From c5a5fa7cfaa80654016fca510a17be0b1621edf1 Mon Sep 17 00:00:00 2001 From: Christophe Vandeplas Date: Tue, 13 Sep 2022 21:47:14 +0200 Subject: [PATCH] chg: [360net] add 360.net APT list fixes #764 --- README.md | 9 +- clusters/360net.json | 894 +++++++++++++++++++++++++++++++++++++++++++ galaxies/360net.json | 9 + tools/gen_360net.py | 87 +++++ 4 files changed, 998 insertions(+), 1 deletion(-) create mode 100644 clusters/360net.json create mode 100644 galaxies/360net.json create mode 100755 tools/gen_360net.py diff --git a/README.md b/README.md index a5f62872..5f34ce67 100644 --- a/README.md +++ b/README.md @@ -18,6 +18,13 @@ The objective is to have a comment set of clusters for organizations starting an to localized information (which is not shared) or additional information (that can be shared). # Available Galaxy - clusters +## 360.net Threat Actors + +[360.net Threat Actors](https://www.misp-project.org/galaxy.html#_360.net_threat_actors) - Known or estimated adversary groups as identified by 360.net. + +Category: *actor* - source: *https://apt.360.net/aptlist* - total: *42* elements + +[[HTML](https://www.misp-project.org/galaxy.html#_360.net_threat_actors)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/360net.json)] ## Android @@ -463,7 +470,7 @@ Category: *tea-matrix* - source: ** - total: *7* elements [Threat Actor](https://www.misp-project.org/galaxy.html#_threat_actor) - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. threat-actor-classification meta can be used to clarify the understanding of the threat-actor if also considered as operation, campaign or activity group. -Category: *actor* - source: *MISP Project* - total: *398* elements +Category: *actor* - source: *MISP Project* - total: *397* elements [[HTML](https://www.misp-project.org/galaxy.html#_threat_actor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/threat-actor.json)] diff --git a/clusters/360net.json b/clusters/360net.json new file mode 100644 index 00000000..506c0676 --- /dev/null +++ b/clusters/360net.json @@ -0,0 +1,894 @@ +{ + "authors": [ + "360.net" + ], + "category": "actor", + "description": "Known or estimated adversary groups as identified by 360.net.", + "name": "360.net Threat Actors", + "source": "https://apt.360.net/aptlist", + "type": "360net-threat-actor", + "uuid": "20de4abf-f000-48ec-a929-3cdc5c2f3c23", + "values": [ + { + "description": "美国中央情报局(英语:Central Intelligence Agency),总部位于美国弗吉尼亚州的兰利。与苏联国家安全委员会(克格勃)、英国军情六处和以色列摩萨德,并称为“世界四大情报机构”。\n其主要任务是公开和秘密地收集和分析关于国外政府、公司、恐怖组织、个人、政治、文化、科技等方面的情报,协调其它国内情报机构的活动,并把这些情报报告到美国政府各个部门的工作。", + "meta": { + "country": "america", + "refs": [ + "https://apt.360.net/report/apts/96.html", + "https://apt.360.net/report/apts/12.html" + ], + "suspected-victims": [ + "中国" + ], + "synonyms": [ + "Lamberts", + "longhorn" + ], + "target-category": [ + "媒体通讯", + "工业科研", + "航空航天等重要机构" + ] + }, + "uuid": "988e1441-0350-5c39-979d-b0ca99c8d20b", + "value": "CIA - APT-C-39" + }, + { + "description": "海莲花(OceanLotus)APT团伙是一个高度组织化的、专业化的境外国家级黑客组织,其最早由360发现并披露。