MISP
/
misp-galaxy
mirror of https://github.com/MISP/misp-galaxy
2
0
Fork 0
Code Issues Releases Wiki Activity

update threat actor galaxy

pull/416/head
Deborah Servili 2019-06-14 16:06:09 +02:00
parent b040f9f57b
commit 98f0572d51
No known key found for this signature in database
GPG Key ID: 7E3A832850D4D7D1
1 changed files with 169 additions and 40 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

209
clusters/threat-actor.json
View File

@ -291,16 +291,19 @@
"country": "CN",
"refs": [
"http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf",
"https://www.cfr.org/interactive/cyber-operations/putter-panda"
"https://www.cfr.org/interactive/cyber-operations/putter-panda",
"https://attack.mitre.org/groups/G0024/"
],
"synonyms": [
"PLA Unit 61486",
"APT 2",
"APT2",
"Group 36",
"APT-2",
"MSUpdater",
"4HCrew",
"SULPHUR",
"SearchFire",
"TG-6952"
]
},
@ -1390,7 +1393,12 @@
"attribution-confidence": "50",
"country": "CN",
"refs": [
"http://blog.airbuscybersecurity.com/post/2014/07/The-Eye-of-the-Tiger2"
"http://blog.airbuscybersecurity.com/post/2014/07/The-Eye-of-the-Tiger2",
"http://blog.cassidiancybersecurity.com/post/2014/07/The-Eye-of-the-Tiger2",
"https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/2014.07.11.Pitty_Tiger/Pitty_Tiger_Final_Report.pdf",
"https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/targeted-attacks-on-french-company-exploit-multiple-word-vulnerabilities/",
"https://www.fireeye.com/blog/threat-research/2014/07/spy-of-the-tiger.html",
"https://attack.mitre.org/groups/G0011/"
],
"synonyms": [
"PittyTiger",
@ -1412,7 +1420,8 @@
{
"meta": {
"refs": [
"http://researchcenter.paloaltonetworks.com/2015/12/bbsrat-attacks-targeting-russian-organizations-linked-to-roaming-tiger/"
"https://unit42.paloaltonetworks.com/bbsrat-attacks-targeting-russian-organizations-linked-to-roaming-tiger/",
"http://2014.zeronights.org/assets/files/slides/roaming_tiger_zeronights_2014.pdf"
]
},
"uuid": "1fb177c1-472a-4147-b7c4-b5269b11703d",
@ -1625,11 +1634,12 @@
"attribution-confidence": "50",
"country": "CN",
"refs": [
"https://community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india",
"https://blog.rapid7.com/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india/",
"http://www.crowdstrike.com/blog/rhetoric-foreshadows-cyber-activity-in-the-south-china-sea/"
],
"synonyms": [
"APT23",
"APT 23",
"KeyBoy"
]
},
@ -2315,7 +2325,43 @@
"https://blogs.microsoft.com/on-the-issues/2018/08/20/we-are-taking-new-steps-against-broadening-threats-to-democracy/",
"https://www.bleepingcomputer.com/news/security/microsoft-disrupts-apt28-hacking-campaign-aimed-at-us-midterm-elections/",
"https://www.bleepingcomputer.com/news/security/apt28-uses-lojax-first-uefi-rootkit-seen-in-the-wild/",
"https://www.accenture.com/us-en/blogs/blogs-snakemackerel-delivers-zekapab-malware"
"https://www.accenture.com/us-en/blogs/blogs-snakemackerel-delivers-zekapab-malware",
"https://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-flash-zero-day-used-in-pawn-storm-campaign/",
"http://www.lse.co.uk/AllNews.asp?code=kwdwehme&headline=Russian_Hackers_Suspected_In_Cyberattack_On_German_Parliament",
"https://www.apnews.com/4d174e45ef5843a0ba82e804f080988f",
"https://www.bbc.com/news/technology-37590375",
"https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html",
"https://www.eff.org/deeplinks/2015/08/new-spear-phishing-campaign-pretends-be-eff",
"https://labsblog.f-secure.com/2015/09/08/sofacy-recycles-carberp-and-metasploit-code/",
"https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-targets-mh17-investigation-team/",
"https://www.msn.com/en-au/news/world/russia-tried-to-hack-mh17-inquiry-system/ar-BBmmuuT",
"https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/",
"https://unit42.paloaltonetworks.com/unit42-new-sofacy-attacks-against-us-government-agency/",
"https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/",
"http://www.dw.com/en/hackers-lurking-parliamentarians-told/a-19564630",
"http://www.ibtimes.co.uk/russian-hackers-fancy-bear-likely-breached-olympic-drug-testing-agency-dnc-experts-say-1577508",
"https://unit42.paloaltonetworks.com/unit42-sofacys-komplex-os-x-trojan/",
"file:///D:/Work/ThaiCERT/Cases/researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platform/",
