From 0dd2f95a50f4b2fda5273da680733fd25c6d51b4 Mon Sep 17 00:00:00 2001
From: jstnk9
Date: Fri, 15 Dec 2023 12:28:38 +0100
Subject: [PATCH 1/2] new threat actor - Sandman APT
new threat actor - Sandman APT
---
 clusters/threat-actor.json | 40 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index a00fe33..f9cfe23 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -13785,6 +13785,46 @@
 },
 "uuid": "86dfe64e-7101-4d45-bb94-efc40c5e14fe",
 "value": "UNC2630"
+ },
+ {
+ "description": "First disclosed in 2023, the Sandman APT is likely associated with suspected China-based threat clusters known for using the KEYPLUG backdoor, specifically STORM-0866/Red Dev 40. Sandman is tracked as a distinct cluster, pending additional conclusive information. A notable characteristic is its use of the LuaDream backdoor. LuaDream is based on the Lua platform, a relatively rare occurrence in the cyberespionage domain, historically associated with APTs considered Western or Western-aligned.",
+ "meta": {
+ "cfr-suspected-victims": [
+ "Middle East",
+ "Southeast Asian",
+ "France",
+ "Egypt",
+ "Sudan",
+ "South Sudan"
+ "Libya",
+ "Turkey",
+ "Saudi Arabia",
+ "Oman",
+ "Yemen",
+ "Sri Lanka",
+ "India",
+ "Pakistan",
+ "Iran",
+ "Afghanistan",
+ "Kuwait",
+ "Iraq",
+ "United Arab Emirates"
+ ],
+ "cfr-target-category": [
+ "Government",
+ "Telecommunications"
+ ],
+ "attribution-confidence": "50",
+ "country": "CN",
+ "cfr-suspected-state-sponsor": "China",
+ "cfr-type-of-incident": "Espionage",
+ "references": [
+ "https://www.sentinelone.com/labs/sandman-apt-china-based-adversaries-embrace-lua/",
+ "https://www.sentinelone.com/labs/sandman-apt-a-mystery-group-targeting-telcos-with-a-luajit-toolkit/"
+ ]
+ },
+ "uuid": "00b84012-fa25-4942-ad64-c76be24828a8",
+ "value": "Sandman APT"
 }
 ],
 "version": 295
From c3061256792b324e271faf988f7ca8e22aba3939 Mon Sep 17 00:00:00 2001
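Review bot: The added `"South Sudan"` element in `cfr-suspected-victims` has no trailing comma, so this commit leaves clusters/threat-actor.json unparsable by any strict JSON consumer; the line should read `"South Sudan",`. The follow-up commit c3061256 on this page makes exactly that fix, so the new entry should not be consumed from this revision alone, and running the file through a JSON validator (for example `python -m json.tool`) before committing would have caught it. Separately, the same list mixes region names with country names, and `"Southeast Asian"` is an adjective where every other entry is a place name; if a region is intended, `"Southeast Asia"` would match the form of `"Middle East"`.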
From: Alexandre Dulaunoy
Date: Mon, 18 Dec 2023 14:43:21 +0100
Subject: [PATCH 2/2] fix: [threat-actor] fix JSON
---
 clusters/threat-actor.json | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index f9cfe23..e9b6cc9 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -13789,13 +13789,15 @@
 {
 "description": "First disclosed in 2023, the Sandman APT is likely associated with suspected China-based threat clusters known for using the KEYPLUG backdoor, specifically STORM-0866/Red Dev 40. Sandman is tracked as a distinct cluster, pending additional conclusive information. A notable characteristic is its use of the LuaDream backdoor. LuaDream is based on the Lua platform, a relatively rare occurrence in the cyberespionage domain, historically associated with APTs considered Western or Western-aligned.",
 "meta": {
+ "attribution-confidence": "50",
+ "cfr-suspected-state-sponsor": "China",
 "cfr-suspected-victims": [
 "Middle East",
 "Southeast Asian",
 "France",
 "Egypt",
 "Sudan",
- "South Sudan"
+ "South Sudan",
 "Libya",
 "Turkey",
 "Saudi Arabia",
@@ -13814,10 +13816,8 @@
 "Government",
 "Telecommunications"
 ],
- "attribution-confidence": "50",
- "country": "CN",
- "cfr-suspected-state-sponsor": "China",
 "cfr-type-of-incident": "Espionage",
+ "country": "CN",
 "references": [
 "https://www.sentinelone.com/labs/sandman-apt-china-based-adversaries-embrace-lua/",
 "https://www.sentinelone.com/labs/sandman-apt-a-mystery-group-targeting-telcos-with-a-luajit-toolkit/"
@@ -13827,5 +13827,5 @@
 "value": "Sandman APT"
 }
 ],
- "version": 295
+ "version": 296
 }