该组织至少自2012年4月起便针对中国政府、科研院所、海事机构、海域建设、航运企业等相关重要领域展开了有组织、有计划、有针对性的长时间不间断攻击。", + "meta": { + "country": "vietnam", + "refs": [ + "https://apt.360.net/report/apts/1.html", + "https://apt.360.net/report/apts/93.html", + "https://apt.360.net/report/apts/94.html" + ], + "suspected-victims": [ + "中国", + "越南" + ], + "synonyms": [ + "OceanLotus" + ], + "target-category": [ + "政府", + "科研" + ] + }, + "uuid": "ad1a6df6-2251-5e47-a245-8693c1ace8fb", + "value": "海莲花 - APT-C-00" + }, + { + "description": "摩诃草组织(APT-C-09),又称HangOver、VICEROY TIGER、The Dropping Elephant、Patchwork,是一个来自于南亚地区的境外APT组织,该组织已持续活跃了7年。摩诃草组织最早由Norman安全公司于2013年曝光,随后又有其他安全厂商持续追踪并披露该组织的最新活动。摩诃草组织主要针对中国、巴基斯坦等亚洲地区国家进行网络间谍活动,其中以窃取敏感信息为主。相关攻击活动最早可以追溯到2009年11月,至今还非常活跃。在针对中国地区的攻击中,该组织主要针对政府机构、科研教育领域进行攻击,其中以科研教育领域为主。", + "meta": { + "country": "india", + "refs": [ + "https://apt.360.net/report/apts/110.html", + "https://apt.360.net/report/apts/6.html" + ], + "suspected-victims": [ + "中国及中国驻外大使馆" + ], + "synonyms": [ + "HangOver", + "VICEROY TIGER", + "The Dropping Elephant", + "Patchwork" + ], + "target-category": [ + "外交军事", + "关键制造基础设施", + "政府金融等重要机构" + ] + }, + "uuid": "231a81cd-4e24-590b-b084-1a4715b30d67", + "value": "摩诃草 - APT-C-09" + }, + { + "description": "从2014年11月起至今,黄金鼠组织(APT-C-27)对叙利亚地区展开了有组织、有计划、有针对性的长时间不间断攻击。攻击平台从开始的Windows平台逐渐扩展至Android平台", + "meta": { + "country": "mideast", + "refs": [ + "https://apt.360.net/report/apts/100.html", + "https://apt.360.net/report/apts/98.html", + "https://apt.360.net/report/apts/26.html" + ], + "suspected-victims": [ + "叙利亚" + ], + "synonyms": [], + "target-category": [ + "军事", + "政府" + ] + }, + "uuid": "b3b6f113-fe2c-5d75-ba41-b333ce726f4a", + "value": "黄金鼠 - APT-C-27" + }, + { + "description": "Lazarus组织是来自朝鲜的APT组织,该组织长期对韩国、美国、中国、印度等国家进行渗透攻击,此外还对全球的金融机构进行攻击,堪称全球金融机构的最大威胁。该组织最早的攻击活动可以追溯到2007年。", + "meta": { + "country": "korea", + "refs": [ + "https://apt.360.net/report/apts/9.html", + "https://apt.360.net/report/apts/101.html", + "https://apt.360.net/report/apts/90.html" + ], + "suspected-victims": [ + "中国", + "韩国", + "美国", + "印度等国家" + ], + "synonyms": [ + "APT38" + ], + "target-category": [ + "工业科研", + "外交外贸", + "媒体金融", + "核设施" + ] + }, + "uuid": "e6f4af06-fbb5-5471-82ae-b0bdb4d446ce", + "value": "Lazarus - APT-C-26" + }, + { + "description": "黄金雕组织的活动主要影响中亚地区,大部分集中在哈萨克坦国境内,攻击目标涉及教育行业、政府机关人员、科研人员、媒体工作人员、部分商务工业、军方人员、宗教人员、政府异见人士和外交人员等。该组织使用社会工程学、物理接触、无线电监听等方式进行网络攻击,同时也采购了HackingTeam、NSO Group等网络军火商的武器,具备0day漏洞的高级入侵能力。360参照中亚地区擅长驯养猎鹰进行狩猎的习俗特性,将该组织命名为黄金雕(APT-C-34)", + "meta": { + "country": "kaz", + "refs": [ + "https://apt.360.net/report/apts/11.html" + ], + "suspected-victims": [], + "synonyms": [], + "target-category": [] + }, + "uuid": "03e70e52-ec27-5961-bb53-d4c8c737addc", + "value": "黄金雕 - APT-C-34" + }, + { + "description": "从2018年4月起至今,一个疑似来自南美洲的APT组织盲眼鹰(APT-C-36)针对哥伦比亚政府机构和大型公司(金融、石油、制造等行业)等重要领域展开了有组织、有计划、针对性的长期不间断攻击。", + "meta": { + "country": "namerica", + "refs": [ + "https://apt.360.net/report/apts/83.html" + ], + "suspected-victims": [], + "synonyms": [], + "target-category": [] + }, + "uuid": "c111ae65-f889-56b0-b266-f54342977da5", + "value": "盲眼鹰 - APT-C-36" + }, + { + "description": "2018年11月25日,360高级威胁应对团队就在全球范围内第一时间发现了一起针对俄罗斯的APT攻击行动,攻击目标则指向俄罗斯总统办公室所属的医疗机构,此次攻击行动使用了Flash 0day漏洞cve-2018-15982和Hacking Team的RCS后门程序,结合被攻击目标医疗机构的职能特色,360将此次APT攻击命名为“毒针”行动。", + "meta": { + "country": "kaz", + "refs": [ + "https://apt.360.net/report/apts/10.html" + ], + "suspected-victims": [ + "俄罗斯" + ], + "synonyms": [], + "target-category": [ + "政府" + ] + }, + "uuid": "5ae4eb64-5431-5b5c-987b-891e7ab5858c", + "value": "毒针 - APT-C-31" + }, + { + "description": "2016年7月,360发现一起针对伊朗Android手机用户长达两年之久的APT攻击活动。