From 693eed8d78ec1541ebbaeb995afd89f1559135c1 Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Mon, 4 Jul 2022 14:03:36 +0200
Subject: [PATCH] [threat actor] Break Cleaver aliases into respective entries
---
 clusters/threat-actor.json | 51 +++++++++++++++++++-------------------
 1 file changed, 26 insertions(+), 25 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 0b69ce80..dfe37863 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -2107,38 +2107,30 @@
 "cfr-type-of-incident": "Espionage",
 "country": "IR",
 "refs": [
- "https://www.cfr.org/interactive/cyber-operations/magic-hound",
 "https://www.secureworks.com/research/the-curious-case-of-mia-ash",
- "https://www.cfr.org/interactive/cyber-operations/operation-cleaver",
- "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf",
+ "\"https://www.cfr.org/interactive/cyber-operations/operation-cleaver",
 "http://www.secureworks.com/cyber-threat-intelligence/threats/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles/",
 "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-woolen-goldfish-when-kittens-go-phishing",
- "https://unit42.paloaltonetworks.com/unit42-magic-hound-campaign-attacks-saudi-targets/",
 "https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations",
 "https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/",
 "https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-the-spy-kittens-are-back.pdf",
 "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf",
- "https://attack.mitre.org/groups/G0059/",
 "https://attack.mitre.org/groups/G0003/",
- "https://xorl.wordpress.com/2021/05/06/iran-cyber-operations-groups/"
+ "https://xorl.wordpress.com/2021/05/06/iran-cyber-operations-groups/",
+ "https://www.secureworks.com/research/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles",
+ "https://know.netenrich.com/threatintel/threat_actor/Cutting%20Kitten",
+ "https://www.cfr.org/cyber-operations/operation-cleaver",
+ "https://securityaffairs.co/wordpress/33682/cyber-crime/ali-baba-apt-middle-east.html",
+ "https://scadahacker.com/library/Documents/Cyber_Events/Cylance%20-%20Operation%20Cleaver%20Report.pdf"
 ],
 "synonyms": [
 "Operation Cleaver",
+ "Op Cleaver",
 "Tarh Andishan",
 "Alibaba",
- "2889",
 "TG-2889",
- "Threat Group 2889",
 "Cobalt Gypsy",
- "Rocket_Kitten",
 "Cutting Kitten",
- "Group 41",
- "Magic Hound",
- "APT35",
- "APT 35",
- "TEMP.Beanie",
- "Ghambar",
- "G0059",
 "G0003"
 ]
 },
@@ -2185,13 +2177,6 @@
 ],
 "type": "similar"
 },
- {
- "dest-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
 {
 "dest-uuid": "ba724df5-9aa0-45ca-8e0e-7101c208ae48",
 "tags": [
@@ -5867,13 +5852,29 @@
 "attribution-confidence": "50",
 "country": "IR",
 "refs": [
- "https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf"
+ "https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf",
+ "https://attack.mitre.org/groups/G0059/",
+ "https://www.cfr.org/interactive/cyber-operations/magic-hound",
+ "https://unit42.paloaltonetworks.com/unit42-magic-hound-campaign-attacks-saudi-targets/",
+ "https://securityaffairs.co/wordpress/56348/intelligence/magic-hound-campaign.html",
+ "https://www.cfr.org/cyber-operations/apt-35"
 ],
 "synonyms": [
 "APT 35",
- "Newscaster Team"
+ "Newscaster Team",
+ "Magic Hound",
+ "G0059"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "similar"
+ }
+ ],
 "uuid": "b8967b3c-3bc9-11e8-8701-8b1ead8c099e",
 "value": "APT35"
 },
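Review bot: The added ref `"\"https://www.cfr.org/interactive/cyber-operations/operation-cleaver",` in the first hunk has an escaped quote inside the string, so the stored value starts with a literal `"` and is not a usable URL. The file still parses as JSON, so a syntax-only check will not catch it, and consumers that validate, de-duplicate or link refs will carry a broken value. The line should read `"https://www.cfr.org/interactive/cyber-operations/operation-cleaver",`, or be dropped if the `https://www.cfr.org/cyber-operations/operation-cleaver` ref added a few lines below is meant to replace it. Separately, `Rocket_Kitten` leaves the synonyms while refs such as `rocket-kitten-report.pdf` and `wp-the-spy-kittens-are-back.pdf` stay; judging by their names they may belong with that alias, so it is worth confirming they still fit this entry. The entry itself begins before the hunk.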
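Review bot: Only `Magic Hound` and `G0059` from the aliases removed from the Cleaver entry are re-homed in the APT35 synonyms of the third hunk. `TEMP.Beanie`, `Ghambar`, `Group 41`, `Rocket_Kitten`, `Threat Group 2889` and `2889` are added nowhere in this patch, and the diffstat's 26 insertions are all accounted for by the visible hunks. Unless other clusters already list those names, alias lookups and enrichment keyed on them will stop resolving after this commit, so each should be confirmed to have a home. Also, `G0059` becomes a direct synonym here while the new `related` entry for `f9d6633a-55e6-4adc-9263-6ae080421a13` is only `"type": "similar"` with likelihood `"likely"`; if that UUID is the G0059 cluster, the two statements should agree. The APT35 entry begins before the hunk.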