From af6241fd20e5809a28a45a9598bde8a7962bf770 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Mon, 27 May 2019 11:47:05 +0200
Subject: [PATCH 1/5] update Anchor Panda Threat Actor
---
 clusters/rat.json | 29 ++++------------------------
 clusters/threat-actor.json | 39 +++++++++++++++++++++++++++++++++++++-
 clusters/tool.json | 34 +++++++++++----------------------
 3 files changed, 53 insertions(+), 49 deletions(-)
diff --git a/clusters/rat.json b/clusters/rat.json
index d32547a1..c22ebfe3 100644
--- a/clusters/rat.json
+++ b/clusters/rat.json
@@ -93,32 +93,11 @@
 },
 "related": [
 {
- "dest-uuid": "b42378e0-f147-496f-992a-26a49705395b",
+ "dest-uuid": "c82c904f-b3b4-40a2-bf0d-008912953104",
 "tags": [
 "estimative-language:likelihood-probability=\"likely\""
 ],
- "type": "similar"
- },
- {
- "dest-uuid": "2abe89de-46dd-4dae-ae22-b49a593aff54",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "e336aeba-b61a-44e0-a0df-cd52a5839db5",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
+ "type": "used-by"
 }
 ],
 "uuid": "4e104fef-8a2c-4679-b497-6e86d7d47db0",
@@ -669,11 +648,11 @@
 },
 "related": [
 {
- "dest-uuid": "225fa6cf-dc9c-4b86-873b-cdf1d9dd3738",
+ "dest-uuid": "c82c904f-b3b4-40a2-bf0d-008912953104",
 "tags": [
 "estimative-language:likelihood-probability=\"likely\""
 ],
- "type": "similar"
+ "type": "used-by"
 }
 ],
 "uuid": "255a59a7-db2d-44fc-9ca9-5859b65817c3",
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index f8a872cf..2bd85677 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
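Review bot: The `used-by` edge is added by overwriting the existing `related` list rather than appending to it, so the four `similar` cross-references (b42378e0…, 2abe89de…, e336aeba…, 7789fc1b…) disappear from this RAT entry, and the second hunk does the same to the 225fa6cf… link on 255a59a7…. Patches 3/5, 4/5 and 5/5 ("fix merge mistakes") of this series put them back, so the final state is correct, but anyone syncing the galaxy at the intermediate commits gets entries with their cross-links missing; squashing the series before merge, or appending the new relation instead of replacing the array, would avoid that. The `related` arrays are cut at the hunk edges, so the full entries are not visible here.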
@@ -1165,7 +1165,7 @@
 "value": "Mirage"
 },
 {
- "description": "PLA Navy",
+ "description": "PLA Navy\nAnchor Panda is an adversary that CrowdStrike has tracked extensively over the last year targeting both civilian and military maritime operations in the green/brown water regions primarily in the area of operations of the South Sea Fleet of the PLA Navy. In addition to maritime operations in this region, Anchor Panda also heavily targeted western companies in the US, Germany, Sweden, the UK, and Australia, and other countries involved in maritime satellite systems, aerospace companies, and defense contractors. \nNot surprisingly, embassies and diplomatic missions in the region, foreign intelligence services, and foreign governments with space programs were also targeted.",
 "meta": {
 "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "China",
@@ -1194,6 +1194,43 @@
 "ALUMINUM"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "255a59a7-db2d-44fc-9ca9-5859b65817c3",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "cb8c8253-4024-4cc9-8989-b4a5f95f6c2f",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "4e104fef-8a2c-4679-b497-6e86d7d47db0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "2abe89de-46dd-4dae-ae22-b49a593aff54",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "32a67552-3b31-47bb-8098-078099bbc813",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "uses"
+ }
+ ],
 "uuid": "c82c904f-b3b4-40a2-bf0d-008912953104",
 "value": "Anchor Panda"
 },
diff --git a/clusters/tool.json b/clusters/tool.json
index c7917a5f..77ca6b1e 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
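Review bot: The new `description` is a verbatim vendor paragraph with relative dating ("over the last year") and no inline attribution, so a reader of the galaxy cannot tell which year that refers to or that the assessment is CrowdStrike's rather than the maintainers'. Prefix the text with the source and the publication date of the post it was taken from, e.g. `"description": "PLA Navy\nAccording to CrowdStrike (<date of the cited post>): Anchor Panda is an adversary …"`, or at least replace "over the last year" with the calendar year the post covers. The entry's `refs` block lies outside this hunk, so confirm it lists the CrowdStrike post the text is quoted from.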
@@ -142,32 +142,11 @@
 },
 "related": [
 {
- "dest-uuid": "4e104fef-8a2c-4679-b497-6e86d7d47db0",
+ "dest-uuid": "c82c904f-b3b4-40a2-bf0d-008912953104",
 "tags": [
 "estimative-language:likelihood-probability=\"likely\""
 ],
- "type": "similar"
- },
- {
- "dest-uuid": "b42378e0-f147-496f-992a-26a49705395b",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "e336aeba-b61a-44e0-a0df-cd52a5839db5",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
+ "type": "used-by"
 }
 ],
 "uuid": "2abe89de-46dd-4dae-ae22-b49a593aff54",
@@ -1022,6 +1001,15 @@
 "Gh0stRat, GhostRat"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "c82c904f-b3b4-40a2-bf0d-008912953104",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "used-by"
+ }
+ ],
 "uuid": "cb8c8253-4024-4cc9-8989-b4a5f95f6c2f",
 "value": "Gh0st Rat"
 },
From 0bb1420ab74bdf10225d2b21dac9d785269e51c3 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Mon, 27 May 2019 16:38:01 +0200
Subject: [PATCH 2/5] update threat-actor galaxy
---
 clusters/threat-actor.json | 24 +++++++++++++++++++-----
 clusters/tool.json | 9 +++++++++
 2 files changed, 28 insertions(+), 5 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 2bd85677..a5fd331d 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -411,7 +411,8 @@
 "country": "CN",
 "refs": [
 "http://www.crowdstrike.com/blog/whois-numbered-panda/",
- "https://www.cfr.org/interactive/cyber-operations/apt-12"
+ "https://www.cfr.org/interactive/cyber-operations/apt-12",
+ "https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html"
 ],
 "synonyms": [
 "Numbered Panda",
@@ -439,6 +440,7 @@
 "value": "IXESHE"
 },
 {
+ "description": "Between November 26, 2015, and December 1, 2015, known and suspected China-based APT groups launched several spear-phishing attacks targeting Japanese and Taiwanese organizations in the high-tech, government services, media and financial services industries. Each campaign delivered a malicious Microsoft Word document exploiting the aforementioned EPS dict copy use-after-free vulnerability, and the local Windows privilege escalation vulnerability CVE-2015-1701. The successful exploitation of both vulnerabilities led to the delivery of either a downloader that we refer to as IRONHALO, or a backdoor that we refer to as ELMER.",
 "meta": {
 "attribution-confidence": "50",
 "cfr-suspected-state-sponsor": "China",
@@ -454,6 +456,10 @@
 "refs": [
 "https://www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html",
 "https://www.cfr.org/interactive/cyber-operations/apt-16"
+ ],
+ "synonyms": [
+ "APT16",
+ "SVCMONDR"
 ]
 },
 "uuid": "1f73e14f-b882-4032-a565-26dc653b0daf",
@@ -485,7 +491,8 @@
 "Group 8",
 "APT17",
 "Hidden Lynx",
- "Tailgater Team"
+ "Tailgater Team",
+ "Dogfish"
 ]
 },
 "related": [
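Review bot: "the aforementioned EPS dict copy use-after-free vulnerability" refers back to the FireEye post the paragraph was copied from, so inside this entry the reference dangles: nothing earlier in the description introduces the EPS bug, and only the privilege-escalation half of the exploit chain carries an identifier (CVE-2015-1701). Make the sentence self-contained and add the CVE for the EPS vulnerability as given in the cited `the_eps_awakens` post, e.g. `…exploiting an EPS "dict copy" use-after-free in Microsoft Office (CVE from the FireEye reference) and the local Windows privilege escalation vulnerability CVE-2015-1701…`. The first-person "we refer to as IRONHALO / ELMER" should likewise be attributed ("which FireEye calls IRONHALO…"), since the galaxy text is not written in FireEye's voice.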
@@ -4351,9 +4358,11 @@
 "value": "Danti"
 },
 {
+ "description": "We have observed one APT group, which we call APT5, particularly focused on telecommunications and technology companies. More than half of the organizations we have observed being targeted or breached by APT5 operate in these sectors. Several times, APT5 has targeted organizations and personnel based in Southeast Asia. APT5 has been active since at least 2007. It appears to be a large threat group that consists of several subgroups, often with distinct tactics and infrastructure. APT5 has targeted or breached organizations across multiple industries, but its focus appears to be on telecommunications and technology companies, especially information about satellite communications. \nAPT5 targeted the network of an electronics firm that sells products for both industrial and military applications. The group subsequently stole communications related to the firm’s business relationship with a national military, including inventories and memoranda about specific products they provided. \nIn one case in late 2014, APT5 breached the network of an international telecommunications company. The group used malware with keylogging capabilities to monitor the computer of an executive who manages the company’s relationships with other telecommunications companies",
 "meta": {
 "refs": [
- "https://www.fireeye.com/current-threats/apt-groups.html"
+ "https://www.fireeye.com/current-threats/apt-groups.html",
+ "https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-southeast-asia-threat-landscape.pdf"
 ]
 },
 "uuid": "a47b79ae-7a0c-4308-9efc-294af19cc795",
@@ -4957,9 +4966,13 @@
 "value": "Cyber fighters of Izz Ad-Din Al Qassam"
 },
 {
+ "description": "The FBI issued a rare bulletin admitting that a group named Advanced Persistent Threat 6 (APT6) hacked into US government computer systems as far back as 2011 and for years stole sensitive data.\nThe FBI alert was issued in February and went largely unnoticed. Nearly a month later, security experts are now shining a bright light on the alert and the mysterious group behind the attack.\n“This is a rare alert and a little late, but one that is welcomed by all security vendors as it offers a chance to mitigate their customers and also collaborate further in what appears to be an ongoing FBI investigation,” said Deepen Desai, director of security research at the security firm Zscaler in an email to Threatpost.\nDetails regarding the actual attack and what government systems were infected are scant. Government officials said they knew the initial attack occurred in 2011, but are unaware of who specifically is behind the attacks.\n“Given the nature of malware payload involved and the duration of this compromise being unnoticed – the scope of lateral movement inside the compromised network is very high possibly exposing all the critical systems,”Deepen said.",
 "meta": {
 "attribution-confidence": "50",
 "country": "CN",
+ "refs": [
+ "https://threatpost.com/fbi-quietly-admits-to-multi-year-apt-attack-sensitive-data-stolen/117267/"
+ ],
 "synonyms": [
 "1.php Group",
 "APT6"
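Review bot: The new `description` contradicts the entry's own `meta`: the pasted Threatpost text says officials "are unaware of who specifically is behind the attacks", while two lines below the hunk keeps `"country": "CN"` with `"attribution-confidence": "50"`, and the only reference added is that same article, which does not attribute the group. Either add a reference that supports the China attribution, or lower the confidence and say in the description where the attribution comes from. The text is also a news piece with quoted analyst commentary ("This is a rare alert…", "Given the nature of malware payload…") rather than an intel summary; trim it to the factual content (FBI bulletin issued in February, activity since 2011, sensitive data stolen from US government systems) and leave the journalism to the `refs` link.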
@@ -5360,7 +5373,7 @@
 "value": "Orangeworm"
 },
 {
- "description": "Adversaries abusing ICS (based on Dragos Inc adversary list).",
+ "description": "Adversaries abusing ICS (based on Dragos Inc adversary list).\nALLANITE accesses business and industrial control (ICS) networks, conducts reconnaissance, and gathers intelligence in United States and United Kingdom electric utility sectors. Dragos assesses with moderate confidence that ALLANITE operators continue to maintain ICS network access to: (1) understand the operational environment necessary to develop disruptive capabilities, (2) have ready access from which to disrupt electric utilities.\nALLANITE uses email phishing campaigns and compromised websites called watering holes to steal credentials and gain access to target networks, including collecting and distributing screenshots of industrial control systems. ALLANITE operations limit themselves to information gathering and have not demonstrated any disruptive or damaging capabilities.\nALLANITE conducts malware-less operations primarily leveraging legitimate and available tools in the Windows operating system.",
 "meta": {
 "capabilities": "Powershell scripts, THC Hydra, SecretsDump, Inveigh, PSExec",
 "mode-of-operation": "Watering-hole and phishing leading to ICS recon and screenshot collection",
@@ -5370,7 +5383,8 @@
 ],
 "since": "2017",
 "synonyms": [
- "Palmetto Fusion"
+ "Palmetto Fusion",
+ "Allanite"
 ],
 "victimology": "Electric utilities, US and UK"
 },
diff --git a/clusters/tool.json b/clusters/tool.json
index 77ca6b1e..52278ab9 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -177,6 +177,15 @@
 "Backdoor"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "c82c904f-b3b4-40a2-bf0d-008912953104",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "used-by"
+ }
+ ],
 "uuid": "32a67552-3b31-47bb-8098-078099bbc813",
 "value": "Torn RAT"
 },
From 940762e0c5c3fff21eaf039e8d97dd1db3fcff7e Mon Sep 17 00:00:00 2001
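Review bot: The added sentence "ALLANITE conducts malware-less operations primarily leveraging legitimate and available tools in the Windows operating system" sits directly above a `capabilities` line naming THC Hydra, SecretsDump and Inveigh, which are third-party offensive tools rather than Windows built-ins, so the two statements read as a contradiction. Both presumably trace back to Dragos material, so neither need be wrong; qualify the sentence so it matches the field, e.g. `…leveraging legitimate or publicly available tooling rather than custom malware (see capabilities).`. In the second hunk `Allanite` is added as a synonym — if the entry's `value` (outside this hunk) is already "ALLANITE", check whether the galaxy's synonym matching is case-sensitive before carrying a case-only variant.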
From: Deborah Servili
Date: Tue, 28 May 2019 09:22:26 +0200
Subject: [PATCH 3/5] update threat actor
---
 clusters/rat.json | 28 ++++++++++++++++++++++++++++
 clusters/threat-actor.json | 13 +++++++++++--
 2 files changed, 39 insertions(+), 2 deletions(-)
diff --git a/clusters/rat.json b/clusters/rat.json
index c22ebfe3..687961cd 100644
--- a/clusters/rat.json
+++ b/clusters/rat.json
@@ -92,6 +92,34 @@
 ]
 },
 "related": [
+ {
+ "dest-uuid": "b42378e0-f147-496f-992a-26a49705395b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "similar"
+ },
+ {
+ "dest-uuid": "2abe89de-46dd-4dae-ae22-b49a593aff54",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "similar"
+ },
+ {
+ "dest-uuid": "e336aeba-b61a-44e0-a0df-cd52a5839db5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "similar"
+ },
+ {
+ "dest-uuid": "7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "similar"
+ },
 {
 "dest-uuid": "c82c904f-b3b4-40a2-bf0d-008912953104",
 "tags": [
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index a5fd331d..a928bcbd 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -1471,6 +1471,7 @@
 "value": "Impersonating Panda"
 },
 {
+ "description": "We’ve uncovered some new data and likely attribution regarding a series of APT watering hole attacks this past summer. Watering hole attacks are an increasingly popular component of APT campaigns, as many people are more aware of spear phishing and are less likely to open documents or click on links in unsolicited emails. Watering hole attacks offer a much better chance of success because they involve compromising legitimate websites and installing malware intended to compromise website visitors. These are often popular websites frequented by people who work in specific industries or have political sympathies to which the actors want to gain access.\nIn contrast to many other APT campaigns, which tend to rely heavily on spear phishing to gain victims, “th3bug” is known for compromising legitimate websites their intended visitors are likely to frequent. Over the summer they compromised several sites, including a well-known Uyghur website written in that native language.",
 "meta": {
 "attribution-confidence": "50",
 "country": "CN",
@@ -1852,7 +1853,11 @@
 "refs": [
 "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html"
 ],
- "synonyms": []
+ "synonyms": [
+ "APT 33",
+ "Elfin",
+ "MAGNALLIUM"
+ ]
 },
 "related": [
 {
@@ -2301,7 +2306,9 @@
 "Minidionis",
 "SeaDuke",
 "Hammer Toss",
- "YTTRIUM"
+ "YTTRIUM",
+ "Iron Hemlock",
+ "Grizzly Steppe"
 ]
 },
 "related": [
@@ -4080,9 +4087,11 @@
 "synonyms": [
 "OceanLotus Group",
 "Ocean Lotus",
+ "OceanLotus",
 "Cobalt Kitty",
 "APT-C-00",
 "SeaLotus",
+ "Sea Lotus",
 "APT-32",
 "APT 32",
 "Ocean Buffalo"
From 77d20739db3ef64d47fd8b151125ef31cda17c07 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Tue, 28 May 2019 09:24:29 +0200
Subject: [PATCH 4/5] update threat actor
---
 clusters/rat.json | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/clusters/rat.json b/clusters/rat.json
index 687961cd..aadcfbec 100644
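Review bot: The th3bug `description` keeps the relative dating of the post it was copied from ("this past summer", "Over the summer") and its first-person voice ("We’ve uncovered…"), so once it sits in the galaxy it carries no absolute date and no visible author. Anchor it to a year and a source, e.g. `…a series of APT watering hole attacks in the summer of <year of the cited report>…` and `…which <vendor> tracks as “th3bug”…`. The entry's `refs` are outside this hunk, so confirm the quoted post is listed there.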
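Review bot: `Grizzly Steppe` is added as a synonym of the entry that carries SeaDuke, Hammer Toss and YTTRIUM (i.e. the APT29 cluster), but GRIZZLY STEPPE is the DHS/FBI Joint Analysis Report designation for the combined Russian civilian and military intelligence activity, covering both APT28 and APT29, not a name for this group alone. As a synonym it makes events tagged with the JAR label auto-match APT29 only, and if the APT28 entry (outside this hunk) also lists it the galaxy ends up with a duplicate synonym across two actors. Drop it from `synonyms` and, if the link is wanted, record it in the description or as a `related` entry instead; `Iron Hemlock` is fine as a vendor name for this actor.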
--- a/clusters/rat.json
+++ b/clusters/rat.json
@@ -675,6 +675,13 @@
 ]
 },
 "related": [
+ {
+ "dest-uuid": "225fa6cf-dc9c-4b86-873b-cdf1d9dd3738",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "similar"
+ },
 {
 "dest-uuid": "c82c904f-b3b4-40a2-bf0d-008912953104",
 "tags": [
From bf19ed9d8dd995bad5169bc8850121bac85d2765 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Tue, 28 May 2019 09:26:24 +0200
Subject: [PATCH 5/5] fix merge mistakes
---
 clusters/tool.json | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
diff --git a/clusters/tool.json b/clusters/tool.json
index 52278ab9..8ee717e0 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -147,6 +147,34 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "used-by"
+ },
+ {
+ "dest-uuid": "4e104fef-8a2c-4679-b497-6e86d7d47db0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "similar"
+ },
+ {
+ "dest-uuid": "b42378e0-f147-496f-992a-26a49705395b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "similar"
+ },
+ {
+ "dest-uuid": "7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "similar"
+ },
+ {
+ "dest-uuid": "e336aeba-b61a-44e0-a0df-cd52a5839db5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "similar"
 }
 ],
 "uuid": "2abe89de-46dd-4dae-ae22-b49a593aff54",