Merge pull request #892 from Mathieu4141/threat-actors/b780c817-c1d2-4f6b-b03f-b9405d7d1473

[threat actors] Add 10 actors
pull/893/head
Alexandre Dulaunoy 2023-11-13 14:10:00 +01:00 committed by GitHub
commit 553a7f836d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 121 additions and 0 deletions


@ -12845,6 +12845,127 @@
},
"uuid": "46de4091-379f-478c-bb6d-5833e2047f15",
"value": "DiceyF"
},
{
"description": "Lace Tempest, also known as DEV-0950, is a threat actor that exploited vulnerabilities in software such as SysAid and PaperCut to gain unauthorized access to systems. Lace Tempest is known for deploying the Clop ransomware and exfiltrating data from compromised networks.",
"meta": {
"refs": [
"http://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/"
],
"synonyms": [
"Lace Tempest"
]
},
"uuid": "4581f930-348e-4054-a71c-863871de66ee",
"value": "DEV-0950"
},
{
"description": "WeRedEvils is a hacking group that has claimed responsibility for multiple cyber attacks. They targeted the Iranian Electric Grid and the Tasnimnews website, causing the latter to go offline. The group also claimed to have hacked into Iran's oil infrastructure, causing significant damage. They emerged in response to the Hamas massacre and are believed to be a group of Israeli cyber experts.",
"meta": {
"country": "IL",
"refs": [
"https://cyberwarzone.com/tasnim-news-hacked-by-weredevils/",
"https://www.msspalert.com/news/managed-security-services-provider-mssp-market-news-30-october-2023"
]
},
"uuid": "7ba756f0-0753-4da9-b00d-8cf35ba84e57",
"value": "WeRedEvils"
},
{
"description": "WIRTE is a threat actor group that was first discovered in 2018. They are suspected to be part of the Gaza Cybergang, an Arabic politically motivated cyber criminal group. WIRTE has been observed changing their toolkit and operating methods to remain undetected for longer periods of time. They primarily target governmental and political entities, but have also been known to target law firms and financial institutions.",
"meta": {
"country": "PS",
"refs": [
"https://securelist.com/wirtes-campaign-in-the-middle-east-living-off-the-land-since-at-least-2019/105044/",
"https://lab52.io/blog/wirte-group-attacking-the-middle-east/"
]
},
"uuid": "ec6bcaa9-4cb3-4397-a735-c806bc986c81",
"value": "WIRTE"
},
{
"description": "Caracal Kitten is an APT group that has been targeting activists associated with the Kurdistan Democratic Party. They employ a mobile remote access Trojan to gain unauthorized access to victims' devices. The group disguises their malware as legitimate mobile apps, tricking users into installing them and granting the hackers access to their personal data.",
"meta": {
"refs": [
"https://deform.co/hacker-group-caracal-kitten-targets-kdp-activists-with-malware/",
"https://www.ctfiot.com/138538.html"
],
"synonyms": [
"APT-Q-58"
]
},
"uuid": "46a67fdf-5376-4d01-8092-6549a20030af",
"value": "Caracal Kitten"
},
{
"description": "Trend Micro discovered a threat actor they named Water Labbu that was targeting cryptocurrency scam websites. Typically, cryptocurrency scammers use social engineering techniques, interacting with victims to gain their trust and then manipulating them into providing the permissions needed to transfer cryptocurrency assets. While Water Labbu managed to steal cryptocurrencies via a similar method by obtaining access permissions and token allowances from their victims wallets, unlike other similar campaigns, they did not use any kind of social engineering — at least not directly. Instead, Water Labbu lets other scammers use their social engineering tricks to scam unsuspecting victims.",
"meta": {
"refs": [
"https://www.trendmicro.com/en_us/research/22/j/water-labbu-abuses-malicious-dapps-to-steal-cryptocurrency.html"
]
},
"uuid": "7f24740c-9370-4968-a92e-667ef2591abe",
"value": "Water Labbu"
},
{
"description": "TAG-56 is a threat actor group that shares similarities with the APT42 group. They use tactics such as fake registration pages and spearphishing to target victims, often using encrypted chat platforms like WhatsApp or Telegram. TAG-56 is believed to be part of a broader campaign led by an Iran-nexus threat activity group. They have been observed using shared web hosts and recycled code, indicating a preference for acquiring purpose-built infrastructure rather than establishing their own.",
"meta": {
"country": "IR",
"refs": [
"https://socradar.io/dark-web-profile-apt42-iranian-cyber-espionage-group/",
"https://www.recordedfuture.com/suspected-iran-nexus-tag-56-uses-uae-forum-lure-for-credential-theft-against-us-think-tank"
]
},
"uuid": "7cae7378-5595-4d1e-be63-e13216162a20",
"value": "TAG-56"
},
{
"description": "Since early 2022, Proofpoint researchers have observed a prolific threat actor, tracked as TA482, regularly engaging in credential harvesting campaigns that target the social media accounts of mostly US-based journalists and media organizations. This victimology, TA482s use of services originating from Turkey to host its domains and infrastructure, as well as Turkeys history of leveraging social media to spread pro-President Recep Tayyip Erdogan and pro-Justice and Development Party (Turkeys ruling party) propaganda support Proofpoints assessment that TA482 is aligned with the Turkish state.",
"meta": {
"country": "TR",
"refs": [
"https://www.proofpoint.com/us/blog/threat-insight/above-fold-and-your-inbox-tracing-state-aligned-activity-targeting-journalists"
]
},
"uuid": "610a7301-5963-4653-8aa2-eeb8573dfad9",
"value": "TA482"
},
{
"description": "XakNet is a self-proclaimed hacktivist group that has targeted Ukraine. They claim to be comprised of Russian patriotic volunteers and have conducted various threat activities, including DDoS attacks, compromises, data leaks, and website defacements. They coordinate their operations with other hacktivist groups and have connections to APT28, a cyber espionage group sponsored by the GRU.",
"meta": {
"country": "RU",
"refs": [
"https://www.mandiant.com/resources/blog/gru-rise-telegram-minions",
"https://www.mandiant.com/resources/blog/gru-disruptive-playbook"
]
},
"uuid": "566752f5-a294-4430-b47e-8e705f9887ea",
"value": "XakNet"
},
{
"description": "Zarya is a pro-Russian hacktivist group that emerged in March 2022. Initially operating as a special forces unit under the command of Killnet, Zarya has since become an independent entity. The group is primarily known for engaging in Denial-of-Service attacks, website defacement campaigns, and data leaks. Zarya targets government agencies, service providers, critical infrastructure, and civil service employees, both domestically and internationally.",
"meta": {
"country": "RU",
"refs": [
"https://www.mandiant.com/resources/blog/killnet-new-capabilities-older-tactics",
"https://www.cyfirma.com/?post_type=out-of-band&p=17397",
"https://www.reversinglabs.com/blog/the-week-in-security-possible-colonial-pipeline-2.0-ransomware-hurts-small-american-eateries",
"https://channellife.com.au/story/the-increasing-presence-of-pro-russia-hacktivists",
"https://socradar.io/dark-web-profile-killnet-russian-hacktivist-group/"
]
},
"uuid": "3689f0e2-6c39-4864-ae0b-cc03e4cb695a",
"value": "Zarya"
},
{
"description": "DarkCasino is an economically motivated APT group that targets online trading platforms, including cryptocurrencies, online casinos, network banks, and online credit platforms. They are skilled at stealing passwords to access victims' online accounts and have been active for over a year. DarkCasino exploits vulnerabilities, such as the WinRAR vulnerability CVE-2023-38831, to launch phishing attacks and steal online property.",
"meta": {
"refs": [
"https://nsfocusglobal.com/the-new-apt-group-darkcasino-and-the-global-surge-in-winrar-0-day-exploits/"
]
},
"uuid": "b9128c29-8941-48a8-a5be-8076dde03a08",
"value": "DarkCasino"
}
],
"version": 293
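Review bot: The DEV-0950 entry's description asserts exploitation of SysAid and PaperCut, but its only reference is the October 2022 Raspberry Robin post, which predates both of those campaigns and therefore does not support the claims; either add the vendor write-ups that cover the SysAid/PaperCut activity to `refs` or trim the description to what the cited post documents. The same ref is also the only `http://` URL in the added block, where every other entry uses `https://`, so `"https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/"` would be consistent. Separately, the TA482 and Water Labbu descriptions have lost their possessive apostrophes ("TA482s", "Turkeys", "Proofpoints", "victims wallets"), which reads like a copy-paste encoding drop; restoring them as `TA482's`, `Turkey's`, `Proofpoint's` and `victims' wallets` keeps the quoted Proofpoint and Trend Micro text faithful to the sources.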