攻击者借助社交软件Telegram分享经过伪装的ArmaRat木马,入侵成功后攻击者可以完全控制用户手机,并对用户手机进行实时监控。由于该木马演变过程中C&C及代码结构均出现“arma”关键字,所以我们将该组织命名为“ArmaRat”。", + "meta": { + "country": "mideast", + "refs": [ + "https://apt.360.net/report/apts/48.html" + ], + "suspected-victims": [ + "伊朗" + ], + "synonyms": [], + "target-category": [ + "政府" + ] + }, + "uuid": "e66dfa3d-3295-503c-bdea-64d88e2b310d", + "value": "ArmaRat - APT-C-33" + }, + { + "description": "从2015年7月起至今,军刀狮组织(APT-C-38)在中东地区展开了有组织、有计划、针对性的不间断攻击,其攻击平台为Windows和Android。由于军刀狮组织的攻击目标有一个主要的特色目标是西亚中东某国的库尔德人,另Windows端RAT包含的PDB路径下出现多次的“Saber”,而亚洲狮为该中东国家的代表动物,结合该组织的一些其它特点以及360对 APT 组织的命名规则,我们将该组织命名为军刀狮(APT-C-38)。", + "meta": { + "country": "mideast", + "refs": [ + "https://apt.360.net/report/apts/30.html" + ], + "suspected-victims": [ + "中东地区" + ], + "synonyms": [], + "target-category": [ + "政府" + ] + }, + "uuid": "671197ae-ba70-5a81-90a5-1ba5e2ad6f76", + "value": "军刀狮 - APT-C-38" + }, + { + "description": "拍拍熊组织(APT-C-37)针对极端组织“伊斯兰国”展开了有组织、有计划、针对性的长期不间断攻击,其攻击平台为Windows和Android。", + "meta": { + "country": "mideast", + "refs": [ + "https://apt.360.net/report/apts/103.html", + "https://apt.360.net/report/apts/28.html" + ], + "suspected-victims": [ + "ISIS" + ], + "synonyms": [], + "target-category": [ + "军事", + "政府" + ] + }, + "uuid": "74f08d5a-e94d-53cb-bdd7-31d2f8c8db2b", + "value": "拍拍熊 - APT-C-37" + }, + { + "description": "APT-C-15是一个来自于中东地区的境外APT组织。 APT-C-15组织主要针对埃及,以色列等中东地区进行网络间谍活动,以窃取敏感信息为主。 活跃时间主要集中在2014年6月到2015年11月期间,相关攻击活动最早可以追溯到2011年12月。主要采用利用社交网络进行水坑攻击。", + "meta": { + "country": "mideast", + "refs": [ + "https://apt.360.net/report/apts/8.html" + ], + "suspected-victims": [ + "埃及", + "以色列" + ], + "synonyms": [], + "target-category": [ + "政府" + ] + }, + "uuid": "55177506-57bf-503e-8a24-9ed06bd28f16", + "value": "人面狮 - APT-C-15" + }, + { + "description": "美人鱼组织(APT-C-07),来自于中东的境外APT组织,已持续活跃了9年。 主要针对政府机构进行网络间谍活动,以窃取敏感信息为目的,已经证实有针对丹麦外交部的攻击。", + "meta": { + "country": "mideast", + "refs": [ + "https://apt.360.net/report/apts/4.html" + ], + "suspected-victims": [ + "丹麦" + ], + "synonyms": [], + "target-category": [ + "政府", + "外交" + ] + }, + "uuid": "51954972-101b-5213-971c-b335ceb810ea", + "value": "美人鱼 - APT-C-07" + }, + { + "description": "2016年1月起至今,双尾蝎组织对巴勒斯坦教育机构、军事机构等重要领域展开了有组织、有计划、有针对性的长时间不间断攻击。攻击平台包括 Windows 与 Android,攻击范围主要为中东地区", + "meta": { + "country": "mideast", + "refs": [ + "https://apt.360.net/report/apts/27.html" + ], + "suspected-victims": [ + "巴勒斯坦", + "中国等驻外大使馆" + ], + "synonyms": [], + "target-category": [ + "政府", + "IT", + "军事", + "教育" + ] + }, + "uuid": "ce0bcfbd-9924-5c82-9ad3-845db745e7f7", + "value": "双尾蝎 - APT-C-23" + }, + { + "description": "从2011年开始持续至今,高级攻击组织蓝宝菇(APT-C-12)对我国政府、军工、科研、金融等重点单位和部门进行了持续的网络间谍活动。该组织主要关注核工业和科研等相关信息。