mirror of https://github.com/MISP/misp-galaxy
commit
94ec98d544
|
@ -82,18 +82,6 @@
|
||||||
"uuid": "1cb7e1cc-d695-42b1-92f4-fd0112a3c9be",
|
"uuid": "1cb7e1cc-d695-42b1-92f4-fd0112a3c9be",
|
||||||
"value": "Comment Crew"
|
"value": "Comment Crew"
|
||||||
},
|
},
|
||||||
{
|
|
||||||
"description": "The group appears to have close ties to the Chinese National University of Defense and Technology, which is possibly linked to the PLA. Stalker Panda has been observed conducting targeted attacks against Japan, Taiwan, Hong Kong, and the United States. The attacks appear to be centered on political, media, and engineering sectors. The group appears to have been active since around 2010 and they maintain and upgrade their tools regularly.",
|
|
||||||
"meta": {
|
|
||||||
"attribution-confidence": "50",
|
|
||||||
"country": "CN",
|
|
||||||
"refs": [
|
|
||||||
"https://wikileaks.org/vault7/document/2015-08-20150814-256-CSIR-15005-Stalker-Panda/2015-08-20150814-256-CSIR-15005-Stalker-Panda.pdf"
|
|
||||||
]
|
|
||||||
},
|
|
||||||
"uuid": "36843742-adf1-427c-a7c0-067d74b4aeaf",
|
|
||||||
"value": "Stalker Panda"
|
|
||||||
},
|
|
||||||
{
|
{
|
||||||
"description": "These attackers were the subject of an extensive report by Symantec in 2011, which termed the attackers Nitro and stated: 'The goal of the attackers appears to be to collect intellectual property such as design documents, formulas, and manufacturing processes. In addition, the same attackers appear to have a lengthy operation history including attacks on other industries and organizations. Attacks on the chemical industry are merely their latest attack wave. As part of our investigations, we were also able to identify and contact one of the attackers to try and gain insights into the motivations behind these attacks.' Palo Alto Networks reported on continued activity by the attackers in 2014. ",
|
"description": "These attackers were the subject of an extensive report by Symantec in 2011, which termed the attackers Nitro and stated: 'The goal of the attackers appears to be to collect intellectual property such as design documents, formulas, and manufacturing processes. In addition, the same attackers appear to have a lengthy operation history including attacks on other industries and organizations. Attacks on the chemical industry are merely their latest attack wave. As part of our investigations, we were also able to identify and contact one of the attackers to try and gain insights into the motivations behind these attacks.' Palo Alto Networks reported on continued activity by the attackers in 2014. ",
|
||||||
"meta": {
|
"meta": {
|
||||||
|
@ -999,6 +987,8 @@
|
||||||
"cfr-suspected-state-sponsor": "Unknown",
|
"cfr-suspected-state-sponsor": "Unknown",
|
||||||
"cfr-suspected-victims": [
|
"cfr-suspected-victims": [
|
||||||
"United States",
|
"United States",
|
||||||
|
"United Kingdom",
|
||||||
|
"France",
|
||||||
"Japan",
|
"Japan",
|
||||||
"Taiwan",
|
"Taiwan",
|
||||||
"India",
|
"India",
|
||||||
|
@ -1009,7 +999,8 @@
|
||||||
"Australia",
|
"Australia",
|
||||||
"Republic of Korea",
|
"Republic of Korea",
|
||||||
"Russia",
|
"Russia",
|
||||||
"Iran"
|
"Iran",
|
||||||
|
"Turkey"
|
||||||
],
|
],
|
||||||
"cfr-target-category": [
|
"cfr-target-category": [
|
||||||
"Government",
|
"Government",
|
||||||
|
@ -1018,23 +1009,33 @@
|
||||||
"cfr-type-of-incident": "Espionage",
|
"cfr-type-of-incident": "Espionage",
|
||||||
"country": "CN",
|
"country": "CN",
|
||||||
"refs": [
|
"refs": [
|
||||||
"http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/",
|
|
||||||
