diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 4c96b73d..64241ba6 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -67,8 +67,7 @@
 "Brown Fox",
 "GIF89a",
 "ShadyRAT",
- "Shanghai Group",
- "G0006"
+ "Shanghai Group"
 ]
 },
 "related": [
@@ -279,10 +278,8 @@
 "MSUpdater",
 "4HCrew",
 "SULPHUR",
- "Sulphur",
 "SearchFire",
- "TG-6952",
- "G0024"
+ "TG-6952"
 ]
 },
 "related": [
@@ -328,9 +325,7 @@
 "Buckeye",
 "Boyusec",
 "BORON",
- "BRONZE MAYFAIR",
- "Bronze Mayfair",
- "G0022"
+ "BRONZE MAYFAIR"
 ]
 },
 "related": [
@@ -430,16 +425,12 @@
 "BeeBus",
 "Group 22",
 "DynCalc",
- "DynCALC",
 "Calc Team",
 "DNSCalc",
 "Crimson Iron",
 "APT12",
 "APT 12",
- "BRONZE GLOBE",
- "Bronze GLOBE",
- "G0005",
- "CTG-8223"
+ "BRONZE GLOBE"
 ]
 },
 "related": [
@@ -474,8 +465,7 @@
 ],
 "synonyms": [
 "APT16",
- "SVCMONDR",
- "G0023"
+ "SVCMONDR"
 ]
 },
 "uuid": "1f73e14f-b882-4032-a565-26dc653b0daf",
@@ -514,17 +504,7 @@
 "Hidden Lynx",
 "Tailgater Team",
 "Dogfish",
- "BRONZE KEYSTONE",
- "Bronze KEYSTONE",
- "TEMP.Avengers",
- "Sneaky Panda",
- "Barium",
- "G0025",
- "G0066",
- "TG-8153",
- "ATK 2",
- "Elderwood",
- "Group 72"
+ "BRONZE KEYSTONE"
 ]
 },
 "related": [
@@ -584,11 +564,8 @@
 "TG-0416",
 "APT 18",
 "SCANDIUM",
- "Scandium",
- "G0026",
 "PLA Navy",
- "APT18",
- "Wekby"
+ "APT18"
 ]
 },
 "related": [
@@ -668,14 +645,10 @@
 "LEAD",
 "WICKED SPIDER",
 "WICKED PANDA",
- "Wicked Panda",
 "BARIUM",
 "BRONZE ATLAS",
 "BRONZE EXPORT",
- "Red Kelpie",
- "G0044",
- "G0096",
- "TG-2633"
+ "Red Kelpie"
 ]
 },
 "related": [
@@ -753,20 +726,12 @@
 "Deep Panda",
 "WebMasters",
 "APT 19",
- "APT19",
 "KungFu Kittens",
 "Black Vine",
 "Group 13",
 "PinkPanther",
 "Sh3llCr3w",
- "BRONZE FIRESTONE",
- "Bronze FIRESTONE",
- "Sunshop Group",
- "C0d0s0",
- "G0009",
- "G0073",
- "TG-3551",
- "Pupa"
+ "BRONZE FIRESTONE"
 ]
 },
 "related": [
@@ -1072,13 +1037,7 @@
 "ZipToken",
 "Iron Tiger",
 "BRONZE UNION",
- "Bronze Union",
- "Lucky Mouse",
- "LuckyMouse",
- "Emissary Panda",
- "G0027",
- "ATK 15",
- "ATK15"
+ "Lucky Mouse"
 ]
 },
 "related": [
@@ -1144,21 +1103,12 @@
 "menuPass Team",
 "happyyongzi",
 "POTASSIUM",
- "Potassium",
 "DustStorm",
 "Red Apollo",
 "CVNX",
 "HOGFISH",
- "Hogfish",
 "Cloud Hopper",
- "BRONZE RIVERSIDE",
- "TA 429",
- "G0045",
- "ITG01",
- "Bronze RIVERSIDE",
- "CTG-5938",
- "ATK 41",
- "Cicada"
+ "BRONZE RIVERSIDE"
 ]
 },
 "related": [
@@ -1182,10 +1132,9 @@
 ],
 "synonyms": [
 "APT 9",
- "APT9",
+ "Flowerlady/Flowershow",
 "Flowerlady",
- "Flowershow",
- "Group 27 "
+ "Flowershow"
 ]
 },
 "uuid": "401dd2c9-bd4f-4814-bb87-701e38f18d45",
@@ -1284,12 +1233,7 @@
 "Lurid",
 "Social Network Team",
 "Royal APT",
- "BRONZE PALACE",
- "Bronze PALACE",
- "G0004",
- "Bronze DAVENPORT",
- "Bronze IDLEWOOD",
- "CTG-9246"
+ "BRONZE PALACE"
 ]
 },
 "uuid": "3501fbf2-098f-47e7-be6a-6b0ff5742ce8",
@@ -1322,8 +1266,7 @@
 "APT14",
 "APT 14",
 "QAZTeam",
- "ALUMINUM",
- "Aluminum"
+ "ALUMINUM"
 ]
 },
 "related": [
@@ -1620,10 +1563,7 @@
 "APT20",
 "APT 20",
 "TH3Bug",
- "Twivy",
- "APT 8",
- "APT8",
- "G0116"
+ "Twivy"
 ]
 },
 "uuid": "8bcd855f-a4c1-453a-bede-ff36582f4f40",
@@ -1705,9 +1645,7 @@
 "KeyBoy",
 "TropicTrooper",
 "Tropic Trooper",
- "BRONZE HOBART",
- "Bronze Hobart",
- "G0081"
+ "BRONZE HOBART"
 ]
 },
 "uuid": "7f16d1f5-04ee-4d99-abf0-87e1f23f9fee",
@@ -2030,16 +1968,9 @@
 "APT 33",
 "Elfin",
 "MAGNALLIUM",
- "Magnallium",
 "Refined Kitten",
 "HOLMIUM",
- "Holmium",
- "COBALT TRINITY",
- "COBALT Trinity",
- "TA 451",
- "G0064",
- "ATK 35",
- "Group 83"
+ "COBALT TRINITY"
 ]
 },
 "related": [
@@ -2250,18 +2181,7 @@
 "APT35",
 "APT 35",
 "TEMP.Beanie",
- "Ghambar",
- "TA 453",
- "NewsBeef",
- "Charming Kitten",
- "Phosphorus",
- "G0003",
- "G0059",
- "COBALT illusion",
- "Timberworm",
- "C-Major",
- "Newscaster",
- "TunnelVision"
+ "Ghambar"
 ]
 },
 "related": [
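Review bot: The re-added `"Flowerlady/Flowershow"` in the APT 9 synonym list (hunk `@@ -1182,10 +1132,9 @@`) is a slash-joined pair of names rather than an alias anything would look up, and its two components `"Flowerlady"` and `"Flowershow"` already sit right next to it. Consumers that resolve tags by synonym compare strings, so this entry can never match a real alias and only adds noise to the list; I would drop it and keep the two individual entries. If the joined form is kept deliberately because some upstream report uses it verbatim, a ref pointing at that report would make the intent clear to the next editor.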
@@ -2334,13 +2254,6 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
- },
- {
- "dest-uuid": "b8967b3c-3bc9-11e8-8701-8b1ead8c099e",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
 }
 ],
 "uuid": "86724806-7ec9-4a48-a0a7-ecbde3bf4810",
@@ -2475,7 +2388,6 @@
 "Fancy Bear",
 "Sednit",
 "SNAKEMACKEREL",
- "Snakemackerel",
 "TsarTeam",
 "Tsar Team",
 "TG-4127",
@@ -2484,19 +2396,10 @@
 "TAG_0700",
 "Swallowtail",
 "IRON TWILIGHT",
- "Iron Twilight",
 "Group 74",
 "SIG40",
 "Grizzly Steppe",
- "apt_sofacy",
- "TA 422",
- "Strontium",
- "G0007",
- "ITG05",
- "ATK 5",
- "ATK5",
- "T-APT-12",
- "APT-C-20"
+ "apt_sofacy"
 ]
 },
 "related": [
@@ -2563,26 +2466,19 @@
 "CozyDuke",
 "EuroAPT",
 "CozyBear",
- "Cozy Bear",
 "CozyCar",
 "Cozer",
 "Office Monkeys",
 "OfficeMonkeys",
 "APT29",
+ "Cozy Bear",
 "The Dukes",
 "Minidionis",
 "SeaDuke",
 "Hammer Toss",
 "YTTRIUM",
- "Yttrium",
 "Iron Hemlock",
- "Grizzly Steppe",
- "TA 421",
- "CloudLook",
- "G0016",
- "ITG11",
- "ATK7",
- "ATK 7"
+ "Grizzly Steppe"
 ]
 },
 "related": [
@@ -2918,19 +2814,7 @@
 "synonyms": [
 "CARBON SPIDER",
 "GOLD NIAGARA",
- "Calcium",
- "Carbanak",
- "FIN 7",
- "ELBRUS",
- "G0046",
- "ITG14",
- "Magecart Group 7",
- "Gold NIAGARA",
- "Anunak",
- "ATK 32",
- "APT-C-11",
- "Navigator",
- "TelePort Crew"
+ "Calcium"
 ]
 },
 "related": [
@@ -3043,10 +2927,7 @@
 "https://attack.mitre.org/groups/G0085/"
 ],
 "synonyms": [
- "FIN4",
- "FIN 4",
- "Wolf Spider",
- "G0085"
+ "FIN4"
 ]
 },
 "uuid": "ff449346-aa9f-45f6-b482-71e886a5cf57",
@@ -3222,19 +3103,7 @@
 "Nickel Academy",
 "APT-C-26",
 "NICKEL GLADSTONE",
- "COVELLITE",
- "G0082",
- "G0032",
- "ITG03",
- "Hive0080",
- "CTG-6459",
- "Lazarus",
- "ATK 117",
- "T-APT-15",
- "Klipodenc",
- "SectorA01",
- "BeagleBoyz",
- "NESTEGG"
+ "COVELLITE"
 ]
 },
 "related": [
@@ -3412,11 +3281,8 @@
 "APT36",
 "APT 36",
 "TMP.Lapis",
- "TEMP.Lapis",
 "Green Havildar",
- "COPPER FIELDSTONE",
- "G0134",
- "APT-C-56"
+ "COPPER FIELDSTONE"
 ]
 },
 "related": [
@@ -3514,14 +3380,7 @@
 "Sarit",
 "Quilted Tiger",
 "APT-C-09",
- "ZINC EMERSON",
- "Confucius",
- "ATK 11",
- "TG-4410",
- "G0040",
- "G0089",
- "Viceroy Tiger",
- "Dropping Elephant"
+ "ZINC EMERSON"
 ]
 },
 "related": [
@@ -3717,13 +3576,7 @@
 "https://www.cfr.org/interactive/cyber-operations/apt-30"
 ],
 "synonyms": [
- "APT30",
- "Naikon",
- "Override Panda",
- "G0019",
- "G0013",
- "BRONZE STERLING",
- "CTG-5326"
+ "APT30"
 ]
 },
 "related": [
@@ -3831,12 +3684,7 @@
 "ITG08",
 "MageCart Group 6",
 "White Giant",
- "GOLD FRANKLIN",
- "FIN 6",
- "G0037",
- "Gold FRANKLIN",
- "ATK 88",
- "APT-C-01"
+ "GOLD FRANKLIN"
 ]
 },
 "related": [
@@ -3936,13 +3784,7 @@
 "Helix Kitten",
 "APT 34",
 "APT34",
- "IRN2",
- "TA 452",
- "G0049",
- "G0116",
- "ITG13",
- "ATK 40",
- "Chrysene"
+ "IRN2"
 ]
 },
 "related": [
@@ -4608,11 +4450,7 @@
 "Ocean Buffalo",
 "POND LOACH",
 "TIN WOODLAWN",
- "Tin Woodlawn",
- "Woodlawn",
- "BISMUTH",
- "G0050",
- "SectorF01"
+ "BISMUTH"
 ]
 },
 "related": [
@@ -4769,11 +4607,6 @@
 "https://afyonluoglu.org/PublicWebFiles/Reports-TR/2017%20FireEye%20M-Trends%20Report.pdf",
 "https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html",
 "https://attack.mitre.org/groups/G0061"
- ],
- "synonyms": [
- "FIN 8",
- "G0061",
- "ATK113"
 ]
 },
 "related": [
@@ -4869,10 +4702,6 @@
 "refs": [
 "https://www.proofpoint.com/us/threat-insight/post/apt-targets-financial-analysts",
 "https://attack.mitre.org/groups/G0062/"
- ],
- "synonyms": [
- "TA 459",
- "G0062"
 ]
 },
 "related": [
@@ -4924,9 +4753,7 @@
 "synonyms": [
 "CactusPete",
 "Karma Panda",
- "BRONZE HUNTLEY",
- "Bronze HUNTLEY",
- "G0131"
+ "BRONZE HUNTLEY"
 ]
 },
 "uuid": "0ab7c8de-fc23-4793-99aa-7ee336199e26",
@@ -4944,7 +4771,6 @@
 {
 "description": "We have observed one APT group, which we call APT5, particularly focused on telecommunications and technology companies. More than half of the organizations we have observed being targeted or breached by APT5 operate in these sectors. Several times, APT5 has targeted organizations and personnel based in Southeast Asia. APT5 has been active since at least 2007. It appears to be a large threat group that consists of several subgroups, often with distinct tactics and infrastructure. APT5 has targeted or breached organizations across multiple industries, but its focus appears to be on telecommunications and technology companies, especially information about satellite communications. \nAPT5 targeted the network of an electronics firm that sells products for both industrial and military applications. The group subsequently stole communications related to the firm’s business relationship with a national military, including inventories and memoranda about specific products they provided. \nIn one case in late 2014, APT5 breached the network of an international telecommunications company. The group used malware with keylogging capabilities to monitor the computer of an executive who manages the company’s relationships with other telecommunications companies",
 "meta": {
- "country": "CN",
 "refs": [
 "https://www.fireeye.com/current-threats/apt-groups.html",
 "https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-southeast-asia-threat-landscape.pdf",
@@ -4952,19 +4778,7 @@
 ],
 "synonyms": [
 "MANGANESE",
- "BRONZE FLEETWOOD",
- "APT 5",
- "UNC2630",
- "Poisoned Flight",
- "Keyhole Panda",
- "Pitty Panda",
- "Manganese",
- "G0011",
- "Bronze FLEETWOOD",
- "TG-2754",
- "PittyTiger",
- "DPD",
- "TEMP.Bottle"
+ "BRONZE FLEETWOOD"
 ]
 },
 "uuid": "a47b79ae-7a0c-4308-9efc-294af19cc795",
@@ -4980,11 +4794,7 @@
 ],
 "synonyms": [
 "APT22",
- "BRONZE OLIVE",
- "Bronze Olive",
- "Group 46",
- "Suckfly",
- "G0039"
+ "BRONZE OLIVE"
 ]
 },
 "uuid": "7a2457d6-148a-4ce1-9e79-aa43352ee842",
@@ -5049,14 +4859,7 @@
 "Hippo Team",
 "JerseyMikes",
 "Turbine Panda",
- "BRONZE EXPRESS",
- "Bronze Express",
- "KungFu Kittens",
- "WebMasters",
- "Black Vine",
- "Group 13",
- "Shell Crew",
- "PinkPanther"
+ "BRONZE EXPRESS"
 ]
 },
 "related": [
@@ -5306,11 +5109,7 @@
 "APT4",
 "APT 4",
 "BRONZE EDISON",
- "Bronze EDISON",
- "Sykipot",
- "Samurai Panda",
- "TG-0623",
- "Wisp Team"
+ "Sykipot"
 ]
 },
 "uuid": "8e28dbee-4e9e-4491-9a6c-ee9c9ec4b28b",
@@ -5912,15 +5711,7 @@
 "Red Eyes",
 "Ricochet Chollima",
 "ScarCruft",
- "Venus 121",
- "TEMP.Reaper",
- "Thallium",
- "G0067",
- "ITG10",
- "ATK 4",
- "Hermit",
- "Geumseong121",
- "Hidden Cobra"
+ "Venus 121"
 ]
 },
 "related": [
@@ -6006,16 +5797,8 @@
 "APT 40",
 "APT40",
 "BRONZE MOHAWK",
- "Bronze Mohawk",
 "GADOLINIUM",
- "Gadolinium",
- "Kryptonite Panda",
- "G0065",
- "ITG09",
- "ATK29",
- "Flaccid Rose",
- "Nanhaishu",
- "Mudcarp"
+ "Kryptonite Panda"
 ]
 },
 "related": [
@@ -6043,15 +5826,6 @@
 "Newscaster Team"
 ]
 },
- "related": [
- {
- "dest-uuid": "86724806-7ec9-4a48-a0a7-ecbde3bf4810",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "b8967b3c-3bc9-11e8-8701-8b1ead8c099e",
 "value": "APT35"
 },
@@ -6216,7 +5990,6 @@
 "Private sector"
 ],
 "cfr-type-of-incident": "Espionage",
- "country": "RU",
 "mode-of-operation": "Deep ICS environment information gathering, operator credentials, industrial process details",
 "refs": [
 "https://dragos.com/adversaries.html",
@@ -6227,10 +6000,7 @@
 "synonyms": [
 "Dragonfly 2.0",
 "Dragonfly2",
- "Berserker Bear",
- "Berserk Bear",
- "G0074",
- "Dymalloy"
+ "Berserker Bear"
 ],
 "victimology": "Turkey, Europe, US"
 },
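Review bot: Removing the `related` block from the `APT35` cluster (uuid b8967b3c-…, hunk `@@ -6043,15 +5826,6 @@`) leaves two clusters carrying the same actor name with nothing tying them together, because the reciprocal `dest-uuid` entry is deleted from cluster 86724806-… in the same commit and that cluster still lists `"APT35"` and `"APT 35"` among its synonyms. A consumer resolving the tag `APT35` now gets one hit by value and one by synonym with no `similar` relation to say they are the same actor. If both entries are meant to stay, keep the relation in both directions; if this is a merge, the cluster keeping the synonym should be the survivor and this uuid should be retained and marked deprecated rather than left as a dangling duplicate. I am inferring that the synonym hunk at `-2250` and the `related` hunk at `-2334` belong to the same 86724806 cluster, since the lines between them are not in this diff.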
@@ -6651,12 +6421,6 @@
 "refs": [
 "https://www.bellingcat.com/news/mena/2017/06/12/bahamut-pursuing-cyber-espionage-actor-middle-east/",
 "https://www.bellingcat.com/resources/case-studies/2017/10/27/bahamut-revisited-cyber-espionage-middle-east-south-asia/"
- ],
- "synonyms": [
- "G0112",
- "Urpage",
- "EHDevel",
- "WindShift"
 ]
 },
 "uuid": "dc3edacc-bb24-11e8-81fb-8c16458922a7",
@@ -6919,11 +6683,6 @@
 "country": "RU",
 "refs": [
 "https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/"
- ],
- "synonyms": [
- "Indrik Spider",
- "G0119",
- "Gold DRAKE"
 ]
 },
 "uuid": "658314bc-3bb8-48d2-913a-c528607b75c8",
@@ -7062,15 +6821,7 @@
 "GRACEFUL SPIDER",
 "GOLD TAHOE",
 "Dudear",
- "TA 505",
- "Graceful Spider",
- "TEMP.Warlock",
- "Chimborazo",
- "G0092",
- "Hive0065",
- "Gold TAHOE",
- "ATK 103",
- "SectorJ04"
+ "TEMP.Warlock"
 ]
 },
 "uuid": "03c80674-35f8-4fe0-be2b-226ed0fcd69f",
@@ -7129,12 +6880,7 @@
 ],
 "synonyms": [
 "TA542",
- "GOLD CRESTWOOD",
- "Mummy Spider",
- "TA 542",
- "Gold CRESTWOOD",
- "ATK104",
- "Mealybug"
+ "GOLD CRESTWOOD"
 ]
 },
 "uuid": "c93281be-f6cd-4cd0-a5a3-defde9d77d8b",
@@ -7201,11 +6947,7 @@
 "synonyms": [
 "Chafer",
 "REMIX KITTEN",
- "Remix Kitten",
- "COBALT HICKMAN",
- "TA 454",
- "G0087",
- "ITG07"
+ "COBALT HICKMAN"
 ]
 },
 "uuid": "c2c64bd3-a325-446f-91a8-b4c0f173a30b",
@@ -7468,11 +7210,7 @@
 "synonyms": [
 "COBALT DICKENS",
 "Mabna Institute",
- "TA407",
- "TA 407",
- "Yellow Nabu",
- "SilentLibrarian",
- "Silent Librarian"
+ "TA407"
 ]
 },
 "uuid": "5059b44d-2753-4977-b987-4922f09afe6b",
@@ -7506,13 +7244,9 @@
 "https://twitter.com/bkMSFT/status/1417823714922610689"
 ],
 "synonyms": [
- "APT 31",
 "ZIRCONIUM",
- "Zirconium",
 "JUDGMENT PANDA",
- "Judgment Panda",
- "BRONZE VINEWOOD",
- "G0128"
+ "BRONZE VINEWOOD"
 ]
 },
 "uuid": "6bf7e6b6-5917-45a6-9567-f0baba79768c",
@@ -7574,10 +7308,6 @@
 "refs": [
 "https://www.darkreading.com/analytics/prolific-cybercrime-gang-favors-legit-login-credentials/d/d-id/1322645?",
 "https://attack.mitre.org/groups/G0053/"
- ],
- "synonyms": [
- "FIN 5",
- "G0053"
 ]
 },
 "uuid": "44dc2f9c-8c28-11e9-9b9a-7fdced8cbf70",
@@ -7600,10 +7330,6 @@
 "refs": [
 "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin10.pdf",
 "https://attack.mitre.org/groups/G0051/"
- ],
- "synonyms": [
- "FIN 10",
- "G0051"
 ]
 },
 "uuid": "f2d02410-8c2c-11e9-8df1-a31c1fb33d79",
@@ -7883,9 +7609,7 @@
 ],
 "synonyms": [
 "Temp.Hex",
- "Vicious Panda",
- "TA 428",
- "Bronze DUDLEY"
+ "Vicious Panda"
 ]
 },
 "uuid": "5533d062-18ab-4c70-9472-0eac03f95a1d",
@@ -8005,11 +7729,6 @@
 "https://www.proofpoint.com/us/threat-insight/post/lookback-forges-ahead-continued-targeting-united-states-utilities-sector-reveals",
 "https://www.proofpoint.com/us/threat-insight/post/lookback-malware-targets-united-states-utilities-sector-phishing-attacks",
 "https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new"
- ],
- "synonyms": [
- "LookBack",
- "TA 410",
- "TALONITE"
 ]
 },
 "uuid": "5cd95926-0098-435e-892d-9c9f61763ad7",
@@ -8053,7 +7772,6 @@
 {
 "description": "For the first time, the activity of the Calypso group was detected by specialists of PT Expert Security Center in March 2019, during the work to detect cyber threats. As a result, many malware samples of this group were obtained, affected organizations and control servers of intruders were identified. According to our data, the group has been active since at least September 2016. The main goal of the group is to steal confidential data, the main victims are government agencies from Brazil, India, Kazakhstan, Russia, Thailand, Turkey. Our data suggest that the group has Asian roots. Description translated from Russian.",
 "meta": {
- "country": "CN",
 "refs": [
 "https://www.ptsecurity.com/upload/corporate/ru-ru/analytics/calypso-apt-2019-rus.pdf"
 ]
@@ -8314,10 +8032,7 @@
 ],
 "synonyms": [
 "GOLD ESSEX",
- "TA544",
- "TA 544",
- "Narwhal Spider",
- "Gold ESSEX"
+ "TA544"
 ]
 },
 "uuid": "fda9cdea-0017-495e-879d-0f348db2aa07",
@@ -8605,9 +8320,7 @@
 "synonyms": [
 "TEMP.Warlock",
 "UNC902",
- "GRACEFUL SPIDER",
- "Graceful Spider",
- "Gold Evergreen"
+ "GRACEFUL SPIDER"
 ]
 },
 "uuid": "c01aadc6-1087-4e8e-8d5c-a27eba409fe3",
@@ -8762,9 +8475,7 @@
 ],
 "synonyms": [
 "UNC1151",
- "TA 445",
- "TA445",
- "UAC-0051"
+ "TA445"
 ]
 },
 "uuid": "749aaa11-f0fd-416b-bf6c-112f9b5930a5",
@@ -8981,10 +8692,7 @@
 ],
 "synonyms": [
 "Shakthak",
- "TA551",
- "TA 551",
- "Lunar Spider",
- "G0127"
+ "TA551"
 ]
 },
 "uuid": "36e8c848-4d20-47ea-9fc2-31aa17bf82d1",
@@ -9274,11 +8982,6 @@
 "meta": {
 "refs": [
 "https://www.thaicert.or.th/downloads/files/Threat_Group_Cards_v2.0.pdf"
- ],
- "synonyms": [
- "Scully Spider",
- "TA 547",
- "TH-163"
 ]
 },
 "uuid": "29fbc8d4-1e6e-4edc-9887-bdf47f36e4c1",
@@ -9291,8 +8994,7 @@
 "https://www.thaicert.or.th/downloads/files/Threat_Group_Cards_v2.0.pdf"
 ],
 "synonyms": [
- "TH-163",
- "TA 554"
+ "TH-163"
 ]
 },
 "uuid": "36f1a1b8-e03a-484f-95a3-005345679cbe",
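Review bot: After hunk `@@ -8605,9 +8320,7 @@` cluster c01aadc6-… carries both `"TEMP.Warlock"` and `"GRACEFUL SPIDER"`, while the TA505 cluster 03c80674-… earlier in this diff (hunk `@@ -7062,15 +6821,7 @@`) keeps `"GRACEFUL SPIDER"` as context and re-adds `"TEMP.Warlock"`, so the same two aliases now resolve to two different clusters. Tag lookup on either name becomes ambiguous, and if the repository validates synonym uniqueness across a galaxy this will trip it. Either one cluster should own those names, or the two entries should be joined with a `related` entry of `"type": "similar"` so the overlap is deliberate and visible. The pre-image already had `GRACEFUL SPIDER` in both clusters; this change widens the overlap rather than introducing it.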
@@ -9335,33 +9037,6 @@
 "uuid": "d45dd940-b38d-4b2c-9f2f-3e4a0eac841c",
 "value": "MosesStaff"
 },
- {
- "description": "The group’s existence came to light during Context’s investigation of a number of attacks against multinational enterprises that compromise smaller engineering services and consultancies working in their supply chains.",
- "meta": {
- "country": "CN",
- "refs": [
- "https://www.computerweekly.com/news/252471769/New-threat-group-behind-Airbus-cyber-attacks-claim-researchers"
- ]
- },
- "uuid": "8045fc09-13d6-4f90-b239-ed5060b9297b",
- "value": "Avivore"
- },
- {
- "description": "The Bitter threat group initially started using RAT tools in their campaigns, as the first Bitter versions, for Android released in 2014 were based on the AndroRAT framework. Over time, they switched to a custom version that has been known as BitterRAT ever since.",
- "meta": {
- "country": "IN",
- "refs": [
- "https://www.bitdefender.com/files/News/CaseStudies/study/352/Bitdefender-PR-Whitepaper-BitterAPT-creat4571-en-EN-GenericUse.pdf"
- ],
- "synonyms": [
- "BitterAPT",
- "T-APT-17",
- "APT-C-08"
- ]
- },
- "uuid": "1e9bd6fe-e009-41ce-8e92-ad78c73ee772",
- "value": "Bitter"
- },
 {
 "description": "An actor group conducting large-scale social engineering and extortion campaign against multiple organizations with some seeing evidence of destructive elements.",
 "meta": {
@@ -9396,5 +9071,5 @@
 "value": "Scarab"
 }
 ],
- "version": 216
+ "version": 215
 }
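Review bot: The final hunk lowers `"version"` from 216 to 215 while the rest of the diff still changes content (two clusters deleted in hunk `@@ -9335,33 +9037,6 @@`, synonym lists trimmed throughout). MISP decides whether to re-import a galaxy by comparing this number, so instances that already pulled 216 will most likely keep the old data; if this is a revert, bump to `"version": 217` so the rollback actually propagates. Deleting the `Avivore` (8045fc09-…) and `Bitter` (1e9bd6fe-…) clusters outright also orphans any event tags or galaxy references that used those uuids; the safer pattern is to keep the entry and mark it deprecated, or point it at a surviving cluster, rather than drop it. If removing them is intentional, the commit message should say so, because downstream users cannot tell a revert from a retraction by looking at this diff.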