Merge branch 'main' into threat-actors/fix-naikon-cluster

pull/749/head
Mathieu Beligon 2022-08-17 13:37:01 -07:00
commit a6242d4732
2 changed files with 197 additions and 338 deletions


@ -1893,7 +1893,19 @@
"description": "Our analysis reveals that APT33 is a capable group that has carried out cyber espionage operations since at least 2013. We assess APT33 works at the behest of the Iranian government.",
"meta": {
"attribution-confidence": "50",
"capabilities": "STONEDRILL wiper, variants of TURNEDUP malware",
"cfr-suspected-state-sponsor": "Iran (Islamic Republic of)",
"cfr-suspected-victims": [
"United States",
"Saudi Arabia",
"South Korea"
],
"cfr-target-category": [
"Private sector"
],
"cfr-type-of-incident": "Espionage",
"country": "IR",
"mode-of-operation": "IT network limited, information gathering against industrial orgs",
"refs": [
"https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html",
"https://blog.trendmicro.com/trendlabs-security-intelligence/more-than-a-dozen-obfuscated-apt33-botnets-used-for-extreme-narrow-targeting/",
@ -1901,7 +1913,10 @@
"https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage",
"https://www.secureworks.com/research/threat-profiles/cobalt-trinity",
"https://attack.mitre.org/groups/G0064/",
"https://threatconnect.com/blog/research-roundup-activity-on-previously-identified-apt33-domains/"
"https://threatconnect.com/blog/research-roundup-activity-on-previously-identified-apt33-domains/",
"https://www.cfr.org/interactive/cyber-operations/apt-33",
"https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf",
"https://dragos.com/adversaries.html"
],
"synonyms": [
"APT 33",
@ -1912,7 +1927,8 @@
"COBALT TRINITY",
"G0064",
"ATK35"
]
],
"victimology": "Petrochemical, Aerospace, Saudi Arabia"
},
"related": [
{
@ -2312,28 +2328,27 @@
"https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag"
],
"synonyms": [
"APT 28",
"APT28",
"Pawn Storm",
"PawnStorm",
"FANCY BEAR",
"Sednit",
"SNAKEMACKEREL",
"TsarTeam",
"Tsar Team",
"TG-4127",
"Group-4127",
"STRONTIUM",
"TAG_0700",
"Swallowtail",
"IRON TWILIGHT",
"Group 74",
"SIG40",
"Grizzly Steppe",
"apt_sofacy",
"G0007",
"ATK5",
"Fighting Ursa"
"Fighting Ursa",
"ITG05",
"Blue Athena",
"TA422",
"T-APT-12",
"APT-C-20",
"UAC-0028"
]
},
"related": [
@ -2353,7 +2368,7 @@
}
],
"uuid": "5b4ee3ea-eee3-4c8e-8323-85ae32658754",
"value": "Sofacy"
"value": "APT28"
},
{
"description": "A 2015 report by F-Secure describe APT29 as: 'The Dukes are a well-resourced, highly dedicated and organized cyberespionage group that we believe has been working for the Russian Federation since at least 2008 to collect intelligence in support of foreign and security policy decision-making. The Dukes show unusual confidence in their ability to continue successfully compromising their targets, as well as in their ability to operate with impunity. The Dukes primarily target Western governments and related organizations, such as government ministries and agencies, political think tanks, and governmental subcontractors. Their targets have also included the governments of members of the Commonwealth of Independent States;Asian, African, and Middle Eastern governments;organizations associated with Chechen extremism;and Russian speakers engaged in the illicit trade of controlled substances and drugs. The Dukes are known to employ a vast arsenal of malware toolsets, which we identify as MiniDuke, CosmicDuke, OnionDuke, CozyDuke, CloudDuke, SeaDuke, HammerDuke, PinchDuke, and GeminiDuke. In recent years, the Dukes have engaged in apparently biannual large - scale spear - phishing campaigns against hundreds or even thousands of recipients associated with governmental institutions and affiliated organizations. These campaigns utilize a smash - and - grab approach involving a fast but noisy breakin followed by the rapid collection and exfiltration of as much data as possible.If the compromised target is discovered to be of value, the Dukes will quickly switch the toolset used and move to using stealthier tactics focused on persistent compromise and long - term intelligence gathering. This threat actor targets government ministries and agencies in the West, Central Asia, East Africa, and the Middle East; Chechen extremist groups; Russian organized crime; and think tanks. 
It is suspected to be behind the 2015 compromise of unclassified networks at the White House, Department of State, Pentagon, and the Joint Chiefs of Staff. The threat actor includes all of the Dukes tool sets, including MiniDuke, CosmicDuke, OnionDuke, CozyDuke, SeaDuke, CloudDuke (aka MiniDionis), and HammerDuke (aka Hammertoss). '",
@ -2396,28 +2411,20 @@
"https://unit42.paloaltonetworks.com/atoms/cloaked-ursa/"
],
"synonyms": [
"Dukes",
"Group 100",
"Cozy Duke",
"CozyDuke",
"EuroAPT",
"CozyBear",
"CozyCar",
"Cozer",
"Office Monkeys",
"OfficeMonkeys",
"APT29",
"Cozy Bear",
"COZY BEAR",
"The Dukes",
"Minidionis",
"SeaDuke",
"Hammer Toss",
"YTTRIUM",
"Iron Hemlock",
"IRON HEMLOCK",
"Grizzly Steppe",
"G0016",
"ATK7",
"Cloaked Ursa"
"Cloaked Ursa",
"TA421",
"Blue Kitsune",
"ITG11"
]
},
"related": [
@ -2430,7 +2437,7 @@
}
],
"uuid": "b2056ff0-00b9-482e-b11c-c771daa5f28a",
"value": "APT 29"
"value": "APT29"
},
{
"description": "A 2014 Guardian article described Turla as: 'Dubbed the Turla hackers, initial intelligence had indicated western powers were key targets, but it was later determined embassies for Eastern Bloc nations were of more interest. Embassies in Belgium, Ukraine, China, Jordan, Greece, Kazakhstan, Armenia, Poland, and Germany were all attacked, though researchers from Kaspersky Lab and Symantec could not confirm which countries were the true targets. In one case from May 2012, the office of the prime minister of a former Soviet Union member country was infected, leading to 60 further computers being affected, Symantec researchers said. There were some other victims, including the ministry for health of a Western European country, the ministry for education of a Central American country, a state electricity provider in the Middle East and a medical organisation in the US, according to Symantec. It is believed the group was also responsible for a much - documented 2008 attack on the US Central Command. The attackers - who continue to operate - have ostensibly sought to carry out surveillance on targets and pilfer data, though their use of encryption across their networks has made it difficult to ascertain exactly what the hackers took.Kaspersky Lab, however, picked up a number of the attackers searches through their victims emails, which included terms such as Nato and EU energy dialogue Though attribution is difficult to substantiate, Russia has previously been suspected of carrying out the attacks and Symantecs Gavin O Gorman told the Guardian a number of the hackers appeared to be using Russian names and language in their notes for their malicious code. Cyrillic was also seen in use.'",
@ -2495,14 +2502,11 @@
"https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag"
],
"synonyms": [
"Turla",
"Snake",
"Venomous Bear",
"VENOMOUS Bear",
"Group 88",
"Waterbug",
"WRAITH",
"Turla Team",
"Uroburos",
"Pfinet",
"TAG_0530",
@ -2511,10 +2515,12 @@
"Pacifier APT",
"Popeye",
"SIG23",
"Iron Hunter",
"IRON HUNTER",
"MAKERSMARK",
"ATK13",
"G0010"
"G0010",
"ITG12",
"Blue Python"
]
},
"related": [
@ -2534,7 +2540,7 @@
}
],
"uuid": "fa80877c-f509-4daf-8b62-20aba1635f68",
"value": "Turla Group"
"value": "Turla"
},
{
"description": "A Russian group that collects intelligence on the energy industry.",
@ -2574,10 +2580,13 @@
"https://www.kaspersky.com/resource-center/threats/crouching-yeti-energetic-bear-malware-threat",
"https://www.sans.org/reading-room/whitepapers/ICS/impact-dragonfly-malware-industrial-control-systems-36672",
"https://attack.mitre.org/groups/G0035/",
"https://www.secureworks.com/research/resurgent-iron-liberty-targeting-energy-sector"
"https://www.secureworks.com/research/resurgent-iron-liberty-targeting-energy-sector",
"https://dragos.com/adversaries.html",
"https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf",
"https://www.cfr.org/interactive/cyber-operations/dymalloy"
],
"synonyms": [
"Beserk Bear",
"BERSERK BEAR",
"ALLANITE",
"CASTLE",
"DYMALLOY",
@ -2586,11 +2595,13 @@
"Crouching Yeti",
"Group 24",
"Havex",
"CrouchingYeti",
"Koala Team",
"IRON LIBERTY",
"G0035",
"ATK6"
"ATK6",
"ITG15",
"BROMINE",
"Blue Kraken"
]
},
"related": [
@ -2603,7 +2614,7 @@
}
],
"uuid": "64d6559c-6d5c-4585-bbf9-c17868f763ee",
"value": "Energetic Bear"
"value": "ENERGETIC BEAR"
},
{
"description": "This threat actor targets industrial control systems, using a tool called Black Energy, associated with electricity and power generation for espionage, denial of service, and data destruction purposes. Some believe that the threat actor is linked to the 2015 compromise of the Ukrainian electrical grid and a distributed denial of service prior to the Russian invasion of Georgia. Believed to be responsible for the 2008 DDoS attacks in Georgia and the 2015 Ukraine power grid outage",
@ -2635,19 +2646,29 @@
"https://ics.sans.org/blog/2016/01/09/confirmation-of-a-coordinated-attack-on-the-ukrainian-power-grid",
"https://web.archive.org/web/20141016132823/https://www.symantec.com/connect/blogs/sandworm-windows-zero-day-vulnerability-being-actively-exploited-targeted-attacks",
"https://ics.sans.org/blog/2015/12/30/current-reporting-on-the-cyber-attack-in-ukraine-resulting-in-power-outage",
"https://blog.trendmicro.com/trendlabs-security-intelligence/timeline-of-sandworm-attacks/",
"https://attack.mitre.org/groups/G0034/",
"https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag"
"https://blog.trendmicro.com/trendlabs-security-intelligence/timeline-of-sandworm-attacks",
"https://attack.mitre.org/groups/G0034",
"https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag",
"https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf",
"https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf",
"https://dragos.com/adversaries.html",
"http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks",
"https://www.welivesecurity.com/2017/01/05/killdisk-now-targeting-linux-demands-250k-ransom-cant-decrypt",
"https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine",
"https://www.welivesecurity.com/2017/05/23/xdata-ransomware-making-rounds-amid-global-wannacryptor-scare",
"https://www.welivesecurity.com/2017/06/27/new-ransomware-attack-hits-ukraine",
"https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back"
],
"synonyms": [
"Sandworm Team",
"Black Energy",
"BlackEnergy",
"Quedagh",
"VOODOO BEAR",
"TEMP.Noble",
"Iron Viking",
"G0034"
"IRON VIKING",
"G0034",
"ELECTRUM",
"TeleBots",
"IRIDIUM",
"Blue Echidna"
]
},
"related": [
@ -2683,50 +2704,6 @@
"uuid": "f512de42-f76b-40d2-9923-59e7dbdfec35",
"value": "Sandworm"
},
{
"description": "We will refer to the gang behind the malware as TeleBots. However its important to say that these attackers, and the toolset used, share a number of similarities with the BlackEnergy group, which conducted attacks against the energy industry in Ukraine in December 2015 and January 2016. In fact, we think that the BlackEnergy group has evolved into the TeleBots group. TeleBots appear to be associated with Sandworm Team, Iron Viking, Voodoo Bear.",
"meta": {
"attribution-confidence": "50",
"country": "RU",
"refs": [
"http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/",
"https://www.welivesecurity.com/2017/01/05/killdisk-now-targeting-linux-demands-250k-ransom-cant-decrypt/",
"https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/",
"https://www.welivesecurity.com/2017/05/23/xdata-ransomware-making-rounds-amid-global-wannacryptor-scare/",
"https://www.welivesecurity.com/2017/06/27/new-ransomware-attack-hits-ukraine/",
"https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/",
"https://blog.trendmicro.com/trendlabs-security-intelligence/timeline-of-sandworm-attacks/"
],
"synonyms": [
"Sandworm"
]
},
"related": [
{
"dest-uuid": "381fcf73-60f6-4ab2-9991-6af3cbc35192",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "f512de42-f76b-40d2-9923-59e7dbdfec35",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "feac86e4-6bb2-4ba0-ac99-806aeb0a776c",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "b47250ec-2094-4d06-b658-11456e05fe89",
"value": "TeleBots"
},
{
"description": "Groups targeting financial organizations or people with significant financial assets.",
"meta": {
@ -2816,7 +2793,6 @@
"synonyms": [
"TeamSpy",
"Team Bear",
"Berserk Bear",
"Anger Bear",
"IRON LYRIC"
]
@ -2851,23 +2827,6 @@
"uuid": "b737c51f-b579-49d5-a907-743b2e6d03cb",
"value": "BuhTrap"
},
{
"meta": {
"attribution-confidence": "50",
"country": "RU"
},
"related": [
{
"dest-uuid": "82c1c7fa-c67b-4be6-9be8-8aa400ef2445",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "90ef600f-5198-44a9-a2c6-de4b4d9d8624",
"value": "Berserk Bear"
},
{
"description": "FIN4 is a financially-motivated threat group that has targeted confidential information related to the public financial market, particularly regarding healthcare and pharmaceutical companies, since at least 2013. FIN4 is unique in that they do not infect victims with typical persistent malware, but rather they focus on capturing credentials authorized to access email and other non-public correspondence.",
"meta": {
@ -4214,23 +4173,37 @@
"refs": [
"http://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution",
"https://www.lookingglasscyber.com/wp-content/uploads/2015/08/Operation_Armageddon_Final.pdf",
"https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution/",
"https://attack.mitre.org/groups/G0047/",
"https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution",
"https://attack.mitre.org/groups/G0047",
"https://github.com/StrangerealIntel/CyberThreatIntel/tree/master/Russia/APT/Gamaredon",
"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf",
"https://www.welivesecurity.com/2020/06/18/digging-up-invisimole-hidden-arsenal/",
"https://www.welivesecurity.com/2020/06/18/digging-up-invisimole-hidden-arsenal",
"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine",
"https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/",
"https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/",
"https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/",
"https://unit42.paloaltonetworks.com/atoms/tridentursa/"
"https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations",
"https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game",
"https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021",
"https://go.recordedfuture.com/hubfs/reports/cta-2019-1212.pdf",
"https://unit42.paloaltonetworks.com/atoms/tridentursa",
"https://cert.gov.ua/article/1229152",
"https://cert.gov.ua/article/971405",
"https://cert.gov.ua/article/40240",
"https://cert.gov.ua/article/39386",
"https://cert.gov.ua/article/39086",
"https://cert.gov.ua/article/39138",
"https://cert.gov.ua/article/18365"
],
"synonyms": [
"Primitive Bear",
"Shuckworm",
"ACTINIUM",
"DEV-0157",
"Blue Otso",
"BlueAlpha",
"G0047",
"Trident Ursa"
"IRON TILDEN",
"PRIMITIVE BEAR",
"Shuckworm",
"Trident Ursa",
"UAC-0010",
"Winterflounder"
]
},
"related": [
@ -4402,12 +4375,19 @@
{
"description": "The Callisto Group is an advanced threat actor whose known targets include military personnel, government officials, think tanks, and journalists in Europe and the South Caucasus. Their primary interest appears to be gathering intelligence related to foreign and security policy in the Eastern Europe and South Caucasus regions.",
"meta": {
"country": "RU",
"refs": [
"https://www.f-secure.com/documents/996508/1030745/callisto-group",
"https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag"
"https://blog.google/threat-analysis-group/tracking-cyber-activity-eastern-europe",
"https://blog.google/threat-analysis-group/update-on-cyber-activity-in-eastern-europe",
"https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag",
"https://www.microsoft.com/security/blog/2022/08/15/disrupting-seaborgiums-ongoing-phishing-operations",
"https://blog.sekoia.io/calisto-continues-its-credential-harvesting-campaign"
],
"synonyms": [
"COLDRIVER"
"COLDRIVER",
"SEABORGIUM",
"TA446"
]
},
"uuid": "fbd279ab-c095-48dc-ba48-4bece3dd5b0f",
@ -4551,49 +4531,6 @@
"uuid": "1fc5671f-5757-43bf-8d6d-a9a93b03713a",
"value": "PLATINUM"
},
{
"description": "Adversaries abusing ICS (based on Dragos Inc adversary list). Dragos, Inc. tracks the adversary group behind CRASHOVERRIDE as ELECTRUM and assesses with high confidence through confidential sources that ELECTRUM has direct ties to the Sandworm team. Our intelligence ICS WorldView customers have received a comprehensive report and this industry report will not get into sensitive technical details but instead focus on information needed for defense and impact awareness.",
"meta": {
"capabilities": "CRASHOVERRIDE",
"mode-of-operation": "Electric grid disruption and long-term persistence",
"refs": [
"https://dragos.com/blog/crashoverride/CrashOverride-01.pdf",
"https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf",
"https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf",
"https://dragos.com/adversaries.html"
],
"since": "2016",
"synonyms": [
"Sandworm"
],
"victimology": "Ukraine, Electric Utilities"
},
"related": [
{
"dest-uuid": "381fcf73-60f6-4ab2-9991-6af3cbc35192",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "f512de42-f76b-40d2-9923-59e7dbdfec35",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "b47250ec-2094-4d06-b658-11456e05fe89",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "feac86e4-6bb2-4ba0-ac99-806aeb0a776c",
"value": "ELECTRUM"
},
{
"description": "Dragos has identified a new activity group targeting access operations in the electric utility sector. We call this activity group RASPITE. Analysis of RASPITE tactics, techniques, and procedures (TTPs) indicate the group has been active in some form since early- to mid-2017. RASPITE targeting includes entities in the US, Middle East, Europe, and East Asia. Operations against electric utility organizations appear limited to the US at this time. RASPITE leverages strategic website compromise to gain initial access to target networks. RASPITE uses the same methodology as DYMALLOY and ALLANITE in embedding a link to a resource to prompt an SMB connection, from which it harvests Windows credentials. The group then deploys install scripts for a malicious service to beacon back to RASPITE-controlled infrastructure, allowing the adversary to remotely access the victim machine.",
"meta": {
@ -5667,23 +5604,6 @@
"uuid": "7d78ec00-dfdc-4a80-a4da-63f1ae63bd7f",
"value": "MoneyTaker"
},
{
"description": "Were already used to the fact that complex cyberattacks use 0-day vulnerabilities, bypassing digital signature checks, virtual file systems, non-standard encryption algorithms and other tricks. Sometimes, however, all of this may be done in much simpler ways, as was the case in the malicious campaign that we detected a while ago we named it Microcin after microini, one of the malicious components used in it.",
"meta": {
"refs": [
"https://securelist.com/a-simple-example-of-a-complex-cyberattack/82636/",
"https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07170759/Microcin_Technical_4PDF_eng_final_s.pdf",
"https://securelist.com/apt-trends-report-q2-2019/91897/",
"https://www.welivesecurity.com/2020/05/14/mikroceen-spying-backdoor-high-profile-networks-central-asia/",
"https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia/"
],
"synonyms": [
"SixLittleMonkeys"
]
},
"uuid": "0a6b31cd-54cd-4f82-9b87-aab780604632",
"value": "Microcin"
},
{
"description": "Lookout and Electronic Frontier Foundation (EFF) have discovered Dark Caracal, a persistent and prolific actor, who at the time of writing is believed to be administered out of a building belonging to the Lebanese General Security Directorate in Beirut. At present, we have knowledge of hundreds of gigabytes of exfiltrated data, in 21+ countries, across thousands of victims. Stolen data includes enterprise intellectual property and personally identifiable information.",
"meta": {
@ -6042,83 +5962,6 @@
"uuid": "a0082cfa-32e2-42b8-92d8-5c7a7409dcf1",
"value": "CHRYSENE"
},
{
"description": "Adversaries abusing ICS (based on Dragos Inc adversary list).\nThis threat actor targets industrial control systems in Turkey, Europe, and North America.\n Believed to be linked to Crouching Yeti",
"meta": {
"attribution-confidence": "50",
"capabilities": "GOODOR, DORSHEL, KARAGANY, Mimikatz",
"cfr-suspected-state-sponsor": "Unknown",
"cfr-suspected-victims": [
"Turkey"
],
"cfr-target-category": [
"Private sector"
],
"cfr-type-of-incident": "Espionage",
"mode-of-operation": "Deep ICS environment information gathering, operator credentials, industrial process details",
"refs": [
"https://dragos.com/adversaries.html",
"https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf",
"https://www.cfr.org/interactive/cyber-operations/dymalloy"
],
"since": "2016",
"synonyms": [
"Dragonfly 2.0",
"Dragonfly2",
"Berserker Bear"
],
"victimology": "Turkey, Europe, US"
},
"uuid": "a08ab076-33c1-4350-b021-650c34277f2d",
"value": "DYMALLOY"
},
{
"description": "Adversaries abusing ICS (based on Dragos Inc adversary list).",
"meta": {
"attribution-confidence": "50",
"capabilities": "STONEDRILL wiper, variants of TURNEDUP malware",
"cfr-suspected-state-sponsor": "Iran (Islamic Republic of)",
"cfr-suspected-victims": [
"United States",
"Saudi Arabia",
"South Korea"
],
"cfr-target-category": [
"Private sector"
],
"cfr-type-of-incident": "Espionage",
"country": "IR",
"mode-of-operation": "IT network limited, information gathering against industrial orgs",
"refs": [
"https://dragos.com/adversaries.html",
"https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf",
"https://www.cfr.org/interactive/cyber-operations/apt-33"
],
"since": "2016",
"synonyms": [
"APT33"
],
"victimology": "Petrochemical, Aerospace, Saudi Arabia"
},
"related": [
{
"dest-uuid": "fbd29c89-18ba-4c2d-b792-51c0adee049f",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
},
{
"dest-uuid": "4f69ec6d-cb6b-42af-b8e2-920a2aa4be10",
"tags": [
"estimative-language:likelihood-probability=\"likely\""
],
"type": "similar"
}
],
"uuid": "accd848b-b8f4-46ba-a408-9063b35cfbf2",
"value": "MAGNALLIUM"
},
{
"description": "Adversaries abusing ICS (based on Dragos Inc adversary list).",
"meta": {
@ -6327,33 +6170,66 @@
"description": "This threat actor uses spear-phishing techniques to target private-sector energy, defense, aerospace, research, and media organizations and embassies in Africa, Europe, and the Middle East, for the purpose of espionage.",
"meta": {
"attribution-confidence": "50",
"cfr-suspected-state-sponsor": "Unknown",
"cfr-suspected-state-sponsor": "Russian Federation",
"cfr-suspected-victims": [
"South Africa",
"Malaysia",
"Afghanistan",
"Armenia",
"Azerbaijan",
"Belarus",
"Belgium",
"Czech Republic",
"Greece",
"India",
"Iran",
"Italy",
"Kazakhstan",
"Kenya",
"Malaysia",
"Russia",
"South Africa",
"Suriname",
"United Kingdom"
"Turkmenistan",
"Ukraine",
"United Kingdom",
"United States",
"Vietnam"
],
"cfr-target-category": [
"Government",
"Private sector"
],
"cfr-type-of-incident": "Espionage",
"country": "RU",
"refs": [
"https://www.cfr.org/interactive/cyber-operations/inception-framework",
"https://web.archive.org/web/20160710180729/https://www.bluecoat.com/security-blog/2014-12-09/blue-coat-exposes-%E2%80%9C-inception-framework%E2%80%9D-very-sophisticated-layered-malware",
"https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/Inception_APT_Analysis_Bluecoat.pdf",
"https://logrhythm.com/blog/catching-the-inception-framework-phishing-attack/",
"https://logrhythm.com/blog/catching-the-inception-framework-phishing-attack",
"https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/bcs_wp_InceptionReport_EN_v12914.pdf",
"https://securelist.com/red-october-diplomatic-cyber-attacks-investigation/36740/",
"https://securelist.com/the-red-october-campaign/57647",
"https://securelist.com/red-october-diplomatic-cyber-attacks-investigation/36740",
"https://securelist.com/red-october-part-two-the-modules/57645",
"https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083",
"https://securelist.com/an-undocumented-word-feature-abused-by-attackers/81899",
"https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability",
"https://securelist.com/recent-cloud-atlas-activity/92016",
"https://www.symantec.com/blogs/threat-intelligence/inception-framework-hiding-behind-proxies",
"https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/",
"https://www.akamai.com/uk/en/multimedia/documents/white-paper/upnproxy-blackhat-proxies-via-nat-injections-white-paper.pdf",
"https://unit42.paloaltonetworks.com/atoms/clean-ursa/"
"https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
"https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-annex-download.pdf",
"https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf",
"https://unit42.paloaltonetworks.com/atoms/clean-ursa",
"https://www.cfr.org/interactive/cyber-operations/cloud-atlas",
"https://www.cfr.org/cyber-operations/red-october",
"https://attack.mitre.org/groups/G0100"
],
"synonyms": [
"Clean Ursa"
"Clean Ursa",
"Cloud Atlas",
"OXYGEN",
"G0100",
"ATK116",
"Blue Odin"
]
},
"uuid": "71ef51ca-a791-11e8-a026-07980ca910ca",
@ -6549,73 +6425,6 @@
"uuid": "75ae52b2-bca3-11e8-af90-a78f33eee6c1",
"value": "Operation BugDrop"
},
{
"description": "This threat actor targets governments, diplomatic missions, academics, and energy and aerospace organizations for the purpose of espionage. Also known as the Rocra and believed to be the same threat actor as Cloud Atlas",
"meta": {
"attribution-confidence": "50",
"cfr-suspected-state-sponsor": "Russian Federation",
"cfr-suspected-victims": [
"Russia",
"Belgium",
"Armenia",
"Ukraine",
"Belarus",
"Kazakhstan",
"India",
"Iran",
"United States",
"Greece",
"Azerbaijan",
"Afghanistan",
"Turkmenistan",
"Vietnam",
"Italy"
],
"cfr-target-category": [
"Government",
"Private sector"
],
"cfr-type-of-incident": "Espionage",
"country": "RU",
"refs": [
"https://www.cfr.org/interactive/cyber-operations/red-october"
],
"synonyms": [
"the Rocra"
]
},
"uuid": "358b8982-bcaa-11e8-8a5b-4b618197c5b0",
"value": "Red October"
},
{
"description": "This threat actor targets governments and diplomatic organizations for espionage purposes.",
"meta": {
"attribution-confidence": "50",
"cfr-suspected-state-sponsor": "Russian Federation",
"cfr-suspected-victims": [
"Russia",
"India",
"Kazakhstan",
"Czech Republic",
"Belarus"
],
"cfr-target-category": [
"Government"
],
"cfr-type-of-incident": "Espionage",
"country": "RU",
"refs": [
"https://www.cfr.org/interactive/cyber-operations/cloud-atlas",
"https://attack.mitre.org/groups/G0100/"
],
"synonyms": [
"ATK116",
"G0100"
]
},
"uuid": "1572f618-bcb3-11e8-841b-1fd7f9cfe126",
"value": "Cloud Atlas"
},
{
"description": "This threat actor compromises civil society groups the Chinese Communist Party views as hostile to its interests, such as Tibetan, Uyghur, Hong Kong, and Taiwanese activist. The threat actor also targeted the Myanmar electoral commission. ",
"meta": {
@ -9886,11 +9695,19 @@
"country": "CN",
"refs": [
"https://securelist.com/microcin-is-here/97353",
"https://securelist.com/a-simple-example-of-a-complex-cyberattack/82636",
"https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia",
"https://www.welivesecurity.com/2020/05/14/mikroceen-spying-backdoor-high-profile-networks-central-asia",
"https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign",
"https://unit42.paloaltonetworks.com/unit42-threat-actors-target-government-belarus-using-cmstar-trojan",
"https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07170759/Microcin_Technical_4PDF_eng_final_s.pdf"
"https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07170759/Microcin_Technical_4PDF_eng_final_s.pdf",
"https://securelist.com/apt-trends-report-q2-2019/91897",
"https://securelist.com/apt-trends-report-q2-2020/97937",
"https://securelist.com/it-threat-evolution-q2-2020/98230",
"https://securelist.com/apt-trends-report-q3-2021/104708"
],
"synonyms": [
"SixLittleMonkeys"
]
},
"uuid": "68d8c25b-8595-4c20-a5c7-a11a2a34b717",
@ -9957,12 +9774,29 @@
"meta": {
"attribution-confidence": "75",
"cfr-suspected-state-sponsor": "China",
"cfr-suspected-victims": [
"China",
"Hong Kong",
"Kazakhstan",
"Taiwan",
"Philippines"
],
"cfr-target-category": [
"Private Sector"
"Private Sector",
"Gambling companies",
"Gaming",
"Information technology",
"Telecommunications",
"Government",
"Transportation systems",
"Dissident"
],
"country": "CN",
"refs": [
"https://i.blackhat.com/Asia-22/Friday-Materials/AS-22-Li-To-Loot-Or-Not-To-Loot-That-Is-Not-a-Question.pdf"
"https://i.blackhat.com/Asia-22/Friday-Materials/AS-22-Li-To-Loot-Or-Not-To-Loot-That-Is-Not-a-Question.pdf",
"https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf",
"https://decoded.avast.io/luigicamastra/operation-dragon-castling-apt-group-targeting-betting-companies",
"https://github.com/avast/ioc/tree/master/OperationDragonCastling"
]
},
"uuid": "a3831248-5e2f-492d-8bb6-5e82c2f6481d",
@ -9977,7 +9811,6 @@
],
"country": "CN",
"refs": [
"https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf",
"https://i.blackhat.com/Asia-22/Friday-Materials/AS-22-Li-To-Loot-Or-Not-To-Loot-That-Is-Not-a-Question.pdf"
]
},
@ -10020,5 +9853,5 @@
"value": "Goblin Panda"
}
],
"version": 239
"version": 241
}
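Review bot: Nothing in this section rewrites the `related`/`dest-uuid` links that pointed at the entries it deletes (TeleBots b47250ec-…, ELECTRUM feac86e4-…, Berserk Bear 90ef600f-…, Microcin 0a6b31cd-…, DYMALLOY a08ab076-…, MAGNALLIUM accd848b-…, Red October 358b8982-…, Cloud Atlas 1572f618-…), so any entry that linked to them is left with a dangling UUID. The removed ELECTRUM and TeleBots objects both link to 381fcf73-… and to Sandworm f512de42-…, and the hunk at -2683 begins on Sandworm's own `uuid` line, so Sandworm's `related` block is outside the diff and presumably still carries the reciprocal `dest-uuid` values for the two deleted objects; the same question applies to MAGNALLIUM's targets fbd29c89-… and 4f69ec6d-… and to Berserk Bear's link to 82c1c7fa-…. Before merging, search this cluster and the other galaxies for each deleted UUID and either repoint those `dest-uuid` values at the surviving entry (e.g. `"dest-uuid": "f512de42-f76b-40d2-9923-59e7dbdfec35"` for the ELECTRUM/TeleBots links) or record the old→new UUID mapping so consumers that stored the old identifiers can still resolve them.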


@ -8485,6 +8485,32 @@
"uuid": "f43a3828-a3b6-11ec-80e1-55a8e5815c2c",
"value": "BadPotato"
},
{
"description": "A simple RAT used by Vicious Panda",
"meta": {
"refs": [
"https://securelist.com/microcin-is-here/97353",
"https://securelist.com/a-simple-example-of-a-complex-cyberattack/82636",
"https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia",
"https://www.welivesecurity.com/2020/05/14/mikroceen-spying-backdoor-high-profile-networks-central-asia",
"https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign"
],
"synonyms": [
"Mikroceen"
],
"type": [
"RAT"
]
},
"related": [
{
"dest-uuid": "68d8c25b-8595-4c20-a5c7-a11a2a34b717",
"type": "used-by"
}
],
"uuid": "7d17dabf-a68e-4eda-a18f-26868ced8e73",
"value": "Microcin"
},
{
"description": "The Esile campaign was named after certain strings found in the unpacked malware file that it sends out. All of the malware related to this campaign are detected as BKDR_ESILE variants.",
"meta": {
@ -8509,5 +8535,5 @@
"value": "Esile"
}
],
"version": 150
"version": 152
}
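Review bot: The new `related` entry in the Microcin object carries only `dest-uuid` and `type`, while every `related` entry visible in the companion threat-actor file also carries `"tags": ["estimative-language:likelihood-probability=\"likely\""]`; if the tool cluster follows the same convention, this entry should state its confidence the same way rather than implying certainty by omission. The link is declared only from the tool side (`"type": "used-by"` toward 68d8c25b-…); whether the actor object is expected to carry a reciprocal `uses` relation is not something I can confirm from this page, so please check against how other tool↔actor pairs in this cluster are written.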