Merge pull request #953 from Mathieu4141/threat-actors/d9ef3240-7f58-453c-926b-7757caf17f1a

[threat actors] 4 new actors and 1 alias
pull/957/head
Alexandre Dulaunoy 2024-03-27 22:42:22 +01:00 committed by GitHub
commit 2d4a03a553
GPG Key ID: B5690EEEBB952194
1 changed files with 52 additions and 2 deletions


@ -3238,7 +3238,9 @@
"https://www.microsoft.com/en-us/security/blog/2022/12/06/dev-0139-launches-targeted-attacks-against-the-cryptocurrency-industry/",
"https://www.proofpoint.com/us/blog/threat-insight/ta444-apt-startup-aimed-at-your-funds",
"https://www.proofpoint.com/us/blog/threat-insight/above-fold-and-your-inbox-tracing-state-aligned-activity-targeting-journalists",
"https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html"
"https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html",
"https://www.securonix.com/blog/securonix-threat-labs-monthly-intelligence-insights-june-2023/",
"https://us-cert.cisa.gov/ncas/alerts/aa21-048a"
],
"synonyms": [
"Operation DarkSeoul",
@ -3278,7 +3280,8 @@
"Sapphire Sleet",
"COPERNICIUM",
"TA404",
"Lazarus group"
"Lazarus group",
"BeagleBoyz"
]
},
"related": [
@ -15460,6 +15463,53 @@
},
"uuid": "da89d534-5be8-414b-832c-3e9d0d66b4e0",
"value": "Mirage Tiger"
},
{
"description": "SilitNetwork is a hacking group known for targeting high-profile entities, such as airlines, for various motives. They utilize sophisticated tactics to breach their targets, potentially including social engineering and exploiting software vulnerabilities. The group's attack on RwandAir highlighted the vulnerability of the aviation industry and the need for robust cybersecurity measures.",
"meta": {
"refs": [
"https://www.resecurity.com/blog/article/the-aviation-and-aerospace-sectors-face-skyrocketing-cyber-threats"
]
},
"uuid": "a0b92be9-7b62-47df-a2e8-16211c864599",
"value": "SilitNetwork"
},
{
"description": "Edalat-e Ali is a hacktivist group known for disrupting Iranian state-run TV and radio transmissions during significant events, such as the Revolution Day ceremonies. They have also targeted government facilities, releasing security camera footage to expose abuses and draw attention to human rights violations. The group has used their hacks to call for protests against the Iranian regime and have displayed anti-government messages during their disruptions. Edalat-e Ali has been active in releasing sensitive information and footage to embarrass Iranian officials and highlight injustices within the country.",
"meta": {
"country": "IR",
"refs": [
"https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/",
"https://securityaffairs.com/142172/hacktivism/iranian-state-tv-hacked.html",
"https://www.chronline.com/stories/a-hacking-slugfest-between-iran-and-its-foes-sparks-fears-of-a-wider-cyberwar,281423"
]
},
"uuid": "1759f8f2-e6ef-4683-a9e4-44984b9deaba",
"value": "Edalat-e Ali"
},
{
"description": "Saad Tycoon is the operator and alleged developer of the Tycoon 2FA PhaaS, a phishing service that targets users for financial gain. The actor utilizes Bitcoin transactions to generate significant profits from the fraudulent service. The phishing infrastructure includes domain registration, server hosting, and possibly Cloudflare protection.",
"meta": {
"refs": [
"https://blog.sekoia.io/tycoon-2fa-an-in-depth-analysis-of-the-latest-version-of-the-aitm-phishing-kit/"
]
},
"uuid": "d9709373-7a3a-4905-8c90-ba74237e77ea",
"value": "Saad Tycoon"
},
{
"description": "UNC5174, a Chinese state-sponsored threat actor, has been identified by Mandiant for exploiting critical vulnerabilities in F5 BIG-IP and ScreenConnect. They have been linked to targeting research and education institutions, businesses, charities, NGOs, and government organizations in Southeast Asia, the U.S., and the UK. UNC5174 is believed to have connections to China's Ministry of State Security and has been observed using custom tooling and the SUPERSHELL framework in their operations. The actor has shown indications of transitioning from hacktivist collectives to working as a contractor for Chinese intelligence agencies.",
"meta": {
"refs": [
"https://rhisac.org/threat-intelligence/f5-big-ip-and-screenconnect-cves/",
"https://www.mandiant.com/resources/blog/initial-access-brokers-exploit-f5-screenconnect"
],
"synonyms": [
"Uteus"
]
},
"uuid": "0b158297-ee47-48ef-9346-0cb0f9cb348a",
"value": "UNC5174"
}
],
"version": 305
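Review bot: The UNC5174 entry (last object added in the third hunk) is described as a Chinese state-sponsored actor with links to the Ministry of State Security, yet its `meta` carries no `country`, while the Edalat-e Ali entry in the same hunk sets `"country": "IR"`; adding `"country": "CN"` to UNC5174's `meta` (between the `refs` array and `synonyms`) would make the structured field agree with the description and keep the new entries consistent with each other. The Edalat-e Ali `country` value is worth confirming against the cited Check Point report, since the description portrays the group as attacking the Iranian state rather than operating from it — presumably `country` here denotes the actor's origin, so IR may still be right, but the description does not establish it. The SilitNetwork description states no observed technique ("potentially including social engineering and exploiting software vulnerabilities"); trimming it to what the single Resecurity reference actually reports would avoid the entry reading as attribution of unobserved TTPs. The enclosing array and `"version"` field sit at the end of the file, so no further entries follow this hunk.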