From 3f9bd89958e5c335ade8aa629fedc48e97360d41 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 22 Jan 2024 10:01:13 -0800
Subject: [PATCH 1/6] [threat-actors] Add TAG-28
---
clusters/threat-actor.json | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 4a3578b..3bb828b 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -14036,6 +14036,17 @@
 },
 "uuid": "f288f686-b5b3-4c86-9960-5f8fb18709a3",
 "value": "UTA0178"
+ },
+ {
+ "description": "TAG-28 is a Chinese state-sponsored threat actor that has been targeting Indian organizations, including media conglomerates and government agencies. They have been using the Winnti malware, which is commonly shared among Chinese state-sponsored groups. TAG-28's main objective is to gather intelligence on Indian targets, potentially for espionage purposes.",
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://www.recordedfuture.com/blog/china-linked-tag-28-targets-indias-the-times-group"
+ ]
+ },
+ "uuid": "6c706d8b-95a4-428d-9de5-b68b29b1893c",
+ "value": "TAG-28"
 }
 ],
 "version": 297
From bd7252ccef5637cbd1fadf0d7964aa5b011a9ee4 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 22 Jan 2024 10:01:13 -0800
Subject: [PATCH 2/6] [threat-actors] Add Flax Typhoon
---
clusters/threat-actor.json | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 3bb828b..de524a3 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
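Review bot: The galaxy-level `"version": 297` visible in the trailing context of this hunk is not incremented, and the same holds for the hunks adding Flax Typhoon, Cyber Partisans, Caliente Bandits and Cotton Sandstorm. MISP compares that number when deciding whether a galaxy needs re-importing, so as far as I can tell the new clusters may not reach consumers until some later commit bumps it; the series should finish with `"version": 298` (a single bump for all six patches is enough). Separately, the TAG-28 description ties the actor to Winnti tooling only in prose; if the galaxy already has a Winnti cluster, a `related` entry with that cluster's uuid (to be looked up, not guessed) would express the link in machine-readable form.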
@@ -14047,6 +14047,21 @@
 },
 "uuid": "6c706d8b-95a4-428d-9de5-b68b29b1893c",
 "value": "TAG-28"
+ },
+ {
+ "description": "Flax Typhoon is a Chinese state-sponsored threat actor that primarily targets organizations in Taiwan. They conduct espionage campaigns and focus on gaining and maintaining long-term access to networks using minimal malware. Flax Typhoon relies on tools built into the operating system and legitimate software to remain undetected. They exploit vulnerabilities in public-facing servers, use living-off-the-land techniques, and deploy a VPN connection to maintain persistence and move laterally within compromised networks.",
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://www.microsoft.com/en-us/security/blog/2023/08/24/flax-typhoon-using-legitimate-software-to-quietly-access-taiwanese-organizations/",
+ "https://www.crowdstrike.com/global-threat-report/"
+ ],
+ "synonyms": [
+ "Ethereal Panda"
+ ]
+ },
+ "uuid": "50ee2b1b-979e-4507-8747-8597a95938f6",
+ "value": "Flax Typhoon"
 }
 ],
 "version": 297
From 412f1885f29df6225b67b7f736de152ab9808a74 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 22 Jan 2024 10:01:13 -0800
Subject: [PATCH 3/6] [threat-actors] Add Hezb aliases
---
clusters/threat-actor.json | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index de524a3..d3b7b07 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -11078,7 +11078,11 @@
 "description": "Hezb is a group deploying cryptominers when new exploit are available for public facing vulnerabilities. The name is after the miner process they deploy.",
 "meta": {
 "refs": [
- "https://www.pwndefend.com/2022/06/04/cve-2022-26134-honeypot-payload-analysis-example/"
+ "https://www.pwndefend.com/2022/06/04/cve-2022-26134-honeypot-payload-analysis-example/",
+ "https://asec.ahnlab.com/en/60440/"
+ ],
+ "synonyms": [
+ "Mimo"
 ]
 },
 "uuid": "fd82cd40-9306-4285-8fae-ad29a9711603",
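Review bot: The second reference in the Flax Typhoon entry, `https://www.crowdstrike.com/global-threat-report/`, is a landing page that is replaced by each year's report, so it is not a durable citation for the `Ethereal Panda` synonym it is presumably meant to support. Point it at the dated edition of the report (or an adversary profile page) so a reader can still verify the alias after the landing page moves on. The Microsoft reference is already specific and needs no change.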
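Review bot: The Hezb hunk adds `Mimo` as a synonym on the strength of the new AhnLab reference alone, while the description on the context line still names only Hezb and explains only that name; a reader of the cluster cannot tell why the two labels are treated as the same actor. One sentence in the description, e.g. `AhnLab ASEC tracks the same cryptomining activity under the name Mimo.`, would make the alias traceable to its source. Since the entry is already being edited, the grammar on the description context line (`when new exploit are available`) could be fixed to `when new exploits are available` in the same commit.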
From 95b2a2e18825af6575cfa2adba13874544ef4b10 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 22 Jan 2024 10:01:13 -0800
Subject: [PATCH 4/6] [threat-actors] Add Cyber Partisans
---
clusters/threat-actor.json | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index d3b7b07..02df590 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -14066,6 +14066,21 @@
 },
 "uuid": "50ee2b1b-979e-4507-8747-8597a95938f6",
 "value": "Flax Typhoon"
+ },
+ {
+ "description": "The Cyber Partisans, a hacktivist group based in Belarus, has been involved in various cyber-attacks targeting organizations and infrastructure in Belarus and Ukraine. They have hacked and wiped the network of the Belarusian Telegraph Agency, targeted the Belarusian Red Cross, and conducted ransomware attacks on the Belarusian Railway and Belarusian State University. The group aims to expose alleged crimes committed by pro-government organizations and disrupt operations supporting the Russian military operation against Ukraine. They have also leaked stolen data to journalists and expressed support for Ukraine.",
+ "meta": {
+ "country": "BY",
+ "refs": [
+ "https://blog.sekoia.io/the-transportation-sector-cyber-threat-overview/",
+ "https://riskybiznews.substack.com/p/risky-biz-news-cyber-partisans-hack",
+ "https://therecord.media/cyber-partisans-belarusian-state-university-attack",
+ "https://therecord.media/pro-ukraine-hackers-leak-russian-data-in-hopes-someone-will-make-sense-of-it/",
+ "https://therecord.media/this-app-will-self-destruct-how-belarusian-hackers-created-an-alternative-telegram-for-activists/"
+ ]
+ },
+ "uuid": "a9f894c6-70ab-4174-b470-5999fe93d4f3",
+ "value": "Cyber Partisans"
 }
 ],
 "version": 297
From b61a0a60a2b354a22db8ba92b1117d3b612b39fe Mon Sep 17 00:00:00 2001
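Review bot: The Cyber Partisans entry has no `synonyms` list, although the cited reporting (judging by the therecord.media URLs) appears to use the hyphenated and prefixed spellings of the name, e.g. Belarusian Cyber-Partisans; without those variants, lookups and tag matching on the hyphenated form will miss this cluster. Check the spellings actually used in the five refs and add them under `"synonyms": [...]`. The description also mixes attribution with a fairly long incident history; the other new entries in this series keep to three or four sentences, so trimming the incident list to the items the refs directly support would keep the style consistent.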
From: Mathieu4141
Date: Mon, 22 Jan 2024 10:01:13 -0800
Subject: [PATCH 5/6] [threat-actors] Add Caliente Bandits
---
clusters/threat-actor.json | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 02df590..585d6c2 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -14081,6 +14081,19 @@
 },
 "uuid": "a9f894c6-70ab-4174-b470-5999fe93d4f3",
 "value": "Cyber Partisans"
+ },
+ {
+ "description": "Caliente Bandits is a highly active threat group that targets multiple industries, including finance and entertainment. They distribute the Bandook remote access trojan using Spanish-language lures through low-volume email campaigns. The group primarily impacts individuals with Spanish surnames and conducts reconnaissance to obtain employee data. They masquerade as companies in South America and use Hotmail or Gmail email addresses.",
+ "meta": {
+ "refs": [
+ "https://www.proofpoint.com/us/blog/threat-insight/new-threat-actor-uses-spanish-language-lures-distribute-seldom-observed-bandook"
+ ],
+ "synonyms": [
+ "TA2721"
+ ]
+ },
+ "uuid": "6a77a337-bfa0-416c-8c06-1d489d0d6838",
+ "value": "Caliente Bandits"
 }
 ],
 "version": 297
From b8a504c174b2927986aafda1a3815845324f9bd4 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 22 Jan 2024 10:01:13 -0800
Subject: [PATCH 6/6] [threat-actors] Add Cotton Sandstorm
---
clusters/threat-actor.json | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 585d6c2..09c327c 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -14094,6 +14094,25 @@
 },
 "uuid": "6a77a337-bfa0-416c-8c06-1d489d0d6838",
 "value": "Caliente Bandits"
+ },
+ {
+ "description": "Cotton Sandstorm is an Iranian threat actor involved in hack-and-leak operations. They have targeted various organizations, including the French satirical magazine Charlie Hebdo, where they obtained and leaked personal information of over 200,000 customers. The group has been linked to the Iranian government and has been sanctioned by the US Treasury",
+ "meta": {
+ "country": "IR",
+ "refs": [
+ "https://blog.sekoia.io/iran-cyber-threat-overview/",
+ "https://blogs.microsoft.com/on-the-issues/2023/02/03/dtac-charlie-hebdo-hack-iran-neptunium/",
+ "https://www.ic3.gov/Media/News/2022/220126.pdf",
+ "https://www.microsoft.com/en-us/security/business/security-insider/threat-briefs/iran-response-for-charlie-hebdo-attacks/"
+ ],
+ "synonyms": [
+ "Emennet Pasargad",
+ "Holy Souls",
+ "NEPTUNIUM"
+ ]
+ },
+ "uuid": "bbb389f2-344f-4ca8-a9c9-902061f88deb",
+ "value": "Cotton Sandstorm"
 }
 ],
 "version": 297
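Review bot: The Cotton Sandstorm description is missing its final period (`...sanctioned by the US Treasury`), unlike every other description added in this series; it should end `...sanctioned by the US Treasury.`. More importantly, the synonyms `Emennet Pasargad` and `NEPTUNIUM` are names the cited Microsoft and IC3 references themselves use for this actor, so it is worth checking whether the galaxy already holds a cluster under one of them; if it does, this hunk creates a duplicate actor with a fresh uuid, and the right change is to add the new names and refs to the existing cluster (or at minimum link the two via `related`). The `"country": "IR"` value is consistent with the description and the refs.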