"https://unit42.paloaltonetworks.com/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/",
"https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/",
"https://www.volkskrant.nl/cultuur-media/russen-faalden-bij-hackpogingen-ambtenaren-op-nederlandse-ministeries~b77ff391/",
"https://www.voanews.com/a/iaaf-hack-fancy-bears/3793874.html",
"https://www.handelsblatt.com/today/politics/election-risks-russia-linked-hackers-target-german-political-foundations/23569188.html?ticket=ST-2696734-GRHgtQukDIEXeSOwksXO-ap1",
"https://www.wired.com/story/russian-fancy-bears-hackers-release-apparent-ioc-emails/",
"https://unit42.paloaltonetworks.com/unit42-sofacy-attacks-multiple-government-entities/",
"https://www.reuters.com/article/us-sweden-doping/swedish-sports-body-says-anti-doping-unit-hit-by-hacking-attack-idUSKCN1IG2GN",
"https://www.bbc.co.uk/news/technology-45257081",
"https://unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/",
"https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/",
"https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf",
"https://www.washingtonpost.com/technology/2019/02/20/microsoft-says-it-has-found-another-russian-operation-targeting-prominent-think-tanks/?utm_term=.870ff11468ae",
"https://www.accenture.com/t20190213T141124Z__w__/us-en/_acnmedia/PDF-94/Accenture-SNAKEMACKEREL-Threat-Campaign-Likely-Targeting-NATO-Members-Defense-and-Military-Outlets.pdf",
"https://www.justice.gov/opa/pr/justice-department-announces-actions-disrupt-advanced-persistent-threat-28-botnet-infected",
"https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/",
"https://securelist.com/a-slice-of-2017-sofacy-activity/83930/",
"https://www.symantec.com/blogs/election-security/apt28-espionage-military-government",
"https://en.wikipedia.org/wiki/Fancy_Bear",
"https://attack.mitre.org/groups/G0007/"
],
"synonyms": [
"APT 28",
@ -2333,7 +2379,9 @@
"TAG_0700",
"Swallowtail",
"IRON TWILIGHT",
"Group 74"
"Group 74",
"SIG40",
"Grizzly Steppe"
]
},
"related": [
@ -2595,7 +2643,11 @@
"https://dragos.com/blog/crashoverride/CrashOverride-01.pdf",
"https://www.us-cert.gov/ncas/alerts/TA17-163A",
"https://ics.sans.org/blog/2016/01/09/confirmation-of-a-coordinated-attack-on-the-ukrainian-power-grid",
"https://www.cfr.org/interactive/cyber-operations/black-energy"
"https://www.cfr.org/interactive/cyber-operations/black-energy",
"https://www.symantec.com/connect/blogs/sandworm-windows-zero-day-vulnerability-being-actively-exploited-targeted-attacks",
"https://ics.sans.org/blog/2015/12/30/current-reporting-on-the-cyber-attack-in-ukraine-resulting-in-power-outage",
"https://blog.trendmicro.com/trendlabs-security-intelligence/timeline-of-sandworm-attacks/",
"https://attack.mitre.org/groups/G0034/"
],
"synonyms": [
"Sandworm Team",
@ -2603,7 +2655,8 @@
"BlackEnergy",
"Quedagh",
"Voodoo Bear",
"TEMP.Noble"
"TEMP.Noble",
"Iron Viking"
]
},
"related": [
@ -3005,6 +3058,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "50cd027f-df14-40b2-aa22-bf5de5061163",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "linked-to"
}
],
"uuid": "68391641-859f-4a9a-9a1e-3e5cf71ec376",
@ -3084,11 +3144,13 @@
"https://motherboard.vice.com/read/meet-babar-a-new-malware-almost-certainly-created-by-france",
"http://www.cyphort.com/evilbunny-malware-instrumented-lua/",
"http://www.cyphort.com/babar-suspected-nation-state-spyware-spotlight/",
"https://blog.gdatasoftware.com/blog/article/babar-espionage-software-finally-found-and-put-under-the-microscope.html",
"https://www.cfr.org/interactive/cyber-operations/snowglobe"
"https://www.gdatasoftware.com/blog/2015/02/24270-babar-espionage-software-finally-found-and-put-under-the-microscope",
"https://www.cfr.org/interactive/cyber-operations/snowglobe",
"https://resources.infosecinstitute.com/animal-farm-apt-and-the-shadow-of-france-intelligence/"
],
"synonyms": [
"Animal Farm"
"Animal Farm",
"Snowglobe"
]
},
"uuid": "3b8e7462-c83f-4e7d-9511-2fe430d80aab",
@ -3194,7 +3256,10 @@
"description": "ScarCruft is a relatively new APT group; victims have been observed in several countries, including Russia, Nepal, South Korea, China, India, Kuwait and Romania. The group has several ongoing operations utilizing multiple exploits — two for Adobe Flash and one for Microsoft Internet Explorer.",
