From 189c3066a503c706e307c56575ffba7d33309609 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Tue, 4 Jun 2019 16:32:39 +0200
Subject: [PATCH 1/4] update threat actor
---
 clusters/threat-actor.json | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 52a55d7..27a3e18 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -45,7 +45,14 @@
 "https://en.wikipedia.org/wiki/PLA_Unit_61398",
 "http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf",
 "https://www.cfr.org/interactive/cyber-operations/pla-unit-61398",
- "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf"
+ "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/the-siesta-campaign-a-new-targeted-attack-awakens/",
+ "https://www.fireeye.com/blog/threat-research/2014/03/a-detailed-examination-of-the-siesta-campaign.html",
+ "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/operation-oceansalt-delivers-wave-after-wave/",
+ "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-oceansalt.pdf",
+ "https://www.symantec.com/connect/blogs/apt1-qa-attacks-comment-crew",
+ "https://attack.mitre.org/groups/G0006/",
+ "https://www.nytimes.com/2014/05/20/us/us-to-charge-chinese-workers-with-cyberspying.html"
 ],
 "synonyms": [
 "Comment Panda",
@@ -58,7 +65,9 @@
 "TG-8223",
 "Comment Group",
 "Brown Fox",
- "GIF89a"
+ "GIF89a",
+ "ShadyRAT",
+ "Shanghai Group"
 ]
 },
 "related": [
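Review bot: The Oceansalt and Siesta refs add attribution weight to APT1 that, as far as I recall, their own authors hedged: McAfee's Oceansalt report describes reuse of Comment Crew code and explicitly leaves a false flag open, and FireEye's Siesta post calls the APT1 link probable rather than confirmed. A URL in `refs` is presented as supporting evidence with no qualifier, and the entry's `attribution-confidence` (outside this hunk) is not revisited. Consider stating the caveat in the cluster's `description`, e.g. `Oceansalt (2018) reuses Comment Crew code; McAfee does not confirm APT1 involvement`, or keeping those two reports out of `refs`. The array also now lists the Mandiant APT1 report under two mirrors (intelreport.mandiant.com and fireeye.com); that predates this change but could be collapsed while the list is being touched.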
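Review bot: `ShadyRAT` names an operation (McAfee's 2011 Operation Shady RAT), not an alias of the actor, and its link to APT1/Comment Crew is, as far as I know, an analyst inference rather than a vendor-stated identity; `synonyms` in a MISP galaxy drive tag matching and cluster merging, so listing it here makes anything tagged Shady RAT resolve to APT1. Suggest recording it in `description` or as a ref to the McAfee report, and keeping `synonyms` to names vendors actually use for the group (`Shanghai Group` is fine in that respect). Whether synonym matching is case- or whitespace-insensitive I can't tell from here, but `ShadyRAT` versus `Shady RAT` would matter for matching either way.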
@@ -4606,7 +4615,9 @@
 "https://blog.domaintools.com/2017/03/hunt-case-study-hunting-campaign-indicators-on-privacy-protected-attack-infrastructure/",
 "http://www.clearskysec.com/copykitten-jpost/",
 "http://www.clearskysec.com/tulip/",
- "https://www.cfr.org/interactive/cyber-operations/copykittens"
+ "https://www.cfr.org/interactive/cyber-operations/copykittens",
+ "https://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf",
+ "https://attack.mitre.org/groups/G0052/"
 ],
 "synonyms": [
 "Slayer Kitten"
@@ -5243,7 +5254,8 @@
 "attribution-confidence": "50",
 "country": "LB",
 "refs": [
- "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf"
+ "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf",
+ "https://attack.mitre.org/groups/G0070/"
 ]
 },
 "uuid": "3d449c83-4426-431a-b06a-cb4f8a0fca94",
From b809b9cfbb994f449e5ba41d3349c7c8e431942d Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Thu, 6 Jun 2019 11:58:19 +0200
Subject: [PATCH 2/4] update threat actor darkhotel (nemim might be a typo)
---
 clusters/threat-actor.json | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 27a3e18..c87410c 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -375,10 +375,13 @@
 "refs": [
 "https://securelist.com/blog/research/71713/darkhotels-attacks-in-2015/",
 "https://blogs.technet.microsoft.com/mmpc/2016/06/09/reverse-engineering-dubnium-2",
- "https://securelist.com/blog/research/66779/the-darkhotel-apt/",
+ "https://securelist.com/blog/research/66779/the-darkhotel-apt/",,
+ "https://securelist.com/the-darkhotel-apt/66779/"
 "http://drops.wooyun.org/tips/11726",
 "https://labs.bitdefender.com/wp-content/uploads/downloads/inexsmar-an-unusual-darkhotel-campaign/",
- "https://www.cfr.org/interactive/cyber-operations/darkhotel"
+ "https://www.cfr.org/interactive/cyber-operations/darkhotel",
+ "https://www.securityweek.com/darkhotel-apt-uses-new-methods-target-politicians",
+ "https://attack.mitre.org/groups/G0012/>"
 ],
 "synonyms": [
 "DUBNIUM",
@@ -386,9 +389,12 @@
 "Karba",
 "Luder",
 "Nemim",
+ "Nemin"
 "Tapaoux",
 "Pioneer",
- "Shadow Crane"
+ "Shadow Crane",
+ "APT-C-06",
+ "SIG25"
 ]
 },
 "related": [
From 185763a63ae258996972489f3ce3c4ea108b2b31 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Thu, 6 Jun 2019 16:34:09 +0200
Subject: [PATCH 3/4] update threat actor
---
 clusters/threat-actor.json | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index c87410c..6ec6e3c 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
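Review bot: As committed, this hunk makes clusters/threat-actor.json unparsable: the first added line ends in `",,`, the next added line `"https://securelist.com/the-darkhotel-apt/66779/"` has no trailing comma before the `wooyun` context line, the MITRE URL carries a stray `>` (`G0012/>`), and the following hunk adds `"Nemin"` without its trailing comma. Patch 4/4 in this series repairs all four, but every consumer, CI validator or `git bisect` step that lands on this revision or the next one gets a broken galaxy, so the repair belongs squashed into this commit. Running `python -m json.tool clusters/threat-actor.json > /dev/null` (or `jq . `) before committing would have caught each of these.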
@@ -5853,7 +5853,10 @@
 "refs": [
 "https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/",
 "https://mobile.twitter.com/360TIC/status/1083289987339042817",
- "https://ti.360.net/blog/articles/latest-target-attack-of-darkhydruns-group-against-middle-east-en/"
+ "https://ti.360.net/blog/articles/latest-target-attack-of-darkhydruns-group-against-middle-east-en/",
+ "https://unit42.paloaltonetworks.com/unit42-darkhydrus-uses-phishery-harvest-credentials-middle-east/",
+ "https://unit42.paloaltonetworks.com/darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications/",
+ "https://attack.mitre.org/groups/G0079/"
 ],
 "synonyms": [
 "LazyMeerkat"
From 1f2e59addb1e2b5cd26f5e106d26cba8f7a14d93 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Fri, 7 Jun 2019 16:34:43 +0200
Subject: [PATCH 4/4] update Threat actor galaxy
---
 clusters/threat-actor.json | 42 ++++++++++++++++++++++++++++++--------
 1 file changed, 34 insertions(+), 8 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 6ec6e3c..888f4af 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -375,13 +375,13 @@
 "refs": [
 "https://securelist.com/blog/research/71713/darkhotels-attacks-in-2015/",
 "https://blogs.technet.microsoft.com/mmpc/2016/06/09/reverse-engineering-dubnium-2",
- "https://securelist.com/blog/research/66779/the-darkhotel-apt/",,
- "https://securelist.com/the-darkhotel-apt/66779/"
+ "https://securelist.com/blog/research/66779/the-darkhotel-apt/",
+ "https://securelist.com/the-darkhotel-apt/66779/",
 "http://drops.wooyun.org/tips/11726",
 "https://labs.bitdefender.com/wp-content/uploads/downloads/inexsmar-an-unusual-darkhotel-campaign/",
 "https://www.cfr.org/interactive/cyber-operations/darkhotel",
 "https://www.securityweek.com/darkhotel-apt-uses-new-methods-target-politicians",
- "https://attack.mitre.org/groups/G0012/>"
+ "https://attack.mitre.org/groups/G0012/"
 ],
 "synonyms": [
 "DUBNIUM",
@@ -389,7 +389,7 @@
 "Karba",
 "Luder",
 "Nemim",
- "Nemin"
+ "Nemin",
 "Tapaoux",
 "Pioneer",
 "Shadow Crane",
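Review bot: After the repair, `refs` still carries the same Kaspersky article twice — `https://securelist.com/blog/research/66779/the-darkhotel-apt/` and `https://securelist.com/the-darkhotel-apt/66779/` share the post id 66779 and differ only in the site's old and new URL scheme. Keep one (the newer path is the one the site currently serves, as far as I can tell) so the list does not grow a duplicate every time a vendor restructures its blog. The fix itself (dropping the double comma, restoring the missing comma and removing the stray `>`) looks complete for this hunk.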
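Review bot: `"Nemin"` is kept as a synonym even though the message on patch 2/4 says the spelling is uncertain; a guessed spelling in `synonyms` becomes a matchable alias and a tag in every MISP instance that syncs the galaxy, which is far harder to retire than to add. Either confirm the name against the source it was taken from (the existing `Nemim` entry presumably comes from one of the Kaspersky or Symantec reports already in `refs`) and drop whichever form is wrong, or list only the confirmed one. If both spellings genuinely circulate, say so in `description` rather than silently carrying both.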
@@ -711,7 +711,25 @@
 "refs": [
 "http://cybercampaigns.net/wp-content/uploads/2013/06/Deep-Panda.pdf",
 "http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf",
- "https://www.cfr.org/interactive/cyber-operations/deep-panda"
+ "https://www.cfr.org/interactive/cyber-operations/deep-panda",
+ "https://eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/",
+ "https://eromang.zataz.com/2013/01/02/capstone-turbine-corporation-also-targeted-in-the-cfr-watering-hole-attack-and-more/",
+ "https://www.crowdstrike.com/blog/department-labor-strategic-web-compromise/",
+ "https://www.crowdstrike.com/blog/deep-thought-chinese-targeting-national-security-think-tanks/",
+ "https://krebsonsecurity.com/2015/06/catching-up-on-the-opm-breach/",
+ "https://krebsonsecurity.com/2015/02/anthem-breach-may-have-started-in-april-2014/",
+ "https://www.nextgov.com/cybersecurity/2015/05/third-party-software-was-entry-point-background-check-system-hack/112354/",
+ "https://www.crowdstrike.com/blog/ironman-deep-panda-uses-sakula-malware-target-organizations-multiple-sectors/",
+ "https://www.abc.net.au/news/2014-11-13/g20-china-affliliated-hackers-breaches-australian-media/5889442",
+ "https://www.washingtonpost.com/business/economy/keypoint-suffers-network-breach-thousands-of-fed-workers-could-be-affected/2014/12/18/e6c7146c-86e1-11e4-a702-fa31ff4ae98e_story.html",
+ "https://www.seattletimes.com/business/local-business/feds-warned-premera-about-security-flaws-before-breach/",
+ "https://krebsonsecurity.com/2015/05/carefirst-blue-cross-breach-hits-1-1m/",
+ "https://threatvector.cylance.com/en_us/home/shell-crew-variants-continue-to-fly-under-big-avs-radar.html",
+ "https://www.bleepingcomputer.com/news/security/us-arrests-chinese-man-involved-with-sakula-malware-used-in-opm-and-anthem-hacks/",
+ "https://gizmodo.com/u-s-indicts-chinese-hacker-spies-in-conspiracy-to-stea-1830111695",
+ "https://www.cyberscoop.com/anthem-breach-indictment-chinese-national/",
+ "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-black-vine-cyberespionage-group.pdf",
+ "https://attack.mitre.org/groups/G0009/"
 ],
 "synonyms": [
 "Deep Panda",
@@ -5058,7 +5076,9 @@
 "https://www.proofpoint.com/us/threat-insight/post/Operation-Arid-Viper-Slithers-Back-Into-View",
 "https://www.ci-project.org/blog/2017/3/4/arid-viper",
 "http://blog.talosintelligence.com/2017/06/palestine-delphi.html",
- "https://www.threatconnect.com/blog/kasperagent-malware-campaign/"
+ "https://www.threatconnect.com/blog/kasperagent-malware-campaign/",
+ "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/sexually-explicit-material-used-as-lures-in-cyber-attacks?linkId=12425812",
+ "