Merge pull request #822 from r0ny123/patch-1

add other actor synonyms from Google's report https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf
pull/833/head
Alexandre Dulaunoy 2023-02-25 23:22:17 +01:00 committed by GitHub
commit aaf944a11c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 33 additions and 7 deletions

View File

@ -2339,7 +2339,8 @@
"https://www.secureworks.com/research/threat-profiles/iron-hunter", "https://www.secureworks.com/research/threat-profiles/iron-hunter",
"https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/", "https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/",
"https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag", "https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag",
"https://blog.google/threat-analysis-group/fog-of-war-how-the-ukraine-conflict-transformed-the-cyber-threat-landscape/" "https://blog.google/threat-analysis-group/fog-of-war-how-the-ukraine-conflict-transformed-the-cyber-threat-landscape/",
"https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf"
], ],
"synonyms": [ "synonyms": [
"Snake", "Snake",
@ -2361,7 +2362,8 @@
"G0010", "G0010",
"ITG12", "ITG12",
"Blue Python", "Blue Python",
"SUMMIT" "SUMMIT",
"UNC4210"
] ]
}, },
"related": [ "related": [
@ -4216,12 +4218,14 @@
"https://blog.google/threat-analysis-group/update-on-cyber-activity-in-eastern-europe", "https://blog.google/threat-analysis-group/update-on-cyber-activity-in-eastern-europe",
"https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag", "https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag",
"https://www.microsoft.com/security/blog/2022/08/15/disrupting-seaborgiums-ongoing-phishing-operations", "https://www.microsoft.com/security/blog/2022/08/15/disrupting-seaborgiums-ongoing-phishing-operations",
"https://blog.sekoia.io/calisto-continues-its-credential-harvesting-campaign" "https://blog.sekoia.io/calisto-continues-its-credential-harvesting-campaign",
"https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf"
], ],
"synonyms": [ "synonyms": [
"COLDRIVER", "COLDRIVER",
"SEABORGIUM", "SEABORGIUM",
"TA446" "TA446",
"GOSSAMER BEAR"
] ]
}, },
"uuid": "fbd279ab-c095-48dc-ba48-4bece3dd5b0f", "uuid": "fbd279ab-c095-48dc-ba48-4bece3dd5b0f",
@ -6069,13 +6073,15 @@
"https://www.secureworks.com/research/threat-profiles/bronze-president", "https://www.secureworks.com/research/threat-profiles/bronze-president",
"https://www.darkreading.com/threat-intelligence/chinese-apt-bronze-president-spy-campaign-russian-military", "https://www.darkreading.com/threat-intelligence/chinese-apt-bronze-president-spy-campaign-russian-military",
"https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf", "https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf",
"https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf" "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
"https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf"
], ],
"synonyms": [ "synonyms": [
"BRONZE PRESIDENT", "BRONZE PRESIDENT",
"HoneyMyte", "HoneyMyte",
"Red Lich", "Red Lich",
"TEMP.HEX" "TEMP.HEX",
"BASIN"
] ]
}, },
"uuid": "78bf726c-a9e6-11e8-9e43-77249a2f7339", "uuid": "78bf726c-a9e6-11e8-9e43-77249a2f7339",
@ -9008,7 +9014,11 @@
"country": "CN", "country": "CN",
"refs": [ "refs": [
"https://blog.google/threat-analysis-group/tracking-cyber-activity-eastern-europe", "https://blog.google/threat-analysis-group/tracking-cyber-activity-eastern-europe",
"https://blog.google/threat-analysis-group/update-on-cyber-activity-in-eastern-europe/" "https://blog.google/threat-analysis-group/update-on-cyber-activity-in-eastern-europe/",
"https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf"
],
"synonyms": [
"UNC3742"
] ]
}, },
"uuid": "6ee284d9-2742-4468-851c-a61366cc9a20", "uuid": "6ee284d9-2742-4468-851c-a61366cc9a20",
@ -10260,6 +10270,22 @@
], ],
"uuid": "9687a6a9-0a66-4373-b546-60553857a442", "uuid": "9687a6a9-0a66-4373-b546-60553857a442",
"value": "TA2536" "value": "TA2536"
},
{
"description": "DEV-0147 is a China-based cyber espionage actor was observed compromising diplomatic targets in South America, a notable expansion of the group's data exfiltration operations that traditionally targeted gov't agencies and think tanks in Asia and Europe. DEV-0147 is known to use tools like ShadowPad, a remote access trojan associated with other China-based actors, to maintain persistent access, and QuasarLoader, a webpack loader, to deploy additional malware. DEV-0147's attacks in South America included post-exploitation activity involving the abuse of on-premises identity infrastructure for recon and lateral movement, and the use of Cobalt Strike for command and control and data exfiltration.",
"meta": {
"cfr-suspected-victims": [
"South America",
"Asia",
"European Union"
],
"country": "CN",
"references": [
"https://twitter.com/MsftSecIntel/status/1625181255754039318"
]
},
"uuid": "85f20141-1c8e-49ac-b963-eaa1fb1f4018",
"value": "DEV-0147"
} }
], ],
"version": 260 "version": 260