"meta": {
"refs": [
"https://securelist.com/blog/research/75082/cve-2016-4171-adobe-flash-zero-day-used-in-targeted-attacks/"
"https://securelist.com/cve-2016-4171-adobe-flash-zero-day-used-in-targeted-attacks/75082/",
"https://securelist.com/operation-daybreak/75100/",
"https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/",
"https://threatpost.com/scarcruft-apt-group-used-latest-flash-zero-day-in-two-dozen-attacks/118642/"
],
"synonyms": [
"Operation Daybreak",
@ -3249,17 +3314,23 @@
"cfr-type-of-incident": "Espionage",
"country": "IN",
"refs": [
"https://securelist.com/blog/research/75328/the-dropping-elephant-actor/",
"http://www.symantec.com/connect/blogs/patchwork-cyberespionage-group-expands-targets-governments-wide-range-industries",
"https://blogs.forcepoint.com/security-labs/monsoon-analysis-apt-campaign",
"https://www.cymmetria.com/patchwork-targeted-attack/"
"https://www.cymmetria.com/patchwork-targeted-attack/",
"https://s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling_Patchwork.pdf",
"https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/",
"https://attack.mitre.org/groups/G0040/",
"https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf",
"https://securelist.com/the-dropping-elephant-actor/75328/",
"https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf"
],
"synonyms": [
"Chinastrats",
"Patchwork",
"Monsoon",
"Sarit",
"Quilted Tiger"
"Quilted Tiger",
"APT-C-09"
]
},
"related": [
@ -3282,13 +3353,14 @@
"value": "Dropping Elephant"
},
{
"description": "Scarlet Mimic is a threat group that has targeted minority rights activists. This group has not been directly linked to a government source, but the group's motivations appear to overlap with those of the Chinese government. While there is some overlap between IP addresses used by Scarlet Mimic and Putter Panda, it has not been concluded that the groups are the same.",
"description": "Scarlet Mimic is a threat group that has targeted minority rights activists. This group has not been directly linked to a government source, but the groups motivations appear to overlap with those of the Chinese government. While there is some overlap between IP addresses used by Scarlet Mimic and Putter Panda, APT 2, it has not been concluded that the groups are the same.\nThe attacks began over four years ago and their targeting pattern suggests that this adversarys primary mission is to gather information about minority rights activists. We do not have evidence directly linking these attacks to a government source, but the information derived from these activities supports an assessment that a group or groups with motivations similar to the stated position of the Chinese government in relation to these targets is involved.\nThe attacks we attribute to Scarlet Mimic have primarily targeted Uyghur and Tibetan activists as well as those who are interested in their causes. Both the Tibetan community and the Uyghurs, a Turkic Muslim minority residing primarily in northwest China, have been targets of multiple sophisticated attacks in the past decade. Both also have history of strained relationships with the government of the Peoples Republic of China (PRC), though we do not have evidence that links Scarlet Mimic attacks to the PRC.\nScarlet Mimic attacks have also been identified against government organizations in Russia and India, who are responsible for tracking activist and terrorist activities. While we do not know the precise target of each of the Scarlet Mimic attacks, many of them align to the patterns described above.",
"meta": {
"attribution-confidence": "50",
"country": "CN",
"refs": [
"https://attack.mitre.org/wiki/Groups",
"http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/"
"https://unit42.paloaltonetworks.com/scarlet-mimic-years-long-espionage-targets-minority-activists/",
"https://attack.mitre.org/groups/G0029/"
]
},
"related": [
@ -3309,8 +3381,9 @@
"attribution-confidence": "50",
"country": "BR",
"refs": [
"https://securelist.com/blog/research/73673/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/",
"https://attack.mitre.org/wiki/Groups"
"https://securelist.com/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/73673/",
