diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index fca33c98..2f88cb7c 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -12501,7 +12501,194 @@
 },
 "uuid": "0e9bbcf1-9273-4438-b437-287317bfb989",
 "value": "TA499"
+ },
+ {
+ "description": "Kaspersky researchers have identified a new APT group named BadRory that has mounted two waves of spear-phishing attacks against Russian organizations. The campaigns took place in October 2022 and April 2023 and leveraged boobytrapped Office emails. Targets included government entities, military contractors, universities, and hospitals.",
+ "meta": {
+ "refs": [
+ "https://securelist.com/apt-trends-report-q3-2023/110752/"
+ ]
+ },
+ "uuid": "aa74d1f3-b294-405b-bb18-3ac1c13560a1",
+ "value": "BadRory"
+ },
+ {
+ "description": "SharpPanda, an APT group originating from China, has seen a rise in its cyber-attack operations starting from at least 2018. The APT group utilizes spear-phishing techniques to obtain initial access, employing a combination of outdated Microsoft Office document vulnerabilities, novel evasion techniques, and highly potent backdoor malware.",
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://blog.cyble.com/2023/06/01/sharppanda-apt-campaign-expands-its-arsenal-targeting-g20-nations/",
+ "https://www.rewterz.com/rewterz-news/rewterz-threat-alert-sharppanda-chinese-apt-group-targets-southeast-asian-government-active-iocs",
+ "https://research.checkpoint.com/2021/chinese-apt-group-targets-southeast-asian-government-with-previously-unknown-backdoor/"
+ ]
+ },
+ "uuid": "7133a722-088c-4d5a-b2e0-a1f9915f807d",
+ "value": "SharpPanda"
+ },
+ {
+ "description": "Guacamaya has conducted multiple hack and leak campaigns against military and police agencies and mining companies across Latin America, which they believe have played a role in the region’s environmental degradation and repression of native populations.",
+ "meta": {
+ "refs": [
+ "https://cyberscoop.com/environmentalist-hacktivist-collective-mining-company/",
+ "https://srslyriskybiz.substack.com/p/recent-cyber-chaos-is-a-structural",
+ "https://finance.yahoo.com/news/analysis-mexico-data-hack-exposes-003101651.html",
+ "https://www.redpacketsecurity.com/guacamaya-hacktivists-stole-sensitive-data-from-mexico-and-latin-american-countries/",
+ "https://research.checkpoint.com/2022/3rd-october-threat-intelligence-report/",
+ "https://www.cyberscoop.com/central-american-hacking-group-releases-emails/",
+ "https://therecord.media/mexican-army-spyware"
+ ]
+ },
+ "uuid": "51f056f5-b596-446e-9394-a310af4e2e75",
+ "value": "Guacamaya"
+ },
+ {
+ "description": "Prodaft researchers have published a report on Paperbug, a cyber-espionage campaign carried out by suspected Russian-speaking group Nomadic Octopus and which targeted entities in Tajikistan. According to Prodaft, known compromised victims included high-ranking government officials, telcos, and public service infrastructures. Compromised devices also included OT devices, besides your typical computers, servers, and mobile devices. In typical Prodaft fashion, the company also gained access to one of the group's C&C server backend panels.",
+ "meta": {
+ "country": "RU",
+ "refs": [
+ "https://securelist.com/octopus-infested-seas-of-central-asia/88200/",
+ "https://www.prodaft.com/m/reports/PAPERBUG_TLPWHITE-1.pdf",
+ "https://www.virusbulletin.com/conference/vb2018/abstracts/nomadic-octopus-cyber-espionage-central-asia/"
+ ],
+ "synonyms": [
+ "Nomadic Octopus"
+ ]
+ },
+ "uuid": "7b227f41-efea-4dc0-8a2a-148893795ce4",
+ "value": "DustSquad"
+ },
+ {
+ "description": "KromSec is a hacktivist group that claims to be composed of hackers, activists, writers, and journalists. The group has been involved in a number of high-profile cyberattacks, including a cyber offensive against Iran in September 2022 and the sale of the database of the Iran Ministry of Industries and Mines on a hacker forum in November 2023. KromSec's attacks have been met with mixed reactions, but the group has quickly made a name for itself as a significant threat to governments and organizations around the world.",
+ "meta": {
+ "refs": [
+ "https://thecyberexpress.com/kromsec-sells-iran-ministry-database-dark-web/",
+ "https://cybershafarat.com/2022/11/17/kromsec-outs-anonopsse-as-iranian-regime-makes-statement/"
+ ]
+ },
+ "uuid": "f4b81cb7-0492-414f-8bf4-cc806cbff1a9",
+ "value": "KromSec"
+ },
+ {
+ "description": "The hacktivist group ‘Cyber Av3ngers’ has historically claimed attacks on Israel’s critical infrastructures. It has been launching DDoS attacks and claiming breach of Israeli networks with supporting data leaks.",
+ "meta": {
+ "country": "IR",
+ "refs": [
+ "https://securelist.com/a-hack-in-hand-is-worth-two-in-the-bush/110794/",
+ "https://cyberwarzone.com/cyber-av3ngers-claims-infiltration-of-israeli-water-treatment-stations-amid-ongoing-conflict/",
+ "https://cyberwarzone.com/hacking-group-cyber-av3ngers-claims-responsibility-for-yavne-power-outages-what-you-need-to-know/"
+ ]
+ },
+ "uuid": "286db62d-859d-48e2-9601-1b7abde9f3c3",
+ "value": "Cyber Av3ngers"
+ },
+ {
+ "description": "Altahrea Team is a pro-Iranian hacking group that has been active since at least 2020. The group has claimed responsibility for a number of cyberattacks, including DDoS attacks against Israeli websites, a hack of the Israel Airports Authority website, and a cyberattack on the Orot Yosef power plant in Israel.",
+ "meta": {
+ "country": "IQ",
+ "refs": [
+ "https://securelist.com/ddos-attacks-in-q2-2022/107025/",
+ "https://www.timesofisrael.com/cyberattack-on-health-ministry-website-blocks-overseas-access/",
+ "https://techmonitor.ai/technology/cybersecurity/alahrea-team-power-plant-fire-israel",
+ "https://www.presstv.ir/Detail/2022/07/27/686324/Iraqi-hacker-group--ALtahrea-Team--targets-Israeli-IT,-e-commerce-companies-with-major-cyber-attack",
+ "https://www.hackread.com/pro-iran-altahrea-hit-port-of-london-website-ddos-attack/",
+ "https://nsi-globalcounterintelligence.com/cyber-security/pro-iran-hackers-target-israel-airports-authority-website/"
+ ]
+ },
+ "uuid": "b87f9ba7-f480-4ed5-b60e-b880e6b519ea",
+ "value": "Altahrea Team"
+ },
+ {
+ "description": "1937CN is a Chinese hacking group that has been active since at least 2013. The group is known for targeting Vietnamese organizations, including government agencies, businesses, and media outlets. 1937CN has been linked to a number of high-profile cyberattacks, including the hacking of Vietnam Airlines in 2016 and the defacement of Vietnamese government websites in 2015.",
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://www.trendmicro.com/en_us/research/23/b/earth-zhulong-familiar-patterns-target-southeast-asian-firms.html",
+ "https://www.recordedfuture.com/international-hacktivism-analysis/",
+ "http://securityaffairs.co/wordpress/49876/hacking/china-1937cn-team-vietnam.html",
+ "https://medium.com/@Sebdraven/malicious-document-targets-vietnamese-officials-acb3b9d8b80a"
+ ]
+ },
+ "uuid": "391573c5-9c21-4984-b6b8-97d42623d6cc",
+ "value": "1937CN"
+ },
+ {
+ "description": "In September 2023, Cisco Talos identified a new malware family that it calls ‘HTTPSnoop’ being deployed against telecommunications providers in the Middle East. They also discovered a sister implant to 'HTTPSnoop,’ that they are naming ‘PipeSnoop,’ which can accept arbitrary shellcode from a named pipe and execute it on the infected endpoint. Based on these findings, the researchers assess with high confidence that both implants belong to a new intrusion set that it named ‘ShroudedSnooper.’",
+ "meta": {
+ "refs": [
+ "https://blog.talosintelligence.com/introducing-shrouded-snooper/",
+ "https://www.sentinelone.com/labs/the-israel-hamas-war-cyber-domain-state-sponsored-activity-of-interest/"
+ ]
+ },
+ "uuid": "3437c5a5-4c42-4665-99df-b17bc57a7ba6",
+ "value": "ShroudedSnooper"
+ },
+ {
+ "description": "ShinyHunters is a cybercriminal group of unknown origin that is motivated by financial gain. The group is known for its sophisticated attacks against a wide range of targets, including businesses, organizations, and government agencies. ShinyHunters typically uses phishing attacks and exploit kits to gain access to victim networks, where they deploy malware to steal sensitive data, such as names, addresses, phone numbers, Social Security numbers, and credit card information.",
+ "meta": {
+ "refs": [
+ "https://cyberwarzone.com/shinyhunters-22-year-old-member-pleads-guilty-to-cyber-extortion-causing-6-million-in-damage/",
+ "https://www.bitdefender.com/blog/hotforsecurity/pizza-hut-australia-leaks-one-million-customers-details-claims-shinyhunters-hacking-group/",
+ "https://www.justice.gov/usao-wdwa/pr/alleged-french-cybercriminal-appear-seattle-indictment-conspiracy-computer-intrusion"
+ ]
+ },
+ "uuid": "d4fd0a30-15d4-4dfd-bf98-beff5fe34c33",
+ "value": "ShinyHunters"
+ },
+ {
+ "description": "IronHusky is a Chinese-based threat actor first attributed in July 2017 targeting Russian and Mongolian governments, as well as aviation companies and research institutes. Since their initial attacks ceased in 2018, they have been working on a new remote access trojan dubbed MysterySnail.",
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://securelist.com/mysterysnail-attacks-with-windows-zero-day/104509/",
+ "https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk175885"
+ ]
+ },
+ "uuid": "34d1e532-3d47-44cb-b87c-7e9cbba2321e",
+ "value": "IronHusky"
+ },
+ {
+ "description": "UserSec is a pro-Russian hacking group that has been active since at least 2022. The group is known for its DDoS attacks and has collaborated with other pro-Russian hacking groups. In May 2023, UserSec announced a cyber campaign targeting NATO member states and joined forces with KillNet to launch attacks against NATO.",
+ "meta": {
+ "country": "RU",
+ "refs": [
+ "https://therecord.media/scandinavian-airlines-cyberattack-anonymous-sudan/",
+ "https://blog.cyble.com/2023/05/24/notable-ddos-attack-tools-and-services-supporting-hacktivist-operations-in-2023/",
+ "https://socradar.io/cyber-shadows-pact-darknet-parliament-killnet-anonymous-sudan-revil/",
+ "https://socradar.io/dark-peep-2-war-and-a-piece-of-hilarity/"
+ ]
+ },
+ "uuid": "d0e1811e-53f9-48b5-b2ef-107e0f53239b",
+ "value": "UserSec"
+ },
+ {
+ "description": "State Service of Special Communication and Information Protection of Ukraine spotted a new wave of cyber attacks aimed at gaining access to users’ Telegram accounts. The Ukrainian CERT attributes the hacking campaign to threat actors tracked as UAC-0094. Threat actors are targeting Telegram users by sending Telegram messages with malicious links to the Telegram website in order to gain unauthorized access to the records and transfer a one-time code from SMS.",
+ "meta": {
+ "country": "RU",
+ "refs": [
+ "https://cert.gov.ua/article/39253",
+ "https://vulners.com/thn/THN:4C1C2CD10F20E08DD74D465450DF3F17?utm_source=rss&utm_medium=rss&utm_campaign=rss"
+ ]
+ },
+ "uuid": "def3c4e4-9d59-478f-8895-d3850cfa99c3",
+ "value": "UAC-0094"
+ },
+ {
+ "description": "TraderTraitor targets blockchain companies through spear-phishing messages. The group sends these messages to employees, particularly those in system administration or software development roles, on various communication platforms, intended to gain access to these start-up and high-tech companies. TraderTraitor may be the work of operators previously responsible for APT38 activity.",
+ "meta": {
+ "country": "KP",
+ "refs": [
+ "https://www.mandiant.com/resources/blog/north-korea-supply-chain",
+ "https://us-cert.cisa.gov/ncas/alerts/aa22-108a",
+ "https://www.mandiant.com/resources/blog/north-korea-cyber-structure-alignment-2023"
+ ],
+ "synonyms": [
+ "Jade Sleet",
+ "UNC4899"
+ ]
+ },
+ "uuid": "825abfd9-7238-4438-a9e7-c08791f4df4e",
+ "value": "TraderTraitor"
 }
 ],
- "version": 292
+ "version": 293
 }
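Review bot: The UAC-0094 entry sets `"country": "RU"`, but neither its description nor the two refs it lists state a Russian attribution — a CERT-UA `UAC-` tracking label is not itself a country attribution — so the field should be backed by a ref that makes that claim or be left out, as the BadRory and ShroudedSnooper entries in the same hunk do when origin is unconfirmed. The Altahrea Team entry has the mirror-image gap: `"country": "IQ"` agrees with the PressTV ref but the description says only "pro-Iranian", so a clause such as `an Iraqi pro-Iranian hacking group` would stop the two fields from reading as contradictory. The vulners ref in the UAC-0094 entry carries `?utm_source=rss&utm_medium=rss&utm_campaign=rss`; tracking parameters should be stripped from refs so the URL is stable and deduplicates cleanly. TraderTraitor's synonyms `Jade Sleet` and `UNC4899` and its closing APT38 sentence warrant a check that no existing cluster entry already carries either name, and the APT38 overlap is better expressed as a `related` link to the existing APT38 entry (`"dest-uuid": "<APT38-ENTRY-UUID>"`, placeholder) than as prose only.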