被攻击目标主要集中在中国大陆境内。", + "meta": { + "country": "taiwan", + "refs": [ + "https://apt.360.net/report/apts/7.html" + ], + "suspected-victims": [ + "中国" + ], + "synonyms": [ + "核危机行动(Operation NuclearCrisis)" + ], + "target-category": [ + "政府", + "航空航天、教育", + null, + "军事" + ] + }, + "uuid": "7094494b-a91b-532f-9968-082fa683bfc4", + "value": "蓝宝菇 - APT-C-12" + }, + { + "description": "从2007年开始至今,360追日团队发现毒云藤组织对中国国防、政府、科技、教育以及海事机构等重点单位和部门进行了长达数十年的网络间谍活动。该组织主要关注军工、中美关系、两岸关系和海洋相关领域。", + "meta": { + "country": "taiwan", + "refs": [ + "https://apt.360.net/report/apts/2.html" + ], + "suspected-victims": [ + "中国" + ], + "synonyms": [ + "穷奇", + "白海豚", + "绿斑" + ], + "target-category": [ + "政府", + "科研", + "国防", + "海事机构等重要机构" + ] + }, + "uuid": "98df38d1-f83c-5c28-ad11-75aa6b493fe7", + "value": "毒云藤 - APT-C-01" + }, + { + "description": "Darkhotel(APT-C-06)组织是一个长期针对企业高管、国防工业、电子工业等重要机构实施网络间谍攻击活动的APT组织。2014年11月,卡巴斯基实验室的安全专家首次发现了Darkhotel APT组织,并声明该组织至少从2010年就已经开始活跃,目标基本锁定在韩国、中国、俄罗斯和日本。", + "meta": { + "country": "southKorea", + "refs": [ + "https://apt.360.net/report/apts/3.html", + "https://apt.360.net/report/apts/97.html" + ], + "suspected-victims": [ + "中国", + "日本", + "俄罗斯", + "朝鲜半岛" + ], + "synonyms": [ + "Luder", + "Karba", + "Tapaoux", + "Dubnium", + "SIG25" + ], + "target-category": [ + "军事", + "外贸外交", + "工业能源", + "科研等重要机构" + ] + }, + "uuid": "f52ab8b8-71f2-5a88-946f-853dc3441efe", + "value": "Darkhotel - APT-C-06" + }, + { + "description": "APT28(APT-C-20),又称Pawn Storm、Sofacy、Sednit、Fancy Bear和Strontium。APT28组织被怀疑幕后和俄罗斯政府有关,该组织相关攻击时间最早可以追溯到2007年。其主要目标包括国防工业、军队、政府组织和媒体", + "meta": { + "country": "russia", + "refs": [ + "https://apt.360.net/report/apts/120.html", + "https://apt.360.net/report/apts/72.html" + ], + "suspected-victims": [ + "美国", + "欧洲", + "乌克兰" + ], + "synonyms": [ + "Pawn Storm", + "Sofacy Group", + "Sednit", + "Fancy Bear", + "STRONTIUM" + ], + "target-category": [ + "媒体", + "国防工业", + "政府", + "军事等重要机构" + ] + }, + "uuid": "3d9f700c-5eb5-5d36-a6e7-47b55f2844cd", + "value": "奇幻熊 - APT-C-20" + }, + { + "description": "沙虫组织的主要目标领域有:政府、教育、能源机构和电信运营商,进一步主要针对欧美国家政府、北约,以及乌克兰政府展开间谍活动,其攻击在2018年呈上升趋势。该组织经常利用鱼叉式网络钓鱼方法。", + "meta": { + "country": "russia", + "refs": [ + "https://apt.360.net/report/apts/87.html", + "https://apt.360.net/report/apts/69.html" + ], + "suspected-victims": [ + "欧美国家", + "乌克兰", + "北约" + ], + "synonyms": [ + "SandWorm" + ], + "target-category": [ + "政府", + "教育", + "能源机构", + "电信运营商" + ] + }, + "uuid": "0fdab65b-3e2b-5fd8-be36-cc18c7bcc1d7", + "value": "沙虫 - APT-C-13" + }, + { + "description": "肚脑虫组织(APT-C-35),是一个来自于印度的境外APT组织,该组织已持续活跃了3年。 肚脑虫组织主要针对巴基斯坦,南亚等国家地区进行网络间谍活动,以窃取敏感信息为主。 相关攻击活动最早可以追溯到2016年,至今还非常活跃。", + "meta": { + "country": "india", + "refs": [ + "https://apt.360.net/report/apts/102.html", + "https://apt.360.net/report/apts/32.html" + ], + "suspected-victims": [ + "巴基斯坦等南亚国家" + ], + "synonyms": [ + "donot" + ], + "target-category": [ + "政府" + ] + }, + "uuid": "7592ce56-59df-5cbc-9251-6928ff23e6a5", + "value": "肚脑虫 - APT-C-35" + }, + { + "description": "蔓灵花组织利用鱼叉邮件以及系统漏洞等方式,主要攻击政府、电力和工业相关单位,以窃取敏感信息为主。国外样本最早出现在2013年11月,样本编译时间集中出现在2015年7月至2016年9月期间,2016年网络安全公司Forcepoint最早报告了这一组织,随后被多次发现,至今还非常活跃。", + "meta": { + "country": "india", + "refs": [ + "https://apt.360.net/report/apts/5.html" + ], + "suspected-victims": [ + "中国", + "巴基斯坦" + ], + "synonyms": [], + "target-category": [ + "工业", + "电力", + "政府" + ] + }, + "uuid": "4d76da10-0bfe-51d4-b071-61593c8f1983", + "value": "蔓灵花 - APT-C-08" + }, + { + "description": "索伦之眼组织(APT-C-16),又称Sauron、Strider。