MISP
/
misp-galaxy
mirror of https://github.com/MISP/misp-galaxy
2
0
Fork 0
Code Issues Releases Wiki Activity

chg: [threat-actor] fixed

pull/935/head
Alexandre Dulaunoy 2024-02-16 18:41:46 +01:00
parent 2eaef99824
commit 7ed94eb865
No known key found for this signature in database
GPG Key ID: 09E2CD4944E6CBCD
1 changed files with 85 additions and 85 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

170
clusters/threat-actor.json
View File

@ -4226,26 +4226,7 @@
{
"description": "In October 2012, malware attacks against Israeli government targets grabbed media attention as officials temporarily cut off Internet access for its entire police force and banned the use of USB memory sticks. Security researchers subsequently linked these attacks to a broader, yearlong campaign that targeted not just Israelis but Palestinians as well. and as discovered later, even the U.S. and UK governments. Further research revealed a connection between these attacks and members of the so-called “Gaza Hackers Team.” We refer to this campaign as “Molerats.”",
"meta": {
"refs": [
"https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html",
"https://ti.360.net/blog/articles/suspected-molerats-new-attack-in-the-middle-east/",
"https://ti.360.net/blog/articles/suspected-molerats-new-attack-in-the-middle-east-en/",
"https://middle-east-online.com/en/cyber-war-gaza-hackers-deface-israel-fire-service-website",
"https://www.fireeye.com/blog/threat-research/2014/06/molerats-here-for-spring.html",
"https://pwc.blogs.com/cyber_security_updates/2015/04/attacks-against-israeli-palestinian-interests.html",
"https://www.vectra.ai/blogpost/moonlight-middle-east-targeted-attacks",
"https://securelist.com/gaza-cybergang-wheres-your-ir-team/72283/",
"https://www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf",
"https://www.clearskysec.com/wp-content/uploads/2016/06/Operation-DustySky2_-6.2016_TLP_White.pdf",
"https://securelist.com/gaza-cybergang-updated-2017-activity/82765/",
"https://www.kaspersky.com/blog/gaza-cybergang/26363/",
"https://attack.mitre.org/groups/G0021/",
"https://www.secureworks.com/research/threat-profiles/aluminum-saratoga",
"https://services.google.com/fh/files/misc/tool-of-first-resort-israel-hamas-war-cyber.pdf"
],
"cfr-type-of-incident": "Espionage",
"cfr-suspected-state-sponsor": "Palestine",
"country": "PS",
"cfr-suspected-victims": [
"United States",
"Israel",
@ -4267,6 +4248,25 @@
"Legal",
"Military"
],
"cfr-type-of-incident": "Espionage",
"country": "PS",
"refs": [
"https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html",
"https://ti.360.net/blog/articles/suspected-molerats-new-attack-in-the-middle-east/",
"https://ti.360.net/blog/articles/suspected-molerats-new-attack-in-the-middle-east-en/",
"https://middle-east-online.com/en/cyber-war-gaza-hackers-deface-israel-fire-service-website",
"https://www.fireeye.com/blog/threat-research/2014/06/molerats-here-for-spring.html",
"https://pwc.blogs.com/cyber_security_updates/2015/04/attacks-against-israeli-palestinian-interests.html",
"https://www.vectra.ai/blogpost/moonlight-middle-east-targeted-attacks",
"https://securelist.com/gaza-cybergang-wheres-your-ir-team/72283/",
"https://www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf",
"https://www.clearskysec.com/wp-content/uploads/2016/06/Operation-DustySky2_-6.2016_TLP_White.pdf",
"https://securelist.com/gaza-cybergang-updated-2017-activity/82765/",
"https://www.kaspersky.com/blog/gaza-cybergang/26363/",
"https://attack.mitre.org/groups/G0021/",
"https://www.secureworks.com/research/threat-profiles/aluminum-saratoga",
