From a046e8094d0774df31957b15f2121174c3dff9b3 Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Thu, 18 Aug 2022 11:36:45 -0700
Subject: [PATCH] Merge APT30 and Naikon
---
 ...mitre-enterprise-attack-intrusion-set.json | 14 ---
 clusters/mitre-intrusion-set.json | 14 ---
 clusters/threat-actor.json | 89 ++-----------------
 3 files changed, 8 insertions(+), 109 deletions(-)
diff --git a/clusters/mitre-enterprise-attack-intrusion-set.json b/clusters/mitre-enterprise-attack-intrusion-set.json
index ad15c6c..fa82698 100644
--- a/clusters/mitre-enterprise-attack-intrusion-set.json
+++ b/clusters/mitre-enterprise-attack-intrusion-set.json
@@ -1215,13 +1215,6 @@
 ],
 "type": "similar"
 },
- {
- "dest-uuid": "f26144c5-8593-4e78-831a-11f6452d809b",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
 {
 "dest-uuid": "f047ee18-7985-4946-8bfb-4ed754d3a0dd",
 "tags": [
@@ -1414,13 +1407,6 @@
 ],
 "type": "similar"
 },
- {
- "dest-uuid": "f26144c5-8593-4e78-831a-11f6452d809b",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
 {
 "dest-uuid": "fb261c56-b80e-43a9-8351-c84081e7213d",
 "tags": [
diff --git a/clusters/mitre-intrusion-set.json b/clusters/mitre-intrusion-set.json
index 4997bd1..f4ddeaf 100644
--- a/clusters/mitre-intrusion-set.json
+++ b/clusters/mitre-intrusion-set.json
@@ -9232,13 +9232,6 @@
 ],
 "type": "uses"
 },
- {
- "dest-uuid": "f26144c5-8593-4e78-831a-11f6452d809b",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
 {
 "dest-uuid": "fb261c56-b80e-43a9-8351-c84081e7213d",
 "tags": [
@@ -18420,13 +18413,6 @@
 ],
 "type": "uses"
 },
- {
- "dest-uuid": "f26144c5-8593-4e78-831a-11f6452d809b",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
 {
 "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db",
 "tags": [
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 5b81f2c..fd3d7cd 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -812,7 +812,11 @@
 "https://attack.mitre.org/groups/G0019/",
 "https://www.secureworks.com/research/threat-profiles/bronze-geneva",
 "https://cyware.com/news/chinese-naikon-group-back-with-new-espionage-attack-66a8413d",
- "https://cluster25.io/2022/04/29/lotus-panda-awake-last-strike/"
+ "https://cluster25.io/2022/04/29/lotus-panda-awake-last-strike/",
+ "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/eagle-eye-is-back-apt30/",
+ "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf",
+ "https://attack.mitre.org/wiki/Group/G0013",
+ "https://www.mandiant.com/sites/default/files/2021-09/rpt-apt30.pdf"
 ],
 "synonyms": [
 "PLA Unit 78020",
@@ -820,7 +824,9 @@
 "Camerashy",
 "Lotus Panda",
 "BRONZE GENEVA",
- "G0019"
+ "G0019",
+ "APT 30",
+ "G0013"
 ]
 },
 "related": [
@@ -838,13 +844,6 @@
 ],
 "type": "similar"
 },
- {
- "dest-uuid": "f26144c5-8593-4e78-831a-11f6452d809b",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
 {
 "dest-uuid": "f047ee18-7985-4946-8bfb-4ed754d3a0dd",
 "tags": [
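Review bot: The refs list in the `@@ -812,7 +812,11 @@` hunk carries over only four of the five references from the removed APT 30 entry; `"https://www.cfr.org/interactive/cyber-operations/apt-30"` is dropped, so the CFR attribution source is no longer reachable from the merged cluster. If that is not deliberate, add it to the list alongside the other four. The removed entry's `cfr-suspected-victims` and `cfr-target-category` values are deleted as well, and the Naikon entry's own cfr fields sit outside this hunk, so it is worth confirming they already cover those countries and sectors. As a style point, the added `https://attack.mitre.org/wiki/Group/G0013` uses the old wiki path while the neighbouring entry uses the `https://attack.mitre.org/groups/G0019/` form.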
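Review bot: The synonyms added in the `@@ -820,7 +824,9 @@` hunk are `"APT 30"` and `"G0013"`, but the removed entry listed the unspaced spelling `"APT30"`, which is also the form used in the added reference URLs and in the commit subject. Enrichment or detection content that resolves actor names by exact synonym match would stop mapping `APT30` to any cluster after this merge, so I would also add `"APT30",` to this list. Separately, the cluster UUID `f26144c5-8593-4e78-831a-11f6452d809b` is deleted outright in the later hunk, so data already tagged with it will no longer resolve; please confirm that no other cluster file still points at it. The removed description said the two groups "do not appear to be exact matches", and the Naikon description is outside the hunk, so it should be checked for a statement that now contradicts the merge.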
@@ -3486,78 +3485,6 @@
 "uuid": "f3179cfb-9c86-4980-bd6b-e4fa74adaaa7",
 "value": "ProjectSauron"
 },
- {
- "description": "APT 30 is a threat group suspected to be associated with the Chinese government. While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches.",
- "meta": {
- "attribution-confidence": "50",
- "cfr-suspected-state-sponsor": "China",
- "cfr-suspected-victims": [
- "India",
- "Saudi Arabia",
- "Vietnam",
- "Myanmar",
- "Singapore",
- "Thailand",
- "Malaysia",
- "Cambodia",
- "China",
- "Phillipines",
- "South Korea",
- "United States",
- "Indonesia",
- "Laos"
- ],
- "cfr-target-category": [
- "Government",
- "Private sector"
- ],
- "cfr-type-of-incident": "Espionage",
- "country": "CN",
- "refs": [
- "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/eagle-eye-is-back-apt30/",
- "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf",
- "https://attack.mitre.org/wiki/Group/G0013",
- "https://www.cfr.org/interactive/cyber-operations/apt-30",
- "https://www.mandiant.com/sites/default/files/2021-09/rpt-apt30.pdf"
- ],
- "synonyms": [
- "APT30",
- "G0013"
- ]
- },
- "related": [
- {
- "dest-uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "2f1fd017-9df6-4759-91fb-e7039609b5ff",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "5e0a7cf2-6107-4d5f-9dd0-9df38b1fcba8",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- },
- {
- "dest-uuid": "f047ee18-7985-4946-8bfb-4ed754d3a0dd",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
- "uuid": "f26144c5-8593-4e78-831a-11f6452d809b",
- "value": "APT 30"
- },
 {
 "description": "TA530, who we previously examined in relation to large-scale personalized phishing campaigns",
"meta": {