该组织主要针对中国、俄罗斯等多个国家进行网络间谍活动,其中以窃取敏感信息为主。相关攻击活动最早可以追溯到2010年,至今还非常活跃。该组织整个攻击过程中是高度隐蔽,且针对性极强,对特定目标采用定制的恶意程序或通信设施,不会重复使用相关攻击资源。相关恶意代码复杂度可以与方程式(Equation)媲美,其综合能力不弱于震网(Stuxnet)、火焰(Flame)等APT组织。", + "meta": { + "country": "america", + "refs": [ + "https://apt.360.net/report/apts/70.html" + ], + "suspected-victims": [ + "中国", + "俄罗斯", + "比利时", + "瑞典" + ], + "synonyms": [ + "Sauron", + "Strider" + ], + "target-category": [ + "军事", + "外交", + "政府等重要机构" + ] + }, + "uuid": "24ce266c-1860-5e04-a107-48d1d39f8ebf", + "value": "索伦之眼 - APT-C-16" + }, + { + "description": "潜行者组织主要搜集东南亚国家政府机构、国防部门、情报机构等机构敏感信息,其中针对我国就进行了超十年左右的网络攻击。主要针对政府、通信等领域重点单位,攻击最早可以关联追溯到2009年,最早的样本编译时间为2008年,攻击活动一直持续至今。", + "meta": { + "country": "southeast", + "refs": [ + "https://apt.360.net/report/apts/82.html" + ], + "suspected-victims": [ + "中国及东南亚" + ], + "synonyms": [], + "target-category": [ + "政府", + "外交", + "通讯", + "智库" + ] + }, + "uuid": "4a2a754b-e59b-5f31-b9ca-1d0f920185b2", + "value": "潜行者 - APT-C-30" + }, + { + "description": "“响尾蛇”APT组织又名T-APT-04,疑似来自印度,其最早活跃时间可追溯到2012年,主要针对巴基斯坦等南亚国家的军事目标进行定向攻击。", + "meta": { + "country": "india", + "refs": [ + "https://apt.360.net/report/apts/92.html" + ], + "suspected-victims": [ + "巴基斯坦" + ], + "synonyms": [ + "SideWinder" + ], + "target-category": [ + "政府", + "军事" + ] + }, + "uuid": "3dada716-34c3-506e-aa3a-1889bd975b4b", + "value": "响尾蛇 - APT-C-24" + }, + { + "description": "APT-C-28组织,又名ScarCruft、APT37 (Reaper)、Group123,是一个来自于东北亚地区的境外APT组织,其相关攻击活动最早可追溯到2012年,且至今依然保持活跃状态。APT-C-28组织主要针对韩国等亚洲国家进行网络间谍活动,其中以窃取战略军事、政治、经济利益相关的情报和敏感数据为主。", + "meta": { + "country": "korea", + "refs": [ + "https://apt.360.net/report/apts/79.html" + ], + "suspected-victims": [ + "俄罗斯", + "中国等周边国家" + ], + "synonyms": [ + "APT37(Reaper)", + "Group123" + ], + "target-category": [ + "政府", + "媒体" + ] + }, + "uuid": "96c3508e-f5f9-52b4-9d1e-b246d68f643d", + "value": "ScarCruft - APT-C-28" + }, + { + "description": "Turla组织的主要目标有外交、政治、私企,攻击目标遍布全球,其中以欧洲地区为主,国内也有中招用户。在攻击手法上是俄罗斯网军中技术实力很强的主力部队,曾经有过攻击卫星的历史。", + "meta": { + "country": "russia", + "refs": [ + "https://apt.360.net/report/apts/88.html", + "https://apt.360.net/report/apts/81.html" + ], + "suspected-victims": [ + "中国", + "俄罗斯", + "驻欧美国家外交机关" + ], + "synonyms": [ + "uroburos" + ], + "target-category": [ + "外交", + "金融", + "工业" + ] + }, + "uuid": "1972273e-2152-558c-b575-222c6d2f3e10", + "value": "Turla - APT-C-29" + }, + { + "description": "Carbanak(即Anunak)攻击组织,是一个跨国网络犯罪团伙。2013年起,该犯罪团伙总计向全球约30个国家和地区的100家银行、电子支付系统和其他金融机构发动了攻击,目前相关攻击活动还很活跃。", + "meta": { + "country": "russia", + "refs": [ + "https://apt.360.net/report/apts/68.html" + ], + "suspected-victims": [ + "全球" + ], + "synonyms": [ + "Anunak" + ], + "target-category": [ + "外贸", + "金融" + ] + }, + "uuid": "a4aba29f-fb91-50d9-bdf9-2b184922a200", + "value": "Carbanak - APT-C-11" + }, + { + "description": "“飞鲨”行动相关攻击行动最早可以追溯到2013年1月,持续活跃到2014年3月,主要针对中国航空航天领域,目的是窃取目标用户敏感数据信息,近期暂无监控到相关攻击事件。", + "meta": { + "country": "india", + "refs": [ + "https://apt.360.net/report/apts/71.html" + ], + "suspected-victims": [ + "中国" + ], + "synonyms": [], + "target-category": [ + "基础设施", + "IT", + "教育", + "科研", + "航空航天" + ] + }, + "uuid": "c47e631c-a3d7-509b-a87f-a7e87f8fab6c", + "value": "飞鲨 - APT-C-17" + }, + { + "description": "APT-C-40(方程式)是史上最强网络犯罪组织。