update threat actor galaxy

pull/416/head
Deborah Servili 2019-06-18 16:05:49 +02:00
parent 431e7a36c1
commit 52e51833de
No known key found for this signature in database
GPG Key ID: 7E3A832850D4D7D1
1 changed files with 83 additions and 12 deletions


@ -613,7 +613,11 @@
"meta": {
"refs": [
"http://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/",
"http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-tropic-trooper.pdf"
"http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-tropic-trooper.pdf",
"https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/",
"https://unit42.paloaltonetworks.com/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/",
"https://blog.lookout.com/titan-mobile-threat",
"https://attack.mitre.org/groups/G0081/"
],
"synonyms": [
"Operation Tropic Trooper",
@ -1618,7 +1622,8 @@
"refs": [
"https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html",
"https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html",
"https://www.cfr.org/interactive/cyber-operations/admin338"
"https://www.cfr.org/interactive/cyber-operations/admin338",
"https://attack.mitre.org/groups/G0018/"
],
"synonyms": [
"Admin338",
@ -2524,7 +2529,26 @@
"https://www.cfr.org/interactive/cyber-operations/turla",
"https://www.bleepingcomputer.com/news/security/turla-outlook-backdoor-uses-clever-tactics-for-stealth-and-persistence/",
"https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/",
"http://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf"
"http://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf",
"https://www.kaspersky.com/blog/moonlight-maze-the-lessons/6713/",
"https://www.nytimes.com/2010/08/26/technology/26cyber.html",
"https://yle.fi/uutiset/osasto/news/russian_group_behind_2013_foreign_ministry_hack/8591548",
"https://securelist.com/the-epic-turla-operation/65545/",
"https://www.melani.admin.ch/melani/en/home/dokumentation/reports/technical-reports/technical-report_apt_case_ruag.html",
"https://threatpost.com/linux-modules-connected-to-turla-apt-discovered/109765/",
"https://securelist.com/satellite-turla-apt-command-and-control-in-the-sky/72081/",
"https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/",
"https://securelist.com/introducing-whitebear/81638/",
"https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/",
"https://unit42.paloaltonetworks.com/unit42-kazuar-multiplatform-espionage-backdoor-api-access/",
"https://www.engadget.com/2017/06/07/russian-malware-hidden-britney-spears-instagram/",
"https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf",
"https://www.trendmicro.com/vinfo/vn/security/news/cyber-attacks/cyberespionage-group-turla-deploys-backdoor-ahead-of-g20-summit",
"https://www.zdnet.com/article/this-hacking-gang-just-updated-the-malware-it-uses-against-uk-targets/",
"https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/",
"https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf",
"https://www2.fireeye.com/rs/848-DID-242/images/rpt-witchcoven.pdf",
"https://attack.mitre.org/groups/G0010/"
],
"synonyms": [
"Turla",
@ -2540,7 +2564,9 @@
"KRYPTON",
"Hippo Team",
"Pacifier APT",
"Popeye"
"Popeye",
"SIG23",
"Iron Hunter"
]
},
"related": [
@ -2702,12 +2728,18 @@
"value": "Sandworm"
},
{
"description": "We will refer to the gang behind the malware as TeleBots. However its important to say that these attackers, and the toolset used, share a number of similarities with the BlackEnergy group, which conducted attacks against the energy industry in Ukraine in December 2015 and January 2016. In fact, we think that the BlackEnergy group has evolved into the TeleBots group.",
"description": "We will refer to the gang behind the malware as TeleBots. However its important to say that these attackers, and the toolset used, share a number of similarities with the BlackEnergy group, which conducted attacks against the energy industry in Ukraine in December 2015 and January 2016. In fact, we think that the BlackEnergy group has evolved into the TeleBots group. TeleBots appear to be associated with Sandworm Team, Iron Viking, Voodoo Bear.",
"meta": {
"attribution-confidence": "50",
"country": "RU",
"refs": [
"http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/"
"http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/",
"https://www.welivesecurity.com/2017/01/05/killdisk-now-targeting-linux-demands-250k-ransom-cant-decrypt/",
"https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/",
"https://www.welivesecurity.com/2017/05/23/xdata-ransomware-making-rounds-amid-global-wannacryptor-scare/",
"https://www.welivesecurity.com/2017/06/27/new-ransomware-attack-hits-ukraine/",
"https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/",
"https://blog.trendmicro.com/trendlabs-security-intelligence/timeline-of-sandworm-attacks/"
],
"synonyms": [
"Sandworm"
@ -2797,6 +2829,7 @@
"value": "Anunak"
},
{
"description": "Researchers have uncovered a long-term cyber-espionage campaign that used a combination of legitimate software packages and commodity malware tools to target a variety of heavy industry, government intelligence agencies and political activists. Known as the TeamSpy crew because of its affinity for using the legitimate TeamViewer application as part of its toolset, the attackers may have been active for as long as 10 years, researchers say.\nThe attack appears to be a years-long espionage campaign, but experts who have analyzed the victim profile, malware components and command-and-control infrastructure say that its not entirely clear what kind of data the attackers are going after. What is clear, though, is that the attackers have been at this for a long time and that they have specific people in mind as targets.\nResearchers at the CrySyS Lab in Hungary were alerted by the Hungarian National Security Authority to an attack against a high-profile target in the country and began looking into the campaign. They quickly discovered that some of the infrastructure being used in the attack had been in use for some time and that the target they were investigating was by no means the only one.",
"meta": {
"attribution-confidence": "50",
"cfr-suspected-state-sponsor": "Russian Federation",
@ -2812,7 +2845,10 @@
"country": "RU",
"refs": [
"https://securelist.com/blog/incidents/35520/the-teamspy-crew-attacks-abusing-teamviewer-for-cyberespionage-8/",
"https://www.cfr.org/interactive/cyber-operations/team-spy-crew"
"https://www.cfr.org/interactive/cyber-operations/team-spy-crew",
"https://threatpost.com/researchers-uncover-teamspy-attack-campaign-targeting-government-research-targets-032013/77646/",
"https://www.crysys.hu/publications/files/teamspy.pdf",
"https://d2538mqrb7brka.cloudfront.net/wp-content/uploads/sites/43/2018/03/20134928/theteamspystory_final_t2.pdf"
],
"synonyms": [
"TeamSpy",
@ -3202,7 +3238,8 @@
"https://nciipc.gov.in/documents/NCIIPC_Newsletter_July18.pdf",
"https://aisa.org.au//PDF/AISA%20Sydney%20-%20Dec2016.pdf",
"https://cysinfo.com/cyber-attack-targeting-cbi-and-possibly-indian-army-officials",
"https://s.tencent.com/research/report/669.html"
"https://s.tencent.com/research/report/669.html",
"https://www.fireeye.com/blog/threat-research/2016/06/apt_group_sends_spea.html"
],
"synonyms": [
"C-Major",
@ -3871,7 +3908,14 @@
"description": "Beginning in late 2012, a carefully orchestrated attack campaign we call Volatile Cedar has been targeting individuals, companies and institutions worldwide. This campaign, led by a persistent attacker group, has successfully penetrated a large number of targets using various attack techniques, and specifically, a custom-made malware implant codenamed Explosive .",
"meta": {
"refs": [
"https://www.checkpoint.com/downloads/volatile-cedar-technical-report.pdf"
"https://www.checkpoint.com/downloads/volatile-cedar-technical-report.pdf",
"https://blog.checkpoint.com/2015/06/09/new-data-volatile-cedar/",
"https://securelist.com/sinkholing-volatile-cedar-dga-infrastructure/69421/"
],
"synonyms": [
"Reuse team",
"Malware reusers",
"Dancing Salome"
]
},
"uuid": "cf421ce6-ddfe-419a-bc65-6a9fc953232a",
@ -6417,7 +6461,8 @@
"cfr-type-of-incident": "Espionage",
"refs": [
"https://www.cfr.org/interactive/cyber-operations/thrip",
"https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets"
"https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets",
"https://attack.mitre.org/groups/G0076/"
]
},
"uuid": "98be4300-a9ef-11e8-9a95-bb9221083cfc",
@ -6832,7 +6877,7 @@
"https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta505-dridex-globeimposter",
"https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware",
"https://e.cyberint.com/hubfs/Report%20Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors%20Tools/CyberInt_Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors'%20Tools_Report.pdf",
"https://threatpost.com/ta505-servhelper-malware/140792/"
"https://threatpost.com/ta505-servhelper-malware/140792/",
"https://blog.yoroi.company/research/the-stealthy-email-stealer-in-the-ta505-arsenal/"
]
},
@ -7373,7 +7418,33 @@
},
"uuid": "4fcbd08a-8ea6-11e9-8bf2-970182ab6bb5",
"value": "Slingshot"
},
{
"description": "The Taidoor attackers have been actively engaging in targeted attacks since at least March 4, 2009. Despite some exceptions, the Taidoor campaign often used Taiwanese IP addresses as C&C servers and email addresses to send out socially engineered emails with malware as attachments. One of the primary targets of the Taidoor campaign appeared to be the Taiwanese government. The attackers spoofed Taiwanese government email addresses to send out socially engineered emails in the Chinese language that typically leveraged Taiwan-themed issues. The attackers actively sent out malicious documents and maintained several IP addresses for command and control.\nAs part of their social engineering ploy, the Taidoor attackers attach a decoy document to their emails that, when opened, displays the contents of a legitimate document but executes a malicious payload in the background.\nWe were only able to gather a limited amount of information regarding the Taidoor attackers activities after they have compromised a target. We did, however, find that the Taidoor malware allowed attackers to operate an interactive shell on compromised computers and to upload and download files. In order to determine the operational capabilities of the attackers behind the Taidoor campaign, we monitored a compromised honeypot. The attackers issued out some basic commands in an attempt to map out the extent of the network compromise but quickly realized that the honeypot was not an intended targeted and so promptly disabled the Taidoor malware running on it. This indicated that while Taidoor malware were more widely distributed compared with those tied to other targeted campaigns, the attackers could quickly assess their targets and distinguish these from inadvertently compromised computers and honeypots.",
"meta": {
"refs": [
"https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the_taidoor_campaign.pdf",
"https://attack.mitre.org/groups/G0015/"
]
},
"uuid": "e6669606-91ad-11e9-b6f5-374843911989",
"value": "Taidoor"
},
{
"description": "TEMP.Veles is a Russia-based threat group that has targeted critical infrastructure. The group has been observed utilizing TRITON, a malware framework designed to manipulate industrial safety systems.",
"meta": {
"refs": [
"https://dragos.com/resource/trisis-analyzing-safety-system-targeting-malware/",
"https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html",
"https://attack.mitre.org/groups/G0088/"
],
"synonyms": [
"Xenotime"
]
},
"uuid": "90abfc42-91c6-11e9-89b1-af58de8f7ec2",
"value": "TEMP.Veles"
}
],
"version": 115
"version": 117
}
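Review bot: The Turla refs hunk adds `"https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/"` twice, so the new list carries a duplicate entry; the second occurrence, placed between the Trend Micro G20-summit link and the ZDNet article, should be dropped. The Tropic Trooper hunk similarly keeps the existing `"http://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-..."` ref while adding `"https://unit42.paloaltonetworks.com/unit42-tropic-trooper-..."`, which by its identical slug appears to be the same article on the newer host, so keeping only the https form would avoid a near-duplicate. Neither duplicate breaks parsing, but galaxy consumers that count or display refs will surface the repeated source. The enclosing threat-actor objects begin before each hunk, so the rest of those entries is not visible here.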