From a61ef2a88f3e77698a5c44e80f1428dca77a48f4 Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Thu, 18 Aug 2022 16:52:08 -0700
Subject: [PATCH] [threat-actors] Fix Axiom/Winnti/Suckfly/APT41 conflicts

---
 clusters/threat-actor.json | 127 ++++++++++++++++++++++++-------------
 1 file changed, 84 insertions(+), 43 deletions(-)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 1c7e5ed1..0817ac5b 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -607,19 +607,14 @@
  "cfr-suspected-state-sponsor": "China",
  "cfr-suspected-victims": [
  "United States",
- "Netherlands",
- "Italy",
- "Japan",
+ "South Korea",
+ "Universities in Hong Kong",
  "United Kingdom",
- "Belgium",
- "Russia",
- "Indonesia",
- "Germany",
- "Switzerland",
- "China"
+ "China",
+ "Japan",
+ "Hong Kong"
  ],
  "cfr-target-category": [
- "Government",
  "Private sector"
  ],
  "cfr-type-of-incident": "Espionage",
@@ -629,7 +624,6 @@
  "https://securelist.com/winnti-more-than-just-a-game/37029/",
  "http://williamshowalter.com/a-universal-windows-bootkit/",
  "https://www.microsoft.com/security/blog/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/",
- "https://www.cfr.org/interactive/cyber-operations/axiom",
  "https://securelist.com/games-are-over/70991/",
  "https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a",
  "https://www.dw.com/en/thyssenkrupp-victim-of-cyber-attack/a-36695341",
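Review bot: `"Universities in Hong Kong"` in the rewritten `cfr-suspected-victims` array is a sector-style entry in a list that everywhere else in this patch holds plain country names, and `"Hong Kong"` already appears at the end of the same list, so the field now mixes two granularities and carries a near-duplicate. Anything that pivots on this field by country will not match the longer string. Keep `"Hong Kong"` once and, if the university targeting needs recording, put it in the description or in `cfr-target-category`; the list appears to be lifted from the CFR Winnti Umbrella entry, so please confirm the wording against that source. The enclosing `meta` object starts before the hunk.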
@@ -644,14 +638,11 @@
  "https://www.secureworks.com/research/threat-profiles/bronze-export",
  "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
  "https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer",
- "https://assets.documentcloud.org/documents/7210602/FLASH-AC-000133-TT-Published.pdf"
+ "https://assets.documentcloud.org/documents/7210602/FLASH-AC-000133-TT-Published.pdf",
+ "https://www.cfr.org/cyber-operations/winnti-umbrella"
  ],
  "synonyms": [
  "Winnti Umbrella",
- "Winnti Group",
- "Suckfly",
- "APT41",
- "Group72",
  "Blackfly",
  "LEAD",
  "WICKED SPIDER",
@@ -691,10 +682,24 @@
  "estimative-language:likelihood-probability=\"likely\""
  ],
  "type": "similar"
+ },
+ {
+ "dest-uuid": "9c124874-042d-48cd-b72b-ccdc51ecbbd6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "similar"
+ },
+ {
+ "dest-uuid": "2943148b-8bc5-4bcb-b85e-f00c2174dd47",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "similar"
  }
  ],
  "uuid": "24110866-cb22-4c85-a7d2-0413e126694b",
- "value": "Axiom"
+ "value": "Winnti"
  },
  {
  "description": "Adversary group targeting financial, technology, non-profit organisations.",
@@ -3656,7 +3661,8 @@
  "refs": [
  "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=62e325ae-f551-4855-b9cf-28a7d52d1534&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
  "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7a60af1f-7786-446c-976b-7c71a16e9d3b&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
- "https://attack.mitre.org/groups/G0039/"
+ "https://attack.mitre.org/groups/G0039/",
+ "https://exchange.xforce.ibmcloud.com/collection/Suckfly-APT-aa8af56fd12d25c98fc49ca5341160ab"
  ],
  "synonyms": [
  "G0039"
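Review bot: Dropping `"Winnti Group"` from the synonyms while the cluster's value becomes `"Winnti"` leaves no entry in this patch carrying that exact name, yet the new Axiom description added at the end of the same patch still refers to "Winnti Group". Unless another cluster in the file already owns that name (not visible here), name-based lookups and tag matching on `misp-galaxy:threat-actor="Winnti Group"` stop resolving. Keeping `"Winnti Group",` next to `"Winnti Umbrella",` preserves the alias without re-creating the Suckfly/APT41/Group72 collisions this commit is fixing, since none of those is a separate cluster name here. The enclosing `meta` object begins before the hunk.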
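Review bot: Renaming this cluster's `value` from `"Axiom"` to `"Winnti"` on the existing UUID `24110866-cb22-4c85-a7d2-0413e126694b` changes what existing name-based references resolve to: events already tagged `misp-galaxy:threat-actor="Axiom"` will now match the new `2943148b-…` cluster added at the end of the patch, which has different victims and refs, while anything keyed on this UUID silently becomes "Winnti". The same patch deletes the `9cebfaa8-a797-11e8-99e0-3ffa312b9a10` Winnti Umbrella cluster outright rather than leaving a deprecated stub, so any `related` entry elsewhere whose `dest-uuid` is that value now dangles, the same mechanism the two `dest-uuid` additions in this hunk rely on. If this migration is intended, state it in the commit message and consider keeping a minimal entry for the deleted UUID; if not, a fresh UUID for "Winnti" with `24110866-…` left as Axiom is the smaller change. The object begins before the hunk.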
@@ -6288,30 +6294,6 @@
  "uuid": "71ef51ca-a791-11e8-a026-07980ca910ca",
  "value": "Inception Framework"
  },
- {
- "description": "This threat actor targets software companies and political organizations in the United States, China, Japan, and South Korea. It primarily acts to support cyber operations conducted by other threat actors affiliated with Chinese intelligence services.\nBelieved to be associated with the Axiom, APT 17, and Mirage threat actors. Believed to share the same tools and infrastructure as the threat actors that carried out Operation Aurora, the 2015 targeting of video game companies, the 2015 targeting of the Thai government, and the 2017 targeting of Chinese-language news websites",
- "meta": {
- "attribution-confidence": "50",
- "cfr-suspected-state-sponsor": "China",
- "cfr-suspected-victims": [
- "United States",
- "South Korea",
- "United Kingdom",
- "China",
- "Japan"
- ],
- "cfr-target-category": [
- "Private sector"
- ],
- "cfr-type-of-incident": "Espionage",
- "country": "CN",
- "refs": [
- "https://www.cfr.org/interactive/cyber-operations/winnti-umbrella"
- ]
- },
- "uuid": "9cebfaa8-a797-11e8-99e0-3ffa312b9a10",
- "value": "Winnti Umbrella"
- },
  {
  "description": "This threat actor targets Uighurs—a minority ethnic group located primarily in northwestern China—and devices from Chinese mobile phone manufacturer Xiaomi, for espionage purposes.",
  "meta": {
@@ -7683,7 +7665,15 @@
  "country": "CN",
  "refs": [
  "https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html",
- "https://unit42.paloaltonetworks.com/apt41-using-new-speculoos-backdoor-to-target-organizations-globally/"
+ "https://unit42.paloaltonetworks.com/apt41-using-new-speculoos-backdoor-to-target-organizations-globally/",
+ "https://www.mandiant.com/resources/report-apt41-double-dragon-a-dual-espionage-and-cyber-crime-operation",
+ "https://www.cfr.org/cyber-operations/apt-41",
+ "https://attack.mitre.org/groups/G0096/"
+ ],
+ "synonyms": [
+ "Double Dragon",
+ "G0096",
+ "TA415"
  ]
  },
  "related": [
@@ -7693,6 +7683,13 @@
  "estimative-language:likelihood-probability=\"very-likely\""
  ],
  "type": "uses"
+ },
+ {
+ "dest-uuid": "24110866-cb22-4c85-a7d2-0413e126694b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"very-likely\""
+ ],
+ "type": "similar"
  }
  ],
  "uuid": "9c124874-042d-48cd-b72b-ccdc51ecbbd6",
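Review bot: The new `"TA415"` synonym is the only one of the three added aliases with no supporting entry in `refs`: the Mandiant and MITRE links cover "Double Dragon" and "G0096", but nothing in the hunk backs the TA415 mapping. Aliases are what analysts pivot on, and an unsourced one is hard to audit when two vendors later disagree, so add the vendor report that equates TA415 with APT41 to `refs` or drop the synonym until one is available. The enclosing `meta` object begins before the hunk.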
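Review bot: The new APT41→Winnti relation is tagged `"estimative-language:likelihood-probability=\"very-likely\""`, but the reciprocal Winnti→APT41 entry added earlier in this patch (dest-uuid `9c124874-…` under cluster `24110866-…`) uses `\"likely\"`, so the same assessed similarity carries two confidence levels depending on which side is read. The Axiom↔Winnti pair in this patch is symmetric at `"likely"`. Pick one value for both directions — `\"likely\"` matches the existing entries on the Winnti cluster — and change this line to `"estimative-language:likelihood-probability=\"likely\""`. The enclosing `related` array starts before the hunk.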
@@ -9882,6 +9879,50 @@
  },
  "uuid": "e1e70539-8916-45c2-9b01-891c1c5bd8a1",
  "value": "TA558"
+ },
+ {
+ "description": "Axiom is a suspected Chinese cyber espionage group that has targeted the aerospace, defense, government, manufacturing, and media sectors since at least 2008. Some reporting suggests a degree of overlap between Axiom and Winnti Group but the two groups appear to be distinct based on differences in reporting on TTPs and targeting.",
+ "meta": {
+ "cfr-suspected-state-sponsor": "China",
+ "cfr-suspected-victims": [
+ "United States",
+ "Netherlands",
+ "Italy",
+ "Japan",
+ "United Kingdom",
+ "Belgium",
+ "Russia",
+ "Indonesia",
+ "Germany",
+ "Switzerland",
+ "China"
+ ],
+ "cfr-target-category": [
+ "Government",
+ "Private sector"
+ ],
+ "cfr-type-of-incident": "Espionage",
+ "country": "CN",
+ "refs": [
+ "cfr.org/cyber-operations/axiom",
+ "https://attack.mitre.org/groups/G0001/"
+ ],
+ "synonyms": [
+ "Group72",
+ "G0001"
+ ]
+ },
+ "related": [
+ {
+ "dest-uuid": "24110866-cb22-4c85-a7d2-0413e126694b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"likely\""
+ ],
+ "type": "similar"
+ }
+ ],
+ "uuid": "2943148b-8bc5-4bcb-b85e-f00c2174dd47",
+ "value": "Axiom"
  }
  ],
  "version": 241
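Review bot: The first ref on the new Axiom cluster, `"cfr.org/cyber-operations/axiom"`, has no scheme, unlike every other ref in this patch (the other CFR links are `https://www.cfr.org/cyber-operations/...`), so tooling that renders refs as links or validates them as URLs will reject or mis-link it; it should read `"https://www.cfr.org/cyber-operations/axiom"`. The description also names "Winnti Group", which this same patch removes as a synonym from the `24110866-…` cluster, so the text points at a name the galaxy may no longer carry; either restore that synonym or word the description around "Winnti". The deleted Winnti Umbrella cluster carried `"attribution-confidence": "50"`; if that field is expected on CFR-derived clusters, this entry should carry it as well.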