"https://attack.mitre.org/wiki/Groups",
"https://attack.mitre.org/groups/G0033/"
]
},
"related": [
@ -3867,10 +3940,10 @@
"attribution-confidence": "50",
"country": "TR",
"refs": [
"https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/",
"https://www.virusbulletin.com/conference/vb2016/abstracts/last-minute-paper-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users",
"https://www.microsoft.com/security/blog/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/",
"https://attack.mitre.org/groups/G0055/"
"https://www.virusbulletin.com/conference/vb2016/abstracts/last-minute-paper-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users",
"https://attack.mitre.org/groups/G0055/",
"https://attack.mitre.org/groups/G0056/"
],
"synonyms": [
"StrongPity"
@ -3957,12 +4030,12 @@
"value": "Chafer"
},
{
"description": "The PassCV group continues to be one of the most successful and active threat groups that leverage a wide array of stolen Authenticode-signing certificates. Snorre Fagerland of Blue Coat Systems first coined the term PassCV in a blog post. His post provides a good introduction to the group and covers some of the older infrastructure, stolen code-signing certificate reuse, and other connections associated with the PassCV malware. There are several clues alluding to the possibility that multiple groups may be utilizing the same stolen signing certificates, but at this time SPEAR believes the current attacks are more likely being perpetrated by a single group employing multiple publicly available Remote Administration Tools (RATs). The PassCV group has been operating with continued success and has already started to expand their malware repertoire into different off-the-shelf RATs and custom code. SPEAR identified eighteen previously undisclosed stolen Authenticode certificates. These certificates were originally issued to companies and individuals scattered across China, Taiwan, Korea, Europe, the United States and Russia. In this post we expand the usage of the term PassCV to encompass the malware mentioned in the Blue Coat Systems report, as well as the APT group behind the larger C2 infrastructure and stolen Authenticode certificates. Wed like to share some of our findings as they pertain to the stolen certificates, command and control infrastructure, and some of the newer custom RATs theyve begun development on. ",
"description": "The PassCV group continues to be one of the most successful and active threat groups that leverage a wide array of stolen Authenticode-signing certificates. Snorre Fagerland of Blue Coat Systems first coined the term PassCV in a blog post. His post provides a good introduction to the group and covers some of the older infrastructure, stolen code-signing certificate reuse, and other connections associated with the PassCV malware. There are several clues alluding to the possibility that multiple groups may be utilizing the same stolen signing certificates, but at this time SPEAR believes the current attacks are more likely being perpetrated by a single group employing multiple publicly available Remote Administration Tools (RATs). The PassCV group has been operating with continued success and has already started to expand their malware repertoire into different off-the-shelf RATs and custom code. SPEAR identified eighteen previously undisclosed stolen Authenticode certificates. These certificates were originally issued to companies and individuals scattered across China, Taiwan, Korea, Europe, the United States and Russia. In this post we expand the usage of the term PassCV to encompass the malware mentioned in the Blue Coat Systems report, as well as the APT group behind the larger C2 infrastructure and stolen Authenticode certificates. Wed like to share some of our findings as they pertain to the stolen certificates, command and control infrastructure, and some of the newer custom RATs theyve begun development on.",
"meta": {
"attribution-confidence": "50",
"country": "CN",
"refs": [
"https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies"
"https://threatvector.cylance.com/en_us/home/digitally-signed-malware-targeting-gaming-companies.html"
]
},
"uuid": "ceae0bc4-eb5f-4184-b949-a6f7d6f0f965",
@ -4081,7 +4154,9 @@
"country": "IR",
