mirror of https://github.com/MISP/misp-galaxy
update threat actor galaxy
parent
11c2f43c9f
commit
20e77afcc3
|
@ -100,7 +100,9 @@
|
||||||
"attribution-confidence": "50",
|
"attribution-confidence": "50",
|
||||||
"country": "CN",
|
"country": "CN",
|
||||||
"refs": [
|
"refs": [
|
||||||
"http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_nitro_attacks.pdf"
|
"http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_nitro_attacks.pdf",
|
||||||
|
"https://unit42.paloaltonetworks.com/new-indicators-compromise-apt-group-nitro-uncovered/",
|
||||||
|
"https://blog.trendmicro.com/trendlabs-security-intelligence/the-significance-of-the-nitro-attacks/"
|
||||||
],
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"Covert Grove"
|
"Covert Grove"
|
||||||
|
@ -804,7 +806,12 @@
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://securelist.com/analysis/publications/69953/the-naikon-apt/",
|
"https://securelist.com/analysis/publications/69953/the-naikon-apt/",
|
||||||
"https://www.fireeye.com/blog/threat-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html",
|
"https://www.fireeye.com/blog/threat-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html",
|
||||||
"https://www.cfr.org/interactive/cyber-operations/apt-30"
|
"https://www.cfr.org/interactive/cyber-operations/apt-30",
|
||||||
|
"https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf",
|
||||||
|
"https://blog.trendmicro.com/trendlabs-security-intelligence/bkdr_rarstone-new-rat-to-watch-out-for/",
|
||||||
|
"https://securelist.com/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back/69567/",
|
||||||
|
"https://threatconnect.com/tag/naikon/",
|
||||||
|
"https://attack.mitre.org/groups/G0019/"
|
||||||
],
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"PLA Unit 78020",
|
"PLA Unit 78020",
|
||||||
|
@ -813,7 +820,8 @@
|
||||||
"Override Panda",
|
"Override Panda",
|
||||||
"Camerashy",
|
"Camerashy",
|
||||||
"APT.Naikon",
|
"APT.Naikon",
|
||||||
"Lotus Panda"
|
"Lotus Panda",
|
||||||
|
"Hellsing"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"related": [
|
"related": [
|
||||||
|
@ -1171,7 +1179,9 @@
|
||||||
"attribution-confidence": "50",
|
"attribution-confidence": "50",
|
||||||
"country": "CN",
|
"country": "CN",
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://kc.mcafee.com/corporate/index?page=content&id=KB71150"
|
"https://kc.mcafee.com/corporate/index?page=content&id=KB71150",
|
||||||
|
"https://securingtomorrow.mcafee.com/wp-content/uploads/2011/02/McAfee_NightDragon_wp_draft_to_customersv1-1.pdf",
|
||||||
|
"https://attack.mitre.org/groups/G0014/"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"related": [
|
"related": [
|
||||||
|
@ -1327,10 +1337,16 @@
|
||||||
"country": "CN",
|
"country": "CN",
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://securelist.com/blog/research/35936/nettraveler-is-running-red-star-apt-attacks-compromise-high-profile-victims/",
|
"https://securelist.com/blog/research/35936/nettraveler-is-running-red-star-apt-attacks-compromise-high-profile-victims/",
|
||||||
"https://www.cfr.org/interactive/cyber-operations/nettraveler"
|
"https://www.cfr.org/interactive/cyber-operations/nettraveler",
|
||||||
|
"https://www.kaspersky.com/about/press-releases/2013_kaspersky-lab-uncovers--operation-nettraveler--a-global-cyberespionage-campaign-targeting-government-affiliated-organizations-and-research-institutes",
|
||||||
|
"https://www.kaspersky.com/about/press-releases/2014_nettraveler-gets-a-makeover-for-10th-anniversary",
|
||||||
|
"https://unit42.paloaltonetworks.com/nettraveler-spear-phishing-email-targets-diplomat-of-uzbekistan/",
|
||||||
|
"https://www.proofpoint.com/us/threat-insight/post/nettraveler-apt-targets-russian-european-interests"
|
||||||
],
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"APT 21"
|
"APT 21",
|
||||||
|
"APT21",
|
||||||
|
"TravNet"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"uuid": "b80f4788-ccb2-466d-ae16-b397159d907e",
|
"uuid": "b80f4788-ccb2-466d-ae16-b397159d907e",
|
||||||
|
@ -3658,13 +3674,33 @@
|
||||||
"https://www.cfr.org/interactive/cyber-operations/oilrig",
|
"https://www.cfr.org/interactive/cyber-operations/oilrig",
|
||||||
"https://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-uses-updated-bondupdater-target-middle-eastern-government/",
|
"https://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-uses-updated-bondupdater-target-middle-eastern-government/",
|
||||||
"https://researchcenter.paloaltonetworks.com/2018/11/unit42-analyzing-oilrigs-ops-tempo-testing-weaponization-delivery/",
|
"https://researchcenter.paloaltonetworks.com/2018/11/unit42-analyzing-oilrigs-ops-tempo-testing-weaponization-delivery/",
|
||||||
"https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-november-helix-kitten/"
|
