add: threat actors from Dragos Inc. (based on https://dragos.com/adversaries.html)

2018-05-03 21:22:09 +02:00 · 2018-05-03 21:22:09 +02:00 · 6b1d7d2201
parent 8498243005
commit 6b1d7d2201
1 changed files with 121 additions and 1 deletions
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@ -2545,6 +2545,126 @@
        ]
      },
      "uuid": "35d71626-4794-11e8-b74d-bbcbe48fee3c"
+    },
+    {
+      "value": "ALLANITE",
+      "description": "Adversaries abusing ICS (based on Dragos Inc adversary list).",
+      "meta": {
+        "refs": [
+          "https://dragos.com/adversaries.html"
+        ],
+        "mode-of-operation": "Watering-hole and phishing leading to ICS recon and screenshot collection",
+        "since": "2017",
+        "capabilities": "Powershell scripts, THC Hydra, SecretsDump, Inveigh, PSExec",
+        "victimology": "Electric utilities, US and UK",
+        "synonyms": [
+          "Palmetto Fusion"
+        ]
+      },
+      "uuid": "a9000eaf-2b75-4ec7-8dcf-fe1bb5c77470"
+    },
+    {
+      "value": "CHRYSENE",
+      "description": "Adversaries abusing ICS (based on Dragos Inc adversary list).",
+      "meta": {
+        "refs": [
+          "https://dragos.com/adversaries.html"
+        ],
+        "mode-of-operation": "IT compromise, information gathering and recon against industrial orgs",
+        "since": "2017",
+        "capabilities": "Watering holes, 64-bit malware, covert C2 via IPv6 DNS, ISMDOOR",
+        "victimology": "Oil and Gas, Manufacturing, Europe, MENA, North America",
+        "synonyms": [
+          "OilRig",
+          "Greenbug"
+        ]
+      },
+      "uuid": "a0082cfa-32e2-42b8-92d8-5c7a7409dcf1"
+    },
+    {
+      "value": "COVELLITE",
+      "description": "Adversaries abusing ICS (based on Dragos Inc adversary list).",
+      "meta": {
+        "refs": [
+          "https://dragos.com/adversaries.html"
+        ],
+        "mode-of-operation": "IT compromise with hardened anti-analysis malware against industrial orgs",
+        "since": "2017",
+        "capabilities": "Encoded binaries in documents, evasion techniques",
+        "victimology": "Electric Utilities, US",
+        "synonyms": [
+          "Lazarus",
+          "Hidden Cobra"
+        ]
+      },
+      "uuid": "027a1428-6e79-4a4b-82b9-e698e8525c2b"
+    },
+    {
+      "value": "DYMALLOY",
+      "description": "Adversaries abusing ICS (based on Dragos Inc adversary list).",
+      "meta": {
+        "refs": [
+          "https://dragos.com/adversaries.html"
+        ],
+        "mode-of-operation": "Deep ICS environment information gathering, operator credentials, industrial process details",
+        "since": "2016",
+        "capabilities": "GOODOR, DORSHEL, KARAGANY, Mimikatz",
+        "victimology": "Turkey, Europe, US",
+        "synonyms": [
+          "Dragonfly2",
+          "Berserker Bear"
+        ]
+      },
+      "uuid": "a08ab076-33c1-4350-b021-650c34277f2d"
+    },
+    {
+      "value": "ELECTRUM",
+      "description": "Adversaries abusing ICS (based on Dragos Inc adversary list).",
+      "meta": {
+        "refs": [
+          "https://dragos.com/adversaries.html"
+        ],
+        "mode-of-operation": "Electric grid disruption and long-term persistence",
+        "since": "2016",
+        "capabilities": "CRASHOVERRIDE",
+        "victimology": "Ukraine, Electric Utilities",
+        "synonyms": [
+          "Sandworm"
+        ]
+      },
+      "uuid": "a2d44915-6cff-43cf-8a53-f4850058ad05"
+    },
+    {
+      "value": "MAGNALLIUM",
+      "description": "Adversaries abusing ICS (based on Dragos Inc adversary list).",
+      "meta": {
+        "refs": [
+          "https://dragos.com/adversaries.html"
+        ],
+        "mode-of-operation": "IT network limited, information gathering against industrial orgs",
+        "since": "2016",
+        "capabilities": "STONEDRILL wiper, variants of TURNEDUP malware",
+        "victimology": "Petrochemical, Aerospace, Saudi Arabia",
+        "synonyms": [
+          "APT33"
+        ]
+      },
+      "uuid": "accd848b-b8f4-46ba-a408-9063b35cfbf2"
+    },
+    {
+      "value": "XENOTIME",
+      "description": "Adversaries abusing ICS (based on Dragos Inc adversary list).",
+      "meta": {
+        "refs": [
+          "https://dragos.com/adversaries.html"
+        ],
+        "mode-of-operation": "Focused on physical destruction and long-term persistence",
+        "since": "2014",
+        "capabilities": "TRISIS, custom credential harvesting",
+        "victimology": "Oil and Gas, Middle East",
+        "synonyms": []
+      },
+      "uuid": "3dddc77e-a52a-466a-bf1c-1463e352077f"
    }
  ],
  "name": "Threat actor",
@ -2559,5 +2679,5 @@
  ],
  "description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign.",
  "uuid": "7cdff317-a673-4474-84ec-4f1754947823",
-  "version": 38
+  "version": 39
 }