Merge pull request #917 from Mathieu4141/threat-actors/abf6de28-2204-4585-9066-1f6271e7897b

[threat-actors] Add 5 actors
Alexandre Dulaunoy 2024-01-23 06:38:17 +01:00 committed by GitHub
commit 9f5554ab9f
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 78 additions and 1 deletions


@ -11078,7 +11078,11 @@
"description": "Hezb is a group deploying cryptominers when new exploit are available for public facing vulnerabilities. The name is after the miner process they deploy.",
"meta": {
"refs": [
"https://www.pwndefend.com/2022/06/04/cve-2022-26134-honeypot-payload-analysis-example/"
"https://www.pwndefend.com/2022/06/04/cve-2022-26134-honeypot-payload-analysis-example/",
"https://asec.ahnlab.com/en/60440/"
],
"synonyms": [
"Mimo"
]
},
"uuid": "fd82cd40-9306-4285-8fae-ad29a9711603",
@ -14036,6 +14040,79 @@
},
"uuid": "f288f686-b5b3-4c86-9960-5f8fb18709a3",
"value": "UTA0178"
},
{
"description": "TAG-28 is a Chinese state-sponsored threat actor that has been targeting Indian organizations, including media conglomerates and government agencies. They have been using the Winnti malware, which is commonly shared among Chinese state-sponsored groups. TAG-28's main objective is to gather intelligence on Indian targets, potentially for espionage purposes.",
"meta": {
"country": "CN",
"refs": [
"https://www.recordedfuture.com/blog/china-linked-tag-28-targets-indias-the-times-group"
]
},
"uuid": "6c706d8b-95a4-428d-9de5-b68b29b1893c",
"value": "TAG-28"
},
{
"description": "Flax Typhoon is a Chinese state-sponsored threat actor that primarily targets organizations in Taiwan. They conduct espionage campaigns and focus on gaining and maintaining long-term access to networks using minimal malware. Flax Typhoon relies on tools built into the operating system and legitimate software to remain undetected. They exploit vulnerabilities in public-facing servers, use living-off-the-land techniques, and deploy a VPN connection to maintain persistence and move laterally within compromised networks.",
"meta": {
"country": "CN",
"refs": [
"https://www.microsoft.com/en-us/security/blog/2023/08/24/flax-typhoon-using-legitimate-software-to-quietly-access-taiwanese-organizations/",
"https://www.crowdstrike.com/global-threat-report/"
],
"synonyms": [
"Ethereal Panda"
]
},
"uuid": "50ee2b1b-979e-4507-8747-8597a95938f6",
"value": "Flax Typhoon"
},
{
"description": "The Cyber Partisans, a hacktivist group based in Belarus, has been involved in various cyber-attacks targeting organizations and infrastructure in Belarus and Ukraine. They have hacked and wiped the network of the Belarusian Telegraph Agency, targeted the Belarusian Red Cross, and conducted ransomware attacks on the Belarusian Railway and Belarusian State University. The group aims to expose alleged crimes committed by pro-government organizations and disrupt operations supporting the Russian military operation against Ukraine. They have also leaked stolen data to journalists and expressed support for Ukraine.",
"meta": {
"country": "BY",
"refs": [
"https://blog.sekoia.io/the-transportation-sector-cyber-threat-overview/",
"https://riskybiznews.substack.com/p/risky-biz-news-cyber-partisans-hack",
"https://therecord.media/cyber-partisans-belarusian-state-university-attack",
"https://therecord.media/pro-ukraine-hackers-leak-russian-data-in-hopes-someone-will-make-sense-of-it/",
"https://therecord.media/this-app-will-self-destruct-how-belarusian-hackers-created-an-alternative-telegram-for-activists/"
]
},
"uuid": "a9f894c6-70ab-4174-b470-5999fe93d4f3",
"value": "Cyber Partisans"
},
{
"description": "Caliente Bandits is a highly active threat group that targets multiple industries, including finance and entertainment. They distribute the Bandook remote access trojan using Spanish-language lures through low-volume email campaigns. The group primarily impacts individuals with Spanish surnames and conducts reconnaissance to obtain employee data. They masquerade as companies in South America and use Hotmail or Gmail email addresses.",
"meta": {
"refs": [
"https://www.proofpoint.com/us/blog/threat-insight/new-threat-actor-uses-spanish-language-lures-distribute-seldom-observed-bandook"
],
"synonyms": [
"TA2721"
]
},
"uuid": "6a77a337-bfa0-416c-8c06-1d489d0d6838",
"value": "Caliente Bandits"
},
{
"description": "Cotton Sandstorm is an Iranian threat actor involved in hack-and-leak operations. They have targeted various organizations, including the French satirical magazine Charlie Hebdo, where they obtained and leaked personal information of over 200,000 customers. The group has been linked to the Iranian government and has been sanctioned by the US Treasury",
"meta": {
"country": "IR",
"refs": [
"https://blog.sekoia.io/iran-cyber-threat-overview/",
"https://blogs.microsoft.com/on-the-issues/2023/02/03/dtac-charlie-hebdo-hack-iran-neptunium/",
"https://www.ic3.gov/Media/News/2022/220126.pdf",
"https://www.microsoft.com/en-us/security/business/security-insider/threat-briefs/iran-response-for-charlie-hebdo-attacks/"
],
"synonyms": [
"Emennet Pasargad",
"Holy Souls",
"NEPTUNIUM"
]
},
"uuid": "bbb389f2-344f-4ca8-a9c9-902061f88deb",
"value": "Cotton Sandstorm"
}
],
"version": 297
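Review bot: The Cotton Sandstorm description in the second hunk ends without a terminating period (`...has been sanctioned by the US Treasury"`), unlike every other description added here; it should close as `...has been sanctioned by the US Treasury."` so the entries stay consistent when rendered. In the Flax Typhoon entry, the reference `"https://www.crowdstrike.com/global-threat-report/"` is a generic landing page rather than a stable citation for the "Ethereal Panda" synonym, and it will drift as new reports replace old ones; a URL to the specific dated report is the more durable ref. The `"version": 297` line appears as unchanged context in this section, and if the galaxy version is not bumped in this or a follow-up commit, MISP instances already on version 297 will not pick up the five new clusters — please confirm the bump lands alongside these additions.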