"refs": [
"https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon",
"https://researchcenter.paloaltonetworks.com/2017/07/unit42-oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group/"
"https://unit42.paloaltonetworks.com/unit42-oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group/",
"https://threatpost.com/shamoon-collaborator-greenbug-adopts-new-communication-tool/125383/",
"https://www.clearskysec.com/greenbug/"
]
},
"related": [
@ -4187,7 +4262,7 @@
"value": "Infy"
},
{
"description": "Sima is a group of suspected Iranian origin targeting Iranians in diaspora.",
"description": "Sima is a group of suspected Iranian origin targeting Iranians in diaspora.\nIn February 2016, Iran-focused individuals received messages purporting to be from Human RightsWatch's (HRW) Emergencies Director, requesting that they read an article about Iran pressing Afghanr efugees to fight in Syria. While referencing a real report published by HRW, the links provided for the Directors biography and article directed the recipient to malware hosted elsewhere. These spear-phishing attempts represent an evolution of Iranian actors based on their social engineering tactics and narrow targeting. Although the messages still had minor grammatical and stylistic errors that would be obvious to a native speaker, the actors demonstrated stronger English-language proficiency than past intrusion sets and a deeper investment in background research prior to the attempt. The actors appropriated a real identity that would be expected to professionally interact with the subject, then offered validation through links to their biography and social media, the former of which itself was malware as well. The bait documents contained a real article relevant to their interests and topic referenced, and the message attempted to address to how it aligned with their professional research or field of employment. The referenced documents sent were malware binaries posing as legitimate files using the common right-to-left filenames tactic in order to conceal the actual file extension. All of these techniques, while common pretexting mechanisms, are a refinement compared to a tendency amongst other groups to simply continually send different forms of generic malware or phishing, in the hopes that one would eventually be successful.",
"meta": {
"attribution-confidence": "50",
"country": "IR",
@ -4378,7 +4453,8 @@
"meta": {
"refs": [
"http://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf",
"https://blogs.technet.microsoft.com/mmpc/2016/04/26/digging-deep-for-platinum/"
"https://blogs.technet.microsoft.com/mmpc/2016/04/26/digging-deep-for-platinum/",
"https://attack.mitre.org/groups/G0068/"
],
"synonyms": [
"TwoForOne"
@ -4991,9 +5067,12 @@
"value": "Kimsuki"
},
{
"description": "While investigating some of the smaller name servers that APT28/Sofacy routinely use to host their infrastructure, Cylance discovered another prolonged campaign that appeared to exclusively target Japanese companies and individuals that began around August 2016. The later registration style was eerily close to previously registered APT28 domains, however, the malware used in the attacks did not seem to line up at all. During the course of our investigation, JPCERT published this analysis of one of the groups backdoors. Cylance tracks this threat group internally as Snake Wine.\nThe Snake Wine group has proven to be highly adaptable and has continued to adopt new tactics in order to establish footholds inside victim environments. The exclusive interest in Japanese government, education, and commerce will likely continue into the future as the group is just starting to build and utilize their existing current attack infrastructure.",
"meta": {
"refs": [
"https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html"
"https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html",
"https://threatvector.cylance.com/en_us/home/the-deception-project-a-new-japanese-centric-threat.html",
"https://www.jpcert.or.jp/magazine/acreport-ChChes.html"
]
},
"uuid": "7b6ba207-94de-4f94-bc7f-52cd0dafade5",
@ -5515,7 +5594,10 @@
"http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html",
"https://twitter.com/mstoned7/status/966126706107953152",