该团伙已活跃近20年,并且在攻击复杂性和攻击技巧方面超越了历史上所有的网络攻击组织,并被认为是著名的震网(Stuxnet)和火焰(Flame)病毒幕后的操纵者。", + "meta": { + "country": "america", + "refs": [ + "https://apt.360.net/report/apts/85.html" + ], + "suspected-victims": [ + "中国", + "俄罗斯", + "伊朗", + "巴基斯坦" + ], + "synonyms": [], + "target-category": [ + "关键制", + "工业科研", + "航空航天", + "政府军事等重要机构" + ] + }, + "uuid": "54034021-1998-5ddf-93e7-f1f56d172f99", + "value": "方程式 - APT-C-40" + }, + { + "description": "透明部落(Transparent Tribe)别名APT36、ProjectM、C-Major,是一个具有南亚背景的APT组织,其长期针对周边国家和地区(特别是印度)的政治、军事进行定向攻击活动,其开发有自己的专属木马CrimsonRAT,还曾被发现广泛传播USB蠕虫。TransparentTribe也曾经对Donot的恶意文档宏代码进行模仿,两者高度相似。之前透明部落也曾经模仿响尾蛇组织进行攻击。其一直针对印度的政府、公共部门、各行各业包括但不限于医疗、电力、金融、制造业等进行攻击和信息窥探。", + "meta": { + "country": "southeast", + "refs": [], + "suspected-victims": [ + "印度" + ], + "synonyms": [ + "APT36", + "ProjectM", + "C-Major" + ], + "target-category": [ + "政府", + "军事" + ] + }, + "uuid": "084517bc-b8e7-5c86-a218-3f19e1379f3e", + "value": "透明部落 - APT-C-56" + }, + { + "description": "在2020年起,我们发现南亚地区中新的境外APT组织活动,最早活跃可追溯到2020年1月,至今还很活跃。该APT组织的攻击活动主要针对巴基斯坦、孟加拉等国家的国家机构、军工、科研、国防等重要领域进行攻击。与南亚地区中活跃的蔓灵花、响尾蛇等APT组织暂无关联,属于新的攻击组织。\n该APT组织通过鱼叉邮件配合社会工程学手段进行渗透,向目标设备传播恶意程序,暗中控制目标设备,持续窃取设备上的敏感文件。由于其使用的C2、载荷下发、窃取的数据存储等均依赖于云服务,且使用的木马为python语言编写,所以我们将其命名为腾云蛇,编号为APT-C-61。", + "meta": { + "country": "southeast", + "refs": [], + "suspected-victims": [ + "巴基斯坦", + "孟加拉" + ], + "synonyms": [], + "target-category": [ + "政府", + "军事", + "科研", + "国防" + ] + }, + "uuid": "724da0c4-ca9e-54be-a15c-8204472d8c99", + "value": "腾云蛇 - APT-C-61" + }, + { + "description": "Kimsuky 是位于朝鲜的APT组织,又名(Mystery Baby, Baby Coin, Smoke Screen, BabyShark, Cobra Venom)等,最早由Kaspersky在2013年披露,该组织长期针对于韩国的智囊团、政府外交、新闻组织、教育学术组织等进行攻击,在过去几年里,他们将攻击目标扩大到包括美国、俄罗斯和欧洲各国在内的国家。主要目的为窃取情报、间谍活动等。该组织十分活跃,常用的攻击载荷为带有漏洞的hwp文件、恶意宏文件、释放载荷的PE文件等。", + "meta": { + "country": "korea", + "refs": [], + "suspected-victims": [ + "韩国" + ], + "synonyms": [], + "target-category": [ + "政府", + "教育", + "外交", + "媒体" + ] + }, + "uuid": "84e18657-3995-5837-88f1-f823520382a8", + "value": "Kimsuky - APT-C-55" + }, + { + "description": "2019年初,国外安全厂商披露了一起疑似卢甘斯克背景的APT组织针对乌克兰政府的定向攻击活动,根据相关报告分析该组织的攻击活动至少可以追溯到2014年,曾大量通过网络钓鱼、水坑攻击等方式针对乌克兰政府机构进行攻击。", + "meta": { + "country": "Ukraine", + "refs": [ + "https://apt.360.net/report/apts/169.html" + ], + "suspected-victims": [ + "乌克兰" + ], + "synonyms": [ + "APT-C-46" + ], + "target-category": [ + "政府" + ] + }, + "uuid": "a97037e7-7c3b-5cc2-ab4c-bd0432bc247a", + "value": "卢甘斯克组织 - APT-C-46" + }, + { + "description": "360 安全大脑检测到多起 ClickOnce 恶意程序的攻击活动,通过 360 高级威胁研究院的深入研判分析,发现这是一起来自半岛地区未被披露 APT 组织的攻击行动,该组织的攻击活动最早可以追溯到 2018 年。目前没有任何安全厂商公开披露该组织的攻击活动,360根据用ClickOnce 攻击技术的谐音,将其命名为“旺刺”组织。", + "meta": { + "country": "korea", + "refs": [ + "https://apt.360.net/report/apts/168.html" + ], + "suspected-victims": [ + "中国", + "朝鲜半岛" + ], + "synonyms": [ + "APT-C-47" + ], + "target-category": [ + "商贸机构" + ] + }, + "uuid": "0660d5e2-f8cf-5d5e-95c8-e5af7115979e", + "value": "旺刺组织 - APT-C-47" + }, + { + "description": "Domestic Kitten组织(APT-C-50)最早被国外安全厂商披露,自2016年以来一直在进行广泛而有针对性的攻击,攻击目标包括伊朗内部持不同政见者和反对派力量,以及ISIS的拥护者和主要定居在伊朗西部的库尔德少数民族。