"https://web.archive.org/web/20140129192702/https://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/",
|
"https://web.archive.org/web/20140129192702/https://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/",
|
||||||
"https://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/",
|
"https://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/",
|
||||||
"https://labs.bitdefender.com/wp-content/uploads/downloads/operation-pzchao-inside-a-highly-specialized-espionage-infrastructure/",
|
"https://labs.bitdefender.com/wp-content/uploads/downloads/operation-pzchao-inside-a-highly-specialized-espionage-infrastructure/",
|
||||||
"https://www.cfr.org/interactive/cyber-operations/iron-tiger"
|
"https://www.cfr.org/interactive/cyber-operations/iron-tiger",
|
||||||
|
"https://www.bleepingcomputer.com/news/security/chinese-cyber-espionage-group-hacked-government-data-center/",
|
||||||
|
"https://www.secureworks.com/research/bronze-union",
|
||||||
|
"http://newsroom.trendmicro.com/blog/operation-iron-tiger-attackers-shift-east-asia-united-states",
|
||||||
|
"https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage",
|
||||||
|
"https://www.threatconnect.com/blog/threatconnect-discovers-chinese-apt-activity-in-europe/",
|
||||||
|
"https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/april/decoding-network-data-from-a-gh0st-rat-variant/",
|
||||||
|
"https://securelist.com/luckymouse-ndisproxy-driver/87914/",
|
||||||
|
"https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/2015.09.17.Operation_Iron_Tiger/Operation%20Iron%20Tiger%20Appendix.pdf",
|
||||||
|
"https://arstechnica.com/information-technology/2015/08/newly-discovered-chinese-hacking-group-hacked-100-websites-to-use-as-watering-holes/",
|
||||||
|
"https://securelist.com/luckymouse-hits-national-data-center/86083/",
|
||||||
|
"https://attack.mitre.org/groups/G0027/",
|
||||||
|
"https://www.secureworks.com/research/threat-profiles/bronze-union"
|
||||||
],
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"TG-3390",
|
"TG-3390",
|
||||||
"APT 27",
|
"APT 27",
|
||||||
"TEMP.Hippo",
|
|
||||||
"Group 35",
|
|
||||||
"Bronze Union",
|
|
||||||
"ZipToken",
|
|
||||||
"HIPPOTeam",
|
|
||||||
"APT27",
|
"APT27",
|
||||||
"Operation Iron Tiger",
|
"TEMP.Hippo",
|
||||||
"Iron Tiger APT",
|
"Red Phoenix",
|
||||||
|
"Budworm",
|
||||||
|
"Group 35",
|
||||||
|
"ZipToken",
|
||||||
|
"Iron Tiger",
|
||||||
"BRONZE UNION",
|
"BRONZE UNION",
|
||||||
"Lucky Mouse"
|
"Lucky Mouse"
|
||||||
]
|
]
|
||||||
|
@ -1046,24 +1047,10 @@
|
||||||
"estimative-language:likelihood-probability=\"likely\""
|
"estimative-language:likelihood-probability=\"likely\""
|
||||||
],
|
],
|
||||||
"type": "similar"
|
"type": "similar"
|
||||||
},
|
|
||||||
{
|
|
||||||
"dest-uuid": "f1b9f7d6-6ab1-404b-91a6-a1ed1845c045",
|
|
||||||
"tags": [
|
|
||||||
"estimative-language:likelihood-probability=\"likely\""
|
|
||||||
],
|
|
||||||
"type": "similar"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"dest-uuid": "4af45fea-72d3-11e8-846c-d37699506c8d",
|
|
||||||
"tags": [
|
|
||||||
"estimative-language:likelihood-probability=\"likely\""
|
|
||||||
],
|
|
||||||
"type": "similar"
|
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"uuid": "834e0acd-d92a-4e38-bb14-dc4159d7cb32",
|
"uuid": "834e0acd-d92a-4e38-bb14-dc4159d7cb32",
|
||||||
"value": "Emissary Panda"
|
"value": "EMISSARY PANDA"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"meta": {
|
"meta": {
|
||||||
|
@ -3497,58 +3484,6 @@
|
||||||
"uuid": "a9b44750-992c-4743-8922-129880d277ea",
|
"uuid": "a9b44750-992c-4743-8922-129880d277ea",
|
||||||
"value": "DragonOK"
