From bf0d1d27cae4a9b2aa2b65f1363d15550b337127 Mon Sep 17 00:00:00 2001
From: Siri Bromander
Date: Tue, 7 Nov 2017 11:07:23 +0100
Subject: [PATCH] Updated with data from APT Groups and Operations
---
 clusters/threat-actor.json | 710 ++++++++++++++++++++++++++++++++++---
 1 file changed, 652 insertions(+), 58 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 18832e5b..c44713f3 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -11,7 +11,8 @@
 "Byzantine Candor",
 "Group 3",
 "TG-8223",
- "Comment Group"
+ "Comment Group",
+ "Brown Fox"
 ],
 "country": "CN",
 "refs": [
@@ -48,10 +49,14 @@
 "country": "CN",
 "refs": [
 "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks",
+ "http://www.isightpartners.com/2015/02/codoso/#sthash.VJMDVPQB.dpuf",
+ "http://researchcenter.paloaltonetworks.com/2016/01/new-attacks-linked-to-c0d0s0-group/",
 "https://www.nytimes.com/2016/06/12/technology/the-chinese-hackers-in-the-back-office.html"
 ],
 "synonyms": [
 "C0d0so",
+ "APT19",
+ "APT 19",
 "Sunshop Group"
 ]
 }
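Review bot: The added isightpartners reference carries a ShareThis tracking fragment, `#sthash.VJMDVPQB.dpuf`, that is not part of the resource locator and should be stripped before the URL lands in the refs array, giving `"http://www.isightpartners.com/2015/02/codoso/"`. The same class of artefact appears in later hunks: the Forbes reference in the OilRig hunk (`#56749aa2468a`), the `#.WS3IBVFV4no.twitter` and `#.V-wnrubaeEU.twitter` fragments on the new TA459 and Cyber Berkut entries, and the WSJ link on the new Tonto Team entry, whose `emailToken=` query parameter looks like a per-recipient token rather than a stable identifier and does not belong in a public dataset. Fragments and personalised query strings also defeat URL-based de-duplication of refs across clusters.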
@@ -76,44 +81,65 @@
 },
 {
 "meta": {
- "country": "CN"
+ "country": "CN",
+ "synonyms": [
+ "temp.bottle"
+ ]
 },
 "value": "Keyhole Panda"
 },
 {
 "meta": {
- "country": "CN"
+ "country": "CN",
+ "refs": [
+ "http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf"
+ ]
 },
 "value": "Wet Panda"
 },
 {
 "meta": {
- "country": "CN"
+ "country": "CN",
+ "refs": [
+ "https://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf"
+ ]
 },
 "value": "Foxy Panda",
 "description": "Adversary group targeting telecommunication and technology organizations."
 },
 {
 "meta": {
- "country": "CN"
+ "country": "CN",
+ "refs": [
+ "http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf"
+ ]
 },
 "value": "Predator Panda"
 },
 {
 "meta": {
- "country": "CN"
+ "country": "CN",
+ "refs": [
+ "http://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf"
+ ]
 },
 "value": "Union Panda"
 },
 {
 "meta": {
- "country": "CN"
+ "country": "CN",
+ "refs": [
+ "http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf"
+ ]
 },
 "value": "Spicy Panda"
 },
 {
 "meta": {
- "country": "CN"
+ "country": "CN",
+ "refs": [
+ "http://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf"
+ ]
 },
 "value": "Eloquent Panda"
 },
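Review bot: The same SANS summit PDF is referenced with `https://files.sans.org/...` on Foxy Panda but with `http://files.sans.org/...` on Union Panda and Eloquent Panda, so the three refs will not compare equal to any consumer that de-duplicates or cross-links sources by URL; normalise all three to the `https://` form. The new Keyhole Panda synonym `"temp.bottle"` is also lower-cased where the file otherwise writes this vendor prefix as `"TEMP.Hippo"`, `"TEMP.Avengers"` and `"TEMP.Noble"`, which matters because synonym matching in this dataset is string-based; `"TEMP.Bottle"` would match the existing convention.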
@@ -169,11 +195,18 @@
 "meta": {
 "synonyms": [
 "DUBNIUM",
- "Fallout Team"
+ "Fallout Team",
+ "Karba",
+ "Luder",
+ "Nemim",
+ "Tapaoux"
 ],
 "refs": [
 "https://securelist.com/blog/research/71713/darkhotels-attacks-in-2015/",
- "https://blogs.technet.microsoft.com/mmpc/2016/06/09/reverse-engineering-dubnium-2"
+ "https://blogs.technet.microsoft.com/mmpc/2016/06/09/reverse-engineering-dubnium-2",
+ "https://securelist.com/blog/research/66779/the-darkhotel-apt/",
+ "http://drops.wooyun.org/tips/11726",
+ "https://labs.bitdefender.com/wp-content/uploads/downloads/inexsmar-an-unusual-darkhotel-campaign/"
 ]
 },
 "value": "DarkHotel",
@@ -187,6 +220,8 @@
 "BeeBus",
 "Group 22",
 "DynCalc",
+ "Calc Team",
+ "DNSCalc",
 "Crimson Iron",
 "APT12",
 "APT 12"
@@ -234,6 +269,7 @@
 "TG-0416",
 "APT 18",
 "SCANDIUM",
+ "PLA Navy",
 "APT18"
 ],
 "country": "CN",
@@ -269,6 +305,11 @@
 "Blackfly",
 "Lead",
 "Wicked Spider",
+ "APT17",
+ "APT 17",
+ "Dogfish",
+ "Deputy Dog",
+ "Wicked Panda",
 "Barium"
 ],
 "country": "CN",
@@ -306,6 +347,8 @@
 "meta": {
 "synonyms": [
 "PLA Unit 78020",
+ "APT 30",
+ "APT30",
 "Override Panda",
 "Camerashy",
 "APT.Naikon"
@@ -338,14 +381,22 @@
 "synonyms": [
 "Elise"
 ],
- "country": "CN"
+ "country": "CN",
+ "refs": [
+ "http://www.crowdstrike.com/blog/rhetoric-foreshadows-cyber-activity-in-the-south-china-sea/"
+ ]
 },
 "value": "Lotus Panda"
 },
 {
 "meta": {
+ "synonyms": [
+ "Black Vine",
+ "TEMP.Avengers"
+ ],
 "country": "CN",
 "refs": [
+ "http://www.crowdstrike.com/blog/cyber-deterrence-in-action-a-story-of-one-long-hurricane-panda-campaign/",
 "http://www.crowdstrike.com/blog/cyber-deterrence-in-action-a-story-of-one-long-hurricane-panda-campaign/"
 ]
 },
@@ -358,6 +409,8 @@
 "APT 27",
 "TEMP.Hippo",
 "Group 35",
+ "Bronze Union",
+ "ZipToken",
 "HIPPOTeam",
 "APT27",
 "Operation Iron Tiger"
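Review bot: `"PLA Navy"` is added as a synonym of the APT18 cluster in the `@@ -234` hunk while the context of the later `@@ -543` hunk shows it is already a synonym of the APT4 cluster, so one name now resolves to two clusters. The same pattern recurs in this patch: `"Cobalt Gypsy"` is added to both Cleaver (`@@ -714`) and OilRig (`@@ -1262`), and `"Sandworm"`, which is the `value` of its own cluster, is added as a synonym of TeleBots (`@@ -865`) and of the Industroyer-referenced cluster (`@@ -1581`). A synonym should identify exactly one cluster; if the intent is to record an overlap or an attribution assessment, that belongs in the entry's `description` or a ref, not in `synonyms`, and any name-uniqueness check the galaxy tooling performs is likely to reject these collisions.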
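Review bot: In the `@@ -338` hunk the added Hurricane Panda ref is byte-identical to the existing entry on the very next line, so the refs array now holds the same URL twice; drop the `+ "http://www.crowdstrike.com/blog/cyber-deterrence-in-action-a-story-of-one-long-hurricane-panda-campaign/",` line. The same duplication happens in the Carbanak hunk (`@@ -880`), where the proofpoint bateleur URL is re-added below its existing entry, and in the OilRig hunk (`@@ -1262`), where the 2016/05 helminth-backdoor URL appears twice in the same array. A quick pre-commit check that each `refs` array has unique members would have caught all three.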
@@ -436,11 +489,13 @@
 "Playful Dragon",
 "APT 15",
 "Metushy",
+ "Lurid",
 "Social Network Team"
 ],
 "country": "CN",
 "refs": [
- "https://www.fireeye.com/blog/threat-research/2014/09/forced-to-adapt-xslcmd-backdoor-now-on-os-x.html"
+ "https://www.fireeye.com/blog/threat-research/2014/09/forced-to-adapt-xslcmd-backdoor-now-on-os-x.html",
+ "http://arstechnica.com/security/2015/04/elite-cyber-crime-group-strikes-back-after-attack-by-rival-apt-gang/"
 ]
 },
 "value": "Mirage"
@@ -482,7 +537,8 @@
 ],
 "country": "CN",
 "refs": [
- "https://securelist.com/blog/research/57331/the-icefog-apt-a-tale-of-cloak-and-three-daggers/"
+ "https://securelist.com/blog/research/57331/the-icefog-apt-a-tale-of-cloak-and-three-daggers/",
+ "https://securelist.com/blog/incidents/58209/the-icefog-apt-hits-us-targets-with-java-backdoor/"
 ]
 },
 "value": "Ice Fog",
@@ -543,6 +599,7 @@
 "PLA Navy",
 "APT4",
 "APT 4",
+ "Wisp Team",
 "Getkys",
 "SykipotGroup",
 "Wkysol"
@@ -569,6 +626,8 @@
 "synonyms": [
 "APT20",
 "APT 20",
+ "APT8",
+ "APT 8",
 "TH3Bug"
 ]
 },
@@ -605,7 +664,8 @@
 "meta": {
 "country": "CN",
 "refs": [
- "https://community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india"
+ "https://community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india",
+ "http://www.crowdstrike.com/blog/rhetoric-foreshadows-cyber-activity-in-the-south-china-sea/"
 ],
 "synonyms": [
 "APT23",
@@ -625,7 +685,8 @@
 "Group 26"
 ],
 "refs": [
- "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-operation-saffron-rose.pdf"
+ "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-operation-saffron-rose.pdf",
+ "https://www.crowdstrike.com/blog/cat-scratch-fever-crowdstrike-tracks-newly-reported-iranian-actor-flying-kitten/"
 ]
 },
 "value": "Flying Kitten",
@@ -653,11 +714,20 @@
 "synonyms": [
 "Newscaster",
 "Parastoo",
+ "iKittens",
 "Group 83",
 "Newsbeef"
 ],
 "refs": [
- "https://en.wikipedia.org/wiki/Operation_Newscaster"
+ "https://en.wikipedia.org/wiki/Operation_Newscaster",
+ "https://iranthreats.github.io/resources/macdownloader-macos-malware/",
+ "https://www.isightpartners.com/2014/05/newscaster-iranian-threat-inside-social-media/",
+ "https://www.forbes.com/sites/thomasbrewster/2017/07/27/iran-hackers-oilrig-use-fake-personas-on-facebook-linkedin-for-cyberespionage/",
+ "https://cryptome.org/2012/11/parastoo-hacks-iaea.htm",
+ "https://securelist.com/files/2017/03/Report_Shamoon_StoneDrill_final.pdf",
+ "https://securelist.com/blog/software/74503/freezer-paper-around-free-meat/",
+ "https://www.verfassungsschutz.de/download/broschuere-2016-10-bfv-cyber-brief-2016-04.pdf",
+ "https://github.com/gasgas4/APT_CyberCriminal_Campagin/tree/master/2014/2014.05.28.NewsCaster_An_Iranian_Threat_Within_Social_Networks"
 ]
 },
 "value": "Charming Kitten",
@@ -692,7 +762,8 @@
 "synonyms": [
 "TEMP.Beanie",
 "Operation Woolen Goldfish",
- "Thamar Reservoir"
+ "Thamar Reservoir",
+ "Timberworm"
 ],
 "country": "IR",
 "refs": [
@@ -700,7 +771,10 @@
 "https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-the-spy-kittens-are-back.pdf",
 "http://www.clearskysec.com/thamar-reservoir/",
 "https://citizenlab.org/2015/08/iran_two_factor_phishing/",
- "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf"
+ "https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf",
+ "https://www.symantec.com/connect/blogs/shamoon-multi-staged-destructive-attacks-limited-specific-targets",
+ "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/",
+ "https://en.wikipedia.org/wiki/Rocket_Kitten"
 ]
 },
 "description": "Targets Saudi Arabia, Israel, US, Iran, high ranking defense officials, embassies of various target countries, notable Iran researchers, human rights activists, media and journalists, academic institutions and various scholars, including scientists in the fields of physics and nuclear sciences.",
@@ -714,10 +788,15 @@
 "Tarh Andishan",
 "Alibaba",
 "2889",
- "TG-2889"
+ "TG-2889",
+ "Cobalt Gypsy",
+ "Ghambar",
+ "Cutting Kitten"
 ],
 "refs": [
- "http://cdn2.hubspot.net/hubfs/270968/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
+ "http://cdn2.hubspot.net/hubfs/270968/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf",
+ "https://www.secureworks.com/research/the-curious-case-of-mia-ash",
+ "http://www.secureworks.com/cyber-threat-intelligence/threats/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles/"
 ]
 },
 "value": "Cleaver",
@@ -763,11 +842,17 @@
 "STRONTIUM",
 "TAG_0700",
 "Swallowtail",
- "IRON TWILIGHT"
+ "IRON TWILIGHT",
+ "Group 74"
 ],
 "country": "RU",
 "refs": [
- "https://en.wikipedia.org/wiki/Sofacy_Group"
+ "https://en.wikipedia.org/wiki/Sofacy_Group",
+ "https://aptnotes.malwareconfig.com/web/viewer.html?file=../APTnotes/2014/apt28.pdf",
+ "http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-pawn-storm.pdf",
+ "https://www2.fireeye.com/rs/848-DID-242/images/wp-mandiant-matryoshka-mining.pdf",
+ "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/",
+ "http://researchcenter.paloaltonetworks.com/2016/06/unit42-new-sofacy-attacks-against-us-government-agency/"
 ]
 },
 "description": "The Sofacy Group (also known as APT28, Pawn Storm, Fancy Bear and Sednit) is a cyber espionage group believed to have ties to the Russian government. Likely operating since 2007, the group is known to target government, military, and security organizations. It has been characterized as an advanced persistent threat.",
@@ -790,11 +875,15 @@
 "Cozy Bear",
 "The Dukes",
 "Minidionis",
- "SeaDuke"
+ "SeaDuke",
+ "Hammer Toss"
 ],
 "country": "RU",
 "refs": [
- "https://labsblog.f-secure.com/2015/09/17/the-dukes-7-years-of-russian-cyber-espionage/"
+ "https://labsblog.f-secure.com/2015/09/17/the-dukes-7-years-of-russian-cyber-espionage/",
+ "https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf",
+ "https://www.us-cert.gov/sites/default/files/publications/AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf",
+ "https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html"
 ]
 },
 "value": "APT 29",
@@ -819,7 +908,13 @@
 "refs": [
 "https://www.first.org/resources/papers/tbilisi2014/turla-operations_and_development.pdf",
 "https://www.circl.lu/pub/tr-25/",
- "https://www.theguardian.com/technology/2014/aug/07/turla-hackers-spying-governments-researcher-kaspersky-symantec"
+ "https://www.theguardian.com/technology/2014/aug/07/turla-hackers-spying-governments-researcher-kaspersky-symantec",
+ "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf",
+ "https://securelist.com/analysis/publications/65545/the-epic-turla-operation/",
+ "https://securelist.com/blog/research/72081/satellite-turla-apt-command-and-control-in-the-sky/",
+ "https://securelist.com/blog/research/67962/the-penquin-turla-2/",
+ "https://www2.fireeye.com/rs/848-DID-242/images/rpt-witchcoven.pdf",
+ "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/"
 ],
 "country": "RU"
 },
@@ -838,7 +933,10 @@
 ],
 "country": "RU",
 "refs": [
- "http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/"
+ "http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/",
+ "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf",
+ "http://www.netresec.com/?page=Blog&month=2014-10&post=Full-Disclosure-of-Havex-Trojans",
+ "https://threatpost.com/energy-watering-hole-attack-used-lightsout-exploit-kit/104772/"
 ]
 },
 "description": "A Russian group that collects intelligence on the energy industry.",
@@ -851,11 +949,16 @@
 "Black Energy",
 "BlackEnergy",
 "Quedagh",
- "Voodoo Bear"
+ "Voodoo Bear",
+ "TEMP.Noble"
 ],
 "country": "RU",
 "refs": [
- "http://www.isightpartners.com/2014/10/cve-2014-4114/"
+ "http://www.isightpartners.com/2014/10/cve-2014-4114/",
+ "http://www.isightpartners.com/2016/01/ukraine-and-sandworm-team/",
+ "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf",
+ "https://www.us-cert.gov/ncas/alerts/TA17-163A",
+ "https://ics.sans.org/blog/2016/01/09/confirmation-of-a-coordinated-attack-on-the-ukrainian-power-grid"
 ]
 },
 "value": "Sandworm"
@@ -865,6 +968,9 @@
 "country": "RU",
 "refs": [
 "http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/"
+ ],
+ "synonyms": [
+ "Sandworm"
 ]
 },
 "value": "TeleBots",
@@ -880,7 +986,13 @@
 "country": "RU",
 "refs": [
 "https://en.wikipedia.org/wiki/Carbanak",
- "https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor"
+ "https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor",
+ "https://securelist.com/files/2015/02/Carbanak_APT_eng.pdf",
+ "http://2014.zeronights.ru/assets/files/slides/ivanovb-zeronights.pdf",
+ "https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks",
+ "https://blog.cyber4sight.com/2017/04/similarities-between-carbanak-and-fin7-malware-suggest-actors-are-closely-related/",
+ "https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor",
+ "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns"
 ],
 "motive": "Cybercrime"
 },
@@ -892,7 +1004,8 @@
 "synonyms": [
 "TeamSpy",
 "Team Bear",
- "Berserk Bear"
+ "Berserk Bear",
+ "Anger Bear"
 ],
 "country": "RU",
 "refs": [
@@ -969,11 +1082,20 @@
 "country": "KP",
 "synonyms": [
 "Operation DarkSeoul",
- "Hidden Cobra"
+ "Dark Seoul",
+ "Hidden Cobra",
+ "Hastati Group",
+ "Andariel",
+ "Unit 121",
+ "Bureau 121",
+ "NewRomanic Cyber Army Team",
+ "Bluenoroff"
 ],
 "refs": [
 "https://threatpost.com/operation-blockbuster-coalition-ties-destructive-attacks-to-lazarus-group/116422/",
- "https://www.us-cert.gov/ncas/alerts/TA17-164A"
+ "https://www.us-cert.gov/ncas/alerts/TA17-164A",
+ "https://securelist.com/lazarus-under-the-hood/77908/",
+ "http://www.mcafee.com/us/resources/white-papers/wp-dissecting-operation-troy.pdf"
 ]
 },
 "value": "Lazarus Group",
@@ -1007,7 +1129,10 @@
 "synonyms": [
 "TunisianCyberArmy"
 ],
- "country": "TN"
+ "country": "TN",
+ "refs": [
+ "https://www.crowdstrike.com/blog/regional-conflict-and-cyber-blowback/"
+ ]
 },
 "value": "Corsair Jackal"
 },
@@ -1016,7 +1141,11 @@
 "meta": {
 "country": "FR",
 "refs": [
- "https://securelist.com/blog/research/69114/animals-in-the-apt-farm/"
+ "https://securelist.com/blog/research/69114/animals-in-the-apt-farm/",
+ "https://motherboard.vice.com/read/meet-babar-a-new-malware-almost-certainly-created-by-france",
+ "http://www.cyphort.com/evilbunny-malware-instrumented-lua/",
+ "http://www.cyphort.com/babar-suspected-nation-state-spyware-spotlight/",
+ "https://blog.gdatasoftware.com/blog/article/babar-espionage-software-finally-found-and-put-under-the-microscope.html"
 ],
 "synonyms": [
 "Animal Farm"
@@ -1059,7 +1188,7 @@
 "synonyms": [
 "FruityArmor"
 ],
- "country": "AE"
+ "country": "UAE"
 },
 "value": "Stealth Falcon",
 "description": "Group targeting Emirati journalists, activists, and dissidents."
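Review bot: Changing `"country": "AE"` to `"country": "UAE"` in the `@@ -1059` hunk breaks the two-letter ISO 3166-1 convention every other entry in this file uses (`"CN"`, `"RU"`, `"IR"`, `"US"`, `"KP"` and `"TN"` on this same line), and `"UAE"` is not an ISO 3166-1 code in either form, so any consumer that maps `country` to a flag or a lookup table will now miss this entry. The same regression appears in later hunks: `"LY"` → `"LBY"` (`@@ -1242`), `"TR"` → `"TU"` on five Turkish entries (`@@ -1324`, `-1379`, `-1387`, `-1399`, `-1410`) where `"TU"` is not a valid alpha-2 code at all, `"CN"` → `"CHN"` (`@@ -1483`) while every other Chinese entry in this very patch keeps `"CN"`, and `"UA"` → `"UKR"` (`@@ -1496`). These eight lines should be reverted to their alpha-2 values; if a change of code system is intended it has to be applied to the whole file at once.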
@@ -1111,7 +1240,9 @@
 ],
 "refs": [
 "https://securelist.com/blog/research/75328/the-dropping-elephant-actor/",
- "http://www.symantec.com/connect/blogs/patchwork-cyberespionage-group-expands-targets-governments-wide-range-industries"
+ "http://www.symantec.com/connect/blogs/patchwork-cyberespionage-group-expands-targets-governments-wide-range-industries",
+ "https://blogs.forcepoint.com/security-labs/monsoon-analysis-apt-campaign",
+ "https://www.cymmetria.com/patchwork-targeted-attack/"
 ]
 },
 "description": "Dropping Elephant (also known as “Chinastrats” and “Patchwork“) is a relatively new threat actor that is targeting a variety of high profile diplomatic and economic targets using a custom set of attack tools. Its victims are all involved with China’s foreign relations in some way, and are generally caught through spear-phishing or watering hole attacks.",
@@ -1155,7 +1286,11 @@
 ],
 "refs": [
 "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf",
- "https://attack.mitre.org/wiki/Groups"
+ "https://attack.mitre.org/wiki/Groups",
+ "http://researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/",
+ "http://researchcenter.paloaltonetworks.com/2017/01/unit42-dragonok-updates-toolset-targets-multiple-geographic-regions/",
+ "https://blogs.forcepoint.com/security-labs/trojanized-adobe-installer-used-install-dragonok%E2%80%99s-new-custom-backdoor",
+ "http://www.morphick.com/resources/news/deep-dive-dragonok-rambo-backdoor"
 ],
 "country": "CN"
 },
@@ -1224,7 +1359,8 @@
 {
 "meta": {
 "refs": [
- "http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates"
+ "http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates",
+ "http://www.symantec.com/connect/blogs/indian-organizations-targeted-suckfly-attacks"
 ],
 "country": "CN"
 },
@@ -1242,7 +1378,7 @@
 },
 {
 "meta": {
- "country": "LY"
+ "country": "LBY"
 },
 "description": "Libyan Scorpions is a malware operation in use since September 2015 and operated by a politically motivated group whose main objective is intelligence gathering, spying on influentials and political figures and operate an espionage campaign within Libya.",
 "value": "Libyan Scorpions"
@@ -1262,9 +1398,22 @@
 {
 "meta": {
 "refs": [
- "http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/"
+ "http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/",
+ "https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html",
+ "http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/",
+ "http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/",
+ "http://www.clearskysec.com/oilrig/",
+ "https://cert.gov.il/Updates/Alerts/SiteAssets/CERT-IL-ALERT-W-120.pdf",
+ "http://researchcenter.paloaltonetworks.com/2017/04/unit42-oilrig-actors-provide-glimpse-development-testing-efforts/",
+ "http://blog.morphisec.com/iranian-fileless-cyberattack-on-israel-word-vulnerability%20",
+ "https://www.forbes.com/sites/thomasbrewster/2017/02/15/oilrig-iran-hackers-cyberespionage-us-turkey-saudi-arabia/#56749aa2468a",
+ "https://researchcenter.paloaltonetworks.com/2017/07/unit42-twoface-webshell-persistent-access-point-lateral-movement/"
 ],
- "country": "IR"
+ "country": "IR",
+ "synonyms": [
+ "Twisted Kitten",
+ "Cobalt Gypsy"
+ ]
 },
 "value": "OilRig",
 "description": "Iranian threat agent OilRig has been targeting multiple organisations in Israel and other countries in the Middle East since the end of 2015."
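Review bot: The morphisec reference added in the `@@ -1262` hunk ends in a percent-encoded space, `...word-vulnerability%20`, which looks like a copy-paste artefact rather than part of the path and will most likely resolve to a different (or missing) resource than the article intended; it should be `"http://blog.morphisec.com/iranian-fileless-cyberattack-on-israel-word-vulnerability"`. Worth checking the pasted URLs in the rest of the patch for the same trailing-whitespace encoding before they propagate to downstream consumers that fetch or hash refs.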
@@ -1307,6 +1456,7 @@
 ],
 "synonyms": [
 "Gaza Hackers Team",
+ "Gaza cybergang",
 "Operation Molerats",
 "Extreme Jackal",
 "Moonlight"
@@ -1324,7 +1474,7 @@
 "synonyms": [
 "StrongPity"
 ],
- "country": "TR"
+ "country": "TU"
 }
 },
 {
@@ -1379,7 +1529,7 @@
 "value": "Sath-ı Müdafaa",
 "description": "A Turkish hacking group, Sath-ı Müdafaa, is encouraging individuals to join its DDoS-for-Points platform that features points and prizes for carrying out distributed denial-of-service (DDoS) attacks against a list of predetermined targets. Their DDoS tool also contains a backdoor to hack the hackers. So the overarching motivation and allegiance of the group is not entirely clear.",
 "meta": {
- "country": "TR",
+ "country": "TU",
 "motive": "Hacktivists-Nationalists"
 }
 },
@@ -1387,7 +1537,7 @@
 "value": "Aslan Neferler Tim",
 "description": "Turkish nationalist hacktivist group that has been active for roughly one year. According to Domaintools, the group’s site has been registered since December 2015, with an active Twitter account since January 2016. The group carries out distributed denial-of-service (DDoS) attacks and defacements against the sites of news organizations and governments perceived to be critical of Turkey’s policies or leadership, and purports to act in defense of Islam",
 "meta": {
- "country": "TR",
+ "country": "TU",
 "synonyms": [
 "Lion Soldiers Team",
 "Phantom Turk"
@@ -1399,7 +1549,7 @@
 "value": "Ayyıldız Tim",
 "description": "Ayyıldız (Crescent and Star) Tim is a nationalist hacking group founded in 2002. It performs defacements and DDoS attacks against the websites of governments that it considers to be repressing Muslim minorities or engaged in Islamophobic policies.",
 "meta": {
- "country": "TR",
+ "country": "TU",
 "synonyms": [
 "Crescent and Star"
 ],
@@ -1410,7 +1560,7 @@
 "value": "TurkHackTeam",
 "description": "Founded in 2004, Turkhackteam is one of Turkey’s oldest and most high-profile hacking collectives. According to a list compiled on Turkhackteam’s forum, the group has carried out almost 30 highly publicized hacking campaigns targeting foreign government and commercial websites, including websites of international corporations. ",
 "meta": {
- "country": "TR",
+ "country": "TU",
 "synonyms": [
 "Turk Hack Team"
 ],
@@ -1424,6 +1574,11 @@
 "country": "US",
 "refs": [
 "https://en.wikipedia.org/wiki/Equation_Group"
+ ],
+ "synonyms": [
+ "Tilded Team",
+ "Lamberts",
+ "EQGRP"
 ]
 }
 },
@@ -1432,8 +1587,10 @@
 "description": "Greenbug was discovered targeting a range of organizations in the Middle East including companies in the aviation, energy, government, investment, and education sectors.",
 "meta": {
 "refs": [
- "https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon"
- ]
+ "https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon",
+ "https://researchcenter.paloaltonetworks.com/2017/07/unit42-oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group/"
+ ],
+ "country": "IR"
 }
 },
 {
@@ -1449,7 +1606,8 @@
 "meta": {
 "country": "CN",
 "synonyms": [
- "Zhenbao"
+ "Zhenbao",
+ "TEMP.Zhenbao"
 ],
 "refs": [
 "http://www.darkreading.com/endpoint/chinese-cyberspies-pivot-to-russia-in-wake-of-obama-xi-pact/d/d-id/1324242"
@@ -1465,7 +1623,10 @@
 "Operation Mermaid"
 ],
 "refs": [
- "https://www.blackhat.com/docs/us-16/materials/us-16-Guarnieri-Iran-And-The-Soft-War-For-Internet-Dominance-wp.pdf"
+ "https://www.blackhat.com/docs/us-16/materials/us-16-Guarnieri-Iran-And-The-Soft-War-For-Internet-Dominance-wp.pdf",
+ "https://iranthreats.github.io/",
+ "http://researchcenter.paloaltonetworks.com/2016/05/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/",
+ "https://researchcenter.paloaltonetworks.com/2017/08/unit42-prince-persia-ride-lightning-infy-returns-foudre/"
 ]
 },
 "value": "Infy",
@@ -1475,7 +1636,8 @@
 "meta": {
 "country": "IR",
 "refs": [
- "https://www.blackhat.com/docs/us-16/materials/us-16-Guarnieri-Iran-And-The-Soft-War-For-Internet-Dominance-wp.pdf"
+ "https://www.blackhat.com/docs/us-16/materials/us-16-Guarnieri-Iran-And-The-Soft-War-For-Internet-Dominance-wp.pdf",
+ "https://iranthreats.github.io/"
 ]
 },
 "value": "Sima",
@@ -1483,12 +1645,13 @@
 },
 {
 "meta": {
- "country": "CN",
+ "country": "CHN",
 "synonyms": [
 "Cloudy Omega"
 ],
 "refs": [
- "https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/"
+ "https://securelist.com/blog/research/71876/new-activity-of-the-blue-termite-apt/",
+ "http://www.kaspersky.com/about/news/virus/2015/Blue-Termite-A-Sophisticated-Cyber-Espionage-Campaign-is-After-High-Profile-Japanese-Targets"
 ]
 },
 "value": "Blue Termite",
@@ -1496,7 +1659,7 @@
 },
 {
 "meta": {
- "country": "UA",
+ "country": "UKR",
 "refs": [
 "http://www.welivesecurity.com/2016/05/18/groundbait"
 ]
@@ -1507,7 +1670,8 @@
 {
 "meta": {
 "refs": [
- "https://www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-group-linked-vault-7"
+ "https://www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-group-linked-vault-7",
+ "https://www.bleepingcomputer.com/news/security/longhorn-cyber-espionage-group-is-actually-the-cia/"
 ],
 "country": "US"
 },
@@ -1528,11 +1692,17 @@
 "synonyms": [
 "OceanLotus Group",
 "Ocean Lotus",
+ "Cobalt Kitty",
+ "APT-C-00",
+ "SeaLotus",
 "APT-32",
 "APT 32"
 ],
 "refs": [
- "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html"
+ "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html",
+ "https://www.cybereason.com/labs-operation-cobalt-kitty-a-large-scale-apt-in-asia-carried-out-by-the-oceanlotus-group/",
+ "https://www.scmagazineuk.com/ocean-lotus-groupapt-32-identified-as-vietnamese-apt-group/article/663565/",
+ "https://www.brighttalk.com/webcast/10703/261205"
 ]
 },
 "value": "APT32",
@@ -1571,6 +1741,9 @@
 "refs": [
 "http://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf",
 "https://blogs.technet.microsoft.com/mmpc/2016/04/26/digging-deep-for-platinum/"
+ ],
+ "synonyms": [
+ "TwoForOne"
 ]
 }
 },
@@ -1581,6 +1754,9 @@
 "refs": [
 "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf",
 "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf"
+ ],
+ "synonyms": [
+ "Sandworm"
 ]
 }
 },
@@ -1618,6 +1794,424 @@
 "Cobalt gang"
 ]
 }
+ },
+ {
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://www.proofpoint.com/us/threat-insight/post/apt-targets-financial-analysts#.WS3IBVFV4no.twitter"
+ ]
+ },
+ "value": "TA459"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://www.threatconnect.com/blog/russia-hacks-bellingcat-mh17-investigation/#.V-wnrubaeEU.twitter"
+ ],
+ "country": "RU"
+ },
+ "value": "Cyber Berkut"
+ },
+ {
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://www.wsj.com/articles/chinas-secret-weapon-in-south-korea-missile-fight-hackers-1492766403?emailToken=JRrydPtyYnqTg9EyZsw31FwuZ7JNEOKCXF7LaW/HM1DLsjnUp6e6wLgph560pnmiTAN/5ssf7moyADPQj2p2Gc+YkL1yi0zhIiUM9M6aj1HTYQ==",
+ "https://arstechnica.com/information-technology/2017/04/researchers-claim-china-trying-to-hack-south-korea-missile-defense-efforts/"
+ ]
+ },
+ "value": "Tonto Team"
+ },
+ {
+ "value": "Danti",
+ "meta": {
+ "refs": [
+ "https://securelist.com/analysis/publications/74828/cve-2015-2545-overview-of-current-threats/"
+ ]
+ }
+ },
+ {
+ "value": "APT5",
+ "meta": {
+ "refs": [
+ "https://www.fireeye.com/current-threats/apt-groups.html"
+ ]
+ }
+ },
+ {
+ "meta": {
+ "country": "CN",
+ "synonyms": [
+ "APT22"
+ ],
+ "refs": [
+ "http://www.slideshare.net/CTruncer/ever-present-persistence-established-footholds-seen-in-the-wild"
+ ]
+ },
+ "value": "APT 22"
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Bronze Butler"
+ ],
+ "country": "CN",
+ "refs": [
+ "https://www.symantec.com/connect/blogs/tick-cyberespionage-group-zeros-japan",
+ "https://www.secureworks.jp/resources/rp-bronze-butler",
+ "https://researchcenter.paloaltonetworks.com/2017/07/unit42-tick-group-continues-attacks/",
+ "http://blog.jpcert.or.jp/2017/08/detecting-datper-malware-from-proxy-logs.html"
+ ]
+ },
+ "value": "Tick"
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "APT26",
+ "Hippo Team",
+ "JerseyMikes"
+ ],
+ "country": "CN"
+ },
+ "value": "APT 26"
+ },
+ {
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf"
+ ]
+ },
+ "value": "Sabre Panda"
+ },
+ {
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "http://www.darkreading.com/attacks-and-breaches/crowdstrike-falcon-traces-attacks-back-to-hackers/d/d-id/1110402?"
+ ]
+ },
+ "value": "Big Panda"
+ },
+ {
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "http://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf"
+ ]
+ },
+ "value": "Poisonous Panda"
+ },
+ {
+ "value": "Ghost Jackal",
+ "meta": {
+ "refs": [
+ "https://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf"
+ ]
+ }
+ },
+ {
+ "meta": {
+ "country": "KP",
+ "refs": [
+ "https://www.isightpartners.com/2016/02/threatscape-media-highlights-update-week-of-february-17th/"
+ ]
+ },
+ "value": "TEMP.Hermit"
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "Superman"
+ ],
+ "country": "CN",
+ "refs": [
+ "https://blog.fox-it.com/2016/06/15/mofang-a-politically-motivated-information-stealing-adversary/",
+ "https://www.threatconnect.com/china-superman-apt/"
+ ]
+ },
+ "value": "Mofang"
+ },
+ {
+ "meta": {
+ "country": "IR",
+ "synonyms": [
+ "Slayer Kitten"
+ ],
+ "refs": [
+ "https://s3-eu-west-1.amazonaws.com/minervaresearchpublic/CopyKittens/CopyKittens.pdf",
+ "https://blog.domaintools.com/2017/03/hunt-case-study-hunting-campaign-indicators-on-privacy-protected-attack-infrastructure/",
+ "http://www.clearskysec.com/copykitten-jpost/",
+ "http://www.clearskysec.com/tulip/"
+ ]
+ },
+ "value": "CopyKittens"
+ },
+ {
+ "value": "EvilPost",
+ "meta": {
+ "refs": [
+ "https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html"
+ ]
+ }
+ },
+ {
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://securelist.com/analysis/publications/74828/cve-2015-2545-overview-of-current-threats/"
+ ]
+ },
+ "value": "SVCMONDR",
+ "description": "The referenced link links this group to Temper Panda"
+ },
+ {
+ "value": "Test Panda",
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "http://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem"
+ ]
+ }
+ },
+ {
+ "meta": {
+ "country": "IR",
+ "refs": [
+ "https://securelist.com/blog/incidents/33693/the-madi-campaign-part-i-5/",
+ "https://securelist.com/blog/incidents/33701/the-madi-campaign-part-ii-53/"
+ ]
+ },
+ "value": "Madi"
+ },
+ {
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "http://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem"
+ ]
+ },
+ "value": "Electric Panda"
+ },
+ {
+ "meta": {
+ "country": "CN",
+ "synonyms": [
+ "PLA Navy",
+ "Sykipot"
+ ],
+ "refs": [
+ "https://www.alienvault.com/open-threat-exchange/blog/new-sykipot-developments",
+ "http://blog.trendmicro.com/trendlabs-security-intelligence/sykipot-now-targeting-us-civil-aviation-sector-information/",
+ "https://www.sans.org/reading-room/whitepapers/malicious/detailed-analysis-sykipot-smartcard-proxy-variant-33919"
+ ]
+ },
+ "value": "Maverick Panda"
+ },
+ {
+ "meta": {
+ "country": "KP",
+ "refs": [
+ "http://securelist.com/analysis/57915/the-kimsuky-operation-a-north-korean-apt/"
+ ]
+ },
+ "value": "Kimsuki"
+ },
+ {
+ "value": "Snake Wine",
+ "meta": {
+ "refs": [
+ "https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html"
+ ]
+ }
+ },
+ {
+ "value": "Careto",
+ "meta": {
+ "refs": [
+ "https://securelist.com/blog/research/58254/the-caretomask-apt-frequently-asked-questions/"
+ ],
+ "synonyms": [
+ "The Mask"
+ ]
+ }
+ },
+ {
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "http://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem"
+ ]
+ },
+ "value": "Gibberish Panda"
+ },
+ {
+ "meta": {
+ "country": "KP",
+ "refs": [
+ "http://news.softpedia.com/news/korean-energy-and-transportation-targets-attacked-by-oniondog-apt-501534.shtml"
+ ]
+ },
+ "value": "OnionDog"
+ },
+ {
+ "meta": {
+ "country": "IR",
+ "synonyms": [
+ "Group 41"
+ ],
+ "refs": [
+ "http://www.crowdstrike.com/blog/whois-clever-kitten/"
+ ]
+ },
+ "value": "Clever Kitten"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf"
+ ]
+ },
+ "value": "Andromeda Spider"
+ },
+ {
+ "value": "Cyber Caliphate Army",
+ "meta": {
+ "refs": [
+ "https://en.wikipedia.org/wiki/Islamic_State_Hacking_Division",
+ "https://ent.siteintelgroup.com/index.php?option=com_customproperties&view=search&task=tag&bind_to_category=content:37&tagId=697"
+ ],
+ "synonyms": [
+ "Islamic State Hacking Division",
+ "CCA",
+ "United Cyber Caliphate",
+ "UUC"
+ ]
+ }
+ },
+ {
+ "meta": {
+ "country": "RU",
+ "refs": [
+ "http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf"
+ ]
+ },
+ "value": "Magnetic Spider"
+ },
+ {
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-2015-08-Uncovering-the-Seven-Pointed-Dagger.pdf"
+ ]
+ },
+ "value": "Group 27"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf"
+ ]
+ },
+ "value": "Singing Spider"
+ },
+ {
+ "meta": {
+ "country": "IR",
+ "synonyms": [
+ "Fraternal Jackal"
+ ],
+ "refs": [
+ "http://pastebin.com/u/QassamCyberFighters",
+ "http://ddanchev.blogspot.com.es/2012/09/dissecting-operation-ababil-osint.html"
+ ]
+ },
+ "value": "Cyber fighters of Izz Ad-Din Al Qassam"
+ },
+ {
+ "meta": {
+ "synonyms": [
+ "1.php Group",
+ "APT6"
+ ],
+ "country": "CN"
+ },
+ "value": "APT 6"
+ },
+ {
+ "value": "AridViper",
+ "meta": {
+ "refs": [
+ "http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf",
+ "http://securityaffairs.co/wordpress/33785/cyber-crime/arid-viper-israel-sex-video.html",
+ "https://securelist.com/blog/research/68817/the-desert-falcons-targeted-attacks/",
+ "https://ti.360.com/upload/report/file/APTSWXLVJ8fnjoxck.pdf",
+ "https://blog.lookout.com/blog/2017/02/16/viperrat-mobile-apt/",
+ "https://securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/",
+ "https://www.proofpoint.com/us/threat-insight/post/Operation-Arid-Viper-Slithers-Back-Into-View",
+ "https://www.ci-project.org/blog/2017/3/4/arid-viper",
+ "http://blog.talosintelligence.com/2017/06/palestine-delphi.html",
+ "https://www.threatconnect.com/blog/kasperagent-malware-campaign/"
+ ],
+ "synonyms": [
+ "Desert Falcon",
+ "Arid Viper",
+ "APT-C-23"
+ ]
+ }
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf"
+ ]
+ },
+ "value": "Dextorous Spider"
+ },
+ {
+ "value": "Unit 8200",
+ "meta": {
+ "country": "IL",
+ "refs": [
+ "https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/",
+ "https://archive.org/details/Stuxnet"
+ ],
+ "synonyms": [
+ "Duqu Group"
+ ]
+ }
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://securelist.com/introducing-whitebear/81638/"
+ ],
+ "synonyms": [
+ "Skipper Turla"
+ ],
+ "country": "RU"
+ },
+ "value": "White Bear"
+ },
+ {
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "http://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf"
+ ]
+ },
+ "value": "Pale Panda"
+ },
+ {
+ "meta": {
+ "country": "CN",
+ "refs": [
+ "https://www.isightpartners.com/2016/02/threatscape-media-highlights-update-week-of-february-17th/"
+ ]
+ },
+ "value": "Mana Team"
 }
 ],
 "name": "Threat actor",
@@ -1632,5 +2226,5 @@
 ],
 "description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign.",
 "uuid": "7cdff317-a673-4474-84ec-4f1754947823",
- "version": 26
-}
+ "version": 27
+}
\ No newline at end of file
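Review bot: Several new entries attach a hard `country` attribution with nothing in `refs` to support it: `APT 26` (`"country": "CN"`, three synonyms, no `refs` key at all), `APT 6` (same shape), and `Unit 8200` (`"country": "IL"`, synonym `"Duqu Group"`) whose only refs are the Kaspersky Duqu 2.0 FAQ and an archive.org Stuxnet collection, neither of whose titles suggests it makes that attribution. Because the cluster description says entries are "known or estimated", attributions that come from the imported spreadsheet rather than a citable report should either carry a `description` saying so (e.g. `"description": "Attribution to Unit 8200 is an estimate not stated in the linked references."`) or omit `country`. Two smaller consistency issues in the same hunk: `"value": "Kimsuki"` is spelled differently from the `kimsuky` in its own ref, so add `"synonyms": ["Kimsuky"]` so lookups by the vendor name still match, and `"UUC"` under Cyber Caliphate Army looks like a transposition of `UCC` (United Cyber Caliphate) and should be checked against the source sheet. The enclosing array's opening lies outside the hunk.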
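Review bot: Besides bumping `version` to 27, the new side ends with `+}` followed by `\ No newline at end of file`, so this commit strips the file's trailing newline. JSON parsers do not care, but every future commit touching the end of the file will now carry that marker as diff noise, and POSIX-minded linters and pre-commit hooks commonly reject it; re-add the final newline after the closing `}`.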