From cf727f034ce1d16048b02453cb5205e26bf92d9a Mon Sep 17 00:00:00 2001 From: Rony <49360849+r0ny123@users.noreply.github.com> Date: Sun, 26 Feb 2023 01:05:50 +0530 Subject: [PATCH 1/2] add other actor synonyms from Google's report https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf --- clusters/threat-actor.json | 24 +++++++++++++++++------- 1 file changed, 17 insertions(+), 7 deletions(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 8ddca631..1df65218 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -2339,7 +2339,8 @@ "https://www.secureworks.com/research/threat-profiles/iron-hunter", "https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/", "https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag", - "https://blog.google/threat-analysis-group/fog-of-war-how-the-ukraine-conflict-transformed-the-cyber-threat-landscape/" + "https://blog.google/threat-analysis-group/fog-of-war-how-the-ukraine-conflict-transformed-the-cyber-threat-landscape/", + "https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf" ], "synonyms": [ "Snake", @@ -2361,7 +2362,8 @@ "G0010", "ITG12", "Blue Python", - "SUMMIT" + "SUMMIT", + "UNC4210" ] }, "related": [ @@ -4216,12 +4218,14 @@ "https://blog.google/threat-analysis-group/update-on-cyber-activity-in-eastern-europe", "https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag", "https://www.microsoft.com/security/blog/2022/08/15/disrupting-seaborgiums-ongoing-phishing-operations", - "https://blog.sekoia.io/calisto-continues-its-credential-harvesting-campaign" + "https://blog.sekoia.io/calisto-continues-its-credential-harvesting-campaign", + "https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf" ], "synonyms": [ "COLDRIVER", "SEABORGIUM", - "TA446" + "TA446", + "GOSSAMER BEAR" ] }, "uuid": "fbd279ab-c095-48dc-ba48-4bece3dd5b0f", @@ -6069,13 +6073,15 @@ "https://www.secureworks.com/research/threat-profiles/bronze-president", "https://www.darkreading.com/threat-intelligence/chinese-apt-bronze-president-spy-campaign-russian-military", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", - "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf" + "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf", + "https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf" ], "synonyms": [ "BRONZE PRESIDENT", "HoneyMyte", "Red Lich", - "TEMP.HEX" + "TEMP.HEX", + "BASIN" ] }, "uuid": "78bf726c-a9e6-11e8-9e43-77249a2f7339", @@ -9008,7 +9014,11 @@ "country": "CN", "refs": [ "https://blog.google/threat-analysis-group/tracking-cyber-activity-eastern-europe", - "https://blog.google/threat-analysis-group/update-on-cyber-activity-in-eastern-europe/" + "https://blog.google/threat-analysis-group/update-on-cyber-activity-in-eastern-europe/", + "https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf" + ], + "synonyms": [ + "UNC3742" ] }, "uuid": "6ee284d9-2742-4468-851c-a61366cc9a20", From 50624af741e09c5e48340649f773890b9b818358 Mon Sep 17 00:00:00 2001 From: Rony <49360849+r0ny123@users.noreply.github.com> Date: Sat, 25 Feb 2023 20:18:09 +0000 Subject: [PATCH 2/2] add DEV-0147 https://twitter.com/MsftSecIntel/status/1625181255754039318 --- clusters/threat-actor.json | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 1df65218..9e230a81 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -10270,6 +10270,22 @@ ], "uuid": "9687a6a9-0a66-4373-b546-60553857a442", "value": "TA2536" + }, + { + "description": "DEV-0147 is a China-based cyber espionage actor was observed compromising diplomatic targets in South America, a notable expansion of the group's data exfiltration operations that traditionally targeted gov't agencies and think tanks in Asia and Europe. DEV-0147 is known to use tools like ShadowPad, a remote access trojan associated with other China-based actors, to maintain persistent access, and QuasarLoader, a webpack loader, to deploy additional malware. DEV-0147's attacks in South America included post-exploitation activity involving the abuse of on-premises identity infrastructure for recon and lateral movement, and the use of Cobalt Strike for command and control and data exfiltration.", + "meta": { + "cfr-suspected-victims": [ + "South America", + "Asia", + "European Union" + ], + "country": "CN", + "references": [ + "https://twitter.com/MsftSecIntel/status/1625181255754039318" + ] + }, + "uuid": "85f20141-1c8e-49ac-b963-eaa1fb1f4018", + "value": "DEV-0147" } ], "version": 260