Merge pull request #762 from r0ny123/CN

Update threat-actor.json
pull/766/head
Alexandre Dulaunoy 2022-09-06 09:50:06 +02:00 committed by GitHub
commit 33f19bf8c1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 163 additions and 155 deletions


@ -53,7 +53,8 @@
"https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=f1265df5-6e5e-4fcc-9828-d4ddbbafd3d7&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
"https://attack.mitre.org/groups/G0006/",
"https://www.nytimes.com/2014/05/20/us/us-to-charge-chinese-workers-with-cyberspying.html",
"https://www.mandiant.com/resources/insights/apt-groups"
"https://www.mandiant.com/resources/insights/apt-groups",
"https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf"
],
"synonyms": [
"COMMENT PANDA",
@ -98,50 +99,6 @@
"uuid": "0b06fb39-ed3d-4868-ac42-12fff6df2c80",
"value": "Nitro"
},
{
"description": "The New York Times described Codoso as: 'A collection of hackers for hire that the security industry has been tracking for years. Over the years, the group has breached banks, law firms and tech companies, and once hijacked the Forbes website to try to infect visitors computers with malware.'",
"meta": {
"attribution-confidence": "50",
"country": "CN",
"refs": [
"https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks",
"http://researchcenter.paloaltonetworks.com/2016/01/new-attacks-linked-to-c0d0s0-group/",
"https://www.nytimes.com/2016/06/12/technology/the-chinese-hackers-in-the-back-office.html",
"https://www.ncsc.gov.uk/content/files/protected_files/article_files/Joint%20report%20on%20publicly%20available%20hacking%20tools%20%28NCSC%29.pdf",
"https://www.mandiant.com/resources/insights/apt-groups"
],
"synonyms": [
"C0d0so",
"Codoso",
"Sunshop Group"
]
},
"related": [
{
"dest-uuid": "066d25c1-71bd-4bd4-8ca7-edbba00063f4",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "0286e80e-b0ed-464f-ad62-beec8536d0cb",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "a653431d-6a5e-4600-8ad3-609b5af57064",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "103ebfd8-4280-4027-b61a-69bd9967ad6c",
"value": "APT19"
},
{
"meta": {
"refs": [
@ -171,6 +128,9 @@
"country": "CN",
"refs": [
"http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf"
],
"synonyms": [
"Red Chimera"
]
},
"uuid": "ba8973b2-fd97-4aa7-9307-ea4838d96428",
@ -259,7 +219,8 @@
"http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf",
"https://www.cfr.org/interactive/cyber-operations/putter-panda",
"https://attack.mitre.org/groups/G0024",
"https://www.mandiant.com/resources/insights/apt-groups"
"https://www.mandiant.com/resources/insights/apt-groups",
"https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf"
],
"synonyms": [
"PLA Unit 61486",
@ -304,18 +265,19 @@
"https://web.archive.org/web/20160910124439/http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong",
"https://www.cfr.org/interactive/cyber-operations/apt-3",
"https://www.secureworks.com/research/threat-profiles/bronze-mayfair",
"https://www.mandiant.com/resources/insights/apt-groups"
"https://www.mandiant.com/resources/insights/apt-groups",
"https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf"
],
"synonyms": [
"GOTHIC PANDA",
"TG-0110",
"Group 6",
"UPS",
"APT3",
"Buckeye",
"Boyusec",
"BORON",
"BRONZE MAYFAIR"
"BRONZE MAYFAIR",
"Red Sylvan"
]
},
"related": [
@ -569,7 +531,6 @@
"synonyms": [
"DYNAMITE PANDA",
"TG-0416",
"APT 18",
"SCANDIUM",
"PLA Navy",
"Wekby",
@ -631,19 +592,30 @@
"https://www.cyberscoop.com/anthem-breach-indictment-chinese-national/",
"https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/black-vine-cyberespionage-group-15-en.pdf",
"https://attack.mitre.org/groups/G0009/",
"https://www.secureworks.com/research/threat-profiles/bronze-firestone"
"https://www.secureworks.com/research/threat-profiles/bronze-firestone",
"https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks",
"http://researchcenter.paloaltonetworks.com/2016/01/new-attacks-linked-to-c0d0s0-group/",
"https://www.nytimes.com/2016/06/12/technology/the-chinese-hackers-in-the-back-office.html",
"https://www.ncsc.gov.uk/content/files/protected_files/article_files/Joint%20report%20on%20publicly%20available%20hacking%20tools%20%28NCSC%29.pdf",
"https://www.mandiant.com/resources/insights/apt-groups",
"https://www.mandiant.com/resources/blog/phished-at-the-request-of-counsel",
"https://www.youtube.com/watch?v=FC9ARZIZglI"
],
"synonyms": [
"DEEP PANDA",
"Codoso",
"WebMasters",
"APT19",
"KungFu Kittens",
"Black Vine",
"TEMP.Avengers",
"Group 13",
"PinkPanther",
"Sh3llCr3w",
"Shell Crew",
"BRONZE FIRESTONE",
"G0009"
"G0009",
"G0073",
"Pupa",
"Sunshop Group"
]
},
"related": [
@ -655,14 +627,7 @@
"type": "similar"
},
{
"dest-uuid": "0286e80e-b0ed-464f-ad62-beec8536d0cb",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "103ebfd8-4280-4027-b61a-69bd9967ad6c",
"dest-uuid": "fe8796a4-2a02-41a0-9d27-7aa1e995feb6",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
@ -670,7 +635,7 @@
}
],
"uuid": "066d25c1-71bd-4bd4-8ca7-edbba00063f4",
"value": "Shell Crew"
"value": "APT19"
},
{
"description": "Kaspersky described Naikon in a 2015 report as: 'The Naikon group is mostly active in countries such as the Philippines, Malaysia, Cambodia, Indonesia, Vietnam, Myanmar, Singapore, and Nepal, hitting a variety of targets in a very opportunistic way.'",
@ -715,7 +680,8 @@
"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf",
"https://attack.mitre.org/wiki/Group/G0013",
"https://www.mandiant.com/sites/default/files/2021-09/rpt-apt30.pdf",
"https://www.mandiant.com/resources/insights/apt-groups"
"https://www.mandiant.com/resources/insights/apt-groups",
"https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf"
],
"synonyms": [
"PLA Unit 78020",
@ -819,35 +785,8 @@
"https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/",
"https://www.crowdstrike.com/blog/storm-chasing/",
"https://www.crowdstrike.com/blog/cyber-deterrence-in-action-a-story-of-one-long-hurricane-panda-campaign/"
],
"synonyms": [
"Black Vine",
"TEMP.Avengers"
]
},
"related": [
{
"dest-uuid": "a653431d-6a5e-4600-8ad3-609b5af57064",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "066d25c1-71bd-4bd4-8ca7-edbba00063f4",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "103ebfd8-4280-4027-b61a-69bd9967ad6c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "0286e80e-b0ed-464f-ad62-beec8536d0cb",
"value": "HURRICANE PANDA"
},
@ -898,7 +837,9 @@
"https://attack.mitre.org/groups/G0027/",
"https://www.secureworks.com/research/threat-profiles/bronze-union",
"https://unit42.paloaltonetworks.com/atoms/iron-taurus/",
"https://www.mandiant.com/resources/insights/apt-groups"
"https://www.mandiant.com/resources/insights/apt-groups",
"https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
"https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/"
],
"synonyms": [
"GreedyTaotie",
@ -970,7 +911,9 @@
"https://attack.mitre.org/groups/G0045/",
"https://www.secureworks.com/research/threat-profiles/bronze-riverside",
"https://unit42.paloaltonetworks.com/atoms/granite-taurus",
"https://www.mandiant.com/resources/insights/apt-groups"
"https://www.mandiant.com/resources/insights/apt-groups",
"https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
"https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf"
],
"synonyms": [
"STONE PANDAD",
@ -1238,13 +1181,15 @@
"https://securelist.com/the-icefog-apt-hits-us-targets-with-java-backdoor/58209/",
"https://www.cfr.org/interactive/cyber-operations/icefog",
"https://d2538mqrb7brka.cloudfront.net/wp-content/uploads/sites/43/2018/03/20133739/icefog.pdf",
"https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf"
"https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf",
"https://go.recordedfuture.com/hubfs/reports/cta-2021-0616.pdf"
],
"synonyms": [
"IceFog",
"Trident",
"RedFoxtrot",
"Red Wendigo"
"Red Wendigo",
"PLA Unit 69010"
]
},
"uuid": "32c534b9-abec-4823-b223-a810f897b47b",
@ -1266,7 +1211,8 @@
],
"synonyms": [
"PITTY PANDA",
"G0011"
"G0011",
"Temp.Pittytiger"
]
},
"related": [
@ -1429,9 +1375,7 @@
],
"synonyms": [
"VIOLIN PANDA",
"APT 20",
"TH3Bug",
"Twivy",
"Crawling Taurus"
]
},
@ -1508,14 +1452,16 @@
"https://blog.lookout.com/titan-mobile-threat",
"https://attack.mitre.org/groups/G0081/",
"https://www.secureworks.com/research/threat-profiles/bronze-hobart",
"https://www.mandiant.com/resources/insights/apt-groups"
"https://www.mandiant.com/resources/insights/apt-groups",
"https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf"
],
"synonyms": [
"PIRATE PANDA",
"KeyBoy",
"Tropic Trooper",
"BRONZE HOBART",
"G0081"
"G0081",
"Red Orthrus"
]
},
"uuid": "7f16d1f5-04ee-4d99-abf0-87e1f23f9fee",
@ -4519,12 +4465,19 @@
"https://arstechnica.com/information-technology/2017/04/researchers-claim-china-trying-to-hack-south-korea-missile-defense-efforts/",
"https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf",
"https://securelist.com/cactuspete-apt-groups-updated-bisonal-backdoor/97962/",
"https://www.wsj.com/articles/chinas-secret-weapon-in-south-korea-missile-fight-hackers-1492766403"
"https://www.wsj.com/articles/chinas-secret-weapon-in-south-korea-missile-fight-hackers-1492766403",
"https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
"https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
"https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/"
],
"synonyms": [
"CactusPete",
"KARMA PANDA",
"BRONZE HUNTLEY"
"BRONZE HUNTLEY",
"COPPER",
"Red Beifang",
"G0131",
"PLA Unit 65017"
]
},
"uuid": "0ab7c8de-fc23-4793-99aa-7ee336199e26",
@ -4586,7 +4539,9 @@
"https://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/",
"https://attack.mitre.org/groups/G0060/",
"https://www.secureworks.com/research/threat-profiles/bronze-butler",
"https://unit42.paloaltonetworks.com/atoms/stalkertaurus/"
"https://unit42.paloaltonetworks.com/atoms/stalkertaurus/",
"https://twitter.com/iiyonite/status/1384431491485155331",
"https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/"
],
"synonyms": [
"Nian",
@ -4594,7 +4549,8 @@
"REDBALDKNIGHT",
"STALKER PANDA",
"G0060",
"Stalker Taurus"
"Stalker Taurus",
"PLA Unit 61419"
]
},
"related": [
@ -4615,7 +4571,8 @@
"country": "CN",
"refs": [
"https://www.secureworks.com/research/threat-profiles/bronze-express",
"https://www.uscc.gov/sites/default/files/2022-02/Adam_Kozy_Testimony.pdf"
"https://www.uscc.gov/sites/default/files/2022-02/Adam_Kozy_Testimony.pdf",
"https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf"
],
"synonyms": [
"Hippo Team",
@ -5127,20 +5084,6 @@
"uuid": "430ba885-cd24-492e-804c-815176ed9b1e",
"value": "MAGNETIC SPIDER"
},
{
"description": "Arbors ASERT team is now reporting that, after looking deeper at that particular campaign, and by exposing a new trail in the groups activities, they managed to identify a new RAT that was undetectable at that time by most antivirus vendors.\nNamed Trochilus, this new RAT was part of Group 27s malware portfolio that included six other malware strains, all served together or in different combinations, based on the data that needed to be stolen from each victim.\nThis collection of malware, dubbed the Seven Pointed Dagger by ASERT experts, included two different PlugX versions, two different Trochilus RAT versions, one version of the 3012 variant of the 9002 RAT, one EvilGrab RAT version, and one unknown piece of malware, which the team has not entirely decloaked just yet.",
"meta": {
"attribution-confidence": "50",
"country": "CN",
"refs": [
"https://app.box.com/s/z1uanuv1vn3vw5iket1r6bqrmlra0gpn",
"https://news.softpedia.com/news/trochilus-rat-evades-antivirus-detection-used-for-cyber-espionage-in-south-east-asia-498776.shtml",
"https://unit42.paloaltonetworks.com/unit42-trochilus-rat-new-moonwind-rat-used-attack-thai-utility-organizations/"
]
},
"uuid": "73e4728a-955e-426a-b144-8cb95131f2ca",
"value": "Group 27"
},
{
"meta": {
"refs": [
@ -5554,7 +5497,9 @@
"https://www.consilium.europa.eu/en/press/press-releases/2021/07/19/declaration-by-the-high-representative-on-behalf-of-the-eu-urging-china-to-take-action-against-malicious-cyber-activities-undertaken-from-its-territory",
"https://www.mandiant.com/resources/insights/apt-groups",
"https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi",
"https://decoded.avast.io/threatintel/outbreak-of-follina-in-australia"
"https://decoded.avast.io/threatintel/outbreak-of-follina-in-australia",
"https://www.proofpoint.com/us/blog/threat-insight/chasing-currents-espionage-south-china-sea",
"https://www.accenture.com/_acnmedia/pdf-96/accenture-security-mudcarp.pdf"
],
"synonyms": [
"TEMP.Periscope",
@ -5564,7 +5509,11 @@
"GADOLINIUM",
"KRYPTONITE PANDA",
"G0065",
"ATK29"
"ATK29",
"TA423",
"Red Ladon",
"ITG09",
"MUDCARP"
]
},
"related": [
@ -6072,7 +6021,9 @@
"https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/",
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
"https://www.secureworks.com/research/threat-profiles/bronze-president",
"https://www.darkreading.com/threat-intelligence/chinese-apt-bronze-president-spy-campaign-russian-military"
"https://www.darkreading.com/threat-intelligence/chinese-apt-bronze-president-spy-campaign-russian-military",
"https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
"https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf"
],
"synonyms": [
"BRONZE PRESIDENT",
@ -6936,7 +6887,8 @@
"https://twitter.com/bkMSFT/status/1417823714922610689",
"https://www.mandiant.com/resources/insights/apt-groups",
"https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf",
"https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi"
"https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi",
"https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf"
],
"synonyms": [
"ZIRCONIUM",
@ -6992,7 +6944,8 @@
"https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/palmerworm-blacktech-espionage-apt",
"https://unit42.paloaltonetworks.com/atoms/mangataurus/",
"https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf"
"https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf",
"https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf"
],
"synonyms": [
"CIRCUIT PANDA",
@ -7108,7 +7061,13 @@
"meta": {
"refs": [
"https://vx-underground.org/papers/luckycat-hackers-12-en.pdf",
"https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_luckycat_redux.pdf"
"https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_luckycat_redux.pdf",
"https://www.proofpoint.com/us/blog/threat-insight/ta413-leverages-new-friarfox-browser-extension-target-gmail-accounts-global",
"https://www.proofpoint.com/us/blog/threat-insight/chinese-apt-ta413-resumes-targeting-tibet-following-covid-19-themed-economic"
],
"synonyms": [
"TA413",
"White Dev 9"
]
},
"uuid": "e502802e-8d0a-11e9-bd72-9f046529b3fd",
@ -7445,10 +7404,12 @@
"https://www.cfr.org/cyber-operations/apt-41",
"https://attack.mitre.org/groups/G0096",
"https://www.uscc.gov/sites/default/files/2022-02/Adam_Kozy_Testimony.pdf",
"https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf"
"https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf",
"https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
"https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
"https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/"
],
"synonyms": [
"Double Dragon",
"G0096",
"TA415",
"Blackfly",
@ -7515,10 +7476,13 @@
"meta": {
"refs": [
"https://citizenlab.ca/2019/09/poison-carp-tibetan-groups-targeted-with-1-click-mobile-exploits/",
"https://www.volexity.com/blog/2019/09/02/digital-crackdown-large-scale-surveillance-and-exploitation-of-uyghurs/"
"https://www.volexity.com/blog/2019/09/02/digital-crackdown-large-scale-surveillance-and-exploitation-of-uyghurs/",
"https://www.trendmicro.com/en_us/research/20/f/new-android-spyware-actionspy-revealed-via-phishing-attacks-from-earth-empusa.html"
],
"synonyms": [
"Evil Eye"
"Evil Eye",
"Red Dev 16",
"Earth Empusa"
]
},
"uuid": "7aa99279-4255-4d26-bb95-12e7156555a0",
@ -7575,7 +7539,8 @@
"description": "For the first time, the activity of the Calypso group was detected by specialists of PT Expert Security Center in March 2019, during the work to detect cyber threats. As a result, many malware samples of this group were obtained, affected organizations and control servers of intruders were identified. According to our data, the group has been active since at least September 2016. The main goal of the group is to steal confidential data, the main victims are government agencies from Brazil, India, Kazakhstan, Russia, Thailand, Turkey. Our data suggest that the group has Asian roots. Description translated from Russian.",
"meta": {
"refs": [
"https://www.ptsecurity.com/upload/corporate/ru-ru/analytics/calypso-apt-2019-rus.pdf"
"https://www.ptsecurity.com/upload/corporate/ru-ru/analytics/calypso-apt-2019-rus.pdf",
"https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/"
],
"synonyms": [
"BRONZE MEDLEY"
@ -8007,17 +7972,6 @@
"uuid": "e400b6c5-77cf-453d-ba0f-44575583ac6c",
"value": "GALLIUM"
},
{
"description": "Proofpoint researchers observed a phishing campaign impersonating the World Health Organizations (WHO) guidance on COVID-19 critical preparedness to deliver a new malware family that researchers have dubbed Sepulcher. This campaign targeted European diplomatic and legislative bodies, non-profit policy research organizations, and global organizations dealing with economic affairs. Additionally, a sender email identified in this campaign has been linked to historic Chinese APT targeting of the international Tibetan community using payloads linked to LuckyCat malware. Subsequently, a phishing campaign from July 2020 targeting Tibetan dissidents was identified delivering the same strain of Sepulcher malware. Operator email accounts identified in this campaign have been publicly linked to historic Chinese APT campaigns targeting the Tibetan community delivering ExileRAT malware. Based on the use of publicly known sender addresses associated with Tibetan dissident targeting and the delivery of Sepulcher malware payloads, Proofpoint researchers have attributed both campaigns to the APT actor TA413, which has previously been documented in association with ExileRAT. The usage of publicly known Tibetan-themed sender accounts to deliver Sepulcher malware demonstrates a short-term realignment of TA413s targets of interest. While best known for their campaigns against the Tibetan diaspora, this APT group associated with the Chinese state interest prioritized intelligence collection around Western economies reeling from COVID-19 in March 2020 before resuming more conventional targeting later this year.",
"meta": {
"country": "CN",
"refs": [
"https://www.proofpoint.com/us/blog/threat-insight/chinese-apt-ta413-resumes-targeting-tibet-following-covid-19-themed-economic"
]
},
"uuid": "cbf94f8d-20f2-45a0-b78b-54715b6b4e18",
"value": "TA413"
},
{
"description": "ESET has analyzed the operations of Evilnum, the APT group behind the Evilnum malware previously seen in attacks against financial technology companies. While said malware has been seen in the wild since at least 2018 and documented previously, little has been published about the group behind it and how it operates. The groups targets remain fintech companies, but its toolset and infrastructure have evolved and now consist of a mix of custom, homemade malware combined with tools purchased from Golden Chickens, a Malware-as-a-Service (MaaS) provider whose infamous customers include FIN6 and Cobalt Group.",
"meta": {
@ -8135,14 +8089,12 @@
"https://i.blackhat.com/USA-20/Thursday/us-20-Chen-Operation-Chimera-APT-Operation-Targets-Semiconductor-Vendors.pdf",
"https://www.wired.com/story/chinese-hackers-taiwan-semiconductor-industry-skeleton-key/",
"https://cycraft.com/download/%5BTLP-White%5D20200415%20Chimera_V4.1.pdf",
"https://medium.com/cycraft/taiwan-high-tech-ecosystem-targeted-by-foreign-apt-group-5473d2ad8730"
],
"threat-actor-classification": [
"operation"
"https://medium.com/cycraft/taiwan-high-tech-ecosystem-targeted-by-foreign-apt-group-5473d2ad8730",
"https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf"
]
},
"uuid": "c8b961fe-3698-41ac-aba1-002ee3c19531",
"value": "Operation Skeleton Key"
"value": "Red Charon"
},
{
"description": "Reporting regarding activity related to the SolarWinds supply chain injection has grown quickly since initial disclosure on 13 December 2020. A significant amount of press reporting has focused on the identification of the actor(s) involved, victim organizations, possible campaign timeline, and potential impact. The US Government and cyber community have also provided detailed information on how the campaign was likely conducted and some of the malware used. MITREs ATT&CK team — with the assistance of contributors — has been mapping techniques used by the actor group, referred to as UNC2452/Dark Halo by FireEye and Volexity respectively, as well as SUNBURST and TEARDROP malware.",
@ -8230,7 +8182,8 @@
"https://www.rnz.co.nz/news/political/447239/government-points-finger-at-china-over-cyber-attacks",
"https://www.gov.uk/government/news/uk-and-allies-hold-chinese-state-responsible-for-a-pervasive-pattern-of-hacking",
"https://www.foreignminister.gov.au/minister/marise-payne/media-release/australia-joins-international-partners-attribution-malicious-cyber-activity-china",
"https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi"
"https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi",
"https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf"
],
"synonyms": [
"ATK233",
@ -8907,7 +8860,6 @@
"value": "Scarab"
},
{
"description": "",
"meta": {
"cfr-suspected-victims": [
"Kurdistan"
@ -9145,7 +9097,10 @@
"refs": [
"https://www.bleepingcomputer.com/news/security/new-toddycat-apt-group-targets-exchange-servers-in-asia-europe/",
"https://securelist.com/toddycat/106799/",
"https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/"
"https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/",
"https://gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html",
"https://community.riskiq.com/article/d8b749f2",
"https://teamt5.org/en/posts/assassinations-of-minininja-in-various-apac-countries/"
],
"synonyms": [
"Websiic"
@ -9313,7 +9268,8 @@
"https://www.sentinelone.com/wp-content/uploads/2021/08/SentinelOne_-SentinelLabs_ShadowPad_WP_V2.pdf",
"https://www.pwc.co.uk/issues/cyber-security-services/research/chasing-shadows.html",
"https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools",
"https://decoded.avast.io/luigicamastra/backdoored-client-from-mongolian-ca-monpass"
"https://decoded.avast.io/luigicamastra/backdoored-client-from-mongolian-ca-monpass",
"https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf"
],
"synonyms": [
"CHROMIUM",
@ -9384,11 +9340,15 @@
"refs": [
"https://otx.alienvault.com/pulse/55bbc68e67db8c2d547ae393",
"https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf",
"https://www.mandiant.com/resources/insights/apt-groups"
"https://www.mandiant.com/resources/insights/apt-groups",
"https://app.box.com/s/z1uanuv1vn3vw5iket1r6bqrmlra0gpn",
"https://news.softpedia.com/news/trochilus-rat-evades-antivirus-detection-used-for-cyber-espionage-in-south-east-asia-498776.shtml",
"https://unit42.paloaltonetworks.com/unit42-trochilus-rat-new-moonwind-rat-used-attack-thai-utility-organizations/"
],
"synonyms": [
"NIGHTSHADE PANDA",
"Red Pegasus"
"Red Pegasus",
"Group 27"
]
},
"uuid": "7e6d82a4-3b7d-4c24-a2c5-e211ce6eafc5",
@ -9531,7 +9491,8 @@
"https://securelist.com/apt-trends-report-q2-2019/91897",
"https://securelist.com/apt-trends-report-q2-2020/97937",
"https://securelist.com/it-threat-evolution-q2-2020/98230",
"https://securelist.com/apt-trends-report-q3-2021/104708"
"https://securelist.com/apt-trends-report-q3-2021/104708",
"https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/"
],
"synonyms": [
"SixLittleMonkeys"
@ -9549,7 +9510,8 @@
"https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_301_shui-leon_en.pdf",
"https://blogs.jpcert.or.jp/en/2021/10/windealer.html",
"https://securelist.com/windealer-dealing-on-the-side/105946",
"https://blogs.blackberry.com/en/2022/06/threat-thursday-china-based-apt-plays-auto-updater-card-to-deliver-windealer-malware"
"https://blogs.blackberry.com/en/2022/06/threat-thursday-china-based-apt-plays-auto-updater-card-to-deliver-windealer-malware",
"https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf"
],
"synonyms": [
"LuoYu"
@ -9706,7 +9668,53 @@
],
"uuid": "4245e4cd-a57a-4e0b-9853-acaa549d495d",
"value": "PARINACOTA"
},
{
"description": "In 2021, PwC started tracking a series of intrusions under the moniker of Red Dev 17 that they assess were highly likely conducted by a China-based threat actor. Their analysis suggests Red Dev 17 has been active since at least 2017. Red Dev 17's observed targets are mainly in India, and include the Indian military, a multinational India-based technology company, and a state energy company. They assess that it is highly probable that the threat actor behind intrusions associated with Red Dev 17 is also responsible for the campaign known in open source as Operation NightScout. Red Dev 17 is a user of the 8.t document weaponisation framework (also known as RoyalRoad), and abuses benign utilities such as Logitech or Windows Defender binaries to sideload and execute Chinoxy or PoisonIvy variants on victim systems. They identified capability and infrastructure links between Red Dev 17 and the threat actor they call Red Hariasa (aka FunnyDream APT), as well as infrastructure overlaps with Red Wendigo (aka Icefog, RedFoxtrot), and with ShadowPad C2 servers. At this time, they do not have sufficient evidence to directly link Red Dev 17 to any of these threat actors. However, They assess with realistic probability that Red Dev 17 operates within a cluster of threat actors that share tools and infrastructure, as well as a strong targeting focus on Southeast Asia and Central Asia.",
"meta": {
"cfr-suspected-victims": [
"India"
],
"cfr-target-category": [
"High-Tech",
"Military",
"Energy"
],
"country": "CN",
"refs": [
"https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf",
"https://www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain-attack-online-gaming-asia/"
]
},
"uuid": "50d61877-bfc7-4c65-980e-c0589b5561fa",
"value": "Red Dev 17"
},
{
"description": "SentinelLabs has uncovered a cluster of activity beginning at least as far back as 2013 and continuing to the present day, primarily targeting organizations in Southeast Asia and Australia. They assess that the threat actor's primary focus is espionage and relates to targets in Australia, Cambodia, Hong Kong, Singapore, and Vietnam. We track this activity as 'Aoqin Dragon'. The threat actor has a history of using document lures with pornographic themes to infect users and makes heavy use of USB shortcut techniques to spread the malware and infect additional targets. Attacks attributable to Aoqin Dragon typically drop one of two backdoors, Mongall and a modified version of the open source Heyoka project.",
"meta": {
"cfr-suspected-victims": [
"Australia",
"Cambodia",
"Hong Kong",
"Singapore",
"Vietnam"
],
"cfr-target-category": [
"Government",
"Education",
"Telecommunications"
],
"country": "CN",
"refs": [
"https://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/"
],
"synonyms": [
"UNC94"
]
},
"uuid": "fa1fdccb-1a06-4607-bd45-1a7df4db02d7",
"value": "Aoqin Dragon"
}
],
"version": 244
"version": 245
}
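Review bot: Three clusters are deleted outright rather than retired — the old APT19/Codoso entry (uuid 103ebfd8-4280-4027-b61a-69bd9967ad6c, hunk @ -98,50), Group 27 (uuid 73e4728a-955e-426a-b144-8cb95131f2ca, hunk @ -5127,20) and TA413 (uuid cbf94f8d-20f2-45a0-b78b-54715b6b4e18, hunk @ -8007,17) — so any event already tagged with those galaxy UUIDs, and any `dest-uuid` still pointing at them from a cluster outside this diff, stops resolving once the galaxy is updated. The merge targets (the renamed Shell Crew entry 066d25c1-71bd-4bd4-8ca7-edbba00063f4, NIGHTSHADE PANDA and the Luckycat entry e502802e-8d0a-11e9-bd72-9f046529b3fd) carry the names forward as synonyms, but the stable identifiers do not. Grep the file for the three removed UUIDs before merging and either keep each as a minimal stub whose `related` entry of `"type": "similar"` points at the surviving cluster, or record the UUID migration in the commit description so downstream instances can remap their tags. The same check applies to the new `"dest-uuid": "fe8796a4-2a02-41a0-9d27-7aa1e995feb6"` in hunk @ -655,14: no cluster with that uuid appears in this diff, so confirm it exists in the file (presumably a MITRE-derived cluster) rather than introducing a dangling reference. HURRICANE PANDA (uuid 0286e80e-b0ed-464f-ad62-beec8536d0cb) keeps its uuid but loses its synonyms and every `related` link in hunk @ -819,35, leaving no stated connection to the APT19 cluster that absorbed them; if they are meant to be the same actor, a `"type": "similar"` relation in at least one direction would preserve that.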