From 91255413d8166552f847191ab0a319764ac70cd9 Mon Sep 17 00:00:00 2001
From: Daniel Plohmann
Date: Thu, 16 Feb 2023 14:30:05 +0100
Subject: [PATCH] adding Google names for RU threat actors https://blog.google/threat-analysis-group/fog-of-war-how-the-ukraine-conflict-transformed-the-cyber-threat-landscape/
---
 clusters/threat-actor.json | 30 ++++++++++++++++++++----------
 1 file changed, 20 insertions(+), 10 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 7e6a9e62..0da18326 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -2160,7 +2160,8 @@
 "https://www.bleepingcomputer.com/news/security/russian-hackers-use-fake-nato-training-docs-to-breach-govt-networks/",
 "https://quointelligence.eu/2020/09/apt28-zebrocy-malware-campaign-nato-theme/",
 "https://unit42.paloaltonetworks.com/atoms/fighting-ursa/",
- "https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag"
+ "https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag",
+ "https://blog.google/threat-analysis-group/fog-of-war-how-the-ukraine-conflict-transformed-the-cyber-threat-landscape/"
 ],
 "synonyms": [
 "Pawn Storm",
@@ -2183,7 +2184,8 @@
 "TA422",
 "T-APT-12",
 "APT-C-20",
- "UAC-0028"
+ "UAC-0028",
+ "FROZENLAKE"
 ]
 },
 "related": [
@@ -2336,7 +2338,8 @@
 "https://www.telsy.com/turla-venomous-bear-updates-its-arsenal-newpass-appears-on-the-apt-threat-scene/",
 "https://www.secureworks.com/research/threat-profiles/iron-hunter",
 "https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/",
- "https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag"
+ "https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag",
+ "https://blog.google/threat-analysis-group/fog-of-war-how-the-ukraine-conflict-transformed-the-cyber-threat-landscape/"
 ],
 "synonyms": [
 "Snake",
@@ -2357,7 +2360,8 @@
 "ATK13",
 "G0010",
 "ITG12",
- "Blue Python"
+ "Blue Python",
+ "SUMMIT"
 ]
 },
 "related": [
@@ -2494,7 +2498,8 @@
 "https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine",
 "https://www.welivesecurity.com/2017/05/23/xdata-ransomware-making-rounds-amid-global-wannacryptor-scare",
 "https://www.welivesecurity.com/2017/06/27/new-ransomware-attack-hits-ukraine",
- "https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back"
+ "https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back",
+ "https://blog.google/threat-analysis-group/fog-of-war-how-the-ukraine-conflict-transformed-the-cyber-threat-landscape/"
 ],
 "synonyms": [
 "Quedagh",
@@ -2505,7 +2510,8 @@
 "ELECTRUM",
 "TeleBots",
 "IRIDIUM",
- "Blue Echidna"
+ "Blue Echidna",
+ "FROZENBARENTS"
 ]
 },
 "related": [
@@ -8248,11 +8254,13 @@
 "https://twitter.com/hatr/status/1377220336597483520",
 "https://www.mandiant.com/resources/unc1151-linked-to-belarus-government",
 "https://www.bleepingcomputer.com/news/security/meta-ukrainian-officials-military-targeted-by-ghostwriter-hackers",
- "https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag"
+ "https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag",
+ "https://blog.google/threat-analysis-group/fog-of-war-how-the-ukraine-conflict-transformed-the-cyber-threat-landscape/"
 ],
 "synonyms": [
 "UNC1151",
- "TA445"
+ "TA445",
+ "PUSHCHA"
 ]
 },
 "uuid": "749aaa11-f0fd-416b-bf6c-112f9b5930a5",
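Review bot: `"SUMMIT"`, added in the hunk at -2357/+2360, is an ordinary English word, so any consumer that resolves actor names by loose synonym matching (case-insensitive or substring, against report text or tags) can attribute unrelated material to this cluster, whose other visible synonyms are `ATK13`, `G0010`, `ITG12` and `Blue Python`. JSON has no comment syntax, so the vendor origin is best recorded in the cluster's description field, which lies outside the hunk, with a sentence such as `Google TAG tracks this actor as SUMMIT.`, and consumers should match synonyms exactly. The other names added in this commit (`FROZENLAKE`, `FROZENBARENTS`, `PUSHCHA`, `FROZENVISTA`) are distinctive enough that the concern is much weaker there. It is also worth confirming that none of the new synonyms already appears under another cluster in the file, which the hunks alone cannot show.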
@@ -8955,14 +8963,16 @@
 "https://www.intezer.com/blog/research/elephant-malware-targeting-ukrainian-orgs/",
 "https://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/",
 "https://unit42.paloaltonetworks.com/atoms/nascentursa/",
- "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/nodaria-ukraine-infostealer"
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/nodaria-ukraine-infostealer",
+ "https://blog.google/threat-analysis-group/fog-of-war-how-the-ukraine-conflict-transformed-the-cyber-threat-landscape/"
 ],
 "synonyms": [
 "UNC2589",
 "TA471",
 "UAC-0056",
 "Nascent Ursa",
- "Nodaria"
+ "Nodaria",
+ "FROZENVISTA"
 ]
 },
 "uuid": "c67d3dfb-ab39-46e1-a971-5efdfe6a5b9f",