From 214ac5d32936b7d120795f7a9179ac27dd107881 Mon Sep 17 00:00:00 2001
From: Delta-Sierra
Date: Fri, 15 Sep 2023 10:07:19 +0200
Subject: [PATCH 1/5] fix caps
---
 clusters/sector.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/clusters/sector.json b/clusters/sector.json
index d5726e6e..f9df390e 100644
--- a/clusters/sector.json
+++ b/clusters/sector.json
@@ -348,7 +348,7 @@
 },
 {
 "uuid": "e07cd84c-1d66-4de3-8b93-15fa93f119cc",
- "value": "engineering"
+ "value": "Engineering"
 },
 {
 "uuid": "7508db07-ffd1-4137-9941-718f18370c4c",
From db23d6eb4c6dcacb18c5012be6c472dd94596dda Mon Sep 17 00:00:00 2001
From: Delta-Sierra
Date: Fri, 15 Sep 2023 10:21:44 +0200
Subject: [PATCH 2/5] adding targeted sectors
---
 clusters/threat-actor.json | 76 +++++++++++++++++++++++++++++++++++++-
 1 file changed, 74 insertions(+), 2 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 804d33ec..0e951191 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -2982,6 +2982,11 @@
 "https://www.kaspersky.com/blog/financial-trojans-2019/25690/",
 "https://www.welivesecurity.com/2015/04/09/operation-buhtrap/",
 "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
+ ],
+ "targeted-sector": [
+ "Bank",
+ "Payment",
+ "Finance"
 ]
 },
 "uuid": "b737c51f-b579-49d5-a907-743b2e6d03cb",
@@ -3002,6 +3007,11 @@
 "synonyms": [
 "FIN4",
 "G0085"
+ ],
+ "targeted-sector": [
+ "Health",
+ "Finance",
+ "Pharmacy"
 ]
 },
 "uuid": "ff449346-aa9f-45f6-b482-71e886a5cf57",
@@ -3020,7 +3030,10 @@
 "description": "This group's activity was first observed in November 2013. It leverages a banking Trojan more commonly known as Shylock which aims to compromise online banking credentials and credentials related to Bitcoin wallets.",
 "meta": {
 "attribution-confidence": "50",
- "country": "RU"
+ "country": "RU",
+ "targeted-sector": [
+ "Bank"
+ ]
 },
 "uuid": "7dd7a8df-9012-4d14-977f-b3f9f71266b4",
 "value": "SHARK SPIDER"
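Review bot: The `clusters/sector.json` hunk (`@@ -348,7 +348,7 @@`) changes a cluster `value` from `engineering` to `Engineering`, but the diffstat for that file shows one insertion and one deletion, so its `"version"` is not incremented the way patches 3/5 and 4/5 do for their files (`7` → `8`, `281` → `282`). If consumers decide whether to re-import a galaxy by comparing `version` (worth confirming for this repository), instances that already hold the old file will keep the lowercase value. The `value` is also the string other data refers to (patch 2/5 adds `"engineering"` to a `targeted-sector` list and patch 5/5 has to correct it), so existing tags, filters or detection rules keyed on the old spelling should be checked too. I would add the bump to this commit: `"version": <current sector.json version + 1>`.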
@@ -3032,6 +3045,10 @@
 "country": "RU",
 "refs": [
 "https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf"
+ ],
+ "targeted-sector": [
+ "Manufacturing",
+ "Industrial"
 ]
 },
 "uuid": "db774b7d-a0ee-4375-b24e-fd278f5ab2fd",
@@ -3264,6 +3281,10 @@
 "APT-C-35",
 "SectorE02",
 "Orange Kala"
+ ],
+ "targeted-sector": [
+ "Government, Administration",
+ "Security Service"
 ]
 },
 "related": [
@@ -3364,6 +3385,14 @@
 "synonyms": [
 "SyrianElectronicArmy",
 "SEA"
+ ],
+ "targeted-sector": [
+ "Country",
+ "Defense",
+ "Opposition",
+ "Political party",
+ "News - Media",
+ "Government, Administration"
 ]
 },
 "uuid": "4265d44e-8372-4ed0-b428-b331a5443d7d",
@@ -3403,6 +3432,11 @@
 "TMP.Lapis",
 "Green Havildar",
 "COPPER FIELDSTONE"
+ ],
+ "targeted-sector": [
+ "Activists",
+ "Civil society",
+ "Military"
 ]
 },
 "related": [
@@ -3447,6 +3481,12 @@
 "synonyms": [
 "FruityArmor",
 "G0038"
+ ],
+ "targeted-sector": [
+ "Activists",
+ "Dissidents",
+ "Journalist",
+ "Civil society"
 ]
 },
 "related": [
@@ -3516,6 +3556,10 @@
 "G0040",
 "Orange Athos",
 "Thirsty Gemini"
+ ],
+ "targeted-sector": [
+ "Finance",
+ "Diplomacy"
 ]
 },
 "related": [
@@ -3558,6 +3602,9 @@
 "synonyms": [
 "G0029",
 "Golfing Taurus"
+ ],
+ "targeted-sector": [
+ "Activists"
 ]
 },
 "related": [
@@ -3683,6 +3730,9 @@
 "Sauron",
 "Project Sauron",
 "G0041"
+ ],
+ "targeted-sector": [
+ "Intelligence"
 ]
 },
 "related": [
@@ -3727,6 +3777,9 @@
 ],
 "synonyms": [
 "G0036"
+ ],
+ "targeted-sector": [
+ "Bank"
 ]
 },
 "related": [
@@ -3825,7 +3878,10 @@
 "description": "Libyan Scorpions is a malware operation in use since September 2015 and operated by a politically motivated group whose main objective is intelligence gathering, spying on influentials and political figures and operate an espionage campaign within Libya.",
 "meta": {
 "attribution-confidence": "50",
- "country": "LY"
+ "country": "LY",
+ "targeted-sector": [
+ "Intelligence"
+ ]
 },
 "uuid": "815cbe98-e157-4078-9caa-c5a25dd64731",
 "value": "Libyan Scorpions"
@@ -3911,6 +3967,15 @@
 "ATK40",
 "G0049",
 "Evasive Serpens"
+ ],
+ "targeted-sector": [
+ "Chemical",
+ "Energy",
+ "engineering",
+ "Finance",
+ "Government, Administration",
+ "Telecoms",
+ "Other"
 ]
 },
 "related": [
@@ -4059,6 +4124,10 @@
 ],
 "suspected-victims": [
 "Ukraine"
+ ],
+ "targeted-sector": [
+ "Think Tanks",
+ "Government, Administration"
 ]
 },
 "uuid": "3d5192f2-f235-46fd-aa68-dd00cc17d632",
@@ -4069,6 +4138,9 @@
 "meta": {
 "refs": [
 "https://blogs.technet.microsoft.com/mmpc/2016/12/09/windows-10-protection-detection-and-response-against-recent-attacks/"
+ ],
+ "targeted-sector": [
+ "Energy"
 ]
 },
 "related": [
From 2aa0fb22ba098fc85269e065dd97bcc916d39b55 Mon Sep 17 00:00:00 2001
From: Delta-Sierra
Date: Fri, 15 Sep 2023 10:32:26 +0200
Subject: [PATCH 3/5] finish fixing Botswana infos into Brazil cluster
---
 clusters/target-information.json | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/clusters/target-information.json b/clusters/target-information.json
index b300d975..7cd4d59b 100644
--- a/clusters/target-information.json
+++ b/clusters/target-information.json
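Review bot: In the Libyan Scorpions hunk of `clusters/threat-actor.json` (`@@ -3825,7 +3878,10 @@`) the added `"targeted-sector": [ "Intelligence" ]` appears to record the actor's goal rather than its victims: the description in the same entry gives the objective as intelligence gathering and names "influentials and political figures" as the people spied on. A sector value of `Intelligence` reads as "targets intelligence services", which would mislead anyone filtering or prioritising actors by victim sector. Unless a reference supports that reading, a victim-side value matching the description would be more accurate, for example the `"Political party"` value this series uses elsewhere. The ProjectSauron hunk (`@@ -3683,6 +3730,9 @@`) adds the same value and deserves the same check, although its description is not visible here.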
@@ -958,10 +958,28 @@
 "calling-code": [
 "+267"
 ],
+ "capital": [
+ "Gaborone"
+ ],
+ "currency": [
+ "Botswana pula",
+ "BWP"
+ ],
 "iso-code": [
 "BW",
 "BWA"
 ],
+ "official-languages": [
+ "English",
+ "Setswana"
+ ],
+ "synonyms": [
+ "Republic of Botswana",
+ "Lefatshe la Botswana"
+ ],
+ "territory-type": [
+ "Country"
+ ],
 "top-level-domain": ".bw"
 },
 "uuid": "b29dca55-6930-494e-ae8e-fe89e5317529",
@@ -8102,5 +8120,5 @@
 "value": "Zimbabwe"
 }
 ],
- "version": 7
+ "version": 8
 }
From 5efe48385826a7ec473e29e77ae0761a9863794c Mon Sep 17 00:00:00 2001
From: Delta-Sierra
Date: Fri, 15 Sep 2023 15:49:43 +0200
Subject: [PATCH 4/5] adding targeted sectors
---
 clusters/threat-actor.json | 25 ++++++++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 0e951191..d4c61baf 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -4266,6 +4266,11 @@
 "meta": {
 "refs": [
 "https://citizenlab.ca/2015/12/packrat-report/"
+ ],
+ "targeted-sector": [
+ "Activists",
+ "Journalist",
+ "Political party"
 ]
 },
 "uuid": "fe344665-d153-4d31-a32a-1509efde1ca7",
@@ -4314,6 +4319,10 @@
 "synonyms": [
 "Lion Soldiers Team",
 "Phantom Turk"
+ ],
+ "targeted-sector": [
+ "Government, Administration",
+ "News - Media"
 ]
 },
 "uuid": "23410d3f-c359-422d-9a4e-45f8fdf0c84a",
@@ -4455,6 +4464,13 @@
 "https://unit42.paloaltonetworks.com/unit42-oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group/",
 "https://threatpost.com/shamoon-collaborator-greenbug-adopts-new-communication-tool/125383/",
 "https://www.clearskysec.com/greenbug/"
+ ],
+ "targeted-sector": [
+ "Education",
+ "Energy",
+ "Investment",
+ "Aerospace",
+ "Government, Administration"
 ]
 },
 "related": [
@@ -4584,6 +4600,10 @@
 "Operation Mermaid",
 "Prince of Persia",
 "Foudre"
+ ],
+ "targeted-sector": [
+ "Activists",
+ "Civil society"
 ]
 },
 "uuid": "1671be1b-c844-48f5-84c8-54ac4fe4d71e",
@@ -4635,6 +4655,9 @@
 "country": "UA",
 "refs": [
 "http://www.welivesecurity.com/2016/05/18/groundbait"
+ ],
+ "targeted-sector": [
+ "Separatists"
 ]
 },
 "uuid": "8ed5e3f0-ed30-4eb8-bbee-4e221bd76d73",
@@ -11720,5 +11743,5 @@
 "value": "MoustachedBouncer"
 }
 ],
- "version": 281
+ "version": 282
 }
From ac4d003c3ee44fd236fb7c6d695129da1b1380f3 Mon Sep 17 00:00:00 2001
From: Delta-Sierra
Date: Fri, 15 Sep 2023 16:00:38 +0200
Subject: [PATCH 5/5] fix caps
---
 clusters/threat-actor.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index d4c61baf..67e65e5b 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -3971,7 +3971,7 @@
 "targeted-sector": [
 "Chemical",
 "Energy",
- "engineering",
+ "Engineering",
 "Finance",
 "Government, Administration",
 "Telecoms",