|
"value": "DragonOK"
|
||||||
},
|
},
|
||||||
{
|
|
||||||
"description": "Chinese threat group that has extensively used strategic Web compromises to target victims.",
|
|
||||||
"meta": {
|
|
||||||
"attribution-confidence": "50",
|
|
||||||
"cfr-suspected-state-sponsor": " China",
|
|
||||||
"cfr-suspected-victims": [
|
|
||||||
"United States",
|
|
||||||
"United Kingdom",
|
|
||||||
"France"
|
|
||||||
],
|
|
||||||
"cfr-target-category": [
|
|
||||||
"Government",
|
|
||||||
"Private sector"
|
|
||||||
],
|
|
||||||
"cfr-type-of-incident": "Espionage",
|
|
||||||
"country": "CN",
|
|
||||||
"refs": [
|
|
||||||
"http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/",
|
|
||||||
"https://attack.mitre.org",
|
|
||||||
"https://www.cfr.org/interactive/cyber-operations/emissary-panda"
|
|
||||||
],
|
|
||||||
"synonyms": [
|
|
||||||
"TG-3390",
|
|
||||||
"Emissary Panda"
|
|
||||||
]
|
|
||||||
},
|
|
||||||
"related": [
|
|
||||||
{
|
|
||||||
"dest-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c",
|
|
||||||
"tags": [
|
|
||||||
"estimative-language:likelihood-probability=\"likely\""
|
|
||||||
],
|
|
||||||
"type": "similar"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"dest-uuid": "834e0acd-d92a-4e38-bb14-dc4159d7cb32",
|
|
||||||
"tags": [
|
|
||||||
"estimative-language:likelihood-probability=\"likely\""
|
|
||||||
],
|
|
||||||
"type": "similar"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"dest-uuid": "4af45fea-72d3-11e8-846c-d37699506c8d",
|
|
||||||
"tags": [
|
|
||||||
"estimative-language:likelihood-probability=\"likely\""
|
|
||||||
],
|
|
||||||
"type": "similar"
|
|
||||||
}
|
|
||||||
],
|
|
||||||
"uuid": "f1b9f7d6-6ab1-404b-91a6-a1ed1845c045",
|
|
||||||
"value": "Threat Group-3390"
|
|
||||||
},
|
|
||||||
{
|
{
|
||||||
"description": "ProjectSauron is the name for a top level modular cyber-espionage platform, designed to enable and manage long-term campaigns through stealthy survival mechanisms coupled with multiple exfiltration methods. Technical details show how attackers learned from other extremely advanced actors in order to avoid repeating their mistakes. As such, all artifacts are customized per given target, reducing their value as indicators of compromise for any other victim. Usually APT campaigns have a geographical nexus, aimed at extracting information within a specific region or from a given industry. That usually results in several infections in countries within that region, or in the targeted industry around the world. Interestingly, ProjectSauron seems to be dedicated to just a couple of countries, focused on collecting high value intelligence by compromising almost all key entities it could possibly reach within the target area. The name, ProjectSauron reflects the fact that the code authors refer to ‘Sauron’ in the Lua scripts.",
|
"description": "ProjectSauron is the name for a top level modular cyber-espionage platform, designed to enable and manage long-term campaigns through stealthy survival mechanisms coupled with multiple exfiltration methods. Technical details show how attackers learned from other extremely advanced actors in order to avoid repeating their mistakes. As such, all artifacts are customized per given target, reducing their value as indicators of compromise for any other victim. Usually APT campaigns have a geographical nexus, aimed at extracting information within a specific region or from a given industry. That usually results in several infections in countries within that region, or in the targeted industry around the world. Interestingly, ProjectSauron seems to be dedicated to just a couple of countries, focused on collecting high value intelligence by compromising almost all key entities it could possibly reach within the target area. The name, ProjectSauron reflects the fact that the code authors refer to ‘Sauron’ in the Lua scripts.",