"https://www.cfr.org/interactive/cyber-operations/apt-37",
"https://www.bleepingcomputer.com/news/security/report-ties-north-korean-attacks-to-new-malware-linked-by-word-macros/"
"https://www.bleepingcomputer.com/news/security/report-ties-north-korean-attacks-to-new-malware-linked-by-word-macros/",
"https://unit42.paloaltonetworks.com/unit42-freemilk-highly-targeted-spear-phishing-campaign/",
"https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html",
"https://attack.mitre.org/groups/G0067/"
],
"synonyms": [
"APT 37",
@ -5528,7 +5610,8 @@
"Ricochet Chollima",
"StarCruft",
"Operation Daybreak",
"Operation Erebus."
"Operation Erebus",
"Venus 121"
]
},
"related": [
@ -5545,6 +5628,13 @@
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "68391641-859f-4a9a-9a1e-3e5cf71ec376",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "linked-to"
}
],
"uuid": "50cd027f-df14-40b2-aa22-bf5de5061163",
@ -5652,7 +5742,8 @@
"description": "Symantec has identified a previously unknown group called Orangeworm that has been observed installing a custom backdoor called Trojan.Kwampirs within large international corporations that operate within the healthcare sector in the United States, Europe, and Asia.\nFirst identified in January 2015, Orangeworm has also conducted targeted attacks against organizations in related industries as part of a larger supply-chain attack in order to reach their intended victims. Known victims include healthcare providers, pharmaceuticals, IT solution providers for healthcare and equipment manufacturers that serve the healthcare industry, likely for the purpose of corporate espionage.",
"meta": {
"refs": [
"https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia"
"https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia",
"https://attack.mitre.org/groups/G0071/"
]
},
"uuid": "35d71626-4794-11e8-b74d-bbcbe48fee3c",
@ -6036,11 +6127,14 @@
"cfr-type-of-incident": "Espionage",
"country": "CN",
"refs": [
"https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/",
"https://www.cfr.org/interactive/cyber-operations/rancor"
"https://unit42.paloaltonetworks.com/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/",
"https://www.cfr.org/interactive/cyber-operations/rancor",
"https://attack.mitre.org/groups/G0075/"
],
"synonyms": [
"Rancor group"
"Rancor group",
"Rancor",
"Rancor Group"
]
},
"uuid": "79c7c7e0-79d5-11e8-9b9c-1ff96be20c0b",
@ -6152,7 +6246,7 @@
"value": "TempTick"
},
{
"description": "This threat actor uses spear-phishing techniques to target parliaments, government ministries, academics, and media organizations, primarily in the Middle East, for the purpose of espionage.",
"description": "This threat actor uses spear-phishing techniques to target parliaments, government ministries, academics, and media organizations, primarily in the Middle East, for the purpose of espionage.\nBased on our findings, we believe the attackers represent a previously unknown geopolitically motivated threat actor. The campaign started in 2017, with the attackers doing just enough to achieve their goals. They most likely have access to additional tools when needed and appear to have access to an elaborate database of contacts in sensitive organizations and personnel worldwide, especially of vulnerable and non-trained staff. The victim systems range from personal desktop or laptop systems to large servers with domain controller roles or similar. The nature of the targeted ministries varied, including those responsible for telecommunications, health, energy, justice, finance and so on.\nOperation Parliament appears to be another symptom of escalating tensions in the Middle East region. The attackers have taken great care to stay under the radar, imitating another attack group in the region. They have been particularly careful to verify victim devices before proceeding with the infection, safeguarding their command and control servers. The targeting seems to have slowed down since the beginning of 2018, probably winding down when the desired data or access was obtained. The targeting of specific victims is unlike previously seen behavior in regional campaigns by Gaza Cybergang or Desert Falcons and points to an elaborate information-gathering exercise that was carried out before the attacks (physical and/or digital).\nWith deception and false flags increasingly being employed by threat actors, attribution is a hard and complicated task that requires solid evidence, especially in complex regions such as the Middle East.",
