jq

clusters/threat-actor.json

@@ -3519,7 +3519,7 @@
           "tags": [
             "estimative-language:likelihood-probability=\"likely\""
           ],
-          "type": "similar",
+          "type": "similar"
         }
       ],
       "uuid": "647894f6-1723-4cba-aba4-0ef0966d5302",
@@ -6988,7 +6988,6 @@
       "value": "BlackTech"
     },
     {
-      "value": "FIN5",
       "description": "FIN5 is a financially motivated threat group that has targeted personally identifiable information and payment card information. The group has been active since at least 2008 and has targeted the restaurant, gaming, and hotel industries. The group is made up of actors who likely speak Russian.",
       "meta": {
         "refs": [
@@ -6996,10 +6995,10 @@
           "https://attack.mitre.org/groups/G0053/"
         ]
       },
-      "uuid": "44dc2f9c-8c28-11e9-9b9a-7fdced8cbf70"
+      "uuid": "44dc2f9c-8c28-11e9-9b9a-7fdced8cbf70",
+      "value": "FIN5"
     },
     {
-      "value": "FIN10",
       "description": "FireEye has observed multiple targeted intrusions occurring in North America — predominately in Canada — dating back to at least 2013 and continuing through at least 2016, in which the attacker(s) have compromised organizations’ networks and sought to monetize this illicit access by exfiltrating sensitive data and extorting victim organizations. In some cases, when the extortion demand was not met, the attacker(s) destroyed production Windows systems by deleting critical operating system files and then shutting down the impacted systems. Based on near parallel TTPs used by the attacker(s) across these targeted intrusions, we believe these clusters of activity are linked to a single, previously unobserved actor or group that we have dubbed FIN10.",
       "meta": {
         "refs": [
@@ -7007,10 +7006,10 @@
           "https://attack.mitre.org/groups/G0051/"
         ]
       },
-      "uuid": "f2d02410-8c2c-11e9-8df1-a31c1fb33d79"
+      "uuid": "f2d02410-8c2c-11e9-8df1-a31c1fb33d79",
+      "value": "FIN10"
     },
     {
-      "value": "GhostNet",
       "description": "Cyber espionage is an issue whose time has come. In this second report from the Information Warfare Monitor, we lay out the findings of a 10-month investigation of alleged Chinese cyber spying against Tibetan institutions. The investigation, consisting of fieldwork, technical scouting, and laboratory analysis, discovered a lot more. The investigation ultimately uncovered a network of over 1,295 infected hosts in 103 countries. Up to 30% of the infected hosts are considered high-value targets and include computers located at ministries of foreign affairs, embassies, international organizations, news media, and NGOs. The Tibetan computer systems we manually investigated, and from which our investigations began, were conclusively compromised by multiple infections that gave attackers unprecedented access to potentially sensitive information.\nAttacks on the Dalai Lama’s Private Office The OHHDL started to suspect it was under surveillance while setting up meetings be-tween His Holiness and foreign dignitaries. They sent an email invitation on behalf of His Holiness to a foreign diplomat, but before they could follow it up with a courtesy telephone call, the diplomat’s office was contacted by the Chinese government and warned not to go ahead with the meeting. The Tibetans wondered whether a computer compromise might be the explanation; they called ONI Asia who called us. (Until May 2008, the first author was employed on a studentship funded by the OpenNet Initiative and the second author was a principal investigator for ONI.)",
       "meta": {
         "refs": [
@@ -7022,10 +7021,10 @@
           "Snooping Dragon"
         ]
       },
-      "uuid": "cacf2ffc-8c49-11e9-895e-7f5bf9c2ff6d"
+      "uuid": "cacf2ffc-8c49-11e9-895e-7f5bf9c2ff6d",
+      "value": "GhostNet"
     },
     {
-      "value": "GozNym",
       "description": "IBM X-Force Research uncovered a Trojan hybrid spawned from the Nymaim and Gozi ISFB malware. It appears that the operators of Nymaim have recompiled its source code with part of the Gozi ISFB source code, creating a combination that is being actively used in attacks against more than 24 U.S. and Canadian banks, stealing millions of dollars so far. X-Force named this new hybrid GozNym. The new GozNym hybrid takes the best of both the Nymaim and Gozi ISFB malware to create a powerful Trojan. From the Nymaim malware, it leverages the dropper’s stealth and persistence; the Gozi ISFB parts add the banking Trojan’s capabilities to facilitate fraud via infected Internet browsers. The end result is a new banking Trojan in the wild.",
       "meta": {
         "refs": [
@@ -7035,10 +7034,10 @@
           "https://www.europol.europa.eu/newsroom/news/goznym-malware-cybercriminal-network-dismantled-in-international-operation"
         ]
       },
-      "uuid": "7803b380-8c4c-11e9-90a1-f3880ab3aaa0"
+      "uuid": "7803b380-8c4c-11e9-90a1-f3880ab3aaa0",
+      "value": "GozNym"
     },
     {
-      "value": "Group5",
       "description": "A threat actor using Iranian-language tools, Iranian hosting companies, operating from the Iranian IP space at times was observed targeting the Syrian opposition in an elaborately staged malware operation, Citizen Lab researchers reveal.\nThe operation was first noticed in late 2015, when a member of the Syrian opposition flagged a suspicious email containing a PowerPoint slideshow, which led researchers to a watering hole website with malicious programs, malicious PowerPoint files, and Android malware.\nThe threat actor was targeting Windows and Android devices of well-connected individuals in the Syrian opposition, researchers discovered. They called the actor Group5, because it targets Syrian opposition after regime-linked malware groups, the Syrian Electronic Army, ISIS (also known as the Islamic State or ISIL), and a group linked to Lebanon did the same in the past",
       "meta": {
         "refs": [
@@ -7046,7 +7045,8 @@
           "https://attack.mitre.org/groups/G0043/"
         ]
       },
-      "uuid": "bc8390aa-8c4e-11e9-a9cb-e37c361210af"
+      "uuid": "bc8390aa-8c4e-11e9-a9cb-e37c361210af",
+      "value": "Group5"
     }
   ],
   "version": 112