Merge "red october" and "cloud atlas" to inception framework"

2022-08-16 09:30:29 +00:00 · 2022-08-16 09:30:29 +00:00 · 370045b01d
parent 62b168600f
commit 370045b01d
1 changed files with 42 additions and 76 deletions
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@ -6264,33 +6264,66 @@
      "description": "This threat actor uses spear-phishing techniques to target private-sector energy, defense, aerospace, research, and media organizations and embassies in Africa, Europe, and the Middle East, for the purpose of espionage.",
      "meta": {
        "attribution-confidence": "50",
-        "cfr-suspected-state-sponsor": "Unknown",
+        "cfr-suspected-state-sponsor": "Russian Federation",
        "cfr-suspected-victims": [
-          "South Africa",
-          "Malaysia",
+          "Afghanistan",
+          "Armenia",
+          "Azerbaijan",
+          "Belarus",
+          "Belgium",
+          "Czech Republic",
+          "Greece",
+          "India",
+          "Iran",
+          "Italy",
+          "Kazakhstan",
          "Kenya",
+          "Malaysia",
+          "Russia",
+          "South Africa",
          "Suriname",
-          "United Kingdom"
+          "Turkmenistan",
+          "Ukraine",
+          "United Kingdom",
+          "United States",
+          "Vietnam"
        ],
        "cfr-target-category": [
          "Government",
          "Private sector"
        ],
        "cfr-type-of-incident": "Espionage",
+        "country": "RU",
        "refs": [
          "https://www.cfr.org/interactive/cyber-operations/inception-framework",
          "https://web.archive.org/web/20160710180729/https://www.bluecoat.com/security-blog/2014-12-09/blue-coat-exposes-%E2%80%9C-inception-framework%E2%80%9D-very-sophisticated-layered-malware",
          "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/Inception_APT_Analysis_Bluecoat.pdf",
-          "https://logrhythm.com/blog/catching-the-inception-framework-phishing-attack/",
+          "https://logrhythm.com/blog/catching-the-inception-framework-phishing-attack",
          "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/bcs_wp_InceptionReport_EN_v12914.pdf",
-          "https://securelist.com/red-october-diplomatic-cyber-attacks-investigation/36740/",
+          "https://securelist.com/the-red-october-campaign/57647",
+          "https://securelist.com/red-october-diplomatic-cyber-attacks-investigation/36740",
+          "https://securelist.com/red-october-part-two-the-modules/57645",
+          "https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083",
+          "https://securelist.com/an-undocumented-word-feature-abused-by-attackers/81899",
+          "https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability",
+          "https://securelist.com/recent-cloud-atlas-activity/92016",
          "https://www.symantec.com/blogs/threat-intelligence/inception-framework-hiding-behind-proxies",
-          "https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/",
          "https://www.akamai.com/uk/en/multimedia/documents/white-paper/upnproxy-blackhat-proxies-via-nat-injections-white-paper.pdf",
-          "https://unit42.paloaltonetworks.com/atoms/clean-ursa/"
+          "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
+          "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-annex-download.pdf",
+          "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf",
+          "https://unit42.paloaltonetworks.com/atoms/clean-ursa",
+          "https://www.cfr.org/interactive/cyber-operations/cloud-atlas",
+          "https://www.cfr.org/cyber-operations/red-october",
+          "https://attack.mitre.org/groups/G0100"
        ],
        "synonyms": [
-          "Clean Ursa"
+          "Clean Ursa",
+          "Cloud Atlas",
+          "OXYGEN",
+          "G0100",
+          "ATK116",
+          "Blue Odin"
        ]
      },
      "uuid": "71ef51ca-a791-11e8-a026-07980ca910ca",
@ -6489,73 +6522,6 @@
      "uuid": "75ae52b2-bca3-11e8-af90-a78f33eee6c1",
      "value": "Operation BugDrop"
    },
-    {
-      "description": "This threat actor targets governments, diplomatic missions, academics, and energy and aerospace organizations for the purpose of espionage. Also known as the Rocra and believed to be the same threat actor as Cloud Atlas",
-      "meta": {
-        "attribution-confidence": "50",
-        "cfr-suspected-state-sponsor": "Russian Federation",
-        "cfr-suspected-victims": [
-          "Russia",
-          "Belgium",
-          "Armenia",
-          "Ukraine",
-          "Belarus",
-          "Kazakhstan",
-          "India",
-          "Iran",
-          "United States",
-          "Greece",
-          "Azerbaijan",
-          "Afghanistan",
-          "Turkmenistan",
-          "Vietnam",
-          "Italy"
-        ],
-        "cfr-target-category": [
-          "Government",
-          "Private sector"
-        ],
-        "cfr-type-of-incident": "Espionage",
-        "country": "RU",
-        "refs": [
-          "https://www.cfr.org/interactive/cyber-operations/red-october"
-        ],
-        "synonyms": [
-          "the Rocra"
-        ]
-      },
-      "uuid": "358b8982-bcaa-11e8-8a5b-4b618197c5b0",
-      "value": "Red October"
-    },
-    {
-      "description": "This threat actor targets governments and diplomatic organizations for espionage purposes.",
-      "meta": {
-        "attribution-confidence": "50",
-        "cfr-suspected-state-sponsor": "Russian Federation",
-        "cfr-suspected-victims": [
-          "Russia",
-          "India",
-          "Kazakhstan",
-          "Czech Republic",
-          "Belarus"
-        ],
-        "cfr-target-category": [
-          "Government"
-        ],
-        "cfr-type-of-incident": "Espionage",
-        "country": "RU",
-        "refs": [
-          "https://www.cfr.org/interactive/cyber-operations/cloud-atlas",
-          "https://attack.mitre.org/groups/G0100/"
-        ],
-        "synonyms": [
-          "ATK116",
-          "G0100"
-        ]
-      },
-      "uuid": "1572f618-bcb3-11e8-841b-1fd7f9cfe126",
-      "value": "Cloud Atlas"
-    },
    {
      "description": "This threat actor compromises civil society groups the Chinese Communist Party views as hostile to its interests, such as Tibetan, Uyghur, Hong Kong, and Taiwanese activist. The threat actor also targeted the Myanmar electoral commission. ",
      "meta": {