diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 1b07843..714a65a 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -181,7 +181,7 @@
 "attribution-confidence": "50",
 "country": "CN",
 "refs": [
- "http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf"
+ "https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf"
 ]
 },
 "uuid": "06e659ff-ece8-4e6c-a110-d9692ac6d8ee",
@@ -386,12 +386,12 @@
 "https://blogs.technet.microsoft.com/mmpc/2016/06/09/reverse-engineering-dubnium-2",
 "https://securelist.com/blog/research/66779/the-darkhotel-apt/",
 "https://securelist.com/the-darkhotel-apt/66779/",
- "http://drops.wooyun.org/tips/11726",
+ "https://web.archive.org/web/20160104165148/http://drops.wooyun.org/tips/11726",
 "https://labs.bitdefender.com/wp-content/uploads/downloads/inexsmar-an-unusual-darkhotel-campaign/",
 "https://www.cfr.org/interactive/cyber-operations/darkhotel",
 "https://www.securityweek.com/darkhotel-apt-uses-new-methods-target-politicians",
 "https://attack.mitre.org/groups/G0012/",
- "http://www.secureworks.com/research/threat-profiles/tungsten-bridge",
+ "https://www.secureworks.com/research/threat-profiles/tungsten-bridge",
 "https://www.antiy.cn/research/notice&report/research_report/20200522.html"
 ],
 "synonyms": [
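Review bot: The added ref in the -181 hunk points the RSA Conference "Art of Attribution" slide deck at a third-party mirror (docs.huihoo.com) rather than at an archive of the publisher's original URL, so a reader of this threat-actor cluster can no longer check that the cited document is the one the entry was built on; the same mirror is substituted in the -736, -1633, -3008, -3019, -5451 and -5514 hunks, and the -3184 (kung_foo.keybase.pub), -4682 (afyonluoglu.org) and -7989 (www.pbwcz.cz) hunks replace dead links with personal or unrelated mirrors in the same way. For a reference corpus a Wayback snapshot of the original URL preserves provenance and is itself stable, e.g. `"https://web.archive.org/web/<WAYBACK_TIMESTAMP>/http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf"` (timestamp is a placeholder to be filled from the archive). Where no snapshot exists, keeping the original URL alongside the mirror, rather than replacing it, would at least record what was originally cited; note the -5451 and -5514 hunks replace URLs that were already https and may not have been dead at all.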
@@ -511,7 +511,7 @@
 "cfr-type-of-incident": "Espionage",
 "country": "CN",
 "refs": [
- "http://www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html",
+ "https://web.archive.org/web/20130924130243/https://www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html",
 "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/hidden_lynx.pdf",
 "https://www.cfr.org/interactive/cyber-operations/apt-17",
 "https://www.carbonblack.com/2013/02/08/bit9-and-our-customers-security/",
@@ -649,7 +649,6 @@
 "https://www.microsoft.com/security/blog/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/",
 "https://www.cfr.org/interactive/cyber-operations/axiom",
 "https://securelist.com/games-are-over/70991/",
- "https://vsec.com.vn/en/blogen/initial-winnti-analysis-against-vietnam-game-company.html",
 "https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a",
 "https://www.dw.com/en/thyssenkrupp-victim-of-cyber-attack/a-36695341",
 "https://www.bleepingcomputer.com/news/security/teamviewer-confirms-undisclosed-breach-from-2016/",
@@ -736,7 +735,7 @@
 "country": "CN",
 "refs": [
 "http://cybercampaigns.net/wp-content/uploads/2013/06/Deep-Panda.pdf",
- "http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf",
+ "https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf",
 "https://www.cfr.org/interactive/cyber-operations/deep-panda",
 "https://eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/",
 "https://eromang.zataz.com/2013/01/02/capstone-turbine-corporation-also-targeted-in-the-cfr-watering-hole-attack-and-more/",
@@ -1047,7 +1046,7 @@
 "country": "CN",
 "refs": [
 "http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/",
- "http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/",
+ "https://web.archive.org/web/20140129192702/https://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/",
 "https://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/",
 "https://labs.bitdefender.com/wp-content/uploads/downloads/operation-pzchao-inside-a-highly-specialized-espionage-infrastructure/",
 "https://www.cfr.org/interactive/cyber-operations/iron-tiger"
@@ -1133,7 +1132,7 @@
 "https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html",
 "https://www.fbi.gov/news/stories/chinese-hackers-indicted-122018",
 "https://attack.mitre.org/groups/G0045/",
- "http://www.secureworks.com/research/threat-profiles/bronze-riverside"
+ "https://www.secureworks.com/research/threat-profiles/bronze-riverside"
 ],
 "synonyms": [
 "APT10",
@@ -1266,7 +1265,7 @@
 "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/",
 "https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/",
 "https://attack.mitre.org/groups/G0004/",
- "http://www.secureworks.com/research/threat-profiles/bronze-palace"
+ "https://www.secureworks.com/research/threat-profiles/bronze-palace"
 ],
 "synonyms": [
 "Vixen Panda",
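Review bot: The -1047 hunk leaves the context line `"http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/"` on plain http while this commit moves every other secureworks.com reference in the file to https; a plain-http ref is the one link in this entry that a network intermediary can still redirect or rewrite. If that path still resolves, it should be upgraded in the same sweep, `"https://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/"`; if it does not, a Wayback snapshot of it is preferable to leaving the dead http URL in place.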
@@ -1467,7 +1466,7 @@
 "refs": [
 "https://unit42.paloaltonetworks.com/bbsrat-attacks-targeting-russian-organizations-linked-to-roaming-tiger/",
 "http://2014.zeronights.org/assets/files/slides/roaming_tiger_zeronights_2014.pdf",
- "http://www.secureworks.com/research/threat-profiles/bronze-woodland"
+ "https://www.secureworks.com/research/threat-profiles/bronze-woodland"
 ],
 "synonyms": [
 "BRONZE WOODLAND",
@@ -1633,7 +1632,7 @@
 "attribution-confidence": "50",
 "country": "CN",
 "refs": [
- "http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf"
+ "https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf"
 ]
 },
 "uuid": "1514546d-f6ea-4af3-bbea-24d6fd9e6761",
@@ -2019,7 +2018,7 @@
 "https://blog.trendmicro.com/trendlabs-security-intelligence/more-than-a-dozen-obfuscated-apt33-botnets-used-for-extreme-narrow-targeting/",
 "https://www.brighttalk.com/webcast/10703/275683",
 "https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage",
- "http://www.secureworks.com/research/threat-profiles/cobalt-trinity"
+ "https://www.secureworks.com/research/threat-profiles/cobalt-trinity"
 ],
 "synonyms": [
 "APT 33",
@@ -2511,7 +2510,7 @@
 "https://www.cfr.org/interactive/cyber-operations/dukes",
 "https://pylos.co/2018/11/18/cozybear-in-from-the-cold/",
 "https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/",
- "http://www.secureworks.com/research/threat-profiles/iron-hemlock"
+ "https://www.secureworks.com/research/threat-profiles/iron-hemlock"
 ],
 "synonyms": [
 "Dukes",
@@ -2604,7 +2603,7 @@
 "https://www.trendmicro.com/vinfo/vn/security/news/cyber-attacks/cyberespionage-group-turla-deploys-backdoor-ahead-of-g20-summit",
 "https://www.zdnet.com/article/this-hacking-gang-just-updated-the-malware-it-uses-against-uk-targets/",
 "https://attack.mitre.org/groups/G0010/",
- "http://www.secureworks.com/research/threat-profiles/iron-hunter"
+ "https://www.secureworks.com/research/threat-profiles/iron-hunter"
 ],
 "synonyms": [
 "Turla",
@@ -2859,7 +2858,7 @@
 "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html",
 "https://attack.mitre.org/groups/G0046/",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
- "http://www.secureworks.com/research/threat-profiles/gold-niagara"
+ "https://www.secureworks.com/research/threat-profiles/gold-niagara"
 ],
 "synonyms": [
 "Carbanak",
@@ -3008,7 +3007,7 @@
 "attribution-confidence": "50",
 "country": "RU",
 "refs": [
- "http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf"
+ "https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf"
 ]
 },
 "uuid": "db774b7d-a0ee-4375-b24e-fd278f5ab2fd",
@@ -3019,7 +3018,7 @@
 "attribution-confidence": "50",
 "country": "KP",
 "refs": [
- "http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf"
+ "https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf"
 ],
 "synonyms": [
 "OperationTroy",
@@ -3117,7 +3116,7 @@
 "https://threatpost.com/banco-de-chile-wiper-attack-just-a-cover-for-10m-swift-heist/132796/",
 "https://www.darkreading.com/attacks-breaches/north-korean-hacking-group-steals-$135-million-from-indian-bank-/d/d-id/1332678",
 "https://www.zdnet.com/article/north-korean-hackers-infiltrate-chiles-atm-network-after-skype-job-interview/",
- "http://www.secureworks.com/research/threat-profiles/nickel-gladstone"
+ "https://www.secureworks.com/research/threat-profiles/nickel-gladstone"
 ],
 "synonyms": [
 "Operation DarkSeoul",
@@ -3184,7 +3183,7 @@
 "attribution-confidence": "50",
 "country": "IN",
 "refs": [
- "http://enterprise-manage.norman.c.bitbit.net/resources/files/Unveiling_an_Indian_Cyberattack_Infrastructure.pdf"
+ "https://kung_foo.keybase.pub/papers_and_presentations/Unveiling_an_Indian_Cyberattack_Infrastructure.pdf"
 ],
 "synonyms": [
 "Appin",
@@ -3251,8 +3250,8 @@
 "refs": [
 "https://securelist.com/blog/research/69114/animals-in-the-apt-farm/",
 "https://motherboard.vice.com/read/meet-babar-a-new-malware-almost-certainly-created-by-france",
- "http://www.cyphort.com/evilbunny-malware-instrumented-lua/",
- "http://www.cyphort.com/babar-suspected-nation-state-spyware-spotlight/",
+ "https://web.archive.org/web/20150311013500/http://www.cyphort.com/evilbunny-malware-instrumented-lua/",
+ "https://web.archive.org/web/20150218192803/http://www.cyphort.com/babar-suspected-nation-state-spyware-spotlight/",
 "https://www.gdatasoftware.com/blog/2015/02/24270-babar-espionage-software-finally-found-and-put-under-the-microscope",
 "https://www.cfr.org/interactive/cyber-operations/snowglobe",
 "https://resources.infosecinstitute.com/animal-farm-apt-and-the-shadow-of-france-intelligence/"
@@ -3303,7 +3302,7 @@
 "https://cysinfo.com/cyber-attack-targeting-cbi-and-possibly-indian-army-officials",
 "https://s.tencent.com/research/report/669.html",
 "https://www.fireeye.com/blog/threat-research/2016/06/apt_group_sends_spea.html",
- "http://www.secureworks.com/research/threat-profiles/copper-fieldstone"
+ "https://www.secureworks.com/research/threat-profiles/copper-fieldstone"
 ],
 "synonyms": [
 "C-Major",
@@ -3436,7 +3435,7 @@
 "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf",
 "https://securelist.com/the-dropping-elephant-actor/75328/",
 "https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf",
- "http://www.secureworks.com/research/threat-profiles/zinc-emerson"
+ "https://www.secureworks.com/research/threat-profiles/zinc-emerson"
 ],
 "synonyms": [
 "Chinastrats",
@@ -3537,7 +3536,7 @@
 "https://www.phnompenhpost.com/national/kingdom-targeted-new-malware",
 "https://attack.mitre.org/groups/G0017/",
 "https://attack.mitre.org/groups/G0002/",
- "http://www.secureworks.com/research/threat-profiles/bronze-overbrook"
+ "https://www.secureworks.com/research/threat-profiles/bronze-overbrook"
 ],
 "synonyms": [
 "Moafee",
@@ -3883,7 +3882,7 @@
 "https://www.clearskysec.com/oilrig/",
 "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/shamoon-attackers-employ-new-tool-kit-to-wipe-infected-systems/",
 "https://attack.mitre.org/groups/G0049/",
- "http://www.secureworks.com/research/threat-profiles/cobalt-gypsy"
+ "https://www.secureworks.com/research/threat-profiles/cobalt-gypsy"
 ],
 "synonyms": [
 "Twisted Kitten",
@@ -4029,7 +4028,6 @@
 "meta": {
 "refs": [
 "https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html",
- "http://blog.vectranetworks.com/blog/moonlight-middle-east-targeted-attacks",
 "https://ti.360.net/blog/articles/suspected-molerats-new-attack-in-the-middle-east/",
 "https://ti.360.net/blog/articles/suspected-molerats-new-attack-in-the-middle-east-en/",
 "https://middle-east-online.com/en/cyber-war-gaza-hackers-deface-israel-fire-service-website",
@@ -4246,7 +4244,7 @@
 "https://en.wikipedia.org/wiki/Stuxnet",
 "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064459/Equation_group_questions_and_answers.pdf",
 "https://attack.mitre.org/groups/G0020/",
- "http://www.secureworks.com/research/threat-profiles/platinum-terminal"
+ "https://www.secureworks.com/research/threat-profiles/platinum-terminal"
 ],
 "synonyms": [
 "Tilded Team",
@@ -4514,7 +4512,7 @@
 "https://github.com/eset/malware-research/tree/master/oceanlotus",
 "https://www.cfr.org/interactive/cyber-operations/ocean-lotus",
 "https://www.accenture.com/us-en/blogs/blogs-pond-loach-delivers-badcake-malware",
- "http://www.secureworks.com/research/threat-profiles/tin-woodlawn"
+ "https://www.secureworks.com/research/threat-profiles/tin-woodlawn"
 ],
 "synonyms": [
 "OceanLotus Group",
@@ -4682,7 +4680,7 @@
 "https://www.fireeye.com/blog/threat-research/2016/05/windows-zero-day-payment-cards.html",
 "https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html",
 "https://www.root9b.com/sites/default/files/whitepapers/PoS%20Malware%20ShellTea%20PoSlurp.pdf",
- "http://files.shareholder.com/downloads/AMDA-254Q5F/0x0x938351/665BA6A3-9573-486C-B96F-80FA35759E8C/FEYE_rpt-mtrends-2017_FINAL2.pdf",
+ "https://afyonluoglu.org/PublicWebFiles/Reports-TR/2017%20FireEye%20M-Trends%20Report.pdf",
 "https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html",
 "https://attack.mitre.org/groups/G0061"
 ]
@@ -4963,7 +4961,7 @@
 "attribution-confidence": "50",
 "country": "CN",
 "refs": [
- "http://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf"
+ "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492182276.pdf"
 ]
 },
 "uuid": "5bc7382d-ddc6-46d3-96f5-1dbdadbd601c",
@@ -5012,7 +5010,7 @@
 "https://blog.fox-it.com/2016/06/15/mofang-a-politically-motivated-information-stealing-adversary/",
 "https://www.cfr.org/interactive/cyber-operations/mofang",
 "https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf",
- "http://www.secureworks.com/research/threat-profiles/bronze-walker"
+ "https://www.secureworks.com/research/threat-profiles/bronze-walker"
 ],
 "synonyms": [
 "Superman",
@@ -5451,7 +5449,7 @@
 {
 "meta": {
 "refs": [
- "https://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf"
+ "https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf"
 ]
 },
 "uuid": "769bf551-ff39-4f84-b7f2-654a28df1e50",
@@ -5514,7 +5512,7 @@
 {
 "meta": {
 "refs": [
- "https://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf"
+ "https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf"
 ]
 },
 "uuid": "445c7b62-028b-455e-9d65-74899b7006a4",
@@ -5592,7 +5590,7 @@
 "attribution-confidence": "50",
 "country": "CN",
 "refs": [
- "http://en.hackdig.com/02/39538.htm"
+ "http://webcache.googleusercontent.com/search?q=cache:TWoHHzH9gU0J:en.hackdig.com/02/39538.htm"
 ]
 },
 "uuid": "110792e8-38d2-4df2-9ea3-08b60321e994",
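Review bot: The added ref in the -5592 hunk is a Google web-cache URL, which is not an archive: cache entries are evicted and re-crawled without notice, so the link will go dead again and may later show different content than the page the entry cites, and it is also the only added ref in this commit that is plain http. A Wayback snapshot of the original page is the stable form, `"https://web.archive.org/web/<WAYBACK_TIMESTAMP>/http://en.hackdig.com/02/39538.htm"` (timestamp is a placeholder to be taken from the archive); if no snapshot exists, one can be requested so the cached copy is preserved before it expires.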
@@ -6242,7 +6240,7 @@
 "https://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/",
 "https://securelist.com/luckymouse-hits-national-data-center/86083/",
 "https://attack.mitre.org/groups/G0027/",
- "http://www.secureworks.com/research/threat-profiles/bronze-union"
+ "https://www.secureworks.com/research/threat-profiles/bronze-union"
 ],
 "synonyms": [
 "Emissary Panda",
@@ -6558,7 +6556,7 @@
 "https://www.cfr.org/interactive/cyber-operations/mustang-panda",
 "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
- "http://www.secureworks.com/research/threat-profiles/bronze-president"
+ "https://www.secureworks.com/research/threat-profiles/bronze-president"
 ],
 "synonyms": [
 "BRONZE PRESIDENT",
@@ -6910,7 +6908,7 @@
 "https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html",
 "https://www.crowdstrike.com/blog/widespread-dns-hijacking-activity-targets-multiple-sectors/",
 "https://krebsonsecurity.com/tag/dnspionage/",
- "http://www.secureworks.com/research/threat-profiles/cobalt-edgewater"
+ "https://www.secureworks.com/research/threat-profiles/cobalt-edgewater"
 ],
 "synonyms": [
 "COBALT EDGEWATER"
@@ -7019,7 +7017,7 @@
 "https://threatpost.com/ta505-servhelper-malware/140792/",
 "https://blog.yoroi.company/research/the-stealthy-email-stealer-in-the-ta505-arsenal/",
 "https://threatrecon.nshc.net/2019/08/29/sectorj04-groups-increased-activity-in-2019/",
- "http://www.secureworks.com/research/threat-profiles/gold-tahoe"
+ "https://www.secureworks.com/research/threat-profiles/gold-tahoe"
 ],
 "synonyms": [
 "SectorJ04 Group",
@@ -7055,7 +7053,7 @@
 "https://www.crowdstrike.com/blog/wizard-spider-adds-new-feature-to-ryuk-ransomware/",
 "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware",
 "https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html",
- "http://www.secureworks.com/research/threat-profiles/gold-ulrick"
+ "https://www.secureworks.com/research/threat-profiles/gold-ulrick"
 ],
 "synonyms": [
 "TEMP.MixMaster"
@@ -7071,7 +7069,7 @@
 "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/",
 "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-february-mummy-spider/",
 "https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta542-banker-malware-distribution-service",
- "http://www.secureworks.com/research/threat-profiles/gold-crestwood"
+ "https://www.secureworks.com/research/threat-profiles/gold-crestwood"
 ],
 "synonyms": [
 "TA542",
@@ -7139,7 +7137,7 @@
 "https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets",
 "https://attack.mitre.org/groups/G0087/",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
- "http://www.secureworks.com/research/threat-profiles/cobalt-hickman"
+ "https://www.secureworks.com/research/threat-profiles/cobalt-hickman"
 ],
 "synonyms": [
 "APT 39",
@@ -7176,7 +7174,7 @@
 "meta": {
 "refs": [
 "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/",
- "http://www.secureworks.com/research/threat-profiles/gold-lowell"
+ "https://www.secureworks.com/research/threat-profiles/gold-lowell"
 ],
 "synonyms": [
 "GOLD LOWELL"
@@ -7276,7 +7274,7 @@
 "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/",
 "https://www.crowdstrike.com/blog/wizard-spider-lunar-spider-shared-proxy-module/",
 "https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/",
- "http://www.secureworks.com/research/threat-profiles/gold-swathmore"
+ "https://www.secureworks.com/research/threat-profiles/gold-swathmore"
 ],
 "synonyms": [
 "GOLD SWATHMORE"
@@ -7408,7 +7406,7 @@
 "https://www.secureworks.com/blog/back-to-school-cobalt-dickens-targets-universities",
 "https://www.proofpoint.com/us/threat-insight/post/seems-phishy-back-school-lures-target-university-students-and-staff",
 "https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta407-silent-librarian",
- "http://www.secureworks.com/research/threat-profiles/cobalt-dickens"
+ "https://www.secureworks.com/research/threat-profiles/cobalt-dickens"
 ],
 "synonyms": [
 "COBALT DICKENS",
@@ -7428,7 +7426,7 @@
 "https://duo.com/decipher/apt-groups-moving-down-the-supply-chain",
 "https://redalert.nshc.net/2019/12/03/threat-actor-targeting-hong-kong-activists",
 "https:/twitter.com/bkMSFT/status/1201876664667582466",
- "http://www.secureworks.com/research/threat-profiles/bronze-vinewood"
+ "https://www.secureworks.com/research/threat-profiles/bronze-vinewood"
 ],
 "synonyms": [
 "APT 31",
@@ -7796,7 +7794,7 @@
 "meta": {
 "refs": [
 "https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign",
- "http://www.secureworks.com/research/threat-profiles/cobalt-lyceum"
+ "https://www.secureworks.com/research/threat-profiles/cobalt-lyceum"
 ],
 "synonyms": [
 "COBALT LYCEUM"
@@ -7989,7 +7987,7 @@
 "meta": {
 "refs": [
 "https://ti.360.net/blog/articles/analysis-of-apt-c-27/",
- "http://csecybsec.com/download/zlab/20180723_CSE_APT27_Syria_v1.pdf"
+ "https://www.pbwcz.cz/Reporty/20180723_CSE_APT27_Syria_v1.pdf"
 ],
 "since": "2014",
 "synonyms": [
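Review bot: The -7428 hunk edits the refs array of this entry but leaves the malformed context line `"https:/twitter.com/bkMSFT/status/1201876664667582466"` (single slash after the scheme) untouched, so that ref still cannot be resolved by a browser or by the link checker that presumably motivated this commit. Since the sweep is already fixing dead refs in the same array, the missing slash should be restored in the same change, `"https://twitter.com/bkMSFT/status/1201876664667582466"`.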
@@ -8314,7 +8312,7 @@
 "description": "COBALT JUNO has operated since at least 2013 and focused on targets located in the Middle East including Iran, Jordan, Egypt & Lebanon. COBALT JUNO custom spyware families SABER1 and SABER2, include surveillance functionality and masquerade as legitimate software utilities such as Adobe Updater, StickyNote and ASKDownloader. CTU researchers assess with moderate confidence that COBALT JUNO operated the ZooPark Android spyware since at least mid-2015. ZooPark was publicly exposed in 2018 in both vendor reporting and a high profile leak of C2 server data. COBALT JUNO is linked to a private security company in Iran and outsources aspects of tool development work to commercial software developers. CTU researchers have observed the group using strategic web compromises to deliver malware. CTU researchers’ discovery of new C2 domains in 2019 suggest the group is still actively performing operations.",
 "meta": {
 "refs": [
- "http://www.secureworks.com/research/threat-profiles/cobalt-juno"
+ "https://www.secureworks.com/research/threat-profiles/cobalt-juno"
 ],
 "synonyms": [
 "APT-C-38 (QiAnXin)",
@@ -8329,7 +8327,7 @@
 "description": "COBALT KATANA has been active since at least March 2018, and it focuses many of its operations on organizations based in or associated with Kuwait. The group has targeted government, logistics, and shipping organizations. The threat actors gain initial access to targets using DNS hijacking, strategic web compromise with SMB forced authentication, and password brute force attacks. COBALT KATANA operates a custom platform referred to as the Sakabota Framework, also referred to as Sakabota Core, with a complimentary set of modular backdoors and accessory tools including Gon, Hisoka, Hisoka Netero, Killua, Diezen, and Eye. The group has implemented DNS tunnelling in its malware and malicious scripts and also operates the HyphenShell web shell to strengthen post-intrusion access. CTU researchers assess with moderate confidence that COBALT KATANA operates on behalf of Iran, and elements of its operations such as overlapping infrastructure, use of DNS hijacking, implementation of DNS-based C2 channels in malware and web shell security mechanisms suggest connections to COBALT GYPSY and COBALT EDGEWATER.",
 "meta": {
 "refs": [
- "http://www.secureworks.com/research/threat-profiles/cobalt-katana"
+ "https://www.secureworks.com/research/threat-profiles/cobalt-katana"
 ],
 "synonyms": [
 "Hive0081 (IBM)",
@@ -8341,5 +8339,5 @@
 "value": "COBALT KATANA"
 }
 ],
- "version": 160
+ "version": 161
 }