"https://services.google.com/fh/files/misc/tool-of-first-resort-israel-hamas-war-cyber.pdf"
],
"synonyms": [
"Gaza Hackers Team",
"Gaza cybergang",
@ -6065,22 +6065,14 @@
},
{
"meta": {
"refs": [
"http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf",
"http://securityaffairs.co/wordpress/33785/cyber-crime/arid-viper-israel-sex-video.html",
"https://securelist.com/blog/research/68817/the-desert-falcons-targeted-attacks/",
"https://blog.lookout.com/blog/2017/02/16/viperrat-mobile-apt/",
"https://securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/",
"https://www.proofpoint.com/us/threat-insight/post/Operation-Arid-Viper-Slithers-Back-Into-View",
"http://blog.talosintelligence.com/2017/06/palestine-delphi.html",
"https://www.threatconnect.com/blog/kasperagent-malware-campaign/",
"https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/sexually-explicit-material-used-as-lures-in-cyber-attacks?linkId=12425812",
"https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064309/The-Desert-Falcons-targeted-attacks.pdf",
"https://services.google.com/fh/files/misc/tool-of-first-resort-israel-hamas-war-cyber.pdf"
],
"cfr-type-of-incident": "Espionage",
"cfr-suspected-state-sponsor": "Palestine",
"country": "PS",
"cfr-suspected-victims": [
"United States",
"Israel",
"Palestine",
"Middle East",
"Europe"
],
"cfr-target-category": [
"Government",
"Defense",
@ -6096,12 +6088,20 @@
"Legal",
"Military"
],
"cfr-suspected-victims": [
"United States",
"Israel",
"Palestine",
"Middle East",
"Europe"
"cfr-type-of-incident": "Espionage",
"country": "PS",
"refs": [
"http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf",
"http://securityaffairs.co/wordpress/33785/cyber-crime/arid-viper-israel-sex-video.html",
"https://securelist.com/blog/research/68817/the-desert-falcons-targeted-attacks/",
"https://blog.lookout.com/blog/2017/02/16/viperrat-mobile-apt/",
"https://securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/",
"https://www.proofpoint.com/us/threat-insight/post/Operation-Arid-Viper-Slithers-Back-Into-View",
"http://blog.talosintelligence.com/2017/06/palestine-delphi.html",
"https://www.threatconnect.com/blog/kasperagent-malware-campaign/",
"https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/sexually-explicit-material-used-as-lures-in-cyber-attacks?linkId=12425812",
"https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064309/The-Desert-Falcons-targeted-attacks.pdf",
"https://services.google.com/fh/files/misc/tool-of-first-resort-israel-hamas-war-cyber.pdf"
],
"synonyms": [
"Desert Falcon",
@ -8527,18 +8527,8 @@
{
"description": "Lyceum is an Iranian APT group that has been active since at least 2014. They primarily target Middle Eastern governments and organizations in the energy and telecommunications sectors. Lyceum is known for using cyber espionage techniques and has been linked to other Iranian threat groups such as APT34. They have developed and deployed malware families like Shark and Milan, and have been observed using DNS tunneling and HTTPfor command and control communication.",
"meta": {
"country": "IR",
"cfr-suspected-state-sponsor": "Iran (Islamic Republic of)",
"cfr-type-of-incident": "Espionage",
"attribution-confidence": "50",
"refs": [
"https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign",
"https://www.secureworks.com/research/threat-profiles/cobalt-lyceum",
"https://www.prevailion.com/latest-targets-of-cyber-group-lyceum/",
"https://www.clearskysec.com/siamesekitten/",
"https://vblocalhost.com/uploads/VB2021-Kayal-etal.pdf",