|
||||||
"meta": {
|
"meta": {
|
||||||
|
@ -4827,7 +4762,7 @@
|
||||||
"value": "APT 22"
|
"value": "APT 22"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"description": "This threat actor targets organizations in the critical infrastructure, heavy industry, manufacturing, and international relations sectors for espionage purposes.",
|
"description": "Tick is a cyber espionage group with likely Chinese origins that has been active since at least 2008. The group appears to have close ties to the Chinese National University of Defense and Technology, which is possibly linked to the PLA. This threat actor targets organizations in the critical infrastructure, heavy industry, manufacturing, and international relations sectors for espionage purposes. The attacks appear to be centered on political, media, and engineering sectors. STALKER PANDA has been observed conducting targeted attacks against Japan, Taiwan, Hong Kong, and the United States.",
|
||||||
"meta": {
|
"meta": {
|
||||||
"attribution-confidence": "50",
|
"attribution-confidence": "50",
|
||||||
"cfr-suspected-state-sponsor": "China",
|
"cfr-suspected-state-sponsor": "China",
|
||||||
|
@ -4843,6 +4778,7 @@
|
||||||
"cfr-type-of-incident": "Espionage",
|
"cfr-type-of-incident": "Espionage",
|
||||||
"country": "CN",
|
"country": "CN",
|
||||||
"refs": [
|
"refs": [
|
||||||
|
"https://wikileaks.org/vault7/document/2015-08-20150814-256-CSIR-15005-Stalker-Panda/2015-08-20150814-256-CSIR-15005-Stalker-Panda. pdf",
|
||||||
"https://www.symantec.com/connect/blogs/tick-cyberespionage-group-zeros-japan",
|
"https://www.symantec.com/connect/blogs/tick-cyberespionage-group-zeros-japan",
|
||||||
"https://www.secureworks.jp/resources/rp-bronze-butler",
|
"https://www.secureworks.jp/resources/rp-bronze-butler",
|
||||||
"https://researchcenter.paloaltonetworks.com/2017/07/unit42-tick-group-continues-attacks/",
|
"https://researchcenter.paloaltonetworks.com/2017/07/unit42-tick-group-continues-attacks/",
|
||||||
|
@ -4854,8 +4790,9 @@
|
||||||
"https://www.secureworks.com/research/threat-profiles/bronze-butler"
|
"https://www.secureworks.com/research/threat-profiles/bronze-butler"
|
||||||
],
|
],
|
||||||
"synonyms": [
|
"synonyms": [
|
||||||
"Bronze Butler",
|
"BRONZE BUTLER",
|
||||||
"RedBaldKnight"
|
"REDBALDKNIGHT",
|
||||||
|
"STALKER PANDA"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"related": [
|
"related": [
|
||||||
|
@ -6124,86 +6061,6 @@
|
||||||
"uuid": "4defbf2e-4f73-11e8-807f-578d61da7568",
|
"uuid": "4defbf2e-4f73-11e8-807f-578d61da7568",
|
||||||
"value": "ZooPark"
|
"value": "ZooPark"
|
||||||
},
|
},
|
||||||
{
|
|
||||||
"description": "Experts assigned the codename of LuckyMouse to the group behind this hack, but they later realized the attackers were an older Chinese threat actor known under various names in the reports of other cyber-security firms, such as Emissary Panda, APT27, Threat Group 3390, Bronze Union, ZipToken, and Iron Tiger",
|
|
||||||
"meta": {
|
|
||||||
"attribution-confidence": "50",
|
|
||||||
"cfr-suspected-state-sponsor": "Unknown",
|
|
||||||
"cfr-suspected-victims": [
|
|
||||||
"United States",
|
|
||||||
"Japan",
|
|
||||||
"Taiwan",
|
|
||||||
"India",
|
|
||||||
"Canada",
|
|
||||||
"China",
|
|
||||||
"Thailand",
|
|
||||||
"Israel",
|
|
||||||
"Australia",
|
|
||||||
"Republic of Korea",
