From d155f1e05d013e3629e3cfed419a163ec1f097a2 Mon Sep 17 00:00:00 2001
From: Mathieu Beligon <mathieu@feedly.com>
Date: Wed, 6 Dec 2023 17:42:33 -0800
Subject: [PATCH] [threat-actors] Add UNC215

---
 clusters/threat-actor.json | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 2820e30..859eefc 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -13703,6 +13703,18 @@
       },
       "uuid": "590ecec6-4047-4d0f-9143-2e367700423d",
       "value": "UNC2447"
+    },
+    {
+      "description": "UNC215 is a Chinese nation-state threat actor that has been active since at least 2014. They have targeted organizations in various sectors, including government, technology, telecommunications, defense, finance, entertainment, and healthcare. UNC215 has been observed using tools such as Mimikatz, FOCUSFJORD, and HYPERBRO for initial access and post-compromise activities. They have demonstrated a focus on evading detection and have employed tactics such as using trusted third parties, minimizing forensic evidence, and incorporating false flags. UNC215's targets are located globally, with a particular focus on the Middle East, Europe, Asia, and North America.",
+      "meta": {
+        "country": "CN",
+        "refs": [
+          "https://www.esentire.com/security-advisories/ransomware-hackers-attack-a-top-safety-testing-org-using-tactics-and-techniques-borrowed-from-chinese-espionage-groups",
+          "https://www.fireeye.com/blog/threat-research/2021/08/unc215-chinese-espionage-campaign-in-israel.html"
+        ]
+      },
+      "uuid": "9795249f-8954-4632-830f-7e1f0ebc1dd5",
+      "value": "UNC215"
     }
   ],
   "version": 295