值得注意的是,所有攻击目标都是伊朗公民。伊斯兰革命卫队(IRGC)、情报部、内政部等伊朗政府机构可能为该组织提供支持", + "meta": { + "country": "Iran", + "refs": [ + "https://apt.360.net/report/apts/166.html" + ], + "suspected-victims": [ + "伊朗", + "阿富汗", + "伊拉克", + "英国" + ], + "synonyms": [ + "APT-C-50" + ], + "target-category": [ + "政府" + ] + }, + "uuid": "a6636926-ffe4-5974-9be0-34ab5dcbd59f", + "value": "DomesticKitten - APT-C-50" + }, + { + "description": "APT-C-32", + "meta": { + "country": "Israel", + "refs": [], + "suspected-victims": [], + "synonyms": [], + "target-category": [] + }, + "uuid": "bf77827a-e0f1-504f-815c-4bccfe72b644", + "value": "SandCat - APT-C-32" + }, + { + "description": "APT-C-48", + "meta": { + "country": "india", + "refs": [], + "suspected-victims": [ + "中国" + ], + "synonyms": [], + "target-category": [ + "教育", + "军事" + ] + }, + "uuid": "34d75138-389f-5555-85e9-f3ca5a9cce8f", + "value": "APT_CNC - APT-C-48" + }, + { + "description": "蓝色魔眼(APT-C-41),又被称为Promethium、StrongPity,该APT组织最早的攻击活动可以追溯到2012年。该组织主要针对意大利、土耳其、比利时、叙利亚、欧洲等地区和国家进行攻击活动。360安全大脑监测到该组织在2020年1月首次针对中国进行了攻击活动,并捕获到了该组织最新V4版本的攻击组件。经过360高级威胁研究院的深入分析研判,此次攻击的针对性极强,是该组织罕见地针对我国相关重要机构发起的首起定向攻击行动。由于是首次捕获和披露该组织对我国的攻击,我们为其分配了新的编号APT-C-41,并根据该组织活跃地区的文化特色将其命名为“蓝色魔眼”。", + "meta": { + "country": "trq", + "refs": [ + "https://apt.360.net/report/apts/158.html" + ], + "suspected-victims": [ + "欧洲", + "意大利", + "土耳其", + "比利时", + "叙利亚" + ], + "synonyms": [ + "StrongPity" + ], + "target-category": [ + "基础设施" + ] + }, + "uuid": "75122408-5db4-5ac2-a156-88a8f149e738", + "value": "蓝色魔眼 - APT-C-41" + }, + { + "description": "Machete", + "meta": { + "country": "namerica", + "refs": [ + "https://apt.360.net/report/apts/159.html" + ], + "suspected-victims": null, + "synonyms": [ + "Machete" + ], + "target-category": null + }, + "uuid": "d0b9840d-efe2-5200-89d1-2f1a37737e30", + "value": "Machete - APT-C-43" + }, + { + "description": "APT-C-53", + "meta": { + "country": "russia", + "refs": [], + "suspected-victims": [], + "synonyms": [], + "target-category": [] + }, + "uuid": "ca52d879-f02b-531e-89ff-817ffc23ce35", + "value": "Gamaredon - APT-C-53" + }, + { + "description": "360烽火实验室联合360高级威胁研究院发现一起针对阿拉伯语地区的长达三年的多次网络攻击活动。该攻击活动自2017年10月开始至今,攻击平台主要为Windows和Android。通过分析,我们发现此次攻击活动来自阿尔及利亚,主要利用钓鱼网站和第三方文件托管网站进行载荷投递,并且使用社交媒体进行传播,受害者主要分布在阿拉伯语地区,其中包含疑似具有军事背景的相关人员。根据此次攻击活动的伪装对象和攻击目标,我们认为该组织目的是为了获取情报先机。根据该组织所属国家的地理位置以及其他特点,我们将其命名为北非狐(APT-C-44)。", + "meta": { + "country": "algeria", + "refs": [ + "https://apt.360.net/report/apts/157.html" + ], + "suspected-victims": null, + "synonyms": [], + "target-category": null + }, + "uuid": "367bfb72-da65-5886-a333-389299470722", + "value": "北非狐 - APT-C-44" + }, + { + "description": "WellMess组织是一个一直未被业界认定的APT组织,多方面数据显示该组织在2017至2019年间的攻击活动开始频繁活跃,其中日本互联网应急响应中心于2018年曾报道过该组织的相关攻击活动,但并未将其归属为APT组织。\n\n在2019年,360高级威胁研究院捕获发现了WellMess组织一系列的APT攻击活动,这一系列的攻击活动最早开始于2017年12月,一直持续到2019年12月。