedin-for-cyberespionage/", + "https://cryptome.org/2012/11/parastoo-hacks-iaea.htm", + "https://securelist.com/files/2017/03/Report_Shamoon_StoneDrill_final.pdf", + "https://securelist.com/blog/software/74503/freezer-paper-around-free-meat/", + "https://www.verfassungsschutz.de/download/broschuere-2016-10-bfv-cyber-brief-2016-04.pdf", + "https://github.com/gasgas4/APT_CyberCriminal_Campagin/tree/master/2014/2014.05.28.NewsCaster_An_Iranian_Threat_Within_Social_Networks" ] }, "value": "Charming Kitten", @@ -692,7 +761,8 @@ "synonyms": [ "TEMP.Beanie", "Operation Woolen Goldfish", - "Thamar Reservoir" + "Thamar Reservoir", + "Timberworm" ], "country": "IR", "refs": [ @@ -700,7 +770,10 @@ "https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-the-spy-kittens-are-back.pdf", "http://www.clearskysec.com/thamar-reservoir/", "https://citizenlab.org/2015/08/iran_two_factor_phishing/", - "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf" + "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf", + "https://www.symantec.com/connect/blogs/shamoon-multi-staged-destructive-attacks-limited-specific-targets", + "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/", + "https://en.wikipedia.org/wiki/Rocket_Kitten" ] }, "description": "Targets Saudi Arabia, Israel, US, Iran, high ranking defense officials, embassies of various target countries, notable Iran researchers, human rights activists, media and journalists, academic institutions and various scholars, including scientists in the fields of physics and nuclear sciences.", @@ -714,10 +787,15 @@ "Tarh Andishan", "Alibaba", "2889", - "TG-2889" + "TG-2889", + "Cobalt Gypsy", + "Ghambar", + "Cutting Kitten" ], "refs": [ - "http://cdn2.hubspot.net/hubfs/270968/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf" + "http://cdn2.hubspot.net/hubfs/270968/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf", + "https://www.secureworks.com/research/the-curious-case-of-mia-ash", + "http://www.secureworks.com/cyber-threat-intelligence/threats/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles/" ] }, "value": "Cleaver", @@ -763,11 +841,17 @@ "STRONTIUM", "TAG_0700", "Swallowtail", - "IRON TWILIGHT" + "IRON TWILIGHT", + "Group 74" ], "country": "RU", "refs": [ - "https://en.wikipedia.org/wiki/Sofacy_Group" + "https://en.wikipedia.org/wiki/Sofacy_Group", + "https://aptnotes.malwareconfig.com/web/viewer.html?file=../APTnotes/2014/apt28.pdf", + "http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-pawn-storm.pdf", + "https://www2.fireeye.com/rs/848-DID-242/images/wp-mandiant-matryoshka-mining.pdf", + "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", + "http://researchcenter.paloaltonetworks.com/2016/06/unit42-new-sofacy-attacks-against-us-government-agency/" ] }, "description": "The Sofacy Group (also known as APT28, Pawn Storm, Fancy Bear and Sednit) is a cyber espionage group believed to have ties to the Russian government. Likely operating since 2007, the group is known to target government, military, and security organizations. It has been characterized as an advanced persistent threat.", @@ -790,11 +874,15 @@ "Cozy Bear", "The Dukes", "Minidionis", - "SeaDuke" + "SeaDuke", + "Hammer Toss" ], "country": "RU", "refs": [ - "https://labsblog.f-secure.com/2015/09/17/the-dukes-7-years-of-russian-cyber-espionage/" + "https://labsblog.f-secure.com/2015/09/17/the-dukes-7-years-of-russian-cyber-espionage/", + "https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf", + "https://www.us-cert.gov/sites/default/files/publications/AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf", + "https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html" ] }, "value": "APT 29", @@ -819,7 +907,13 @@ "refs": [ "https://www.first.org/resources/papers/tbilisi2014/turla-operations_and_development.pdf", "https://www.circl.lu/pub/tr-25/", - "https://www.theguardian.com/technology/2014/aug/07/turla-hackers-spying-governments-researcher-kaspersky-symantec" + "https://www.theguardian.com/technology/2014/aug/07/turla-hackers-spying-governments-researcher-kaspersky-symantec", + "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf", + "https://securelist.com/analysis/publications/65545/the-epic-turla-operation/", + "https://securelist.com/blog/research/72081/satellite-turla-apt-command-and-control-in-the-sky/", + "https://securelist.com/blog/research/67962/the-penquin-turla-2/", + "https://www2.fireeye.com/rs/848-DID-242/images/rpt-witchcoven.pdf", + "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/" ], "country": "RU" }, @@ -838,7 +932,10 @@ ], "country": "RU", "refs": [ - "http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/" + "http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/", + "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf", + "http://www.netresec.com/?page=Blog&month=2014-10&post=Full-Disclosure-of-Havex-Trojans", + "https://threatpost.com/energy-watering-hole-attack-used-lightsout-exploit-kit/104772/" ] }, "description": "A Russian group that collects intelligence on the energy industry.", @@ -851,11 +948,16 @@ "Black Energy", "BlackEnergy", "Quedagh", - "Voodoo Bear" + "Voodoo Bear", + "TEMP.Noble" ], "country": "RU", "refs": [ - "http://www.isightpartners.com/2014/10/cve-2014-4114/" + "http://www.isightpartners.com/2014/10/cve-2014-4114/", + "http://www.isightpartners.com/2016/01/ukraine-and-sandworm-team/", + "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf", + "https://www.us-cert.gov/ncas/alerts/TA17-163A", + "https://ics.sans.org/blog/2016/01/09/confirmation-of-a-coordinated-attack-on-the-ukrainian-power-grid" ] }, "value": "Sandworm" @@ -865,6 +967,9 @@ "country": "RU", "refs": [ "http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/" + ], + "synonyms": [ + "Sandworm" ] }, "value": "TeleBots", @@ -880,7 +985,12 @@ "country": "RU", "refs": [ "https://en.wikipedia.org/wiki/Carbanak", - "https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor" + "https://securelist.com/files/2015/02/Carbanak_APT_eng.pdf", + "http://2014.zeronights.ru/assets/files/slides/ivanovb-zeronights.pdf", + "https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks", + "https://blog.cyber4sight.com/2017/04/similarities-between-carbanak-and-fin7-malware-suggest-actors-are-closely-related/", + "https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor", + "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns" ], "motive": "Cybercrime" }, @@ -892,7 +1002,8 @@ "synonyms": [ "TeamSpy", "Team Bear", - "Berserk Bear" + "Berserk Bear", + "Anger Bear" ], "country": "RU", "refs": [ @@ -969,11 +1080,20 @@ "country": "KP", "synonyms": [ "Operation DarkSeoul", - "Hidden Cobra" + "Dark Seoul", + "Hidden Cobra", + "Hastati Group", + "Andariel", + "Unit 121", + "Bureau 121", + "NewRomanic Cyber Army Team", + "Bluenoroff" ], "refs": [ "https://threatpost.com/operation-blockbuster-coalition-ties-destructive-attacks-to-lazarus-group/116422/", - "https://www.us-cert.gov/ncas/alerts/TA17-164A" + "https://www.us-cert.gov/ncas/alerts/TA17-164A", + "https://securelist.com/lazarus-under-the-hood/77908/", + "http://www.mcafee.com/us/resources/white-papers/wp-dissecting-operation-troy.pdf" ] }, "value": "Lazarus Group", @@ -1007,7 +1127,10 @@ "synonyms": [ "TunisianCyberArmy" ], - "country": "TN" + "country": "TN", + "refs": [ + "https://www.crowdstrike.com/blog/regional-conflict-and-cyber-blowback/" + ] }, "value": "Corsair Jackal" }, @@ -1016,7 +1139,11 @@ "meta": { "country": "FR", "refs": [ - "https://securelist.com/blog/research/69114/animals-in-the-apt-farm/" + "https://securelist.com/blog/research/69114/animals-in-the-apt-farm/", + "https://motherboard.vice.com/read/meet-babar-a-new-malware-almost-certainly-created-by-france", + "http://www.cyphort.com/evilbunny-malware-instrumented-lua/", + "http://www.cyphort.com/babar-suspected-nation-state-spyware-spotlight/", + "https://blog.gdatasoftware.com/blog/article/babar-espionage-software-finally-found-and-put-under-the-microscope.html" ], "synonyms": [ "Animal Farm" @@ -1111,7 +1238,9 @@ ], "refs": [ "https://securelist.com/blog/research/75328/the-dropping-elephant-actor/", - "http://www.symantec.com/connect/blogs/patchwork-cyberespionage-group-expands-targets-governments-wide-range-industries" + "http://www.symantec.com/connect/blogs/patchwork-cyberespionage-group-expands-targets-governments-wide-range-industries", + "https://blogs.forcepoint.com/security-labs/monsoon-analysis-apt-campaign", + "https://www.cymmetria.com/patchwork-targeted-attack/" ] }, "description": "Dropping Elephant (also known as “Chinastrats” and “Patchwork“) is a relatively new threat actor that is targeting a variety of high profile diplomatic and economic targets using a custom set of attack tools. Its victims are all involved with China’s foreign relations in some way, and are generally caught through spear-phishing or watering hole attacks.", @@ -1155,7 +1284,11 @@ ], "refs": [ "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf", - "https://attack.mitre.org/wiki/Groups" + "https://attack.mitre.org/wiki/Groups", + "http://researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/", + "http://researchcenter.paloaltonetworks.com/2017/01/unit42-dragonok-updates-toolset-targets-multiple-geographic-regions/", + "https://blogs.forcepoint.com/security-labs/trojanized-adobe-installer-used-install-dragonok%E2%80%99s-new-custom-backdoor", + "http://www.morphick.com/resources/news/deep-dive-dragonok-rambo-backdoor" ], "country": "CN" }, @@ -1224,7 +1357,8 @@ { "meta": { "refs": [ - "http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates" + "http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates", + "http://www.symantec.com/connect/blogs/indian-organizations-targeted-suckfly-attacks" ], "country": "CN" }, @@ -1262,9 +1396,21 @@ { "meta": { "refs": [ - "http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/" + "https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html", + "http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/", + "http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/", + "http://www.clearskysec.com/oilrig/", + "https://cert.gov.il/Updates/Alerts/SiteAssets/CERT-IL-ALERT-W-120.pdf", + "http://researchcenter.paloaltonetworks.com/2017/04/unit42-oilrig-actors-provide-glimpse-development-testing-efforts/", + "http://blog.morphisec.com/iranian-fileless-cyberattack-on-israel-word-vulnerability%20", + "https://www.forbes.com/sites/thomasbrewster/2017/02/15/oilrig-iran-hackers-cyberespionage-us-turkey-saudi-arabia/#56749aa2468a", + "https://researchcenter.paloaltonetworks.com/2017/07/unit42-twoface-webshell-persistent-access-point-lateral-movement/" ], - "country": "IR" + "country": "IR", + "synonyms": [ + "Twisted Kitten", + "Cobalt Gypsy" + ] }, "value": "OilRig", "description": "Iranian threat agent OilRig has been targeting multiple organisations in Israel and other countries in the Middle East since the end of 2015." @@ -1307,6 +1453,7 @@ ], "synonyms": [ "Gaza Hackers Team", + "Gaza cybergang", "Operation Molerats", "Extreme Jackal", "Moonlight" @@ -1424,6 +1571,11 @@ "country": "US", "refs": [ "https://en.wikipedia.org/wiki/Equation_Group" + ], + "synonyms": [ + "Tilded Team", + "Lamberts", + "EQGRP" ] } }, @@ -1432,8 +1584,10 @@ "description": "Greenbug was discovered targeting a range of organizations in the Middle East including companies in the aviation, energy, government, investment, and education sectors.", "meta": { "refs": [ - "https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon" - ] + "https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon", + "https://researchcenter.paloaltonetworks.com/2017/07/unit42-oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group/" + ], + "country": "IR" } }, { @@ -1449,7 +1603,8 @@ "meta": { "country": "CN", "synonyms": [ - "Zhenbao" + "Zhenbao", + "TEMP.Zhenbao" ], "refs": [ "http://www.darkreading.com/endpoint/chinese-cyberspies-pivot-to-russia-in-wake-of-obama-xi-pact/d/d-id/1324242" @@ -1465,7 +1620,10 @@ "Operation Mermaid" ], "refs": [ - "https://www.blackhat.com/docs/us-16/materials/us-16-Guarnieri-Iran-And-The-Soft-War-For-Internet-Dominance-wp.pdf" + "https://www.blackhat.com/docs/us-16/materials/us-16-Guarnieri-Iran-And-The-Soft-War-For-Internet-Dominance-wp.pdf", + "https://iranthreats.github.io/", + "http://researchcenter.paloaltonetworks.com/2016/05/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/", + "https://researchcenter.paloaltonetworks.com/2017/08/unit42-prince-persia-ride-lightning-infy-returns-foudre/" ] }, "value": "Infy", @@ -1475,7 +1633,8 @@ "meta": { "country": "IR", "refs": [ - "https://www.blackhat.com/docs/us-16/materials/us-16-Guarnieri-Iran-And-The-Soft-War-For-Internet-Dominance-wp.pdf" + "https://www.blackhat.com/docs/us-16/materials/us-16-Guarnieri-Iran-And-The-Soft-War-For-Internet-Dominance-wp.pdf", + "https://iranthreats.github.io/" ] }, "value": "Sima", @@ -1488,7 +1647,8 @@ "Cloudy Omega" ], "refs": [ - "https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/" + "https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/", + "http://www.kaspersky.com/about/news/virus/2015/Blue-Termite-A-Sophisticated-Cyber-Espionage-Campaign-is-After-High-Profile-Japanese-Targets" ] }, "value": "Blue Termite", @@ -1507,7 +1667,8 @@ { "meta": { "refs": [ - "https://www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-group-linked-vault-7" + "https://www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-group-linked-vault-7", + "https://www.bleepingcomputer.com/news/security/longhorn-cyber-espionage-group-is-actually-the-cia/" ], "country": "US" }, @@ -1528,11 +1689,17 @@ "synonyms": [ "OceanLotus Group", "Ocean Lotus", + "Cobalt Kitty", + "APT-C-00", + "SeaLotus", "APT-32", "APT 32" ], "refs": [ - "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html" + "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html", + "https://www.cybereason.com/labs-operation-cobalt-kitty-a-large-scale-apt-in-asia-carried-out-by-the-oceanlotus-group/", + "https://www.scmagazineuk.com/ocean-lotus-groupapt-32-identified-as-vietnamese-apt-group/article/663565/", + "https://www.brighttalk.com/webcast/10703/261205" ] }, "value": "APT32", @@ -1571,6 +1738,9 @@ "refs": [ "http://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf", "https://blogs.technet.microsoft.com/mmpc/2016/04/26/digging-deep-for-platinum/" + ], + "synonyms": [ + "TwoForOne" ] } }, @@ -1581,6 +1751,9 @@ "refs": [ "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf", "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" + ], + "synonyms": [ + "Sandworm" ] } }, @@ -1618,6 +1791,424 @@ "Cobalt gang" ] } + }, + { + "meta": { + "country": "CN", + "refs": [ + "https://www.proofpoint.com/us/threat-insight/post/apt-targets-financial-analysts#.WS3IBVFV4no.twitter" + ] + }, + "value": "TA459" + }, + { + "meta": { + "refs": [ + "https://www.threatconnect.com/blog/russia-hacks-bellingcat-mh17-investigation/#.V-wnrubaeEU.twitter" + ], + "country": "RU" + }, + "value": "Cyber Berkut" + }, + { + "meta": { + "country": "CN", + "refs": [ + "https://www.wsj.com/articles/chinas-secret-weapon-in-south-korea-missile-fight-hackers-1492766403?emailToken=JRrydPtyYnqTg9EyZsw31FwuZ7JNEOKCXF7LaW/HM1DLsjnUp6e6wLgph560pnmiTAN/5ssf7moyADPQj2p2Gc+YkL1yi0zhIiUM9M6aj1HTYQ==", + "https://arstechnica.com/information-technology/2017/04/researchers-claim-china-trying-to-hack-south-korea-missile-defense-efforts/" + ] + }, + "value": "Tonto Team" + }, + { + "value": "Danti", + "meta": { + "refs": [ + "https://securelist.com/analysis/publications/74828/cve-2015-2545-overview-of-current-threats/" + ] + } + }, + { + "value": "APT5", + "meta": { + "refs": [ + "https://www.fireeye.com/current-threats/apt-groups.html" + ] + } + }, + { + "meta": { + "country": "CN", + "synonyms": [ + "APT22" + ], + "refs": [ + "http://www.slideshare.net/CTruncer/ever-present-persistence-established-footholds-seen-in-the-wild" + ] + }, + "value": "APT 22" + }, + { + "meta": { + "synonyms": [ + "Bronze Butler" + ], + "country": "CN", + "refs": [ + "https://www.symantec.com/connect/blogs/tick-cyberespionage-group-zeros-japan", + "https://www.secureworks.jp/resources/rp-bronze-butler", + "https://researchcenter.paloaltonetworks.com/2017/07/unit42-tick-group-continues-attacks/", + "http://blog.jpcert.or.jp/2017/08/detecting-datper-malware-from-proxy-logs.html" + ] + }, + "value": "Tick" + }, + { + "meta": { + "synonyms": [ + "APT26", + "Hippo Team", + "JerseyMikes" + ], + "country": "CN" + }, + "value": "APT 26" + }, + { + "meta": { + "country": "CN", + "refs": [ + "http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf" + ] + }, + "value": "Sabre Panda" + }, + { + "meta": { + "country": "CN", + "refs": [ + "http://www.darkreading.com/attacks-and-breaches/crowdstrike-falcon-traces-attacks-back-to-hackers/d/d-id/1110402?" + ] + }, + "value": "Big Panda" + }, + { + "meta": { + "country": "CN", + "refs": [ + "http://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf" + ] + }, + "value": "Poisonous Panda" + }, + { + "value": "Ghost Jackal", + "meta": { + "refs": [ + "https://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf" + ] + } + }, + { + "meta": { + "country": "KP", + "refs": [ + "https://www.isightpartners.com/2016/02/threatscape-media-highlights-update-week-of-february-17th/" + ] + }, + "value": "TEMP.Hermit" + }, + { + "meta": { + "synonyms": [ + "Superman" + ], + "country": "CN", + "refs": [ + "https://blog.fox-it.com/2016/06/15/mofang-a-politically-motivated-information-stealing-adversary/", + "https://www.threatconnect.com/china-superman-apt/" + ] + }, + "value": "Mofang" + }, + { + "meta": { + "country": "IR", + "synonyms": [ + "Slayer Kitten" + ], + "refs": [ + "https://s3-eu-west-1.amazonaws.com/minervaresearchpublic/CopyKittens/CopyKittens.pdf", + "https://blog.domaintools.com/2017/03/hunt-case-study-hunting-campaign-indicators-on-privacy-protected-attack-infrastructure/", + "http://www.clearskysec.com/copykitten-jpost/", + "http://www.clearskysec.com/tulip/" + ] + }, + "value": "CopyKittens" + }, + { + "value": "EvilPost", + "meta": { + "refs": [ + "https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html" + ] + } + }, + { + "meta": { + "country": "CN", + "refs": [ + "https://securelist.com/analysis/publications/74828/cve-2015-2545-overview-of-current-threats/" + ] + }, + "value": "SVCMONDR", + "description": "The referenced link links this group to Temper Panda" + }, + { + "value": "Test Panda", + "meta": { + "country": "CN", + "refs": [ + "http://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem" + ] + } + }, + { + "meta": { + "country": "IR", + "refs": [ + "https://securelist.com/blog/incidents/33693/the-madi-campaign-part-i-5/", + "https://securelist.com/blog/incidents/33701/the-madi-campaign-part-ii-53/" + ] + }, + "value": "Madi" + }, + { + "meta": { + "country": "CN", + "refs": [ + "http://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem" + ] + }, + "value": "Electric Panda" + }, + { + "meta": { + "country": "CN", + "synonyms": [ + "PLA Navy", + "Sykipot" + ], + "refs": [ + "https://www.alienvault.com/open-threat-exchange/blog/new-sykipot-developments", + "http://blog.trendmicro.com/trendlabs-security-intelligence/sykipot-now-targeting-us-civil-aviation-sector-information/", + "https://www.sans.org/reading-room/whitepapers/malicious/detailed-analysis-sykipot-smartcard-proxy-variant-33919" + ] + }, + "value": "Maverick Panda" + }, + { + "meta": { + "country": "KP", + "refs": [ + "http://securelist.com/analysis/57915/the-kimsuky-operation-a-north-korean-apt/" + ] + }, + "value": "Kimsuki" + }, + { + "value": "Snake Wine", + "meta": { + "refs": [ + "https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html" + ] + } + }, + { + "value": "Careto", + "meta": { + "refs": [ + "https://securelist.com/blog/research/58254/the-caretomask-apt-frequently-asked-questions/" + ], + "synonyms": [ + "The Mask" + ] + } + }, + { + "meta": { + "country": "CN", + "refs": [ + "http://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem" + ] + }, + "value": "Gibberish Panda" + }, + { + "meta": { + "country": "KP", + "refs": [ + "http://news.softpedia.com/news/korean-energy-and-transportation-targets-attacked-by-oniondog-apt-501534.shtml" + ] + }, + "value": "OnionDog" + }, + { + "meta": { + "country": "IR", + "synonyms": [ + "Group 41" + ], + "refs": [ + "http://www.crowdstrike.com/blog/whois-clever-kitten/" + ] + }, + "value": "Clever Kitten" + }, + { + "meta": { + "refs": [ + "https://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf" + ] + }, + "value": "Andromeda Spider" + }, + { + "value": "Cyber Caliphate Army", + "meta": { + "refs": [ + "https://en.wikipedia.org/wiki/Islamic_State_Hacking_Division", + "https://ent.siteintelgroup.com/index.php?option=com_customproperties&view=search&task=tag&bind_to_category=content:37&tagId=697" + ], + "synonyms": [ + "Islamic State Hacking Division", + "CCA", + "United Cyber Caliphate", + "UUC" + ] + } + }, + { + "meta": { + "country": "RU", + "refs": [ + "http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf" + ] + }, + "value": "Magnetic Spider" + }, + { + "meta": { + "country": "CN", + "refs": [ + "https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-2015-08-Uncovering-the-Seven-Pointed-Dagger.pdf" + ] + }, + "value": "Group 27" + }, + { + "meta": { + "refs": [ + "https://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf" + ] + }, + "value": "Singing Spider" + }, + { + "meta": { + "country": "IR", + "synonyms": [ + "Fraternal Jackal" + ], + "refs": [ + "http://pastebin.com/u/QassamCyberFighters", + "http://ddanchev.blogspot.com.es/2012/09/dissecting-operation-ababil-osint.html" + ] + }, + "value": "Cyber fighters of Izz Ad-Din Al Qassam" + }, + { + "meta": { + "synonyms": [ + "1.php Group", + "APT6" + ], + "country": "CN" + }, + "value": "APT 6" + }, + { + "value": "AridViper", + "meta": { + "refs": [ + "http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf", + "http://securityaffairs.co/wordpress/33785/cyber-crime/arid-viper-israel-sex-video.html", + "https://securelist.com/blog/research/68817/the-desert-falcons-targeted-attacks/", + "https://ti.360.com/upload/report/file/APTSWXLVJ8fnjoxck.pdf", + "https://blog.lookout.com/blog/2017/02/16/viperrat-mobile-apt/", + "https://securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/", + "https://www.proofpoint.com/us/threat-insight/post/Operation-Arid-Viper-Slithers-Back-Into-View", + "https://www.ci-project.org/blog/2017/3/4/arid-viper", + "http://blog.talosintelligence.com/2017/06/palestine-delphi.html", + "https://www.threatconnect.com/blog/kasperagent-malware-campaign/" + ], + "synonyms": [ + "Desert Falcon", + "Arid Viper", + "APT-C-23" + ] + } + }, + { + "meta": { + "refs": [ + "https://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf" + ] + }, + "value": "Dextorous Spider" + }, + { + "value": "Unit 8200", + "meta": { + "country": "IL", + "refs": [ + "https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/", + "https://archive.org/details/Stuxnet" + ], + "synonyms": [ + "Duqu Group" + ] + } + }, + { + "meta": { + "refs": [ + "https://securelist.com/introducing-whitebear/81638/" + ], + "synonyms": [ + "Skipper Turla" + ], + "country": "RU" + }, + "value": "White Bear" + }, + { + "meta": { + "country": "CN", + "refs": [ + "http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf" + ] + }, + "value": "Pale Panda" + }, + { + "meta": { + "country": "CN", + "refs": [ + "https://www.isightpartners.com/2016/02/threatscape-media-highlights-update-week-of-february-17th/" + ] + }, + "value": "Mana Team" } ], "name": "Threat actor", @@ -1632,5 +2223,5 @@ ], "description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign.", "uuid": "7cdff317-a673-4474-84ec-4f1754947823", - "version": 26 + "version": 27 }