"https://services.google.com/fh/files/misc/tool-of-first-resort-israel-hamas-war-cyber.pdf"
],
"cfr-suspected-state-sponsor": "Iran (Islamic Republic of)",
"cfr-suspected-victims": [
"Israel",
"Middle East"
@ -8552,6 +8542,16 @@
"Military",
"Defense"
],
"cfr-type-of-incident": "Espionage",
"country": "IR",
"refs": [
"https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign",
"https://www.secureworks.com/research/threat-profiles/cobalt-lyceum",
"https://www.prevailion.com/latest-targets-of-cyber-group-lyceum/",
"https://www.clearskysec.com/siamesekitten/",
"https://vblocalhost.com/uploads/VB2021-Kayal-etal.pdf",
"https://services.google.com/fh/files/misc/tool-of-first-resort-israel-hamas-war-cyber.pdf"
],
"synonyms": [
"COBALT LYCEUM",
"HEXANE",
@ -8709,18 +8709,8 @@
{
"description": "A previously undocumented attack group is using both custom and off-the-shelf malware to target IT providers in Saudi Arabia in what appear to be supply chain attacks with the end goal of compromising the IT providers customers.\nThe group, which we are calling Tortoiseshell, has been active since at least July 2018. Symantec has identified a total of 11 organizations hit by the group, the majority of which are based in Saudi Arabia. In at least two organizations, evidence suggests that the attackers gained domain admin-level access.",
"meta": {
"country": "IR",
"cfr-suspected-state-sponsor": "Iran (Islamic Republic of)",
"attribution-confidence": "50",
"refs": [
"https://www.symantec.com/blogs/threat-intelligence/tortoiseshell-apt-supply-chain",
"https://www.darkreading.com/threat-intelligence/iranian-government-hackers-target-us-veterans/d/d-id/1335897",
"https://ctoatncsc.substack.com/p/cto-at-ncsc-summary-week-ending-october",
"https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html",
"https://ics-cert.kaspersky.com/publications/reports/2023/09/25/apt-and-financial-attacks-on-industrial-organizations-in-h1-2023/",
"https://services.google.com/fh/files/misc/tool-of-first-resort-israel-hamas-war-cyber.pdf"
],
"cfr-type-of-incident": "Espionage",
"cfr-suspected-state-sponsor": "Iran (Islamic Republic of)",
"cfr-suspected-victims": [
"United States",
"Israel",
@ -8744,6 +8734,16 @@
"Rail",
"Transportation"
],
"cfr-type-of-incident": "Espionage",
"country": "IR",
"refs": [
"https://www.symantec.com/blogs/threat-intelligence/tortoiseshell-apt-supply-chain",
"https://www.darkreading.com/threat-intelligence/iranian-government-hackers-target-us-veterans/d/d-id/1335897",
"https://ctoatncsc.substack.com/p/cto-at-ncsc-summary-week-ending-october",
"https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html",
"https://ics-cert.kaspersky.com/publications/reports/2023/09/25/apt-and-financial-attacks-on-industrial-organizations-in-h1-2023/",
"https://services.google.com/fh/files/misc/tool-of-first-resort-israel-hamas-war-cyber.pdf"
],
"synonyms": [
"IMPERIAL KITTEN",
"Yellow Liderc",
@ -11889,6 +11889,7 @@
"description": "Iranian state-sponsored cyber espionage group tasked with conducting information collection and surveillance operations against individuals and organizations of strategic interest to the Iranian government.",
"meta": {
"attribution-confidence": "50",
"cfr-suspected-state-sponsor": "Iran (Islamic Republic of)",
"cfr-suspected-victims": [
"Australia",
"Europe",
@ -11912,9 +11913,8 @@
"NGOs",
"Pharmaceuticals"
],
"country": "IR",
"cfr-suspected-state-sponsor": "Iran (Islamic Republic of)",
"cfr-type-of-incident": "Espionage",
"country": "IR",
"refs": [
"https://www.mandiant.com/resources/blog/apt42-charms-cons-compromises",
