From c90c60cb13caaf8be99c20c01848979f856be054 Mon Sep 17 00:00:00 2001
From: Rony
Date: Mon, 19 Jul 2021 20:14:36 +0530
Subject: [PATCH 1/6] adding references for APT40 & APT31
---
 clusters/threat-actor.json | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 97fe3eb4..4732a47d 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -5751,7 +5751,15 @@
 "https://www.secureworks.com/research/threat-profiles/bronze-mohawk",
 "https://www.mycert.org.my/portal/advisory?id=MA-774.022020",
 "https://www.elastic.co/blog/advanced-techniques-used-in-malaysian-focused-apt-campaign",
- "https://www.microsoft.com/security/blog/2020/09/24/gadolinium-detecting-empires-cloud/"
+ "https://www.microsoft.com/security/blog/2020/09/24/gadolinium-detecting-empires-cloud/",
+ "https://www.justice.gov/opa/pr/four-chinese-nationals-working-ministry-state-security-charged-global-computer-intrusion",
+ "https://www.justice.gov/opa/press-release/file/1412916/download",
+ "https://www.justice.gov/opa/press-release/file/1412921/download",
+ "https://us-cert.cisa.gov/ncas/alerts/aa21-200a",
+ "https://us-cert.cisa.gov/ncas/alerts/aa21-200b",
+ "https://www.ncsc.gov.uk/news/uk-allies-hold-chinese-state-responsible-for-pervasive-pattern-of-hacking",
+ "https://www.gov.uk/government/news/uk-and-allies-hold-chinese-state-responsible-for-a-pervasive-pattern-of-hacking",
+ "https://www.consilium.europa.eu/en/press/press-releases/2021/07/19/declaration-by-the-high-representative-on-behalf-of-the-eu-urging-china-to-take-action-against-malicious-cyber-activities-undertaken-from-its-territory"
 ],
 "synonyms": [
 "TEMP.Periscope",
@@ -7205,7 +7213,15 @@
 "https://www.secureworks.com/research/bronze-vinewood-targets-supply-chains",
 "https://www.secureworks.com/research/threat-profiles/bronze-vinewood",
 "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report",
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
+ "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
+ "https://research.checkpoint.com/2021/the-story-of-jian",
+ "https://supo.fi/-/suojelupoliisi-tunnisti-eduskuntaan-kohdistuneen-kybervakoiluoperaation-apt31-ksi",
+ "https://poliisi.fi/-/eduskunnan-tietojarjestelmiin-kohdistuneen-tietomurron-tutkinnassa-selvitetaan-yhteytta-apt31-toimijaan",
+ "https://pst.no/alle-artikler/pressemeldinger/etterforskningen-av-datanettverksoperasjonen-mot-fylkesmannsembetene-er-avsluttet",
+ "https://www.nrk.no/norge/pst_-har-etterretning-om-at-kinesisk-gruppe-stod-bak-dataangrep-mot-statsforvaltere-1.15540601",
+ "https://www.ncsc.gov.uk/news/uk-allies-hold-chinese-state-responsible-for-pervasive-pattern-of-hacking",
+ "https://www.gov.uk/government/news/uk-and-allies-hold-chinese-state-responsible-for-a-pervasive-pattern-of-hacking",
+ "https://www.consilium.europa.eu/en/press/press-releases/2021/07/19/declaration-by-the-high-representative-on-behalf-of-the-eu-urging-china-to-take-action-against-malicious-cyber-activities-undertaken-from-its-territory/"
 ],
 "synonyms": [
 "APT 31",
From fb9a41f8e98066352ed6620153239277255b0605 Mon Sep 17 00:00:00 2001
From: Rony
Date: Mon, 19 Jul 2021 20:33:35 +0530
Subject: [PATCH 2/6] from Gov Canada & MFA Japan
---
 clusters/threat-actor.json | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 4732a47d..051190e6 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
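Review bot: The Council of the EU declaration is added to this APT31 entry with a trailing slash (`.../undertaken-from-its-territory/`) while the same reference added to the APT40 entry in the previous hunk has none, so exact-match deduplication or link checking across clusters will treat them as two different references. Pick one spelling for both entries; dropping the slash here to match the APT40 line is the smaller change: `"https://www.consilium.europa.eu/en/press/press-releases/2021/07/19/declaration-by-the-high-representative-on-behalf-of-the-eu-urging-china-to-take-action-against-malicious-cyber-activities-undertaken-from-its-territory"`. The difference is carried forward by the later patches in this series that touch the line. The enclosing references array starts before this hunk.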
@@ -5757,6 +5757,8 @@
 "https://www.justice.gov/opa/press-release/file/1412921/download",
 "https://us-cert.cisa.gov/ncas/alerts/aa21-200a",
 "https://us-cert.cisa.gov/ncas/alerts/aa21-200b",
+ "https://www.mofa.go.jp/mofaj/press/danwa/page6_000583.html",
+ "https://www.canada.ca/en/global-affairs/news/2021/07/statement-on-chinas-cyber-campaigns.html",
 "https://www.ncsc.gov.uk/news/uk-allies-hold-chinese-state-responsible-for-pervasive-pattern-of-hacking",
 "https://www.gov.uk/government/news/uk-and-allies-hold-chinese-state-responsible-for-a-pervasive-pattern-of-hacking",
 "https://www.consilium.europa.eu/en/press/press-releases/2021/07/19/declaration-by-the-high-representative-on-behalf-of-the-eu-urging-china-to-take-action-against-malicious-cyber-activities-undertaken-from-its-territory"
From 52e7d5a0a90c0652b212acace0fcf4f7df75dff6 Mon Sep 17 00:00:00 2001
From: Rony
Date: Wed, 21 Jul 2021 18:28:40 +0530
Subject: [PATCH 3/6] multiple updates to apt40, apt31 & hafnium
---
 clusters/threat-actor.json | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 051190e6..a4e301d5 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -5757,10 +5757,12 @@
 "https://www.justice.gov/opa/press-release/file/1412921/download",
 "https://us-cert.cisa.gov/ncas/alerts/aa21-200a",
 "https://us-cert.cisa.gov/ncas/alerts/aa21-200b",
- "https://www.mofa.go.jp/mofaj/press/danwa/page6_000583.html",
 "https://www.canada.ca/en/global-affairs/news/2021/07/statement-on-chinas-cyber-campaigns.html",
 "https://www.ncsc.gov.uk/news/uk-allies-hold-chinese-state-responsible-for-pervasive-pattern-of-hacking",
 "https://www.gov.uk/government/news/uk-and-allies-hold-chinese-state-responsible-for-a-pervasive-pattern-of-hacking",
+ "https://www.rnz.co.nz/news/political/447239/government-points-finger-at-china-over-cyber-attacks",
+ "https://www.foreignminister.gov.au/minister/marise-payne/media-release/australia-joins-international-partners-attribution-malicious-cyber-activity-china",
+ "https://www.mofa.go.jp/press/danwa/press6e_000312.html"
 "https://www.consilium.europa.eu/en/press/press-releases/2021/07/19/declaration-by-the-high-representative-on-behalf-of-the-eu-urging-china-to-take-action-against-malicious-cyber-activities-undertaken-from-its-territory"
 ],
 "synonyms": [
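Review bot: The added line `"https://www.mofa.go.jp/press/danwa/press6e_000312.html"` has no trailing comma before the consilium element that follows it, so clusters/threat-actor.json does not parse at this commit; the second hunk of this same patch has the same defect on the consilium and CERTFR-2021-IOC-003 lines. Patches 4/6 to 6/6 do nothing but add those commas, which leaves three non-parseable commits in history and breaks bisecting; squash them into this one. Running `python -m json.tool clusters/threat-actor.json` (or `jq .`) before committing catches this class of error. The enclosing references array starts before this hunk.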
@@ -7223,7 +7225,10 @@
 "https://www.nrk.no/norge/pst_-har-etterretning-om-at-kinesisk-gruppe-stod-bak-dataangrep-mot-statsforvaltere-1.15540601",
 "https://www.ncsc.gov.uk/news/uk-allies-hold-chinese-state-responsible-for-pervasive-pattern-of-hacking",
 "https://www.gov.uk/government/news/uk-and-allies-hold-chinese-state-responsible-for-a-pervasive-pattern-of-hacking",
+ "https://www.foreignminister.gov.au/minister/marise-payne/media-release/australia-joins-international-partners-attribution-malicious-cyber-activity-china",
 "https://www.consilium.europa.eu/en/press/press-releases/2021/07/19/declaration-by-the-high-representative-on-behalf-of-the-eu-urging-china-to-take-action-against-malicious-cyber-activities-undertaken-from-its-territory/"
+ "https://www.cert.ssi.gouv.fr/ioc/CERTFR-2021-IOC-003"
+ "https://twitter.com/bkMSFT/status/1417823714922610689"
 ],
 "synonyms": [
 "APT 31",
@@ -8401,7 +8406,10 @@
 "https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Execution/exchange-iis-worker-dropping-webshell.md",
 "https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server",
 "https://www.nextron-systems.com/2021/03/06/scan-for-hafnium-exploitation-evidence-with-thor-lite",
- "https://www.thedailybeast.com/how-chinas-devastating-microsoft-hack-puts-us-all-at-risk"
+ "https://www.thedailybeast.com/how-chinas-devastating-microsoft-hack-puts-us-all-at-risk",
+ "https://www.rnz.co.nz/news/political/447239/government-points-finger-at-china-over-cyber-attacks",
+ "https://www.gov.uk/government/news/uk-and-allies-hold-chinese-state-responsible-for-a-pervasive-pattern-of-hacking",
+ "https://www.foreignminister.gov.au/minister/marise-payne/media-release/australia-joins-international-partners-attribution-malicious-cyber-activity-china"
 ]
 },
 "uuid": "4f05d6c1-3fc1-4567-91cd-dd4637cc38b5",
From 32ea60d721b1a76637eacc72a4d048368762c790 Mon Sep 17 00:00:00 2001
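Review bot: `"https://twitter.com/bkMSFT/status/1417823714922610689"` cites a tweet as an attribution reference, and a tweet can be deleted or made private at any time, after which the evidence behind this APT31 entry can no longer be checked. The other additions in this hunk are government or CERT publications, which is the standard the array otherwise holds; cite the primary document the status points to, or pair the tweet with an archived copy of it, so the reference stays verifiable. The enclosing references array starts before this hunk.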
From: Rony
Date: Wed, 21 Jul 2021 18:31:05 +0530
Subject: [PATCH 4/6] fix
---
 clusters/threat-actor.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index a4e301d5..8e39e59b 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -5762,7 +5762,7 @@
 "https://www.gov.uk/government/news/uk-and-allies-hold-chinese-state-responsible-for-a-pervasive-pattern-of-hacking",
 "https://www.rnz.co.nz/news/political/447239/government-points-finger-at-china-over-cyber-attacks",
 "https://www.foreignminister.gov.au/minister/marise-payne/media-release/australia-joins-international-partners-attribution-malicious-cyber-activity-china",
- "https://www.mofa.go.jp/press/danwa/press6e_000312.html"
+ "https://www.mofa.go.jp/press/danwa/press6e_000312.html",
 "https://www.consilium.europa.eu/en/press/press-releases/2021/07/19/declaration-by-the-high-representative-on-behalf-of-the-eu-urging-china-to-take-action-against-malicious-cyber-activities-undertaken-from-its-territory"
 ],
 "synonyms": [
From 9ecfecc063a433bca8a759a819eb5fbee50755ff Mon Sep 17 00:00:00 2001
From: Rony
Date: Wed, 21 Jul 2021 18:41:18 +0530
Subject: [PATCH 5/6] another fix
---
 clusters/threat-actor.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 8e39e59b..9a38618d 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -7227,7 +7227,7 @@
 "https://www.gov.uk/government/news/uk-and-allies-hold-chinese-state-responsible-for-a-pervasive-pattern-of-hacking",
 "https://www.foreignminister.gov.au/minister/marise-payne/media-release/australia-joins-international-partners-attribution-malicious-cyber-activity-china",
 "https://www.consilium.europa.eu/en/press/press-releases/2021/07/19/declaration-by-the-high-representative-on-behalf-of-the-eu-urging-china-to-take-action-against-malicious-cyber-activities-undertaken-from-its-territory/"
- "https://www.cert.ssi.gouv.fr/ioc/CERTFR-2021-IOC-003"
+ "https://www.cert.ssi.gouv.fr/ioc/CERTFR-2021-IOC-003",
 "https://twitter.com/bkMSFT/status/1417823714922610689"
 ],
 "synonyms": [
From 636ccdedcd605ab1b7b7f5d10232728ac44680e3 Mon Sep 17 00:00:00 2001
From: Rony
Date: Wed, 21 Jul 2021 18:47:56 +0530
Subject: [PATCH 6/6] Update threat-actor.json
---
 clusters/threat-actor.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 9a38618d..f245a4e2 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -7226,7 +7226,7 @@
 "https://www.ncsc.gov.uk/news/uk-allies-hold-chinese-state-responsible-for-pervasive-pattern-of-hacking",
 "https://www.gov.uk/government/news/uk-and-allies-hold-chinese-state-responsible-for-a-pervasive-pattern-of-hacking",
 "https://www.foreignminister.gov.au/minister/marise-payne/media-release/australia-joins-international-partners-attribution-malicious-cyber-activity-china",
- "https://www.consilium.europa.eu/en/press/press-releases/2021/07/19/declaration-by-the-high-representative-on-behalf-of-the-eu-urging-china-to-take-action-against-malicious-cyber-activities-undertaken-from-its-territory/"
+ "https://www.consilium.europa.eu/en/press/press-releases/2021/07/19/declaration-by-the-high-representative-on-behalf-of-the-eu-urging-china-to-take-action-against-malicious-cyber-activities-undertaken-from-its-territory/",
 "https://www.cert.ssi.gouv.fr/ioc/CERTFR-2021-IOC-003",
 "https://twitter.com/bkMSFT/status/1417823714922610689"
 ],