mirror of https://github.com/MISP/misp-galaxy
add: threat actors from Dragos Inc. (based on https://dragos.com/adversaries.html)
parent
8498243005
commit
6b1d7d2201
@ -2545,6 +2545,126 @@
|
|||
]
|
||||
},
|
||||
"uuid": "35d71626-4794-11e8-b74d-bbcbe48fee3c"
|
||||
},
|
||||
{
|
||||
"value": "ALLANITE",
|
||||
"description": "Adversaries abusing ICS (based on Dragos Inc adversary list).",
|
||||
"meta": {
|
||||
"refs": [
|
||||
"https://dragos.com/adversaries.html"
|
||||
],
|
||||
"mode-of-operation": "Watering-hole and phishing leading to ICS recon and screenshot collection",
|
||||
"since": "2017",
|
||||
"capabilities": "Powershell scripts, THC Hydra, SecretsDump, Inveigh, PSExec",
|
||||
"victimology": "Electric utilities, US and UK",
|
||||
"synonyms": [
|
||||
"Palmetto Fusion"
|
||||
]
|
||||
},
|
||||
"uuid": "a9000eaf-2b75-4ec7-8dcf-fe1bb5c77470"
|
||||
},
|
||||
{
|
||||
"value": "CHRYSENE",
|
||||
"description": "Adversaries abusing ICS (based on Dragos Inc adversary list).",
|
||||
"meta": {
|
||||
"refs": [
|
||||
"https://dragos.com/adversaries.html"
|
||||
],
|
||||
"mode-of-operation": "IT compromise, information gathering and recon against industrial orgs",
|
||||
"since": "2017",
|
||||
"capabilities": "Watering holes, 64-bit malware, covert C2 via IPv6 DNS, ISMDOOR",
|
||||
"victimology": "Oil and Gas, Manufacturing, Europe, MENA, North America",
|
||||
"synonyms": [
|
||||
"OilRig",
|
||||
"Greenbug"
|
||||
]
|
||||
},
|
||||
"uuid": "a0082cfa-32e2-42b8-92d8-5c7a7409dcf1"
|
||||
},
|
||||
{
|
||||
"value": "COVELLITE",
|
||||
"description": "Adversaries abusing ICS (based on Dragos Inc adversary list).",
|
||||
"meta": {
|
||||
"refs": [
|
||||
"https://dragos.com/adversaries.html"
|
||||
],
|
||||
"mode-of-operation": "IT compromise with hardened anti-analysis malware against industrial orgs",
|
||||
"since": "2017",
|
||||
"capabilities": "Encoded binaries in documents, evasion techniques",
|
||||
"victimology": "Electric Utilities, US",
|
||||
"synonyms": [
|
||||
"Lazarus",
|
||||
"Hidden Cobra"
|
||||
]
|
||||
},
|
||||
"uuid": "027a1428-6e79-4a4b-82b9-e698e8525c2b"
|
||||
},
|
||||
{
|
||||
"value": "DYMALLOY",
|
||||
"description": "Adversaries abusing ICS (based on Dragos Inc adversary list).",
|
||||
"meta": {
|
||||
"refs": [
|
||||
"https://dragos.com/adversaries.html"
|
||||
],
|
||||
"mode-of-operation": "Deep ICS environment information gathering, operator credentials, industrial process details",
|
||||
"since": "2016",
|
||||
"capabilities": "GOODOR, DORSHEL, KARAGANY, Mimikatz",
|
||||
"victimology": "Turkey, Europe, US",
|
||||
"synonyms": [
|
||||
"Dragonfly2",
|
||||
"Berserker Bear"
|
||||
]
|
||||
},
|
||||
"uuid": "a08ab076-33c1-4350-b021-650c34277f2d"
|
||||
},
|
||||
{
|
||||
"value": "ELECTRUM",
|
||||
"description": "Adversaries abusing ICS (based on Dragos Inc adversary list).",
|
||||
"meta": {
|
||||
"refs": [
|
||||
"https://dragos.com/adversaries.html"
|
||||
],
|
||||
"mode-of-operation": "Electric grid disruption and long-term persistence",
|
||||
"since": "2016",
|
||||
"capabilities": "CRASHOVERRIDE",
|
||||
"victimology": "Ukraine, Electric Utilities",
|
||||
"synonyms": [
|
||||
"Sandworm"
|
||||
]
|
||||
},
|
||||
"uuid": "a2d44915-6cff-43cf-8a53-f4850058ad05"
|
||||
},
|
||||
{
|
||||
"value": "MAGNALLIUM",
|
||||
"description": "Adversaries abusing ICS (based on Dragos Inc adversary list).",
|
||||
"meta": {
|
||||
"refs": [
|
||||
"https://dragos.com/adversaries.html"
|
||||
],
|
||||
"mode-of-operation": "IT network limited, information gathering against industrial orgs",
|
||||
"since": "2016",
|
||||
"capabilities": "STONEDRILL wiper, variants of TURNEDUP malware",
|
||||
"victimology": "Petrochemical, Aerospace, Saudi Arabia",
|
||||
"synonyms": [
|
||||
"APT33"
|
||||
]
|
||||
},
|
||||
"uuid": "accd848b-b8f4-46ba-a408-9063b35cfbf2"
|
||||
},
|
||||
{
|
||||
"value": "XENOTIME",
|
||||
"description": "Adversaries abusing ICS (based on Dragos Inc adversary list).",
|
||||
"meta": {
|
||||
"refs": [
|
||||
"https://dragos.com/adversaries.html"
|
||||
],
|
||||
"mode-of-operation": "Focused on physical destruction and long-term persistence",
|
||||
"since": "2014",
|
||||
"capabilities": "TRISIS, custom credential harvesting",
|
||||
"victimology": "Oil and Gas, Middle East",
|
||||
"synonyms": []
|
||||
},
|
||||
"uuid": "3dddc77e-a52a-466a-bf1c-1463e352077f"
|
||||
}
|
||||
],
|
||||
"name": "Threat actor",
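Review bot: Several of the new `synonyms` values — `Sandworm` (ELECTRUM), `APT33` (MAGNALLIUM), `OilRig`/`Greenbug` (CHRYSENE), `Lazarus`/`Hidden Cobra` (COVELLITE), `Dragonfly2`/`Berserker Bear` (DYMALLOY) — are names that very likely already appear as the `value` or a synonym of other entries in this same cluster, so a tag resolved by synonym becomes ambiguous between two clusters with different UUIDs and correlation in MISP silently splits. Dragos presents these as its own activity-group clustering rather than one-to-one aliases of other vendors' groups, so the overlap is better expressed with the cluster format's `related` entries (`"type": "similar"` plus the `dest-uuid` of the existing entry) than with a hard synonym; at minimum a duplicate-synonym check across the whole `values` array is worth running before merge. Separately, `capabilities` and `victimology` carry comma-joined lists as a single string (e.g. the ALLANITE `capabilities` value), which consumers cannot match on individually; arrays would correlate better, though `victimology` mixes sector and geography and would need separate keys before splitting.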
|
||||
|
@ -2559,5 +2679,5 @@
|
|||
],
|
||||
"description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign.",
|
||||
"uuid": "7cdff317-a673-4474-84ec-4f1754947823",
|
||||
"version": 38
|
||||
"version": 39
|
||||
}
|
||||