"meta": {
"attribution-confidence": "50",
"cfr-suspected-state-sponsor": "Unknown",
@ -6192,7 +6286,8 @@
"cfr-type-of-incident": "Espionage",
"refs": [
"https://www.cfr.org/interactive/cyber-operations/operation-parliament",
"https://securelist.com/operation-parliament-who-is-doing-what/85237/"
"https://securelist.com/operation-parliament-who-is-doing-what/85237/",
"https://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html"
]
},
"uuid": "e20e8eb8-a6b4-11e8-8a92-6ba6e7540c6d",
@ -6783,11 +6878,14 @@
"value": "Cold River"
},
{
"description": "a relatively new threat actor thats been operating since mid-2016",
"description": "a relatively new threat actor thats been operating since mid-2016\nGroup-IB has exposed the attacks committed by Silence cybercriminal group. While the gang had previously targeted Russian banks, Group-IB experts also have discovered evidence of the group's activity in more than 25 countries worldwide. Group-IB has published its first detailed report on tactics and tools employed by Silence. Group-IB security analysts' hypothesis is that at least one of the gang members appears to be a former or current employee of a cyber security company. The confirmed damage from Silence activity is estimated at 800 000 USD.\nSilence is a group of Russian-speaking hackers, based on their commands language, the location of infrastructure they used, and the geography of their targets (Russia, Ukraine, Belarus, Azerbaijan, Poland, and Kazakhstan). Although phishing emails were also sent to bank employees in Central and Western Europe, Africa, and Asia). Furthermore, Silence used Russian words typed on an English keyboard layout for the commands of the employed backdoor. The hackers also used Russian-language web hosting services.",
"meta": {
"refs": [
"https://reaqta.com/2019/01/silence-group-targeting-russian-banks/"
]
"https://reaqta.com/2019/01/silence-group-targeting-russian-banks/",
"https://www.group-ib.com/blog/silence",
"https://securelist.com/the-silence/83009/"
],
"synonyms": "Silence"
},
"uuid": "0d5e17fd-7a71-47fd-b4bc-867cdb833726",
"value": "Silence group"
@ -7054,7 +7152,7 @@
"value": "Whitefly"
},
{
"description": " This blog post discusses the technical details of a state-sponsored attack manipulating DNS systems. While this incident is limited to targeting primarily national security organizations in the Middle East and North Africa, and we do not want to overstate the consequences of this specific campaign, we are concerned that the success of this operation will lead to actors more broadly attacking the global DNS system. DNS is a foundational technology supporting the Internet. Manipulating that system has the potential to undermine the trust users have on the internet. That trust and the stability of the DNS system as a whole drives the global economy. Responsible nations should avoid targeting this system, work together to establish an accepted global norm that this system and the organizations that control it are off-limits, and cooperate in pursuing those actors who act irresponsibly by targeting this system.",
"description": "This blog post discusses the technical details of a state-sponsored attack manipulating DNS systems. While this incident is limited to targeting primarily national security organizations in the Middle East and North Africa, and we do not want to overstate the consequences of this specific campaign, we are concerned that the success of this operation will lead to actors more broadly attacking the global DNS system. DNS is a foundational technology supporting the Internet. Manipulating that system has the potential to undermine the trust users have on the internet. That trust and the stability of the DNS system as a whole drives the global economy. Responsible nations should avoid targeting this system, work together to establish an accepted global norm that this system and the organizations that control it are off-limits, and cooperate in pursuing those actors who act irresponsibly by targeting this system.",