|
|
||||||
"Russia",
|
|
||||||
"Iran"
|
|
||||||
],
|
|
||||||
"cfr-target-category": [
|
|
||||||
"Government",
|
|
||||||
"Private sector"
|
|
||||||
],
|
|
||||||
"cfr-type-of-incident": "Espionage",
|
|
||||||
"refs": [
|
|
||||||
"https://www.bleepingcomputer.com/news/security/chinese-cyber-espionage-group-hacked-government-data-center/",
|
|
||||||
"https://www.secureworks.com/research/bronze-union",
|
|
||||||
"http://newsroom.trendmicro.com/blog/operation-iron-tiger-attackers-shift-east-asia-united-states",
|
|
||||||
"https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage",
|
|
||||||
"https://www.threatconnect.com/blog/threatconnect-discovers-chinese-apt-activity-in-europe/",
|
|
||||||
"https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/april/decoding-network-data-from-a-gh0st-rat-variant/",
|
|
||||||
"https://securelist.com/luckymouse-ndisproxy-driver/87914/",
|
|
||||||
"https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/2015.09.17.Operation_Iron_Tiger/Operation%20Iron%20Tiger%20Appendix.pdf",
|
|
||||||
"https://www.cfr.org/interactive/cyber-operations/iron-tiger",
|
|
||||||
"https://arstechnica.com/information-technology/2015/08/newly-discovered-chinese-hacking-group-hacked-100-websites-to-use-as-watering-holes/",
|
|
||||||
"https://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/",
|
|
||||||
"https://securelist.com/luckymouse-hits-national-data-center/86083/",
|
|
||||||
"https://attack.mitre.org/groups/G0027/",
|
|
||||||
"https://www.secureworks.com/research/threat-profiles/bronze-union",
|
|
||||||
"https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/"
|
|
||||||
],
|
|
||||||
"synonyms": [
|
|
||||||
"Emissary Panda",
|
|
||||||
"APT27",
|
|
||||||
"APT 27",
|
|
||||||
"Threat Group 3390",
|
|
||||||
"Bronze Union",
|
|
||||||
"Iron Tiger",
|
|
||||||
"TG-3390",
|
|
||||||
"TEMP.Hippo",
|
|
||||||
"Group 35",
|
|
||||||
"ZipToken"
|
|
||||||
]
|
|
||||||
},
|
|
||||||
"related": [
|
|
||||||
{
|
|
||||||
"dest-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c",
|
|
||||||
"tags": [
|
|
||||||
"estimative-language:likelihood-probability=\"likely\""
|
|
||||||
],
|
|
||||||
"type": "similar"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"dest-uuid": "834e0acd-d92a-4e38-bb14-dc4159d7cb32",
|
|
||||||
"tags": [
|
|
||||||
"estimative-language:likelihood-probability=\"likely\""
|
|
||||||
],
|
|
||||||
"type": "similar"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"dest-uuid": "f1b9f7d6-6ab1-404b-91a6-a1ed1845c045",
|
|
||||||
"tags": [
|
|
||||||
"estimative-language:likelihood-probability=\"likely\""
|
|
||||||
],
|
|
||||||
"type": "similar"
|
|
||||||
}
|
|
||||||
],
|
|
||||||
"uuid": "4af45fea-72d3-11e8-846c-d37699506c8d",
|
|
||||||
"value": "LuckyMouse"
|
|
||||||
},
|
|
||||||
{
|
{
|
||||||
"description": "The Rancor group’s attacks use two primary malware families which are naming DDKONG and PLAINTEE. DDKONG is used throughout the campaign and PLAINTEE appears to be new addition to these attackers’ toolkit. Countries Unit 42 has identified as targeted by Rancor with these malware families include, but are not limited to Singapore and Cambodia.",
|
"description": "The Rancor group’s attacks use two primary malware families which are naming DDKONG and PLAINTEE. DDKONG is used throughout the campaign and PLAINTEE appears to be new addition to these attackers’ toolkit. Countries Unit 42 has identified as targeted by Rancor with these malware families include, but are not limited to Singapore and Cambodia.",
|
||||||
"meta": {
|
"meta": {
|
||||||
|
|
Loading…
Reference in New Issue