diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 2ca46522..df8aecbd 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -3207,13 +3207,15 @@ "https://unit42.paloaltonetworks.com/threat-assessment-hangover-threat-group/", "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf", "https://blog.cyble.com/2021/07/22/donot-apt-group-delivers-a-spyware-variant-of-chat-app/", - "https://adversary.crowdstrike.com/en-US/adversary/viceroy-tiger" + "https://adversary.crowdstrike.com/en-US/adversary/viceroy-tiger", + "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf" ], "synonyms": [ "OPERATION HANGOVER", "Donot Team", "APT-C-35", - "SectorE02" + "SectorE02", + "Orange Kala" ] }, "uuid": "e2b87f81-a6a1-4524-b03f-193c3191d239", @@ -3433,18 +3435,21 @@ "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf", "https://securelist.com/the-dropping-elephant-actor/75328/", "https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf", - "https://www.secureworks.com/research/threat-profiles/zinc-emerson" + "https://www.secureworks.com/research/threat-profiles/zinc-emerson", + "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf", + "https://ti.qianxin.com/blog/articles/analysis-of-the-attack-activities-of-patchwork-using-the-documents-of-relevant-government-agencies-in-pakistan-as-bait" ], "synonyms": [ "Chinastrats", "Patchwork", "Monsoon", "Sarit", - "Quilted Tiger", + "Dropping Elephant", "APT-C-09", "ZINC EMERSON", "ATK11", - "G0040" + "G0040", + "Orannge Athos" ] }, "related": [ @@ -3464,7 +3469,7 @@ } ], "uuid": "18d473a5-831b-47a5-97a1-a32156299825", - "value": "Dropping Elephant" + "value": "QUILTED TIGER" }, { "description": "Scarlet Mimic is a threat group that has targeted minority rights activists. This group has not been directly linked to a government source, but the group’s motivations appear to overlap with those of the Chinese government. While there is some overlap between IP addresses used by Scarlet Mimic and Putter Panda, APT 2, it has not been concluded that the groups are the same.\nThe attacks began over four years ago and their targeting pattern suggests that this adversary’s primary mission is to gather information about minority rights activists. We do not have evidence directly linking these attacks to a government source, but the information derived from these activities supports an assessment that a group or groups with motivations similar to the stated position of the Chinese government in relation to these targets is involved.\nThe attacks we attribute to Scarlet Mimic have primarily targeted Uyghur and Tibetan activists as well as those who are interested in their causes. Both the Tibetan community and the Uyghurs, a Turkic Muslim minority residing primarily in northwest China, have been targets of multiple sophisticated attacks in the past decade. Both also have history of strained relationships with the government of the People’s Republic of China (PRC), though we do not have evidence that links Scarlet Mimic attacks to the PRC.\nScarlet Mimic attacks have also been identified against government organizations in Russia and India, who are responsible for tracking activist and terrorist activities. While we do not know the precise target of each of the Scarlet Mimic attacks, many of them align to the patterns described above.", @@ -8016,7 +8021,6 @@ "refs": [ "https://securelist.com/apt-trends-report-q1-2018/85280/", "https://blog.trendmicro.com/trendlabs-security-intelligence/first-active-attack-exploiting-cve-2019-2215-found-on-google-play-linked-to-sidewinder-apt-group/", - "https://malpedia.caad.fkie.fraunhofer.de/details/win.sidewinder", "https://otx.alienvault.com/pulse/5fd10760f9afb730d37c4742/", "https://www.trendmicro.com/en_us/research/20/l/sidewinder-leverages-south-asian-territorial-issues-for-spear-ph.html", "https://s.tencent.com/research/report/659.html", @@ -8026,7 +8030,7 @@ "https://mp.weixin.qq.com/s/8j_rHA7gdMxY1_X8alj8Zg" ], "synonyms": [ - "RAZOR TIGER", + "SideWinder", "Rattlesnake", "APT-C-17", "T-APT-04" @@ -8042,7 +8046,7 @@ } ], "uuid": "c4ce1174-9462-47e9-8038-794f40a184b3", - "value": "SideWinder" + "value": "RAZOR TIGER" }, { "description": "Operation Wocao (我操, “Wǒ cāo”, used as “shit” or “damn”) is the name that Fox-IT uses to describe the hacking activities of a Chinese based hacking group.\nThis report details the profile of a publicly underreported threat actor that Fox-IT has dealt with over the past two years. Fox-IT assesses with high confidence that the actor is a Chinese group and that they are likely working to support the interests of the Chinese government and are tasked with obtaining information for espionage purposes. With medium confidence, Fox-IT assesses that the tools, techniques and procedures are those of the actor referred to as APT20 by industry partners. We have identified victims of this actor in more than 10 countries, in government entities, managed service providers and across a wide variety of industries, including Energy, Health Care and High-Tech.", @@ -9231,12 +9235,14 @@ "country": "IN", "refs": [ "https://www.bitdefender.com/files/News/CaseStudies/study/352/Bitdefender-PR-Whitepaper-BitterAPT-creat4571-en-EN-GenericUse.pdf", - "https://mp.weixin.qq.com/s/8j_rHA7gdMxY1_X8alj8Zg" + "https://mp.weixin.qq.com/s/8j_rHA7gdMxY1_X8alj8Zg", + "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf" ], "synonyms": [ "Bitter", "T-APT-17", - "APT-C-08" + "APT-C-08", + "Orange Yali" ] }, "uuid": "1e9bd6fe-e009-41ce-8e92-ad78c73ee772",