add: threat actors from Dragos Inc. (based on https://dragos.com/adversaries.html)

pull/203/head
Alexandre Dulaunoy 2018-05-03 21:22:09 +02:00
parent 8498243005
commit 6b1d7d2201
No known key found for this signature in database
GPG Key ID: 09E2CD4944E6CBCD
1 changed files with 121 additions and 1 deletions

View File

@ -2545,6 +2545,126 @@
]
},
"uuid": "35d71626-4794-11e8-b74d-bbcbe48fee3c"
},
{
"value": "ALLANITE",
"description": "Adversaries abusing ICS (based on Dragos Inc adversary list).",
"meta": {
"refs": [
"https://dragos.com/adversaries.html"
],
"mode-of-operation": "Watering-hole and phishing leading to ICS recon and screenshot collection",
"since": "2017",
"capabilities": "Powershell scripts, THC Hydra, SecretsDump, Inveigh, PSExec",
"victimology": "Electric utilities, US and UK",
"synonyms": [
"Palmetto Fusion"
]
},
"uuid": "a9000eaf-2b75-4ec7-8dcf-fe1bb5c77470"
},
{
"value": "CHRYSENE",
"description": "Adversaries abusing ICS (based on Dragos Inc adversary list).",
"meta": {
"refs": [
"https://dragos.com/adversaries.html"
],
"mode-of-operation": "IT compromise, information gathering and recon against industrial orgs",
"since": "2017",
"capabilities": "Watering holes, 64-bit malware, covert C2 via IPv6 DNS, ISMDOOR",
"victimology": "Oil and Gas, Manufacturing, Europe, MENA, North America",
"synonyms": [
"OilRig",
"Greenbug"
]
},
"uuid": "a0082cfa-32e2-42b8-92d8-5c7a7409dcf1"
},
{
"value": "COVELLITE",
"description": "Adversaries abusing ICS (based on Dragos Inc adversary list).",
"meta": {
"refs": [
"https://dragos.com/adversaries.html"
],
"mode-of-operation": "IT compromise with hardened anti-analysis malware against industrial orgs",
"since": "2017",
"capabilities": "Encoded binaries in documents, evasion techniques",
"victimology": "Electric Utilities, US",
"synonyms": [
"Lazarus",
"Hidden Cobra"
]
},
"uuid": "027a1428-6e79-4a4b-82b9-e698e8525c2b"
},
{
"value": "DYMALLOY",
"description": "Adversaries abusing ICS (based on Dragos Inc adversary list).",
"meta": {
"refs": [
"https://dragos.com/adversaries.html"
],
"mode-of-operation": "Deep ICS environment information gathering, operator credentials, industrial process details",
"since": "2016",
"capabilities": "GOODOR, DORSHEL, KARAGANY, Mimikatz",
"victimology": "Turkey, Europe, US",
"synonyms": [
"Dragonfly2",
"Berserker Bear"
]
},
"uuid": "a08ab076-33c1-4350-b021-650c34277f2d"
},
{
"value": "ELECTRUM",
"description": "Adversaries abusing ICS (based on Dragos Inc adversary list).",
"meta": {
"refs": [
"https://dragos.com/adversaries.html"
],
"mode-of-operation": "Electric grid disruption and long-term persistence",
"since": "2016",
"capabilities": "CRASHOVERRIDE",
"victimology": "Ukraine, Electric Utilities",
"synonyms": [
"Sandworm"
]
},
"uuid": "a2d44915-6cff-43cf-8a53-f4850058ad05"
},
{
"value": "MAGNALLIUM",
"description": "Adversaries abusing ICS (based on Dragos Inc adversary list).",
"meta": {
"refs": [
"https://dragos.com/adversaries.html"
],
"mode-of-operation": "IT network limited, information gathering against industrial orgs",
"since": "2016",
"capabilities": "STONEDRILL wiper, variants of TURNEDUP malware",
"victimology": "Petrochemical, Aerospace, Saudi Arabia",
"synonyms": [
"APT33"
]
},
"uuid": "accd848b-b8f4-46ba-a408-9063b35cfbf2"
},
{
"value": "XENOTIME",
"description": "Adversaries abusing ICS (based on Dragos Inc adversary list).",
"meta": {
"refs": [
"https://dragos.com/adversaries.html"
],
"mode-of-operation": "Focused on physical destruction and long-term persistence",
"since": "2014",
"capabilities": "TRISIS, custom credential harvesting",
"victimology": "Oil and Gas, Middle East",
"synonyms": []
},
"uuid": "3dddc77e-a52a-466a-bf1c-1463e352077f"
}
],
"name": "Threat actor",
@ -2559,5 +2679,5 @@
],
"description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign.",
"uuid": "7cdff317-a673-4474-84ec-4f1754947823",
"version": 38
"version": 39
}