Merge pull request #888 from Mathieu4141/threat-actors/e8e0bf88-5b60-436f-8f61-ddafab6ca141

[threat actors] Add 10 actors
pull/891/head
Alexandre Dulaunoy 2023-11-06 17:44:41 +01:00 committed by GitHub
commit 63e27b9ebd
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 131 additions and 0 deletions


@ -12356,6 +12356,137 @@
},
"uuid": "27e11cc5-1688-4aea-a98d-96e6c275d005",
"value": "UNC3890"
},
{
"description": "In October 2022, Kaspersky identified an active infection of government, agriculture and transportation organizations located in the Donetsk, Lugansk, and Crimea regions. Although the initial vector of compromise is unclear, the details of the next stage imply the use of spear phishing or similar methods. The victims navigated to a URL pointing to a ZIP archive hosted on a malicious web server.",
"meta": {
"aliases": [
"Bad Magic"
],
"refs": [
"https://www.malwarebytes.com/blog/threat-intelligence/2023/05/redstinger",
"https://securelist.com/bad-magic-apt/109087/"
]
},
"uuid": "b813c6a2-f8c7-4071-83bd-24c181ff2bd4",
"value": "RedStinger"
},
{
"description": "Witchetty was first documented by ESET in April 2022, who concluded that it was one of three sub-groups of TA410, a broad cyber-espionage operation with some links to the Cicada group (aka APT10). Witchettys activity was characterized by the use of two pieces of malware, a first-stage backdoor known as X4 and a second-stage payload known as LookBack. ESET reported that the group had targeted governments, diplomatic missions, charities, and industrial/manufacturing organizations.",
"meta": {
"aliases": [
"LookingFrog"
],
"country": "CN",
"refs": [
"https://www.rewterz.com/rewterz-news/rewterz-threat-alert-witchetty-apt-group-active-iocs",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/witchetty-steganography-espionage",
"https://www.welivesecurity.com/2022/04/27/lookback-ta410-umbrella-cyberespionage-ttps-activity/"
]
},
"uuid": "202f5481-7bae-4a0b-b117-0642ea1dbe65",
"value": "Witchetty"
},
{
"description": "Network Battalion 65 is an hactivist group with ties to Anonymous, known for attacking Russian companies and performing hack-and-leak operations.",
"meta": {
"aliases": [
"Network Battalion 65"
],
"refs": [
"https://www.rewterz.com/rewterz-news/rewterz-threat-alert-leaked-conti-ransomware-used-to-target-russia-active-iocs",
"https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/growling-bears-make-thunderous-noise.html",
"https://securelist.com/reassessing-cyberwarfare-lessons-learned-in-2022/108328/",
"https://www.rewterz.com/articles/russian-ukrainian-cyber-warfare-rewterz-threat-intelligence-rollup",
"https://www.hackread.com/anonymous-affiliate-nb65-russia-broadcaster-data-breach/"
]
},
"uuid": "e1941666-dcde-4f31-8a56-8041ac82bb99",
"value": "NB65"
},
{
"description": "IndigoZebra is a Chinese state-sponsored actor mentioned for the first time by Kaspersky in its APT Trends report Q2 2017, targeting, at the time of its discovery, former Soviet Republics with multiple malware strains including Meterpreter, Poison Ivy, xDown, and a previously unknown backdoor called “xCaon.”",
"meta": {
"country": "CN",
"refs": [
"https://research.checkpoint.com/2021/indigozebra-apt-continues-to-attack-central-asia-with-evolving-tools/",
"https://www.rewterz.com/rewterz-news/rewterz-threat-intel-indigozebra-apt-group-targeting-central-asia-active-iocs",
"https://securelist.com/apt-trends-report-q2-2017/79332/"
]
},
"uuid": "79e826b0-b051-4a61-b38c-496021b3afdb",
"value": "IndigoZebra"
},
{
"description": "GhostSec is a hacktivist group that emerged as an offshoot of Anonymous. They primarily focused on counterterrorism efforts and monitoring online activities associated with terrorism. They gained prominence following the 2015 Charlie Hebdo shooting in Paris and the rise of ISIS.",
"meta": {
"aliases": [
"Ghost Security"
],
"refs": [
"https://www.uptycs.com/blog/ghostlocker-ransomware-ghostsec",
"https://forescoutstage.wpengine.com/blog/the-increasing-threat-posed-by-hacktivist-attacks-an-analysis-of-targeted-organizations-devices-and-ttps/"
]
},
"uuid": "a1315451-326f-4185-8d71-80f9243f395f",
"value": "GhostSec"
},
{
"description": "OilAlpha has almost exclusively relied on infrastructure associated with the Public Telecommunication Corporation (PTC), a Yemeni government-owned enterprise reported to be under the direct control of the Houthi authorities. OilAlpha used encrypted chat messengers like WhatsApp to launch social engineering attacks against its targets. It has also used URL link shorteners. Per victimology assessment, it appears a majority of the targeted entities were Arabic-language speakers and operated Android devices.",
"meta": {
"refs": [
"https://www.zimperium.com/blog/zimperium-mtd-against-oilalpha-a-comprehensive-defense-strategy/",
"https://www.recordedfuture.com/oilalpha-likely-pro-houthi-group-targeting-arabian-peninsula"
]
},
"uuid": "ae2b897d-f285-4d03-9bab-0ff59d6657a7",
"value": "OilAlpha"
},
{
"description": "It was observed that a mobile network threat actor designated as HiddenArt actively sustains a capacity to remotely access the personal devices of targeted individuals around the world on an ongoing basis. Since detecting this threat actor, periodic reconnaissance activities were observed in at least 7 target mobile networks around the world and given the wide geographic distribution of these targeted mobile operators, it is probable that the threat actor is active on a global scale.",
"meta": {
"country": "RU",
"refs": [
"https://www.enea.com/insights/the-hunt-for-hiddenart/"
]
},
"uuid": "cdcfd3e1-4e42-4746-b1f1-66d5ce27b4da",
"value": "HiddenArt"
},
{
"description": "Elastic's security team has published a report on REF5961, a cyber-espionage group they found on the network of a Foreign Affairs Ministry from a member of the Association of Southeast Asian Nations (ASEAN). Elastic says it found the group's tools next to the malware of another cyber-espionage group it tracks as REF2924. REF5961's arsenal includes malware such as EAGERBEE, RUDEBIRD, and DOWNTOWN.",
"meta": {
"refs": [
"https://www.elastic.co/security-labs/introducing-the-ref5961-intrusion-set",
"https://www.elastic.co/security-labs/disclosing-the-bloodalchemy-backdoor"
]
},
"uuid": "64234b2e-0c78-466d-8253-0df339f99f5f",
"value": "REF5961"
},
{
"description": "A group monitored as REF2924 by Elastic Security Labs is wielding novel data-stealing malware — an HTTP listener written in C# dubbed Naplistener by the researchers — in attacks against victims operating in southern and southeast Asia.According to a blog post by Elastic senior security research engineer Remco Sprooten, in that region of the world, network-based detection and prevention technologies are the de facto method for securing many environments.",
"meta": {
"country": "CN",
"refs": [
"https://www.elastic.co/security-labs/ref2924-howto-maintain-persistence-as-an-advanced-threat",
"https://www.elastic.co/security-labs/introducing-the-ref5961-intrusion-set"
]
},
"uuid": "c46ed7e9-3949-4c57-ab14-177d88f27e2c",
"value": "REF2924"
},
{
"description": "In early 2023, Microsoft In early 2023, observed a wave of activity from a Gaza-based group that we track as Storm-1133 targeting Israeli private sector energy, defense, and telecommunications organizations.",
"meta": {
"country": "PS",
"refs": [
"https://www.microsoft.com/en-us/security/security-insider/microsoft-digital-defense-report-2023",
"https://therecord.media/hacktivists-take-sides-israel-palestinian"
]
},
"uuid": "d5908276-068a-4a4f-a60d-ab5800173ccd",
"value": "Storm-1133"
}
],
"version": 289
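Review bot: the Storm-1133 description duplicates its opening clause and keeps Microsoft's first-person voice ("In early 2023, Microsoft In early 2023, observed a wave of activity from a Gaza-based group that we track as Storm-1133"), which reads as a copy-paste error in a galaxy entry; suggest "In early 2023, Microsoft observed a wave of activity from a Gaza-based group it tracks as Storm-1133 targeting Israeli private sector energy, defense, and telecommunications organizations." Smaller text fixes in the same hunk: "Witchettys activity" needs an apostrophe ("Witchetty's"), "an hactivist group" in the NB65 entry should be "a hacktivist group", and "southeast Asia.According to a blog post" in the REF2924 entry is missing a space after the period. The GhostSec entry cites "https://forescoutstage.wpengine.com/blog/the-increasing-threat-posed-by-hacktivist-attacks-an-analysis-of-targeted-organizations-devices-and-ttps/", which is a staging hostname rather than the published site; please check whether the production Forescout URL should be referenced instead, since staging hosts tend to disappear and leave the ref dangling.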