"https://services.google.com/fh/files/misc/tool-of-first-resort-israel-hamas-war-cyber.pdf"
@ -14383,10 +14383,8 @@
{
"description": "Cotton Sandstorm is an Iranian threat actor involved in hack-and-leak operations. They have targeted various organizations, including the French satirical magazine Charlie Hebdo, where they obtained and leaked personal information of over 200,000 customers. The group has been linked to the Iranian government and has been sanctioned by the US Treasury",
"meta": {
"country": "IR",
"attribution-confidence": "50",
"cfr-suspected-state-sponsor": "Iran (Islamic Republic of)",
"cfr-type-of-incident": "Information Operations",
"cfr-suspected-victims": [
"United States",
"Israel",
@ -14403,6 +14401,8 @@
"Rail",
"Energy"
],
"cfr-type-of-incident": "Information Operations",
"country": "IR",
"refs": [
"https://blog.sekoia.io/iran-cyber-threat-overview/",
"https://blogs.microsoft.com/on-the-issues/2023/02/03/dtac-charlie-hebdo-hack-iran-neptunium/",
@ -15138,18 +15138,18 @@
{
"description": "Recent campaigns suggest Hamas-linked actors may be advancing their\nTTPs to include intricate social engineering lures specially crafted to\nappeal to a niche group of high value targets. In September 2023, a Palestine-based group likely linked to Hamas targeted Israeli software engineers\nusing an elaborate social engineering ruse that ultimately installed malware\nand stole cookies. The attackers, which Googles Threat Analysis Group (TAG) tracks as BLACKATOM, posed as employees of legitimate companies\nand reached out via LinkedIn to invite targets to apply for software development freelance opportunities. Targets included software engineers in\nthe Israeli military, as well as Israels aerospace and defense industry",
"meta": {
"country": "PS",
"cfr-type-of-incident": "Espionage",
"cfr-suspected-state-sponsor": "Palestine",
"attribution-confidence": "50",
"cfr-suspected-state-sponsor": "Palestine",
"cfr-suspected-victims": [
"Israel"
],
"cfr-target-category": [
"Military",
"Defense",
"Transportation"
],
"cfr-suspected-victims": [
"Israel"
],
"cfr-type-of-incident": "Espionage",
"country": "PS",
"refs": [
"https://services.google.com/fh/files/misc/tool-of-first-resort-israel-hamas-war-cyber.pdf"
]
@ -15160,18 +15160,8 @@
{
"description": "BANISHED KITTEN is an Iranian state-nexus adversary active since at least 2008. While the adversarys most prominent activity is the July and September 2022 disruptive attacks targeting Albanian government infrastructure and the use of the HomelandJustice persona to leak stolen data, BANISHED KITTEN has likely targeted dissidents using the AllinOneNeo malware family.",
"meta": {
"country": "IR",
"cfr-suspected-state-sponsor": "Iran (Islamic Republic of)",
"attribution-confidence": "50",
"refs": [
"https://www.crowdstrike.com/adversaries/banished-kitten/",
"https://services.google.com/fh/files/misc/tool-of-first-resort-israel-hamas-war-cyber.pdf"
],
"cfr-type-of-incident": [
"Espionage",
"Information Operations",
"Sabotage"
],
"cfr-suspected-state-sponsor": "Iran (Islamic Republic of)",
"cfr-suspected-victims": [
"United States",
"Israel",
@ -15189,6 +15179,16 @@
"NGOs",
"Civil Society"
],
"cfr-type-of-incident": [
"Espionage",
"Information Operations",
"Sabotage"
],
"country": "IR",
"refs": [
"https://www.crowdstrike.com/adversaries/banished-kitten/",
"https://services.google.com/fh/files/misc/tool-of-first-resort-israel-hamas-war-cyber.pdf"
],
"synonyms": [
"DUNE",
"Storm-0842"
@ -15198,5 +15198,5 @@
"value": "BANISHED KITTEN"
}
],
"version": 300
}
"version": 301
}