[threat-actors] Fix Volatile Cedar and Dancing Salome conflicts

2022-09-29 14:39:42 -07:00 · 2022-09-29 14:39:42 -07:00 · 5994fa4160
parent 9338222b64
commit 5994fa4160
1 changed files with 26 additions and 10 deletions
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@ -3606,32 +3606,48 @@
    {
      "description": "Beginning in late 2012, a carefully orchestrated attack campaign we call Volatile Cedar has been targeting individuals, companies and institutions worldwide. This campaign, led by a persistent attacker group, has successfully penetrated a large number of targets using various attack techniques, and specifically, a custom-made malware implant codenamed Explosive.",
      "meta": {
+        "country": "LB",
        "refs": [
          "https://blog.checkpoint.com/2015/03/31/volatilecedar/",
          "https://blog.checkpoint.com/2015/06/09/new-data-volatile-cedar/",
          "https://securelist.com/sinkholing-volatile-cedar-dga-infrastructure/69421/",
-          "https://www.clearskysec.com/wp-content/uploads/2021/01/Lebanese-Cedar-APT.pdf"
+          "https://www.clearskysec.com/wp-content/uploads/2021/01/Lebanese-Cedar-APT.pdf",
+          "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2015/03/20082004/volatile-cedar-technical-report.pdf"
+        ],
+        "suspected-victims": [
+          "Middle East",
+          "Israel",
+          "Lebanon",
+          "Saudi Arabia"
        ],
        "synonyms": [
-          "Reuse team",
-          "Malware reusers",
-          "Dancing Salome",
          "Lebanese Cedar"
        ]
      },
+      "related": [
+        {
+          "dest-uuid": "0155c3b1-8c7c-4176-aeda-68678dd99992",
+          "tags": [
+            "estimative-language:likelihood-probability=\"very-likely\""
+          ],
+          "type": "uses"
+        }
+      ],
      "uuid": "cf421ce6-ddfe-419a-bc65-6a9fc953232a",
      "value": "Volatile Cedar"
    },
    {
-      "description": "Threat Group conducting cyber espionage while re-using tools from other teams; like those of Hacking Team, and vmprotect to obfuscate.",
+      "description": "Dancing Salome is the Kaspersky codename for an APT actor with a primary focus on ministries of foreign affairs, think tanks, and Ukraine. What makes Dancing Salome interesting and relevant is the attacker’s penchant for leveraging HackingTeam RCS implants compiled after the public breach.",
      "meta": {
-        "synonyms": [
-          "Reuse team",
-          "Dancing Salome"
+        "refs": [
+          "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07170728/Guerrero-Saade-Raiu-VB2017.pdf"
+        ],
+        "suspected-victims": [
+          "Ukraine"
        ]
      },
      "uuid": "3d5192f2-f235-46fd-aa68-dd00cc17d632",
-      "value": "Malware reusers"
+      "value": "Dancing Salome"
    },
    {
      "description": "Microsoft Threat Intelligence identified similarities between this recent attack and previous 2012 attacks against tens of thousands of computers belonging to organizations in the energy sector. Microsoft Threat Intelligence refers to the activity group behind these attacks as TERBIUM, following our internal practice of assigning rogue actors chemical element names.",