"https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-november-helix-kitten/",
|
||||||
|
"https://www.symantec.com/connect/blogs/shamoon-attacks",
|
||||||
|
"https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html",
|
||||||
|
"https://unit42.paloaltonetworks.com/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/",
|
||||||
|
"https://www.symantec.com/connect/blogs/shamoon-back-dead-and-destructive-ever",
|
||||||
|
"https://unit42.paloaltonetworks.com/unit42-oilrig-actors-provide-glimpse-development-testing-efforts/",
|
||||||
|
"https://unit42.paloaltonetworks.com/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/",
|
||||||
|
"https://www.clearskysec.com/oilrig/",
|
||||||
|
"https://unit42.paloaltonetworks.com/unit42-oilrig-group-steps-attacks-new-delivery-documents-new-injector-trojan/",
|
||||||
|
"https://unit42.paloaltonetworks.com/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/",
|
||||||
|
"https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html",
|
||||||
|
"https://unit42.paloaltonetworks.com/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/",
|
||||||
|
"https://unit42.paloaltonetworks.com/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/",
|
||||||
|
"https://www.symantec.com/blogs/threat-intelligence/shamoon-destructive-threat-re-emerges-new-sting-its-tail",
|
||||||
|
"https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/shamoon-attackers-employ-new-tool-kit-to-wipe-infected-systems/",
|
||||||
|
"https://unit42.paloaltonetworks.com/unit42-striking-oil-closer-look-adversary-infrastructure/",
|
||||||
|
"https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-november-helix-kitten/",
|
||||||
|
"https://attack.mitre.org/groups/G0049/"
|
||||||
],
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"Twisted Kitten",
|
"Twisted Kitten",
|
||||||
"Cobalt Gypsy",
|
"Cobalt Gypsy",
|
||||||
"Crambus",
|
"Crambus",
|
||||||
"Helix Kitten"
|
"Helix Kitten",
|
||||||
|
"APT 34",
|
||||||
|
"APT34",
|
||||||
|
"IRN2"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"related": [
|
"related": [
|
||||||
|
@ -3837,7 +3873,9 @@
|
||||||
"country": "TR",
|
"country": "TR",
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/",
|
"https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/",
|
||||||
"https://www.virusbulletin.com/conference/vb2016/abstracts/last-minute-paper-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users"
|
"https://www.virusbulletin.com/conference/vb2016/abstracts/last-minute-paper-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users",
|
||||||
|
"https://www.microsoft.com/security/blog/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/",
|
||||||
|
"https://attack.mitre.org/groups/G0055/"
|
||||||
],
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"StrongPity"
|
"StrongPity"
|
||||||
|
@ -6239,7 +6277,7 @@
|
||||||
"value": "HenBox"
|
"value": "HenBox"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"description": "This threat actor targets nongovernmental organizations using Mongolian-themed lures for espionage purposes.",
|
"description": "This threat actor targets nongovernmental organizations using Mongolian-themed lures for espionage purposes.\nIn April 2017, CrowdStrike Falcon Intelligence observed a previously unattributed actor group with a Chinese nexus targeting a U.S.-based think tank. Further analysis revealed a wider campaign with unique tactics, techniques, and procedures (TTPs). This adversary targets non-governmental organizations (NGOs) in general, but uses Mongolian language decoys and themes, suggesting this actor has a specific focus on gathering intelligence on Mongolia. These campaigns involve the use of shared malware like Poison Ivy or PlugX.\nRecently, Falcon Intelligence observed new activity from MUSTANG PANDA, using a unique infection chain to target likely Mongolia-based victims. This newly observed activity uses a series of redirections and fileless, malicious implementations of legitimate tools to gain access to the targeted systems. Additionally, MUSTANG PANDA actors reused previously-observed legitimate domains to host files.",
|
||||||
"meta": {
|
"meta": {
|
||||||
"attribution-confidence": "50",
|
"attribution-confidence": "50",
|
||||||
"cfr-suspected-state-sponsor": "China",
|
"cfr-suspected-state-sponsor": "China",
|
||||||
|
@ -6252,7 +6290,8 @@
|
||||||
"cfr-type-of-incident": "Espionage",
|
"cfr-type-of-incident": "Espionage",
|
||||||
"country": "CN",
|
"country": "CN",
|
||||||
"refs": [
|
"refs": [
|
||||||
"https://www.cfr.org/interactive/cyber-operations/mustang-panda"
|
"https://www.cfr.org/interactive/cyber-operations/mustang-panda",
|
||||||
|
"https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"uuid": "78bf726c-a9e6-11e8-9e43-77249a2f7339",
|
"uuid": "78bf726c-a9e6-11e8-9e43-77249a2f7339",
|
||||||
|
|
Loading…
Reference in New Issue