From b72868b6cd2cde73c0134f99c9190b782728d88c Mon Sep 17 00:00:00 2001 From: Mathieu Beligon Date: Wed, 6 Dec 2023 17:42:33 -0800 Subject: [PATCH 01/12] [threat-actors] Add UNC2717 --- clusters/threat-actor.json | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 4a31f36..4ec3dc0 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -13639,6 +13639,18 @@ }, "uuid": "5e32baed-f4b5-4149-8540-7515ad8c4dc0", "value": "Daixin Team" + }, + { + "description": "UNC2717 is a threat actor that engages in espionage activities aligned with Chinese government priorities. They demonstrate advanced tradecraft and take measures to avoid detection, making it challenging for network defenders to identify their tools and intrusion methods. UNC2717, along with other Chinese APT actors, has been observed stealing credentials, email communications, and intellectual property. They have targeted global government agencies using malware such as HARDPULSE, QUIETPULSE, and PULSEJUMP.", + "meta": { + "country": "CN", + "refs": [ + "https://www.fireeye.com/blog/threat-research/2021/05/updates-on-chinese-apt-compromising-pulse-secure-vpn-devices.html", + "http://internal-www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html" + ] + }, + "uuid": "f1d90b54-4821-41ff-8e07-ac650e0454b7", + "value": "UNC2717" } ], "version": 295 From 69a94b6c1e7aa8f5defea991f0b8a9c38ea1579e Mon Sep 17 00:00:00 2001 From: Mathieu Beligon Date: Wed, 6 Dec 2023 17:42:33 -0800 Subject: [PATCH 02/12] [threat-actors] Add UNC2659 --- clusters/threat-actor.json | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 4ec3dc0..bba0fb6 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
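Review bot: The second ref added for UNC2717, `http://internal-www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html`, points at an internal hostname over plain HTTP, so consumers of the galaxy cannot resolve it. The sibling ref in the same array uses the public `https://www.fireeye.com/` host, and the same path under that host is presumably the published article; replace the internal URL with `https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html` after confirming it resolves. The entry also overlaps heavily with the UNC2630 entry added later in this series (same two refs, same Pulse Secure campaign); a `related` link between the two clusters would make that connection queryable rather than implicit.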
@@ -13651,6 +13651,16 @@ }, "uuid": "f1d90b54-4821-41ff-8e07-ac650e0454b7", "value": "UNC2717" + }, + { + "description": "UNC2659 has been active since at least January 2021. We have observed the threat actor move through the whole attack lifecycle in under 10 days. UNC2659 is notable given their use of an exploit in the SonicWall SMA100 SSL VPN product, which has since been patched by SonicWall. The threat actor appeared to download several tools used for various phases of the attack lifecycle directly from those tools’ legitimate public websites.", + "meta": { + "refs": [ + "http://internal-www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html" + ] + }, + "uuid": "697cb051-5315-4026-bf4c-553b49f817a9", + "value": "UNC2659" } ], "version": 295 From 3719022d914ec32eaffde53f8a30a46e6e5b46c6 Mon Sep 17 00:00:00 2001 From: Mathieu Beligon Date: Wed, 6 Dec 2023 17:42:33 -0800 Subject: [PATCH 03/12] [threat-actors] Add AeroBlade --- clusters/threat-actor.json | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index bba0fb6..2ddefc6 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
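Review bot: The only ref for UNC2659 is `http://internal-www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html`, an internal host that public consumers cannot reach, so the entry ships with no usable source; point it at the `https://www.fireeye.com/` counterpart of the same path after confirming it resolves. The description also keeps the vendor's first-person voice (`We have observed the threat actor move through the whole attack lifecycle in under 10 days`); rewrite it as `Mandiant has observed the threat actor move through the whole attack lifecycle in under 10 days` so the claim is attributed rather than stated by the galaxy itself. The ref's slug concerns DarkSide ransomware operations, which the description never mentions; if the source covers UNC2659 as a DarkSide affiliate, a `related` entry to the DarkSide cluster (if one exists) would be worth adding — confirm against the article.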
@@ -13661,6 +13661,16 @@ }, "uuid": "697cb051-5315-4026-bf4c-553b49f817a9", "value": "UNC2659" + }, + { + "description": "AeroBlade is a previously unknown threat actor that has been targeting an aerospace organization in the United States. Their objective appears to be conducting commercial and competitive cyber espionage. They employ spear-phishing as a delivery mechanism, using weaponized documents with embedded remote template injection techniques and malicious VBA macro code. The attacks have been ongoing since September 2022, with multiple phases identified in the attack chain. The origin and precise objective of AeroBlade remain unknown.", + "meta": { + "refs": [ + "https://blogs.blackberry.com/en/2023/11/aeroblade-on-the-hunt-targeting-us-aerospace-industry" + ] + }, + "uuid": "47739f40-c80c-435a-bedc-0d2b38e87ddc", + "value": "AeroBlade" } ], "version": 295 From 668fb80aec1efd0011d52aa8f669ec563fb0d766 Mon Sep 17 00:00:00 2001 From: Mathieu Beligon Date: Wed, 6 Dec 2023 17:42:33 -0800 Subject: [PATCH 04/12] [threat-actors] Add WIP19 --- clusters/threat-actor.json | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 2ddefc6..3e923fe 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
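Review bot: The AeroBlade description contradicts itself: it states `Their objective appears to be conducting commercial and competitive cyber espionage` and then closes with `The origin and precise objective of AeroBlade remain unknown`. Keep the assessment hedged once, e.g. `Their objective appears to be commercial and competitive cyber espionage, although the group's origin and precise goals remain unknown.` Omitting `country` is the right call given that uncertainty, so leave it absent rather than guessing.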
@@ -13671,6 +13671,17 @@ }, "uuid": "47739f40-c80c-435a-bedc-0d2b38e87ddc", "value": "AeroBlade" + }, + { + "description": "WIP19 is a Chinese-speaking threat group involved in espionage targeting the Middle East and Asia. They utilize a stolen certificate to sign their malware, including SQLMaggie, ScreenCap, and a credential dumper. The group has been observed targeting telecommunications and IT service providers, using toolsets authored by WinEggDrop. WIP19's activities suggest they are after specific information and are part of the broader Chinese espionage landscape.", + "meta": { + "country": "CN", + "refs": [ + "https://www.sentinelone.com/labs/wip19-espionage-new-chinese-apt-targets-it-service-providers-and-telcos-with-signed-malware/" + ] + }, + "uuid": "21bb2dab-4125-4ae8-8966-c7381659e180", + "value": "WIP19" } ], "version": 295 From ebd216e31597dcac18897b51f3170262fc786077 Mon Sep 17 00:00:00 2001 From: Mathieu Beligon Date: Wed, 6 Dec 2023 17:42:33 -0800 Subject: [PATCH 05/12] [threat-actors] Add UNC2447 --- clusters/threat-actor.json | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 3e923fe..51b059a 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
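Review bot: `"country": "CN"` asserts origin, but the description's opening only supports `Chinese-speaking`, which is a language indicator rather than an attribution; the sentence the field actually rests on is the closing `part of the broader Chinese espionage landscape`. Make that basis explicit, e.g. `WIP19 is a Chinese-speaking threat group, assessed to be part of the broader Chinese espionage landscape, involved in ...`, so the country tag and the prose agree. The stolen code-signing certificate is the detection-relevant detail here; if the galaxies have clusters for `SQLMaggie` or `ScreenCap`, `related` links would let analysts pivot from the signed samples to this actor.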
@@ -13682,6 +13682,19 @@ }, "uuid": "21bb2dab-4125-4ae8-8966-c7381659e180", "value": "WIP19" + }, + { + "description": "UNC2447 is a financially motivated threat actor with ties to multiple hacker groups. They have been observed deploying ransomware, including FiveHands and Hello Kitty, and engaging in double extortion tactics. They have been active since at least May 2020 and target organizations in Europe and North America.", + "meta": { + "refs": [ + "https://www.esentire.com/blog/hacker-infrastructure-used-in-cisco-breach-discovered-attacking-a-top-workforce-management-corporation-russias-evil-corp-gang-suspected-reports-esentire", + "https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html", + "http://internal-www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html", + "https://www.rewterz.com/rewterz-news/rewterz-threat-alert-financially-motivated-aggressive-group-carrying-out-ransomware-campaigns-active-iocs" + ] + }, + "uuid": "590ecec6-4047-4d0f-9143-2e367700423d", + "value": "UNC2447" } ], "version": 295 From 79210345d06d13299942fe55d0f644511afeaf8e Mon Sep 17 00:00:00 2001 From: Mathieu Beligon Date: Wed, 6 Dec 2023 17:42:33 -0800 Subject: [PATCH 06/12] [threat-actors] Add RomCom aliases --- clusters/threat-actor.json | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 51b059a..2820e30 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
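Review bot: The third ref, `http://internal-www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html`, is an internal host over plain HTTP, yet it is the primary source for the FiveHands and May-2020 claims in the description, so the one ref that matters most is unreachable. Replace it with the `https://www.fireeye.com/` form of the same path after confirming it resolves. The description's `ties to multiple hacker groups` is vague while the refs name specifics (the eSentire title points at Evil Corp, the description names `Hello Kitty`); if clusters for those exist, `related` entries would be more useful than leaving the ties implicit.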
@@ -11185,11 +11185,19 @@ "value": "APT-C-60" }, { - "description": "RomCom", + "description": "ROMCOM is an evolving and sophisticated threat actor group that has been using the malware tool ROMCOM for espionage and financially motivated attacks. They have targeted organizations in Ukraine and NATO countries, including military personnel, government agencies, and political leaders. The ROMCOM backdoor is capable of stealing sensitive information and deploying other malware, showcasing the group's adaptability and growing sophistication.", "meta": { "refs": [ "https://blogs.blackberry.com/en/2022/11/romcom-spoofing-solarwinds-keepass", - "https://blogs.blackberry.com/en/2022/10/unattributed-romcom-threat-actor-spoofing-popular-apps-now-hits-ukrainian-militaries" + "https://blogs.blackberry.com/en/2022/10/unattributed-romcom-threat-actor-spoofing-popular-apps-now-hits-ukrainian-militaries", + "https://www.trendmicro.com/en_us/research/23/j/void-rabisu-targets-female-leaders-with-new-romcom-variant.html", + "https://labs.k7computing.com/index.php/romcom-rat-not-your-typical-love-story/", + "https://blogs.blackberry.com/en/2023/07/decoding-romcom-behaviors-and-opportunities-for-detection", + "https://www.trendmicro.com/en_us/research/23/e/void-rabisu-s-use-of-romcom-backdoor-shows-a-growing-shift-in-th.html" + ], + "country": "RU", + "synonyms": [ + "Storm-0978" ] }, "uuid": "ba9e1ed2-e142-48d0-a593-f73ac6d59ccd", From d155f1e05d013e3629e3cfed419a163ec1f097a2 Mon Sep 17 00:00:00 2001 From: Mathieu Beligon Date: Wed, 6 Dec 2023 17:42:33 -0800 Subject: [PATCH 07/12] [threat-actors] Add UNC215 --- clusters/threat-actor.json | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 2820e30..859eefc 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
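Review bot: Two of the newly added refs are Trend Micro posts titled with `Void Rabisu`, Trend Micro's name for this actor, yet `synonyms` lists only `Storm-0978`; add `"Void Rabisu"` to the synonyms array so lookups by that name resolve to this cluster. `"country": "RU"` is asserted without qualification while the BlackBerry refs in the same array describe the actor as unattributed; if RU rests on the later Trend Micro or Microsoft reporting, say so in the description, otherwise hedge or drop the field. Also check that no separate Storm-0978 or Void Rabisu cluster already exists elsewhere in the file, which would turn this alias addition into a duplicate.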
@@ -13703,6 +13703,18 @@ }, "uuid": "590ecec6-4047-4d0f-9143-2e367700423d", "value": "UNC2447" + }, + { + "description": "UNC215 is a Chinese nation-state threat actor that has been active since at least 2014. They have targeted organizations in various sectors, including government, technology, telecommunications, defense, finance, entertainment, and healthcare. UNC215 has been observed using tools such as Mimikatz, FOCUSFJORD, and HYPERBRO for initial access and post-compromise activities. They have demonstrated a focus on evading detection and have employed tactics such as using trusted third parties, minimizing forensic evidence, and incorporating false flags. UNC215's targets are located globally, with a particular focus on the Middle East, Europe, Asia, and North America.", + "meta": { + "country": "CN", + "refs": [ + "https://www.esentire.com/security-advisories/ransomware-hackers-attack-a-top-safety-testing-org-using-tactics-and-techniques-borrowed-from-chinese-espionage-groups", + "https://www.fireeye.com/blog/threat-research/2021/08/unc215-chinese-espionage-campaign-in-israel.html" + ] + }, + "uuid": "9795249f-8954-4632-830f-7e1f0ebc1dd5", + "value": "UNC215" } ], "version": 295 From cf7cdcbc2b8ae871719e320740c6b8cf5c5718d2 Mon Sep 17 00:00:00 2001 From: Mathieu Beligon Date: Wed, 6 Dec 2023 17:42:33 -0800 Subject: [PATCH 08/12] [threat-actors] Add DEV-0569 --- clusters/threat-actor.json | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 859eefc..de7435e 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
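Review bot: The sentence `using tools such as Mimikatz, FOCUSFJORD, and HYPERBRO for initial access and post-compromise activities` lumps a credential-dumping tool in with initial-access tooling; Mimikatz is post-compromise credential theft, so phrase it as `using FOCUSFJORD and HYPERBRO for access and persistence, and Mimikatz for post-compromise credential theft`. The first ref is an eSentire advisory about a ransomware intrusion borrowing tactics from Chinese espionage groups; if it does not actually attribute activity to UNC215 it is a weak citation for this entry — confirm, and either drop it or reorder so the Mandiant UNC215 report leads the array.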
@@ -13715,6 +13715,19 @@ }, "uuid": "9795249f-8954-4632-830f-7e1f0ebc1dd5", "value": "UNC215" + }, + { + "description": "DEV-0569, also known as Storm-0569, is a threat actor group that has been observed deploying the Royal ransomware. They utilize malicious ads and phishing techniques to distribute malware and gain initial access to networks. The group has been linked to the distribution of payloads such as Batloader and has forged relationships with other threat actors. DEV-0569 has targeted various sectors, including healthcare, communications, manufacturing, and education in the United States and Brazil.", + "meta": { + "refs": [ + "https://www.microsoft.com/en-us/security/blog/2022/11/17/dev-0569-finds-new-ways-to-deliver-royal-ransomware-various-payloads/" + ], + "synonyms": [ + "Storm-0569" + ] + }, + "uuid": "e883458d-496f-4a94-b916-4b7b83e3d525", + "value": "DEV-0569" } ], "version": 295 From 228bbcc21ded437101f2a6a91a125c4b39e2fb19 Mon Sep 17 00:00:00 2001 From: Mathieu Beligon Date: Wed, 6 Dec 2023 17:42:33 -0800 Subject: [PATCH 09/12] [threat-actors] Add UAC-0118 --- clusters/threat-actor.json | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index de7435e..9e8a144 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
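Review bot: `synonyms` carries `Storm-0569`, but the only ref predates that designation and uses DEV-0569 throughout, so the synonym has no supporting source in the entry; add a ref that documents the Storm-0569 name. The description ties the actor to `Royal ransomware` and `Batloader` in prose only; if clusters for those exist in the galaxies, `related` links would make the relationship machine-readable. Consider also stating in the description which of the two names is current, since both appear as the entry's value and its alias.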
@@ -13728,6 +13728,22 @@ }, "uuid": "e883458d-496f-4a94-b916-4b7b83e3d525", "value": "DEV-0569" + }, + { + "description": "From Russia with Love, is a threat actor group that emerged during the Russia-Ukraine war in 2022. They primarily engage in DDoS attacks and have targeted critical infrastructure, media, energy, and government entities. FRwL has been linked to the use of the Somnia ransomware, which they employ as a wiper rather than for financial gain. While there is no direct evidence linking FRwL to the Russian Main Intelligence Directorate, it is possible that they coordinate activities with state-aligned hacktivist groups.", + "meta": { + "refs": [ + "https://socprime.com/blog/somnia-malware-detection-uac-0118-aka-frwl-launches-cyber-attacks-against-organizations-in-ukraine-using-enhanced-malware-strains/", + "https://spixnet.at/cybersecurity-blog/2022/11/15/russian-hacktivists-hit-ukrainian-orgs-with-ransomware-but-no-ransom-demands/", + "https://outpost24.com/blog/ics-attack-classifications/" + ], + "synonyms": [ + "FRwL", + "FromRussiaWithLove" + ] + }, + "uuid": "d869486a-ec70-4a74-897e-31aa7b3df48d", + "value": "UAC-0118" } ], "version": 295 From 47f0b31a320a041e18d709810429dc26db3a00b4 Mon Sep 17 00:00:00 2001 From: Mathieu Beligon Date: Wed, 6 Dec 2023 17:42:33 -0800 Subject: [PATCH 10/12] [threat-actors] Add UAC-0050 --- clusters/threat-actor.json | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 9e8a144..3d2a291 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
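Review bot: The description opens with `From Russia with Love, is a threat actor group`, which has a stray comma and never names the entry's own value `UAC-0118`, so a reader of the description alone cannot tell which designation it belongs to; start it as `UAC-0118, also known as From Russia with Love (FRwL), is a threat actor group that emerged during the Russia-Ukraine war in 2022.` The `Somnia ransomware, which they employ as a wiper rather than for financial gain` detail is the defender-relevant point and reads well. Omitting `country` is consistent with the explicit `no direct evidence` hedge; keep it absent unless a ref attributes the group.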
@@ -13744,6 +13744,19 @@ }, "uuid": "d869486a-ec70-4a74-897e-31aa7b3df48d", "value": "UAC-0118" + }, + { + "description": "UAC-0050 is a threat actor that has been active since 2020, targeting government agencies in Ukraine. They have been distributing the Remcos RAT malware through phishing campaigns, using tactics such as impersonating the Security Service of Ukraine and sending emails with malicious attachments. The group has also been linked to other hacking collectives, such as UAC-0096, and has previously used remote administration tools like Remote Utilities. The motive behind their attacks is likely espionage.", + "meta": { + "refs": [ + "https://cert.gov.ua/article/3931296", + "https://socprime.com/blog/remcos-rat-detection-uac-0050-hackers-launch-phishing-attacks-impersonating-the-security-service-of-ukraine/", + "https://socprime.com/blog/new-phishing-attack-detection-attributed-to-the-uac-0050-and-uac-0096-groups-spreading-remcos-spyware/", + "https://cert.gov.ua/article/3804703" + ] + }, + "uuid": "e3ff56b6-2663-46bd-9e5c-017a350896d9", + "value": "UAC-0050" } ], "version": 295 From fdac01cd89ad165dedf785735f5cfcfc4be6de0a Mon Sep 17 00:00:00 2001 From: Mathieu Beligon Date: Wed, 6 Dec 2023 17:42:33 -0800 Subject: [PATCH 11/12] [threat-actors] Add UNC2630 --- clusters/threat-actor.json | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 3d2a291..09fa9a8 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
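Review bot: The description says the group `has also been linked to other hacking collectives, such as UAC-0096`, but that relationship is prose-only; if a UAC-0096 cluster exists, add a `related` entry pointing at it, otherwise state what the link is (shared infrastructure, shared payload) so the claim is checkable. The two CERT-UA articles are the primary sources here and should lead the refs array ahead of the SOC Prime write-ups that summarise them. The `Remcos RAT` and `Remote Utilities` mentions are the actionable detection detail; linking them to tool clusters, where present, would help analysts pivot.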
@@ -13757,6 +13757,18 @@ }, "uuid": "e3ff56b6-2663-46bd-9e5c-017a350896d9", "value": "UAC-0050" + }, + { + "description": "UNC2630 is a threat actor believed to be affiliated with the Chinese government. They engage in cyber espionage activities, targeting organizations aligned with Beijing's strategic objectives. UNC2630 demonstrates advanced tradecraft and employs various malware families, including SLOWPULSE and RADIALPULSE, to compromise Pulse Secure VPN appliances. They also utilize modified binaries and scripts to maintain persistence and move laterally within compromised networks.", + "meta": { + "country": "CN", + "refs": [ + "https://www.fireeye.com/blog/threat-research/2021/05/updates-on-chinese-apt-compromising-pulse-secure-vpn-devices.html", + "http://internal-www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html" + ] + }, + "uuid": "86dfe64e-7101-4d45-bb94-efc40c5e14fe", + "value": "UNC2630" } ], "version": 295 From 6f3b85399b7858a60fed2ca3201caa933bb00f9a Mon Sep 17 00:00:00 2001 From: Mathieu Beligon Date: Wed, 6 Dec 2023 17:59:16 -0800 Subject: [PATCH 12/12] [threat-actors] jq --- clusters/threat-actor.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 09fa9a8..b7434c9 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
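Review bot: None of the twelve patches bump the galaxy `version`, which stays at `295` in the trailing context of this hunk and of every other hunk in the series, so MISP instances that already hold version 295 will not pull the ten new clusters or the RomCom changes; increment it to `"version": 296` in this last content commit or in the jq commit that follows. The second ref again uses the `http://internal-www.fireeye.com/` host, which public consumers cannot resolve; replace it with the `https://www.fireeye.com/` form of the same path after confirming it resolves. The entry shares both refs and the Pulse Secure campaign with the UNC2717 entry added earlier in this series, so a `related` link between the two would capture that overlap explicitly.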
@@ -11187,6 +11187,7 @@ { "description": "ROMCOM is an evolving and sophisticated threat actor group that has been using the malware tool ROMCOM for espionage and financially motivated attacks. They have targeted organizations in Ukraine and NATO countries, including military personnel, government agencies, and political leaders. The ROMCOM backdoor is capable of stealing sensitive information and deploying other malware, showcasing the group's adaptability and growing sophistication.", "meta": { + "country": "RU", "refs": [ "https://blogs.blackberry.com/en/2022/11/romcom-spoofing-solarwinds-keepass", "https://blogs.blackberry.com/en/2022/10/unattributed-romcom-threat-actor-spoofing-popular-apps-now-hits-ukrainian-militaries", @@ -11195,7 +11196,6 @@ "https://blogs.blackberry.com/en/2023/07/decoding-romcom-behaviors-and-opportunities-for-detection", "https://www.trendmicro.com/en_us/research/23/e/void-rabisu-s-use-of-romcom-backdoor-shows-a-growing-shift-in-th.html" ], - "country": "RU", "synonyms": [ "Storm-0978" ]