From 309f4f2ea5857c67468a47b0674ecae8cef4135a Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 20 Apr 2023 17:04:05 +0200 Subject: [PATCH] chg: [microsoft-activity-group] updated following contribution from @botlabsDev script --- clusters/microsoft-activity-group.json | 1339 +++++++++++++----------- 1 file changed, 729 insertions(+), 610 deletions(-) diff --git a/clusters/microsoft-activity-group.json b/clusters/microsoft-activity-group.json index 375a2bd..b0e4b6a 100644 --- a/clusters/microsoft-activity-group.json +++ b/clusters/microsoft-activity-group.json @@ -343,13 +343,29 @@ }, { "meta": { - "country": "CN", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" ], + "sector": "Russia", "synonyms": [ - "APT41", - "BARIUM" + "ACTINIUM", + "UNC530", + "Primitive Bear", + "Gamaredon" + ] + }, + "uuid": "fc77a775-d06f-5efc-a6fa-0b2af01902a7", + "value": "Aqua Blizzard" + }, + { + "meta": { + "refs": [ + "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" + ], + "sector": "China", + "synonyms": [ + "BARIUM", + "APT41" ] }, "uuid": "2fc42ffc-dd1a-560e-ac97-05e8fa27bbe5", 
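Review bot: The new entries put the attributed country into `sector` (`"sector": "Russia"`, `"sector": "China"`) while dropping the ISO code `"country": "CN"`, so one key now carries two kinds of value: a nation-state origin here and a motivation category such as `"Financially motivated"` elsewhere in the file. Any consumer that filters or correlates clusters on `meta.country` would presumably lose attribution for these actors, and a free-text country name is harder to match reliably than a two-letter code. I would keep the code next to the new field, e.g. `"country": "CN",` alongside `"sector": "China",`, or reserve `sector` for the non-state categories. The same substitution recurs in the later hunks for `IR`, `KP`, `RU`, `LB`, `KR`, `TR` and `VN`.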
@@ -357,10 +373,81 @@ }, { "meta": { - "country": "CN", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" ], + "sector": "Russia", + "synonyms": [ + "DEV-0586" + ] + }, + "uuid": "7f190457-6829-55c4-9b6b-bccdadb747cb", + "value": "Cadet Blizzard" + }, + { + "meta": { + "refs": [ + "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" + ], + "sector": "Financially motivated", + "synonyms": [ + "TAAL", + "FIN6", + "Skeleton Spider" + ] + }, + "uuid": "3126bd2c-3d04-5174-ad03-40136b94f574", + "value": "Camouflage Tempest" + }, + { + "meta": { + "refs": [ + "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" + ], + "sector": "Vietnam", + "synonyms": [ + "BISMUTH", + "APT32", + "OceanLotus" + ] + }, + "uuid": "37808cab-cbb3-560b-bebd-375fa328ea1e", + "value": "Canvas Cyclone" + }, + { + "meta": { + "refs": [ + "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" + ], + "sector": "Private sector offensive actor", + "synonyms": [ + "SOURGUM", + "Candiru" + ] + }, + "uuid": "1b15288c-ff19-5f52-8c4b-6185de934ff8", + "value": "Caramel Tsunami" + }, + { + "meta": { + "refs": [ + "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" + ], + "sector": "Private sector offensive actor", + "synonyms": [ + "DEV-0196", + "QuaDream" + ] + }, + "uuid": "ab6940c3-a2f0-5802-9270-87f15f2e168a", + "value": "Carmine Tsunami" + }, + { + "meta": { + "refs": [ + "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" + ], + "sector": "China", "synonyms": [ "CHROMIUM", "ControlX" 
@@ -371,10 +458,25 @@ }, { "meta": { - "country": "CN", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" ], + "sector": "Financially motivated", + "synonyms": [ + "DEV-0401", + "Emperor Dragonfly", + "Bronze Starlight" + ] + }, + "uuid": "43fe584d-88e5-5f2b-a9fd-a866e62040bb", + "value": "Cinnamon Tempest" + }, + { + "meta": { + "refs": [ + "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" + ], + "sector": "China", "synonyms": [ "DEV-0322" ] 
@@ -384,16 +486,146 @@ }, { "meta": { - "country": "CN", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" ], + "sector": "Iran", + "synonyms": [ + "NEPTUNIUM", + "Vice Leaker" + ] + }, + "uuid": "b06ff51a-77e7-5b7f-9938-4a2d37bce5a4", + "value": "Cotton Sandstorm" + }, + { + "meta": { + "refs": [ + "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" + ], + "sector": "Iran", + "synonyms": [ + "DEV-0198 (NEPTUNIUM)", + "Vice Leaker" + ] + }, + "uuid": "b06ff51a-77e7-5b7f-9938-4a2d37bce5a4", + "value": "Cotton Sandstorm" + }, + { + "meta": { + "refs": [ + "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" + ], + "sector": "Iran", + "synonyms": [ + "CURIUM", + "TA456", + "Tortoise Shell" + ] + }, + "uuid": "b76e22b0-26a4-50ca-b876-09bc90a81b3b", + "value": "Crimson Sandstorm" + }, + { + "meta": { + "refs": [ + "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" + ], + "sector": "Iran", + "synonyms": [ + "DEV-0228" + ] + }, + "uuid": "badacab7-5097-5817-8516-d8a72de2a71b", + "value": "Cuboid Sandstorm" + }, + { + "meta": { + "refs": [ + "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" + ], + "sector": "Private sector offensive actor", + "synonyms": [ + "KNOTWEED", + "DSIRF" + ] + }, + "uuid": "9a4a662a-84a9-5b86-b241-7c5eef9cea4d", + "value": "Denim Tsunami" + }, + { + "meta": { + "refs": [ + "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" + ], + "sector": "North Korea", + "synonyms": [ + "ZINC", + "Labyrinth Chollima", + "Lazarus" + ] + }, + "uuid": "9630b0aa-ee9e-5b58-9f79-cf7fa8d291a8", + "value": "Diamond Sleet" + }, + { + "meta": { 
+ "refs": [ + "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" + ], + "sector": "North Korea", + "synonyms": [ + "THALLIUM", + "Kimsuky", + "Velvet Chollima" + ] + }, + "uuid": "44be06b1-e17a-5ea6-a0a2-067933a7af77", + "value": "Emerald Sleet" + }, + { + "meta": { + "refs": [ + "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" + ], + "sector": "Russia", + "synonyms": [ + "STRONTIUM", + "APT28", + "Fancy Bear" + ] + }, + "uuid": "8d84d7b0-7716-5ab3-a3a4-f373dd148347", + "value": "Forest Blizzard" + }, + { + "meta": { + "refs": [ + "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" + ], + "sector": "Russia", + "synonyms": [ + "BROMINE", + "Energetic Bear", + "Crouching Yeti" + ] + }, + "uuid": "45d0f984-2b63-517b-922a-12924bcf4f68", + "value": "Ghost Blizzard" + }, + { + "meta": { + "refs": [ + "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" + ], + "sector": "China", "synonyms": [ - "APT40", "GADOLINIUM", - "Kryptonite Panda", + "APT40", "Leviathan", - "TEMP.Periscope" + "TEMP.Periscope", + "Kryptonite Panda" ] }, "uuid": "dbc45b46-5b64-50d4-b0f1-d7de888d4e85", @@ -401,10 +633,10 @@ }, { "meta": { - "country": "CN", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" ], + "sector": "China", "synonyms": [ "GALLIUM" ] 
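Review bot: "Cotton Sandstorm" is added twice in this hunk with the same `uuid` `b06ff51a-77e7-5b7f-9938-4a2d37bce5a4`; the two objects differ only in the first synonym (`"NEPTUNIUM"` vs `"DEV-0198 (NEPTUNIUM)"`). The UUID is presumably the cluster's identity, so a duplicate leaves it undefined which synonym list an importer keeps, and the combined string `"DEV-0198 (NEPTUNIUM)"` will not match a lookup on either name alone. Merge the pair into one entry with `"synonyms": ["NEPTUNIUM", "DEV-0198", "Vice Leaker"]`. The same duplication appears in later hunks for "Pearl Sleet" (`1c5c67ad-c241-5103-99d0-daab5a554b0d`, `"DEV-0215 (LAWRENCIUM)"`) and "Pink Sandstorm" (`cca311c0-dc91-5aee-b282-5e412040dac3`, `"DEV-0227 (AMERICIUM)"`). A uniqueness check on `uuid` and `value` in the generating script would catch all three before they reach detection or enrichment pipelines.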
@@ -414,105 +646,32 @@ }, { "meta": { - "country": "CN", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" ], + "sector": "Iran", "synonyms": [ - "DEV-0234" + "DEV-0343" ] }, - "uuid": "aa45a89c-4c2b-5f6b-9a3d-51abccaa9623", - "value": "Lilac Typhoon" - }, - { - "meta": { - "country": "CN", - "refs": [ - "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" - ], - "synonyms": [ - "APT5", - "Keyhole Panda", - "MANGANESE", - "TABCTENG" - ] - }, - "uuid": "fa562b27-d3ff-5e7c-9079-c957eb01a0e0", - "value": "Mulberry Typhoon" - }, - { - "meta": { - "country": "CN", - "refs": [ - "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" - ], - "synonyms": [ - "APT15", - "NICKEL", - "Vixen Panda", - "ke3chang" - ] - }, - "uuid": "66571167-13fe-5817-93e0-54ae8f206fdc", - "value": "Nylon Typhoon" - }, - { - "meta": { - "country": "CN", - "refs": [ - "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" - ], - "synonyms": [ - "APT30", - "LotusBlossom", - "RADIUM" - ] - }, - "uuid": "b3c378fc-1ce3-5a46-a32e-f55a584c6536", - "value": "Raspberry Typhoon" - }, - { - "meta": { - "country": "CN", - "refs": [ - "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" - ], - "synonyms": [ - "HAFNIUM" - ] - }, - "uuid": "9728610a-17cb-5cac-9322-ef19ae296a29", - "value": "Silk Typhoon" - }, - { - "meta": { - "country": "CN", - "refs": [ - "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" - ], - "synonyms": [ - "APT31", - "ZIRCONIUM" - ] - }, - "uuid": "27eb4928-b3e6-5ae1-bbb6-f73bce8d7c69", - "value": "Violet Typhoon" + "uuid": "395473c6-be98-5369-82d1-cdbc97b3fddc", + 
"value": "Gray Sandstorm" }, { "meta": { "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" ], - "sector": "Financially motivated", + "sector": "Iran", "synonyms": [ - "Bronze Starlight", - "DEV-0401", - "Emperor Dragonfly" + "EUROPIUM", + "Cobalt Gypsy", + "APT34", + "OilRig" ] }, - "uuid": "43fe584d-88e5-5f2b-a9fd-a866e62040bb", - "value": "Cinnamon Tempest" + "uuid": "b6260d6d-a2f7-5b79-8132-5c456a225f53", + "value": "Hazel Sandstorm" }, { "meta": { 
@@ -529,6 +688,142 @@ "uuid": "b27dcdee-14b1-5842-86b3-32eacec94584", "value": "Lace Tempest" }, + { + "meta": { + "refs": [ + "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" + ], + "sector": "Iran", + "synonyms": [ + "RUBIDIUM", + "Fox Kitten", + "UNC757", + "PioneerKitten" + ] + }, + "uuid": "0757856a-1313-57d8-bb6c-f4c537e110da", + "value": "Lemon Sandstorm" + }, + { + "meta": { + "refs": [ + "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" + ], + "sector": "China", + "synonyms": [ + "DEV-0234" + ] + }, + "uuid": "aa45a89c-4c2b-5f6b-9a3d-51abccaa9623", + "value": "Lilac Typhoon" + }, + { + "meta": { + "refs": [ + "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" + ], + "sector": "Financially motivated", + "synonyms": [ + "DEV-0243", + "EvilCorp", + "UNC2165", + "Indrik Spider" + ] + }, + "uuid": "b19bc1a0-2489-56ae-aa61-ed147310363e", + "value": "Manatee Tempest" + }, + { + "meta": { + "refs": [ + "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" + ], + "sector": "Iran", + "synonyms": [ + "MERCURY", + "MuddyWater", + "SeedWorm", + "Static Kitten", + "TEMP.Zagros" + ] + }, + "uuid": "da68ca6d-250f-50f1-a585-240475fdbb35", + "value": "Mango Sandstorm" + }, + { + "meta": { + "refs": [ + "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" + ], + "sector": "Turkey", + "synonyms": [ + "SILICON", + "Sea Turtle" + ] + }, + "uuid": "fc91881e-92c0-5a63-a0b9-b253958a594e", + "value": "Marbled Dust" + }, + { + "meta": { + "refs": [ + "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" + ], + "sector": "Iran", + "synonyms": [ + "DEV-0500", + "Moses 
Staff" + ] + }, + "uuid": "ef415059-e150-5324-877e-44b65ab022f5", + "value": "Marigold Sandstorm" + }, + { + "meta": { + "refs": [ + "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" + ], + "sector": "Russia", + "synonyms": [ + "NOBELIUM", + "APT29", + "Cozy Bear" + ] + }, + "uuid": "31982812-c8bf-5e85-b0ba-0c64a7d05d20", + "value": "Midnight Blizzard" + }, + { + "meta": { + "refs": [ + "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" + ], + "sector": "Iran", + "synonyms": [ + "PHOSPHORUS", + "APT35", + "Charming Kitten" + ] + }, + "uuid": "400cd1b8-52b7-5a5c-984f-9b4af35ea231", + "value": "Mint Sandstorm" + }, + { + "meta": { + "refs": [ + "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" + ], + "sector": "China", + "synonyms": [ + "MANGANESE", + "APT5", + "Keyhole Panda", + "TABCTENG" + ] + }, + "uuid": "fa562b27-d3ff-5e7c-9079-c957eb01a0e0", + "value": "Mulberry Typhoon" + }, { "meta": { "refs": [ 
@@ -543,6 +838,91 @@ "uuid": "1b1524f4-16b0-5b85-aea4-844babea4ccb", "value": "Mustard Tempest" }, + { + "meta": { + "refs": [ + "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" + ], + "sector": "Private sector offensive actor", + "synonyms": [ + "DEV-0336", + "NSO Group" + ] + }, + "uuid": "af54315b-3561-5046-8b9b-c3e9e05c0f77", + "value": "Night Tsunami" + }, + { + "meta": { + "refs": [ + "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" + ], + "sector": "China", + "synonyms": [ + "NICKEL", + "ke3chang", + "APT15", + "Vixen Panda" + ] + }, + "uuid": "66571167-13fe-5817-93e0-54ae8f206fdc", + "value": "Nylon Typhoon" + }, + { + "meta": { + "refs": [ + "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" + ], + "sector": "North Korea", + "synonyms": [ + "OSMIUM", + "Konni" + ] + }, + "uuid": "5163b2d9-7521-5225-a7a8-88d881fbc406", + "value": "Opal Sleet" + }, + { + "meta": { + "refs": [ + "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" + ], + "sector": "Iran", + "synonyms": [ + "HOLMIUM", + "APT33", + "Refined Kitten" + ] + }, + "uuid": "4c0f085a-70b1-5ee6-a45a-dc368f03e701", + "value": "Peach Sandstorm" + }, + { + "meta": { + "refs": [ + "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" + ], + "sector": "North Korea", + "synonyms": [ + "LAWRENCIUM" + ] + }, + "uuid": "1c5c67ad-c241-5103-99d0-daab5a554b0d", + "value": "Pearl Sleet" + }, + { + "meta": { + "refs": [ + "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" + ], + "sector": "North Korea", + "synonyms": [ + "DEV-0215 (LAWRENCIUM)" + ] + }, + "uuid": 
"1c5c67ad-c241-5103-99d0-daab5a554b0d", + "value": "Pearl Sleet" + }, { "meta": { "refs": [ @@ -551,8 +931,8 @@ "sector": "Financially motivated", "synonyms": [ "DEV-0193", - "UNC2053", - "Wizard Spider" + "Wizard Spider", + "UNC2053" ] }, "uuid": "120dc1ae-e850-5059-a4fb-520748ca6881", @@ -565,15 +945,49 @@ ], "sector": "Financially motivated", "synonyms": [ - "Choziosi loader", - "Chrome Loader", + "DEV-0796", "ClickPirate", - "DEV-0796" + "Chrome Loader", + "Choziosi loader" ] }, "uuid": "3c9a0350-8d17-5624-872c-fe44969a5888", "value": "Phlox Tempest" }, + { + "meta": { + "refs": [ + "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" + ], + "sector": "Iran", + "synonyms": [ + "AMERICIUM", + "Agrius", + "Deadwood", + "BlackShadow", + "SharpBoys" + ] + }, + "uuid": "cca311c0-dc91-5aee-b282-5e412040dac3", + "value": "Pink Sandstorm" + }, + { + "meta": { + "refs": [ + "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" + ], + "sector": "Iran", + "synonyms": [ + "DEV-0227 (AMERICIUM)", + "Agrius", + "Deadwood", + "BlackShadow", + "SharpBoys" + ] + }, + "uuid": "cca311c0-dc91-5aee-b282-5e412040dac3", + "value": "Pink Sandstorm" + }, { "meta": { "refs": [ 
@@ -588,6 +1002,61 @@ "uuid": "567ea386-a78f-5550-ae7c-9c9eacdf45af", "value": "Pistachio Tempest" }, + { + "meta": { + "refs": [ + "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" + ], + "sector": "Lebanon", + "synonyms": [ + "POLONIUM" + ] + }, + "uuid": "ce5357da-0e15-5022-bd4f-74aa689d0b2e", + "value": "Plaid Rain" + }, + { + "meta": { + "refs": [ + "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" + ], + "sector": "Iran", + "synonyms": [ + "DEV-0146", + "ZeroCleare" + ] + }, + "uuid": "562049d7-78f5-5a65-b7db-c509c9f483f7", + "value": "Pumpkin Sandstorm" + }, + { + "meta": { + "refs": [ + "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" + ], + "sector": "China", + "synonyms": [ + "RADIUM", + "APT30", + "LotusBlossom" + ] + }, + "uuid": "b3c378fc-1ce3-5a46-a32e-f55a584c6536", + "value": "Raspberry Typhoon" + }, + { + "meta": { + "refs": [ + "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" + ], + "sector": "North Korea", + "synonyms": [ + "CERIUM" + ] + }, + "uuid": "c29e7262-6a6f-501d-8c00-57f75f2172a3", + "value": "Ruby Sleet" + }, { "meta": { "refs": [ 
@@ -595,14 +1064,85 @@ ], "sector": "Financially motivated", "synonyms": [ - "Carbon Spider", "ELBRUS", + "Carbon Spider", "FIN7" ] }, "uuid": "9471ad21-0553-5483-bf7c-e6ad9c062c79", "value": "Sangria Tempest" }, + { + "meta": { + "refs": [ + "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" + ], + "sector": "North Korea", + "synonyms": [ + "COPERNICIUM", + "Genie Spider", + "BlueNoroff" + ] + }, + "uuid": "3a32c54d-d86a-55de-b16a-d9a08a5cf49b", + "value": "Sapphire Sleet" + }, + { + "meta": { + "refs": [ + "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" + ], + "sector": "Russia", + "synonyms": [ + "IRIDIUM", + "Sandworm" + ] + }, + "uuid": "473eb51c-36cb-5e3a-8347-2f57df809be9", + "value": "Seashell Blizzard" + }, + { + "meta": { + "refs": [ + "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" + ], + "sector": "Russia", + "synonyms": [ + "KRYPTON", + "Venomous Bear", + "Turla", + "Snake" + ] + }, + "uuid": "8d19da8a-d0fa-5194-ad6f-315cc4f36c8b", + "value": "Secret Blizzard" + }, + { + "meta": { + "refs": [ + "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" + ], + "sector": "China", + "synonyms": [ + "HAFNIUM" + ] + }, + "uuid": "9728610a-17cb-5cac-9322-ef19ae296a29", + "value": "Silk Typhoon" + }, + { + "meta": { + "refs": [ + "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" + ], + "sector": "Iran", + "synonyms": [ + "BOHRIUM" + ] + }, + "uuid": "4426d375-1435-5ccc-8c1f-f8688bd11f80", + "value": "Smoke Sandstorm" + }, { "meta": { "refs": [ 
@@ -617,6 +1157,49 @@ "uuid": "c85120d0-c397-5d30-9d57-3b019090acd5", "value": "Spandex Tempest" }, + { + "meta": { + "refs": [ + "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" + ], + "sector": "Russia", + "synonyms": [ + "SEABORGIUM", + "Callisto", + "Reuse Team" + ] + }, + "uuid": "06630ccd-98ed-5aec-8083-e04c894bd2d6", + "value": "Star Blizzard" + }, + { + "meta": { + "refs": [ + "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" + ], + "sector": "Group in development", + "synonyms": [ + "DEV-0257", + "UNC1151" + ] + }, + "uuid": "60ac9e2c-b3b2-5c6b-913e-935952e14c28", + "value": "Storm-0257" + }, + { + "meta": { + "refs": [ + "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" + ], + "sector": "North Korea", + "synonyms": [ + "DEV-0530", + "H0lyGh0st" + ] + }, + "uuid": "ab314f1c-8d07-5edb-bb32-64d1105f74ff", + "value": "Storm-0530" + }, { "meta": { "refs": [ @@ -631,6 +1214,33 @@ "uuid": "d4dfb329-822c-5db3-a078-a8c0f77924da", "value": "Strawberry Tempest" }, + { + "meta": { + "refs": [ + "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" + ], + "sector": "Russia", + "synonyms": [ + "DEV-0665" + ] + }, + "uuid": "79f8646f-d127-51b7-b502-b096b445c322", + "value": "Sunglow Blizzard" + }, + { + "meta": { + "refs": [ + "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" + ], + "sector": "Financially motivated", + "synonyms": [ + "SPURR", + "Vatet" + ] + }, + "uuid": "028b667a-1102-5b1e-9726-edbf145d9d8f", + "value": "Tomato Tempest" + }, { "meta": { "refs": [ 
@@ -657,6 +1267,20 @@ "uuid": "0662a721-a92e-50b3-a5ac-0c4142ac9aeb", "value": "Velvet Tempest" }, + { + "meta": { + "refs": [ + "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" + ], + "sector": "China", + "synonyms": [ + "ZIRCONIUM", + "APT31" + ] + }, + "uuid": "27eb4928-b3e6-5ae1-bbb6-f73bce8d7c69", + "value": "Violet Typhoon" + }, { "meta": { "refs": [ 
@@ -676,370 +1300,10 @@ "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" ], - "sector": "Group in development", + "sector": "Private sector offensive actor", "synonyms": [ - "DEV-0257", - "UNC1151" - ] - }, - "uuid": "60ac9e2c-b3b2-5c6b-913e-935952e14c28", - "value": "Storm-0257" - }, - { - "meta": { - "country": "IR", - "refs": [ - "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" - ], - "synonyms": [ - "NEPTUNIUM", - "Vice Leaker" - ] - }, - "uuid": "b06ff51a-77e7-5b7f-9938-4a2d37bce5a4", - "value": "Cotton Sandstorm" - }, - { - "meta": { - "country": "IR", - "refs": [ - "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" - ], - "synonyms": [ - "CURIUM", - "TA456", - "Tortoise Shell" - ] - }, - "uuid": "b76e22b0-26a4-50ca-b876-09bc90a81b3b", - "value": "Crimson Sandstorm" - }, - { - "meta": { - "country": "IR", - "refs": [ - "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" - ], - "synonyms": [ - "DEV-0228" - ] - }, - "uuid": "badacab7-5097-5817-8516-d8a72de2a71b", - "value": "Cuboid Sandstorm" - }, - { - "meta": { - "country": "IR", - "refs": [ - "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" - ], - "synonyms": [ - "DEV-0343" - ] - }, - "uuid": "395473c6-be98-5369-82d1-cdbc97b3fddc", - "value": "Gray Sandstorm" - }, - { - "meta": { - "country": "IR", - "refs": [ - "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" - ], - "synonyms": [ - "APT34", - "Cobalt Gypsy", - "EUROPIUM", - "OilRig" - ] - }, - "uuid": "b6260d6d-a2f7-5b79-8132-5c456a225f53", - "value": "Hazel Sandstorm" - }, - { - "meta": { - "country": "IR", - "refs": [ - 
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" - ], - "synonyms": [ - "Fox Kitten", - "PioneerKitten", - "RUBIDIUM", - "UNC757" - ] - }, - "uuid": "0757856a-1313-57d8-bb6c-f4c537e110da", - "value": "Lemon Sandstorm" - }, - { - "meta": { - "country": "IR", - "refs": [ - "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" - ], - "synonyms": [ - "MERCURY", - "MuddyWater", - "SeedWorm", - "Static Kitten", - "TEMP.Zagros" - ] - }, - "uuid": "da68ca6d-250f-50f1-a585-240475fdbb35", - "value": "Mango Sandstorm" - }, - { - "meta": { - "country": "IR", - "refs": [ - "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" - ], - "synonyms": [ - "DEV-0500", - "Moses Staff" - ] - }, - "uuid": "ef415059-e150-5324-877e-44b65ab022f5", - "value": "Marigold Sandstorm" - }, - { - "meta": { - "country": "IR", - "refs": [ - "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" - ], - "synonyms": [ - "APT35", - "Charming Kitten", - "PHOSPHORUS" - ] - }, - "uuid": "400cd1b8-52b7-5a5c-984f-9b4af35ea231", - "value": "Mint Sandstorm" - }, - { - "meta": { - "country": "IR", - "refs": [ - "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" - ], - "synonyms": [ - "APT33", - "HOLMIUM", - "Refined Kitten" - ] - }, - "uuid": "4c0f085a-70b1-5ee6-a45a-dc368f03e701", - "value": "Peach Sandstorm" - }, - { - "meta": { - "country": "IR", - "refs": [ - "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" - ], - "synonyms": [ - "AMERICIUM", - "Agrius", - "BlackShadow", - "Deadwood", - "SharpBoys" - ] - }, - "uuid": "cca311c0-dc91-5aee-b282-5e412040dac3", - "value": "Pink Sandstorm" - }, - { - 
"meta": { - "country": "IR", - "refs": [ - "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" - ], - "synonyms": [ - "DEV-0146", - "ZeroCleare" - ] - }, - "uuid": "562049d7-78f5-5a65-b7db-c509c9f483f7", - "value": "Pumpkin Sandstorm" - }, - { - "meta": { - "country": "IR", - "refs": [ - "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" - ], - "synonyms": [ - "BOHRIUM" - ] - }, - "uuid": "4426d375-1435-5ccc-8c1f-f8688bd11f80", - "value": "Smoke Sandstorm" - }, - { - "meta": { - "country": "LB", - "refs": [ - "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" - ], - "synonyms": [ - "POLONIUM" - ] - }, - "uuid": "ce5357da-0e15-5022-bd4f-74aa689d0b2e", - "value": "Plaid Rain" - }, - { - "meta": { - "country": "KP", - "refs": [ - "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" - ], - "synonyms": [ - "Labyrinth Chollima", - "Lazarus", - "ZINC" - ] - }, - "uuid": "9630b0aa-ee9e-5b58-9f79-cf7fa8d291a8", - "value": "Diamond Sleet" - }, - { - "meta": { - "country": "KP", - "refs": [ - "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" - ], - "synonyms": [ - "Kimsuky", - "THALLIUM", - "Velvet Chollima" - ] - }, - "uuid": "44be06b1-e17a-5ea6-a0a2-067933a7af77", - "value": "Emerald Sleet" - }, - { - "meta": { - "country": "KP", - "refs": [ - "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" - ], - "synonyms": [ - "Konni", - "OSMIUM" - ] - }, - "uuid": "5163b2d9-7521-5225-a7a8-88d881fbc406", - "value": "Opal Sleet" - }, - { - "meta": { - "country": "KP", - "refs": [ - 
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" - ], - "synonyms": [ - "LAWRENCIUM" - ] - }, - "uuid": "1c5c67ad-c241-5103-99d0-daab5a554b0d", - "value": "Pearl Sleet" - }, - { - "meta": { - "country": "KP", - "refs": [ - "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" - ], - "synonyms": [ - "CERIUM" - ] - }, - "uuid": "c29e7262-6a6f-501d-8c00-57f75f2172a3", - "value": "Ruby Sleet" - }, - { - "meta": { - "country": "KP", - "refs": [ - "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" - ], - "synonyms": [ - "BlueNoroff", - "COPERNICIUM", - "Genie Spider" - ] - }, - "uuid": "3a32c54d-d86a-55de-b16a-d9a08a5cf49b", - "value": "Sapphire Sleet" - }, - { - "meta": { - "country": "KP", - "refs": [ - "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" - ], - "synonyms": [ - "DEV-0530", - "H0lyGh0st" - ] - }, - "uuid": "ab314f1c-8d07-5edb-bb32-64d1105f74ff", - "value": "Storm-0530" - }, - { - "meta": { - "refs": [ - "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" - ], - "sector": "Private Sector Offensive Actor", - "synonyms": [ - "Candiru", - "SOURGUM" - ] - }, - "uuid": "1b15288c-ff19-5f52-8c4b-6185de934ff8", - "value": "Caramel Tsunami" - }, - { - "meta": { - "refs": [ - "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" - ], - "sector": "Private Sector Offensive Actor", - "synonyms": [ - "DSIRF", - "KNOTWEED" - ] - }, - "uuid": "9a4a662a-84a9-5b86-b241-7c5eef9cea4d", - "value": "Denim Tsunami" - }, - { - "meta": { - "refs": [ - 
"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" - ], - "sector": "Private Sector Offensive Actor", - "synonyms": [ - "DEV-0336", - "NSO Group" - ] - }, - "uuid": "af54315b-3561-5046-8b9b-c3e9e05c0f77", - "value": "Night Tsunami" - }, - { - "meta": { - "refs": [ - "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" - ], - "sector": "Private Sector Offensive Actor", - "synonyms": [ - "CyberRoot", - "DEV-0605" + "DEV-0605", + "CyberRoot" ] }, "uuid": "2263b6c9-861a-5971-b882-9ea4a84fcf74", 
@@ -1047,126 +1311,10 @@ }, { "meta": { - "country": "RU", - "refs": [ - "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" - ], - "synonyms": [ - "ACTINIUM", - "Gamaredon", - "Primitive Bear", - "UNC530" - ] - }, - "uuid": "fc77a775-d06f-5efc-a6fa-0b2af01902a7", - "value": "Aqua Blizzard" - }, - { - "meta": { - "country": "RU", - "refs": [ - "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" - ], - "synonyms": [ - "DEV-0586" - ] - }, - "uuid": "7f190457-6829-55c4-9b6b-bccdadb747cb", - "value": "Cadet Blizzard" - }, - { - "meta": { - "country": "RU", - "refs": [ - "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" - ], - "synonyms": [ - "APT28", - "Fancy Bear", - "STRONTIUM" - ] - }, - "uuid": "8d84d7b0-7716-5ab3-a3a4-f373dd148347", - "value": "Forest Blizzard" - }, - { - "meta": { - "country": "RU", - "refs": [ - "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" - ], - "synonyms": [ - "BROMINE", - "Crouching Yeti", - "Energetic Bear" - ] - }, - "uuid": "45d0f984-2b63-517b-922a-12924bcf4f68", - "value": "Ghost Blizzard" - }, - { - "meta": { - "country": "RU", - "refs": [ - "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" - ], - "synonyms": [ - "APT29", - "Cozy Bear", - "NOBELIUM" - ] - }, - "uuid": "31982812-c8bf-5e85-b0ba-0c64a7d05d20", - "value": "Midnight Blizzard" - }, - { - "meta": { - "country": "RU", - "refs": [ - "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" - ], - "synonyms": [ - "IRIDIUM", - "Sandworm" - ] - }, - "uuid": "473eb51c-36cb-5e3a-8347-2f57df809be9", - "value": "Seashell Blizzard" - }, - { - "meta": { - "country": "RU", 
- "refs": [ - "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" - ], - "synonyms": [ - "Callisto", - "Reuse Team", - "SEABORGIUM" - ] - }, - "uuid": "06630ccd-98ed-5aec-8083-e04c894bd2d6", - "value": "Star Blizzard" - }, - { - "meta": { - "country": "RU", - "refs": [ - "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" - ], - "synonyms": [ - "DEV-0665" - ] - }, - "uuid": "79f8646f-d127-51b7-b502-b096b445c322", - "value": "Sunglow Blizzard" - }, - { - "meta": { - "country": "KR", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" ], + "sector": "South Korea", "synonyms": [ "DUBNIUM", "Dark Hotel", @@ -1175,36 +1323,7 @@ }, "uuid": "0a4ddab3-a1a6-5372-b11f-5edc25c0e548", "value": "Zigzag Hail" - }, - { - "meta": { - "country": "TR", - "refs": [ - "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" - ], - "synonyms": [ - "SILICON", - "Sea Turtle" - ] - }, - "uuid": "fc91881e-92c0-5a63-a0b9-b253958a594e", - "value": "Marbled Dust" - }, - { - "meta": { - "country": "VN", - "refs": [ - "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" - ], - "synonyms": [ - "APT32", - "BISMUTH", - "OceanLotus" - ] - }, - "uuid": "37808cab-cbb3-560b-bebd-375fa328ea1e", - "value": "Canvas Cyclone" } ], - "version": 13 + "version": 14 }