Merge pull request #755 from Mathieu4141/threat-actors/fix-winnti

[threat-actors] Fix Axiom/Winnti/Suckfly/APT41 conflicts
pull/761/head
Alexandre Dulaunoy 2022-08-27 08:25:20 +02:00 committed by GitHub
commit 8bea9f3b4b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 85 additions and 151 deletions


@ -486,7 +486,17 @@
"attribution-confidence": "50", "attribution-confidence": "50",
"cfr-suspected-state-sponsor": "China", "cfr-suspected-state-sponsor": "China",
"cfr-suspected-victims": [ "cfr-suspected-victims": [
"United States" "United States",
"Netherlands",
"Italy",
"Japan",
"United Kingdom",
"Belgium",
"Russia",
"Indonesia",
"Germany",
"Switzerland",
"China"
], ],
"cfr-target-category": [ "cfr-target-category": [
"Government", "Government",
@ -504,18 +514,24 @@
"https://web.archive.org/web/20130920000343/https://www.symantec.com/connect/blogs/hidden-lynx-professional-hackers-hire", "https://web.archive.org/web/20130920000343/https://www.symantec.com/connect/blogs/hidden-lynx-professional-hackers-hire",
"https://www.recordedfuture.com/hidden-lynx-analysis/", "https://www.recordedfuture.com/hidden-lynx-analysis/",
"https://www.secureworks.com/research/threat-profiles/bronze-keystone", "https://www.secureworks.com/research/threat-profiles/bronze-keystone",
"https://attack.mitre.org/groups/G0025/" "https://attack.mitre.org/groups/G0025/",
"cfr.org/cyber-operations/axiom",
"https://attack.mitre.org/groups/G0001/",
"https://www.youtube.com/watch?v=NFJqD-LcpIg"
], ],
"synonyms": [ "synonyms": [
"APT 17",
"Deputy Dog",
"Group 8", "Group 8",
"APT17", "APT17",
"Hidden Lynx", "Hidden Lynx",
"Tailgater Team", "Tailgater Team",
"Dogfish", "Dogfish",
"BRONZE KEYSTONE", "BRONZE KEYSTONE",
"G0025" "G0025",
"Group 72",
"G0001",
"Axiom",
"Earth Baku",
"Amoeba"
] ]
}, },
"related": [ "related": [
@ -526,13 +542,6 @@
], ],
"type": "similar" "type": "similar"
}, },
{
"dest-uuid": "24110866-cb22-4c85-a7d2-0413e126694b",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{ {
"dest-uuid": "c5947e1c-1cbc-434c-94b8-27c7e3be0fff", "dest-uuid": "c5947e1c-1cbc-434c-94b8-27c7e3be0fff",
"tags": [ "tags": [
@ -600,102 +609,6 @@
"uuid": "9a683d9c-8f7d-43df-bba2-ad0ca71e277c", "uuid": "9a683d9c-8f7d-43df-bba2-ad0ca71e277c",
"value": "Wekby" "value": "Wekby"
}, },
{
"description": "The Winnti grouping of activity is large and may actually be a number of linked groups rather than a single discrete entity. Kaspersky describe Winnti as: 'The Winnti group has been attacking companies in the online video game industry since 2009 and is currently still active. The groups objectives are stealing digital certificates signed by legitimate software vendors in addition to intellectual property theft, including the source code of online game projects. The majority of the victims are from South East Asia.'",
"meta": {
"attribution-confidence": "50",
"cfr-suspected-state-sponsor": "China",
"cfr-suspected-victims": [
"United States",
"Netherlands",
"Italy",
"Japan",
"United Kingdom",
"Belgium",
"Russia",
"Indonesia",
"Germany",
"Switzerland",
"China"
],
"cfr-target-category": [
"Government",
"Private sector"
],
"cfr-type-of-incident": "Espionage",
"country": "CN",
"refs": [
"https://securelist.com/winnti-faq-more-than-just-a-game/57585/",
"https://securelist.com/winnti-more-than-just-a-game/37029/",
"http://williamshowalter.com/a-universal-windows-bootkit/",
"https://www.microsoft.com/security/blog/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/",
"https://www.cfr.org/interactive/cyber-operations/axiom",
"https://securelist.com/games-are-over/70991/",
"https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a",
"https://www.dw.com/en/thyssenkrupp-victim-of-cyber-attack/a-36695341",
"https://www.bleepingcomputer.com/news/security/teamviewer-confirms-undisclosed-breach-from-2016/",
"https://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/",
"https://www.dw.com/en/bayer-points-finger-at-wicked-panda-in-cyberattack/a-48196004",
"https://www.welivesecurity.com/2019/03/11/gaming-industry-scope-attackers-asia/",
"https://401trg.com/burning-umbrella/",
"https://attack.mitre.org/groups/G0044/",
"https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-july-wicked-spider/",
"https://www.secureworks.com/research/threat-profiles/bronze-atlas",
"https://www.secureworks.com/research/threat-profiles/bronze-export",
"https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
"https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer",
"https://assets.documentcloud.org/documents/7210602/FLASH-AC-000133-TT-Published.pdf"
],
"synonyms": [
"Winnti Umbrella",
"Winnti Group",
"Suckfly",
"APT41",
"Group72",
"Blackfly",
"LEAD",
"WICKED SPIDER",
"WICKED PANDA",
"BARIUM",
"BRONZE ATLAS",
"BRONZE EXPORT",
"Red Kelpie",
"G0044"
]
},
"related": [
{
"dest-uuid": "c5947e1c-1cbc-434c-94b8-27c7e3be0fff",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "090242d7-73fc-4738-af68-20162f7a5aae",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "99e30d89-9361-4b73-a999-9e5ff9320bcb",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "a0cb9370-e39b-44d5-9f50-ef78e412b973",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "24110866-cb22-4c85-a7d2-0413e126694b",
"value": "Axiom"
},
{ {
"description": "Adversary group targeting financial, technology, non-profit organisations.", "description": "Adversary group targeting financial, technology, non-profit organisations.",
"meta": { "meta": {
@ -3530,10 +3443,16 @@
"refs": [ "refs": [
"https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=62e325ae-f551-4855-b9cf-28a7d52d1534&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments", "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=62e325ae-f551-4855-b9cf-28a7d52d1534&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
"https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7a60af1f-7786-446c-976b-7c71a16e9d3b&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments", "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7a60af1f-7786-446c-976b-7c71a16e9d3b&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
"https://attack.mitre.org/groups/G0039/" "https://attack.mitre.org/groups/G0039/",
"https://exchange.xforce.ibmcloud.com/collection/Suckfly-APT-aa8af56fd12d25c98fc49ca5341160ab",
"http://www.slideshare.net/CTruncer/ever-present-persistence-established-footholds-seen-in-the-wild",
"https://www.secureworks.com/research/threat-profiles/bronze-olive"
], ],
"synonyms": [ "synonyms": [
"G0039" "G0039",
"APT22",
"BRONZE OLIVE",
"Group 46"
] ]
}, },
"related": [ "related": [
@ -4675,22 +4594,6 @@
"uuid": "a47b79ae-7a0c-4308-9efc-294af19cc795", "uuid": "a47b79ae-7a0c-4308-9efc-294af19cc795",
"value": "APT5" "value": "APT5"
}, },
{
"meta": {
"attribution-confidence": "50",
"country": "CN",
"refs": [
"http://www.slideshare.net/CTruncer/ever-present-persistence-established-footholds-seen-in-the-wild",
"https://www.secureworks.com/research/threat-profiles/bronze-olive"
],
"synonyms": [
"APT22",
"BRONZE OLIVE"
]
},
"uuid": "7a2457d6-148a-4ce1-9e79-aa43352ee842",
"value": "APT 22"
},
{ {
"description": "Tick is a cyber espionage group with likely Chinese origins that has been active since at least 2008. The group appears to have close ties to the Chinese National University of Defense and Technology, which is possibly linked to the PLA. This threat actor targets organizations in the critical infrastructure, heavy industry, manufacturing, and international relations sectors for espionage purposes. The attacks appear to be centered on political, media, and engineering sectors. STALKER PANDA has been observed conducting targeted attacks against Japan, Taiwan, Hong Kong, and the United States.", "description": "Tick is a cyber espionage group with likely Chinese origins that has been active since at least 2008. The group appears to have close ties to the Chinese National University of Defense and Technology, which is possibly linked to the PLA. This threat actor targets organizations in the critical infrastructure, heavy industry, manufacturing, and international relations sectors for espionage purposes. The attacks appear to be centered on political, media, and engineering sectors. STALKER PANDA has been observed conducting targeted attacks against Japan, Taiwan, Hong Kong, and the United States.",
"meta": { "meta": {
@ -6162,30 +6065,6 @@
"uuid": "71ef51ca-a791-11e8-a026-07980ca910ca", "uuid": "71ef51ca-a791-11e8-a026-07980ca910ca",
"value": "Inception Framework" "value": "Inception Framework"
}, },
{
"description": "This threat actor targets software companies and political organizations in the United States, China, Japan, and South Korea. It primarily acts to support cyber operations conducted by other threat actors affiliated with Chinese intelligence services.\nBelieved to be associated with the Axiom, APT 17, and Mirage threat actors. Believed to share the same tools and infrastructure as the threat actors that carried out Operation Aurora, the 2015 targeting of video game companies, the 2015 targeting of the Thai government, and the 2017 targeting of Chinese-language news websites",
"meta": {
"attribution-confidence": "50",
"cfr-suspected-state-sponsor": "China",
"cfr-suspected-victims": [
"United States",
"South Korea",
"United Kingdom",
"China",
"Japan"
],
"cfr-target-category": [
"Private sector"
],
"cfr-type-of-incident": "Espionage",
"country": "CN",
"refs": [
"https://www.cfr.org/interactive/cyber-operations/winnti-umbrella"
]
},
"uuid": "9cebfaa8-a797-11e8-99e0-3ffa312b9a10",
"value": "Winnti Umbrella"
},
{ {
"description": "This threat actor targets Uighurs—a minority ethnic group located primarily in northwestern China—and devices from Chinese mobile phone manufacturer Xiaomi, for espionage purposes.", "description": "This threat actor targets Uighurs—a minority ethnic group located primarily in northwestern China—and devices from Chinese mobile phone manufacturer Xiaomi, for espionage purposes.",
"meta": { "meta": {
@ -7530,7 +7409,9 @@
"meta": { "meta": {
"cfr-suspected-state-sponsor": "People's Republic of China", "cfr-suspected-state-sponsor": "People's Republic of China",
"cfr-suspected-victims": [ "cfr-suspected-victims": [
"China",
"France", "France",
"Hong Kong",
"India", "India",
"Italy", "Italy",
"Japan", "Japan",
@ -7558,14 +7439,53 @@
"Intergovernmental", "Intergovernmental",
"Media and Entertainment", "Media and Entertainment",
"Pharmaceuticals", "Pharmaceuticals",
"Private sector",
"Retail", "Retail",
"Telecommunications", "Telecommunications",
"Travel" "Travel"
], ],
"country": "CN", "country": "CN",
"refs": [ "refs": [
"https://securelist.com/winnti-faq-more-than-just-a-game/57585/",
"https://securelist.com/winnti-more-than-just-a-game/37029/",
"http://williamshowalter.com/a-universal-windows-bootkit/",
"https://www.microsoft.com/security/blog/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/",
"https://securelist.com/games-are-over/70991/",
"https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a",
"https://www.dw.com/en/thyssenkrupp-victim-of-cyber-attack/a-36695341",
"https://www.bleepingcomputer.com/news/security/teamviewer-confirms-undisclosed-breach-from-2016/",
"https://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/",
"https://www.dw.com/en/bayer-points-finger-at-wicked-panda-in-cyberattack/a-48196004",
"https://www.welivesecurity.com/2019/03/11/gaming-industry-scope-attackers-asia/",
"https://401trg.com/burning-umbrella/",
"https://attack.mitre.org/groups/G0044/",
"https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-july-wicked-spider/",
"https://www.secureworks.com/research/threat-profiles/bronze-atlas",
"https://www.secureworks.com/research/threat-profiles/bronze-export",
"https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
"https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer",
"https://assets.documentcloud.org/documents/7210602/FLASH-AC-000133-TT-Published.pdf",
"https://www.cfr.org/cyber-operations/winnti-umbrella",
"https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html", "https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html",
"https://unit42.paloaltonetworks.com/apt41-using-new-speculoos-backdoor-to-target-organizations-globally/" "https://unit42.paloaltonetworks.com/apt41-using-new-speculoos-backdoor-to-target-organizations-globally/",
"https://www.mandiant.com/resources/report-apt41-double-dragon-a-dual-espionage-and-cyber-crime-operation",
"https://www.cfr.org/cyber-operations/apt-41",
"https://attack.mitre.org/groups/G0096/"
],
"synonyms": [
"Double Dragon",
"G0096",
"TA415",
"Blackfly",
"Grayfly",
"LEAD",
"BARIUM",
"WICKED SPIDER",
"WICKED PANDA",
"BRONZE ATLAS",
"BRONZE EXPORT",
"Red Kelpie",
"G0044"
] ]
}, },
"related": [ "related": [
@ -7575,6 +7495,20 @@
"estimative-language:likelihood-probability=\"very-likely\"" "estimative-language:likelihood-probability=\"very-likely\""
], ],
"type": "uses" "type": "uses"
},
{
"dest-uuid": "99e30d89-9361-4b73-a999-9e5ff9320bcb",
"tags": [
"estimative-language:likelihood-probability=\"very-likely\""
],
"type": "similar"
},
{
"dest-uuid": "c5947e1c-1cbc-434c-94b8-27c7e3be0fff",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
} }
], ],
"uuid": "9c124874-042d-48cd-b72b-ccdc51ecbbd6", "uuid": "9c124874-042d-48cd-b72b-ccdc51ecbbd6",
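Review bot: The ref added to the APT17/Hidden Lynx cluster in the `@ -504,18 +514,24 @@` hunk, `"cfr.org/cyber-operations/axiom"`, has no scheme and no `www.` host, unlike every other `refs` entry on the page (the deleted Axiom cluster carried it as `https://www.cfr.org/interactive/cyber-operations/axiom`, and the APT41 hunk adds `https://www.cfr.org/cyber-operations/winnti-umbrella` and `https://www.cfr.org/cyber-operations/apt-41`), so it should read `"https://www.cfr.org/cyber-operations/axiom",` to stay usable by consumers that treat refs as URLs. The same hunk's line counts (18 old, 24 new, with three refs and five synonyms visibly added) imply that `APT 17` and `Deputy Dog` are removed from that cluster's synonyms rather than added, which is not mentioned in the PR title and would be worth a sentence in the description if intended. The merge deletes three cluster uuids (`24110866-cb22-4c85-a7d2-0413e126694b`, `7a2457d6-148a-4ce1-9e79-aa43352ee842`, `9cebfaa8-a797-11e8-99e0-3ffa312b9a10`) but only removes the one `related` entry that targets the first of them, in the APT17 cluster; any other `related` entry in this file or another galaxy pointing at these uuids, and any tag already applied as `misp-galaxy:threat-actor="Axiom"`, `="APT 22"` or `="Winnti Umbrella"`, will no longer resolve, and the diff does not show whether such references exist. Likewise the names `Winnti Umbrella` and `Winnti Group`, which the deleted Axiom cluster listed as synonyms, do not reappear in any synonym list in these hunks, so lookups by those names may now miss unless they are carried by a cluster outside the diff.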