Import manually cert-eu contribution

- Fix the meta attributes (like the motive field) to be within meta and not outside
 - Remove some "null" values that seem to come from previous tests
 - Pretty-print the JSON (better for diffing)
Alexandre Dulaunoy 2017-01-09 23:07:57 +01:00
parent bb47f52d24
commit 649c043ad2
1 changed files with 168 additions and 62 deletions


@ -410,7 +410,8 @@
"GREF",
"Playful Dragon",
"APT 15",
"Metushy"
"Metushy",
"Social Network Team"
],
"country": "CN",
"refs": [
@ -430,9 +431,11 @@
],
"refs": [
"http://www.crowdstrike.com/blog/whois-anchor-panda/"
]
],
"Motive": "Espionage"
},
"value": "Anchor Panda"
"value": "Anchor Panda",
"Description": "PLA Navy"
},
{
"meta": {
@ -457,7 +460,8 @@
"https://securelist.com/blog/research/57331/the-icefog-apt-a-tale-of-cloak-and-three-daggers/"
]
},
"value": "Ice Fog"
"value": "Ice Fog",
"description": "Operate since at least 2011, from several locations in China, with members in Korea and Japan as well."
},
{
"meta": {
@ -467,7 +471,8 @@
],
"country": "CN"
},
"value": "Pitty Panda"
"value": "Pitty Panda",
"description": "The Pitty Tiger group has been active since at least 2011. They have been seen using HeartBleed vulnerability in order to directly get valid credentials"
},
{
"value": "Roaming Tiger",
@ -497,16 +502,13 @@
},
{
"meta": {
"country": "CN"
"country": "CN",
"synonyms": [
"Shrouded Crossbow"
]
},
"value": "Radio Panda"
},
{
"meta": {
"country": "CN"
},
"value": "Dagger Panda"
},
{
"value": "APT.3102",
"meta": {
@ -598,7 +600,8 @@
"Group 26"
]
},
"value": "Flying Kitten"
"value": "Flying Kitten",
"description": "Activity: defense and aerospace sectors, also interested in targeting entities in the oil/gas industry."
},
{
"meta": {
@ -622,10 +625,12 @@
"synonyms": [
"Newscaster",
"Parastoo",
"Group 83"
"Group 83",
"Newsbeef"
]
},
"value": "Charming Kitten"
"value": "Charming Kitten",
"description": "Charming Kitten (aka Parastoo, aka Newscaster) is an group with a suspected nexus to Iran that targets organizations involved in government, defense technology, military, and diplomacy sectors."
},
{
"meta": {
@ -637,7 +642,7 @@
"http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/"
]
},
"description": "An established group of cyber attackers based in Iran, who carried on several campaigns in 2013, including a series of attacks targeting political dissidents and those supporting Iranian political opposition.",
"description": "Earliest activity back to November 2008. An established group of cyber attackers based in Iran, who carried on several campaigns in 2013, including a series of attacks targeting political dissidents and those supporting Iranian political opposition.",
"value": "Magic Kitten"
},
{
@ -663,13 +668,16 @@
"meta": {
"country": "IR",
"synonyms": [
"Operation Cleaver"
"Operation Cleaver",
"Tarh Andishan",
"Alibaba"
],
"refs": [
"http://cdn2.hubspot.net/hubfs/270968/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
]
},
"value": "Cleaver"
"value": "Cleaver",
"description": "A group of cyber actors utilizing infrastructure located in Iran have been conducting computer network exploitation activity against public and private U.S. organizations, including Cleared Defense Contractors (CDCs), academic institutions, and energy sector companies."
},
{
"meta": {
@ -682,9 +690,11 @@
"country": "TN",
"synonyms": [
"FallagaTeam"
]
],
"motive": "Hacktivism-Nationalist"
},
"value": "Rebel Jackal"
"value": "Rebel Jackal",
"description": "This is a pro-Islamist organization that generally conducts attacks motivated by real world events in which its members believe that members of the Muslim faith were wronged. Its attacks generally involve website defacements; however, the group did develop a RAT that it refers to as Fallaga RAT, but which appears to simply be a fork of the njRAT malware popular amongst hackers in the Middle East/North Africa region."
},
{
"meta": {
@ -707,7 +717,8 @@
"TG-4127",
"Group-4127",
"STRONTIUM",
"Grey-Cloud"
"Grey-Cloud",
"TAG_0700"
],
"country": "RU",
"refs": [
@ -754,7 +765,10 @@
"WRAITH",
"Turla Team",
"Uroburos",
"Pfinet"
"Pfinet",
"TAG_0530",
"KRYPTON",
"Hippo Team"
],
"refs": [
"https://www.first.org/resources/papers/tbilisi2014/turla-operations_and_development.pdf",
@ -788,7 +802,8 @@
"Sandworm Team",
"Black Energy",
"BlackEnergy",
"Quedagh"
"Quedagh",
"Voodoo Bear"
],
"country": "RU",
"refs": [
@ -800,8 +815,10 @@
{
"meta": {
"country": "RU",
"refs": ["http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/"]
},
"refs": [
"http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/"
]
},
"value": "TeleBots",
"description": "We will refer to the gang behind the malware as TeleBots. However its important to say that these attackers, and the toolset used, share a number of similarities with the BlackEnergy group, which conducted attacks against the energy industry in Ukraine in December 2015 and January 2016. In fact, we think that the BlackEnergy group has evolved into the TeleBots group."
},
@ -811,7 +828,8 @@
"Carbanak",
"Carbon Spider"
],
"country": "RU"
"country": "RU",
"motive": "Cybercrime"
},
"description": "Groups targeting financial organizations or people with significant financial assets.",
"value": "Anunak"
@ -820,7 +838,8 @@
"meta": {
"synonyms": [
"TeamSpy",
"Team Bear"
"Team Bear",
"Berserk Bear"
],
"country": "RU",
"refs": [
@ -846,7 +865,10 @@
},
{
"meta": {
"country": "RO"
"country": "RO",
"synonyms": [
"FIN4"
]
},
"value": "Wolf Spider"
},
@ -854,13 +876,15 @@
"meta": {
"country": "RU"
},
"value": "Boulder Bear"
"value": "Boulder Bear",
"description": "First observed activity in December 2013."
},
{
"meta": {
"country": "RU"
},
"value": "Shark Spider"
"value": "Shark Spider",
"description": "This group's activity was first observed in November 2013. It leverages a banking Trojan more commonly known as Shylock which aims to compromise online banking credentials and credentials related to Bitcoin wallets."
},
{
"meta": {
@ -876,7 +900,10 @@
"meta": {
"country": "KP",
"synonyms": [
"OperationTroy"
"OperationTroy",
"Guardian of Peace",
"GOP",
"WHOis Team"
],
"refs": [
"http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf"
@ -931,7 +958,8 @@
"country": "FR",
"synonyms": [
"Animal Farm"
]
],
"description": "In 2014, researchers at Kaspersky Lab discovered and reported on three zero-days that were being used in cyberattacks in the wild. Two of these zero-day vulnerabilities are associated with an advanced threat actor we call Animal Farm. Over the past few years, Animal Farm has targeted a wide range of global organizations. The group has been active since at least 2009 and there are signs that earlier malware versions were developed as far back as 2007."
}
},
{
@ -967,7 +995,10 @@
],
"country": "UAE",
"value": "Stealth Falcon",
"description": "Group targeting Emirati journalists, activists, and dissidents."
"description": "Group targeting Emirati journalists, activists, and dissidents.",
"synonyms": [
"FruityArmor"
]
},
{
"synonyms": [
@ -1007,7 +1038,8 @@
"synonyms": [
"Chinastrats",
"Patchwork",
"Monsoon"
"Monsoon",
"Sarit"
],
"refs": [
"https://securelist.com/blog/research/75328/the-dropping-elephant-actor/",
@ -1042,7 +1074,8 @@
"refs": [
"https://securelist.com/blog/research/73673/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/",
"https://attack.mitre.org/wiki/Groups"
]
],
"country": "BR"
},
"description": "Poseidon Group is a Portuguese-speaking threat group that has been active since at least 2005. The group has a history of using information exfiltrated from victims to blackmail victim companies into contracting the Poseidon Group as a security firm.",
"value": "Poseidon Group"
@ -1088,9 +1121,12 @@
{
"meta": {
"refs": [
"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf", "https://attack.mitre.org/wiki/Group/G0013"
"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf",
"https://attack.mitre.org/wiki/Group/G0013"
],
"synonyms": [
"APT 30"
],
"synonyms": ["APT 30"],
"country": "CN"
},
"value": "APT30",
@ -1107,7 +1143,8 @@
"meta": {
"refs": [
"https://securelist.com/blog/research/73638/apt-style-bank-robberies-increase-with-metel-gcman-and-carbanak-2-0-attacks/"
]
],
"country": "RU"
},
"description": "GCMAN is a threat group that focuses on targeting banks for the purpose of transferring money to e-currency services.",
"value": "GCMAN"
@ -1116,7 +1153,8 @@
"meta": {
"refs": [
"http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates"
]
],
"country": "CN"
},
"description": "Suckfly is a China-based threat group that has been active since at least 2014",
"value": "Suckfly"
@ -1141,7 +1179,8 @@
"meta": {
"refs": [
"https://www.virusbulletin.com/conference/vb2016/abstracts/last-minute-paper-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users"
]
],
"country": "TU"
},
"value": "StrongPity"
},
@ -1161,9 +1200,11 @@
"meta": {
"refs": [
"http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/"
]
],
"country": "IR"
},
"value": "OilRig"
"value": "OilRig",
"description": "Iranian threat agent OilRig has been targeting multiple organisations in Israel and other countries in the Middle East since the end of 2015."
},
{
"meta": {
@ -1181,7 +1222,8 @@
"Coldriver",
"Reuse team",
"Malware reusers",
"Callisto Group"
"Callisto Group",
"Dancing Salome"
]
},
"description": "Threat Group conducting cyber espionage while re-using tools from other teams; like those of Hacking Team, and vmprotect to obfuscate.",
@ -1190,60 +1232,124 @@
{
"value": "TERBIUM",
"description": "Microsoft Threat Intelligence identified similarities between this recent attack and previous 2012 attacks against tens of thousands of computers belonging to organizations in the energy sector. Microsoft Threat Intelligence refers to the activity group behind these attacks as TERBIUM, following our internal practice of assigning rogue actors chemical element names.",
"meta" : {
"refs": ["https://blogs.technet.microsoft.com/mmpc/2016/12/09/windows-10-protection-detection-and-response-against-recent-attacks/"]
"meta": {
"refs": [
"https://blogs.technet.microsoft.com/mmpc/2016/12/09/windows-10-protection-detection-and-response-against-recent-attacks/"
]
}
},
{
"value": "Molerats",
"description": "In October 2012, malware attacks against Israeli government targets grabbed media attention as officials temporarily cut off Internet access for its entire police force and banned the use of USB memory sticks. Security researchers subsequently linked these attacks to a broader, yearlong campaign that targeted not just Israelis but Palestinians as well. and as discovered later, even the U.S. and UK governments. Further research revealed a connection between these attacks and members of the so-called “Gaza Hackers Team.” We refer to this campaign as “Molerats.”",
"meta": {
"refs": ["https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html"],
"synonyms": ["Gaza Hackers Team", "Operation Molerats"]
}},
"refs": [
"https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html"
],
"synonyms": [
"Gaza Hackers Team",
"Operation Molerats",
"Extreme Jackal"
]
}
},
{
"value": "PROMETHIUM",
"description": "PROMETHIUM is an activity group that has been active as early as 2012. The group primarily uses Truvasys, a first-stage malware that has been in circulation for several years. Truvasys has been involved in several attack campaigns, where it has masqueraded as one of server common computer utilities, including WinUtils, TrueCrypt, WinRAR, or SanDisk. In each of the campaigns, Truvasys malware evolved with additional features—this shows a close relationship between the activity groups behind the campaigns and the developers of the malware.",
"meta": {
"refs": ["https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/"]
}
"refs": [
"https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/"
]
}
},
{
"value": "NEODYMIUM",
"description": "NEODYMIUM is an activity group that is known to use a backdoor malware detected by Microsoft as Wingbird. This backdoors characteristics closely match FinFisher, a government-grade commercial surveillance package. Data about Wingbird activity indicate that it is typically used to attack individual computers instead of networks.",
"meta": {
"refs": ["https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/"]
}
"refs": [
"https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/"
]
}
},
{
"value": "Packrat",
"description": "A threat group that has been active for at least seven years has used malware, phishing and disinformation tactics to target activists, journalists, politicians and public figures in various Latin American countries. The threat actor, dubbed Packrat based on its preference for remote access Trojans (RATs) and because it has used the same infrastructure for several years, has been analyzed by Citizen Lab researchers John Scott-Railton, Morgan Marquis-Boire, and Claudio Guarnieri, and Cyphort researcher Marion Marschalek, best known for her extensive analysis of state-sponsored threats.",
"meta": {
"refs": ["https://citizenlab.org/2015/12/packrat-report/"]
}
"refs": [
"https://citizenlab.org/2015/12/packrat-report/"
]
}
},
{
"value": "Cadelle",
"description": "Symantec telemetry identified Cadelle and Chafer activity dating from as far back as July 2014, however, its likely that activity began well before this date. Command-and-control (C&C) registrant information points to activity possibly as early as 2011, while executable compilation times suggest early 2012. Their attacks continue to the present day. Symantec estimates that each team is made up of between 5 and 10 people.",
"meta": {
"refs": ["https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets"],
"country": "IR"
"refs": [
"https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets"
],
"country": "IR"
}
},
{
"value": "Chafer",
"description": "Symantec telemetry identified Cadelle and Chafer activity dating from as far back as July 2014, however, its likely that activity began well before this date. Command-and-control (C&C) registrant information points to activity possibly as early as 2011, while executable compilation times suggest early 2012. Their attacks continue to the present day. Symantec estimates that each team is made up of between 5 and 10 people.",
"meta": {
"refs": ["https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets"],
"country": "IR"
}
"refs": [
"https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets"
],
"country": "IR"
}
},
{
"value": "PassCV",
"description": "The PassCV group continues to be one of the most successful and active threat groups that leverage a wide array of stolen Authenticode-signing certificates. Snorre Fagerland of Blue Coat Systems first coined the term PassCV in a blog post. His post provides a good introduction to the group and covers some of the older infrastructure, stolen code-signing certificate reuse, and other connections associated with the PassCV malware. There are several clues alluding to the possibility that multiple groups may be utilizing the same stolen signing certificates, but at this time SPEAR believes the current attacks are more likely being perpetrated by a single group employing multiple publicly available Remote Administration Tools (RATs). The PassCV group has been operating with continued success and has already started to expand their malware repertoire into different off-the-shelf RATs and custom code. SPEAR identified eighteen previously undisclosed stolen Authenticode certificates. These certificates were originally issued to companies and individuals scattered across China, Taiwan, Korea, Europe, the United States and Russia. In this post we expand the usage of the term PassCV to encompass the malware mentioned in the Blue Coat Systems report, as well as the APT group behind the larger C2 infrastructure and stolen Authenticode certificates. Wed like to share some of our findings as they pertain to the stolen certificates, command and control infrastructure, and some of the newer custom RATs theyve begun development on. ",
"meta": {
"refs": ["https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies"]
}
"refs": [
"https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies"
],
"country": "CN"
}
},
{
"value": "Sath-ı Müdafaa",
"description": "A Turkish hacking group, Sath-ı Müdafaa, is encouraging individuals to join its DDoS-for-Points platform that features points and prizes for carrying out distributed denial-of-service (DDoS) attacks against a list of predetermined targets. Their DDoS tool also contains a backdoor to hack the hackers. So the overarching motivation and allegiance of the group is not entirely clear.",
"meta": {
"country": "TU",
"motive": "Hacktivists-Nationalists"
}
},
{
"value": "Aslan Neferler Tim",
"description": "Turkish nationalist hacktivist group that has been active for roughly one year. According to Domaintools, the groups site has been registered since December 2015, with an active Twitter account since January 2016. The group carries out distributed denial-of-service (DDoS) attacks and defacements against the sites of news organizations and governments perceived to be critical of Turkeys policies or leadership, and purports to act in defense of Islam",
"meta": {
"country": "TU",
"synonyms": [
"Lion Soldiers Team",
"Phantom Turk"
],
"motive": "Hacktivists-Nationalists"
}
},
{
"value": "Ayyıldız Tim",
"description": "Ayyıldız (Crescent and Star) Tim is a nationalist hacking group founded in 2002. It performs defacements and DDoS attacks against the websites of governments that it considers to be repressing Muslim minorities or engaged in Islamophobic policies.",
"meta": {
"country": "TU",
"synonyms": [
"Crescent and Star"
],
"motive": "Hacktivists-Nationalists"
}
},
{
"value": "TurkHackTeam",
"description": "Founded in 2004, Turkhackteam is one of Turkeys oldest and most high-profile hacking collectives. According to a list compiled on Turkhackteams forum, the group has carried out almost 30 highly publicized hacking campaigns targeting foreign government and commercial websites, including websites of international corporations. ",
"meta": {
"country": "TU",
"synonyms": [
"Turk Hack Team"
],
"motive": "Hacktivists-Nationalists"
}
}
],
"name": "Threat actor",
@ -1258,5 +1364,5 @@
],
"description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign.",
"uuid": "7cdff317-a673-4474-84ec-4f1754947823",
"version": 10
"version": 11
}
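Review bot: The `"Motive": "Espionage"` and `"Description": "PLA Navy"` keys added to the Anchor Panda entry (hunk `@ -430,9 +431,11 @@`) use capitalised names while every other entry in the file uses `"motive"` and `"description"`; JSON keys are case-sensitive, so a MISP consumer filtering on `meta.motive` or rendering `description` will silently miss this entry, and the fix is simply `"motive": "Espionage"` and `"description": "PLA Navy"`. The same commit introduces `"country": "TU"` for StrongPity and the four Turkish hacktivist groups, which is not an ISO 3166-1 alpha-2 code (the rest of the file uses `CN`, `RU`, `IR`, `FR`, `KP`); `"TR"` would keep country-based correlation working, and the pre-existing `"UAE"` on Stealth Falcon has the same problem (`"AE"`). In the Animal Farm hunk the new `"description"` appears to land inside `"meta"` (it follows `"synonyms"` and precedes meta's closing brace) rather than beside `"value"` as elsewhere, and Stealth Falcon's new `"synonyms"` appears to sit outside `"meta"`, which is exactly the layout the commit message says it is fixing. Finally the motive vocabulary differs between `"Hacktivism-Nationalist"` (Rebel Jackal) and `"Hacktivists-Nationalists"` (the Turkish entries); pick one spelling so the field is filterable.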