"meta": {
"refs": [
"https://blog.talosintelligence.com/2019/04/seaturtle.html"
@ -7221,6 +7319,37 @@
},
"uuid": "e502802e-8d0a-11e9-bd72-9f046529b3fd",
"value": "Lucky Cat"
},
{
"description": "There are several groups actively and profitably targeting businesses in Russia. A trend that we have seen unfold before our eyes lately is these cybercriminals use of simple backdoors to gain a foothold in their targets networks. Once they have this access, a lot of the work is done manually, slowly getting to understand the network layout and deploying custom tools the criminals can use to steal funds from these entities. Some of the groups that best exemplify these trends are Buhtrap, Cobalt and Corkow.\nThe group discussed in this white paper is part of this new trend. We call this new group RTM; it uses custom malware, written in Delphi, that we cover in detail in later sections. The first trace of this tool in our telemetry data dates back to late 2015. The group also makes use of several different modules that they deploy where appropriate to their targets. They are interested in users of remote banking systems (RBS), mainly in Russia and neighboring countries.",
"meta": {
"refs": [
"https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf",
"https://attack.mitre.org/groups/G0048/"
]
},
"uuid": "88100602-8e8b-11e9-bb7c-1bf20b58e305",
"value": "RTM"
},
{
"description": "Shadows in the Cloud documents a complex ecosystem of cyber espionage that systematically compromised government, business, academic, and other computer network systems in India, the Offices of the Dalai Lama, the United Nations, and several other countries. The report also contains an analysis of data which were stolen from politically sensitive targets and recovered during the course of the investigation. These include documents from the Offices of the Dalai Lama and agencies of the Indian national security establishment. Data containing sensitive information on citizens of numerous third-party countries, as well as personal, financial, and business information, were also exfiltrated and recovered during the course of the investigation. The report analyzes the malware ecosystem employed by the Shadows attackers, which leveraged multiple redundant cloud computing systems, social networking platforms, and free web hosting services in order to maintain persistent control while operating core servers located in the Peoples Republic of China (PRC). Although the identity and motivation of the attackers remain unknown, the report is able to determine the location (Chengdu, PRC) as well as some of the associations of the attackers through circumstantial evidence. The investigation is the product of an eight month, collaborative activity between the Information Warfare Monitor (Citizen Lab and SecDev) and the Shadowserver Foundation. The investigation employed a fusion methodology, combining technical interrogation techniques, data analysis, and field research, to track and uncover the Shadow cyber espionage network.",
"meta": {
"refs": [
"https://citizenlab.ca/wp-content/uploads/2017/05/shadows-in-the-cloud.pdf"
]
},
"uuid": "ef800f1c-8e90-11e9-972c-53e01614f101",
"value": "Shadow Network"
},
{
"description": "While analysing an incident which involved a suspected keylogger, we identified a malicious library able to interact with a virtual file system, which is usually the sign of an advanced APT actor. This turned out to be a malicious loader internally named Slingshot, part of a new, and highly sophisticated attack platform that rivals Project Sauron and Regin in complexity.\nWhile for most victims the infection vector for Slingshot remains unknown, we were able to find several cases where the attackers got access to MikroTik routers and placed a component downloaded by Winbox Loader, a management suite for MikroTik routers. In turn, this infected the administrator of the router.\nWe believe this cluster of activity started in at least 2012 and was still active at the time of this analysis (February 2018).",
"meta": {
"refs": [
"https://securelist.com/apt-slingshot/84312/"
]
},
"uuid": "4fcbd08a-8ea6-11e9-8bf2-970182ab6bb5",
"value": "Slingshot"
}
],
"version": 114