在对WellMess组织的攻击研判过程中,我们确定这是一个具备自身独特攻击特点和精密攻击技战术的APT组织,为其分配了APT-C-42的专属APT组织编号。", + "meta": { + "country": "russia", + "refs": [ + "https://apt.360.net/report/apts/136.html" + ], + "suspected-victims": null, + "synonyms": [], + "target-category": [ + "IT通信行业" + ] + }, + "uuid": "6560f0cf-bbbd-5bb7-8dad-b4c8ea23704f", + "value": "WellMess - APT-C-42" + } + ], + "version": 1 +} diff --git a/galaxies/360net.json b/galaxies/360net.json new file mode 100644 index 00000000..275ea08b --- /dev/null +++ b/galaxies/360net.json @@ -0,0 +1,9 @@ +{ + "description": "Known or estimated adversary groups as identified by 360.net.", + "icon": "user-secret", + "name": "360.net Threat Actors", + "namespace": "360net", + "type": "360net-threat-actor", + "uuid": "20de4abf-f000-48ec-a929-3cdc5c2f3c23", + "version": 1 +} diff --git a/tools/gen_360net.py b/tools/gen_360net.py new file mode 100755 index 00000000..b2c3eeca --- /dev/null +++ b/tools/gen_360net.py @@ -0,0 +1,87 @@ +#!/usr/bin/env python3 +# -*- coding: utf-8 -*- +# +# +# A simple convertor of the https://apt.360.net to a MISP Galaxy datastructure. +# Copyright (C) 2022 MISP Project +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as +# published by the Free Software Foundation, either version 3 of the +# License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program. If not, see . + +import os +import uuid +import json +import requests + +import argparse + +parser = argparse.ArgumentParser(description="Create the 360.net APTlist based on their website data.") +args = parser.parse_args() + +r = requests.get("https://apt.360.net/apts/list", timeout=5) +list_data = r.json() + +clusters = [] +for actor in list_data['data']['list']: + country_code = actor['location']['code'] # LATER find a magic way to convert this to a 2-letter country code + try: + refs = [actor['article']['full_url']] + except TypeError: + refs = [] + for ref in actor['recommends']: + refs.append(ref['url']) + refs = list(set(refs)) + clusters.append({ + 'value': f"{actor['name']} - {actor['code']}", + 'description': actor['description'], + 'uuid': str(uuid.uuid5(uuid.UUID("9319371e-2504-4128-8410-3741cebbcfd3"), actor['code'])), + 'meta': { + 'synonyms': actor['alias'], + 'country': country_code, + 'refs': refs, + 'target-category': actor['attack_industry'], + 'suspected-victims': actor['attack_region'], + # LATER find a way to convert attack-method to MITRE ATT&CK + } + }) + +json_galaxy = { + 'icon': "user-secret", + 'name': "360.net Threat Actors", + 'description': "Known or estimated adversary groups as identified by 360.net.", + 'namespace': "360net", + 'type': "360net-threat-actor", + 'uuid': "20de4abf-f000-48ec-a929-3cdc5c2f3c23", + 'version': 1 +} + +json_cluster = { + 'authors': ["360.net"], + 'category': 'actor', + 'name': "360.net Threat Actors", + 'description': "Known or estimated adversary groups as identified by 360.net.", + 'source': 'https://apt.360.net/aptlist', + 'type': "360net-threat-actor", + 'uuid': "20de4abf-f000-48ec-a929-3cdc5c2f3c23", + 'values': clusters, + 'version': 1 +} + +# save the Galaxy and Cluster file +with open(os.path.join('..', 'galaxies', '360net.json'), 'w') as f: + json.dump(json_galaxy, f, indent=2) + +with open(os.path.join('..', 'clusters', '360net.json'), 'w') as f: + json.dump(json_cluster, f, indent=2) + +print("All done, please don't forget to ./jq_all_the_things.sh, commit, and then ./validate_all.sh.")