update threat actor galaxy

2019-06-11 11:57:04 +02:00 · 2019-06-11 11:57:04 +02:00 · d6b458520b
parent 1f2e59addb
commit d6b458520b
1 changed files with 97 additions and 19 deletions
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@ -157,7 +157,9 @@
    {
      "meta": {
        "refs": [
-          "https://www.cylance.com/hubfs/2015_cylance_website/assets/operation-dust-storm/Op_Dust_Storm_Report.pdf"
+          "https://www.cylance.com/content/dam/cylance/pdfs/reports/Op_Dust_Storm_Report.pdf",
+          "https://www.symantec.com/connect/blogs/inside-back-door-attack",
+          "https://attack.mitre.org/groups/G0031/"
        ]
      },
      "related": [
@ -1400,10 +1402,15 @@
        "cfr-type-of-incident": "Espionage",
        "country": "CN",
        "refs": [
-          "https://www.cfr.org/interactive/cyber-operations/sneaky-panda"
+          "https://www.cfr.org/interactive/cyber-operations/sneaky-panda",
+          "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf",
+          "https://attack.mitre.org/groups/G0066/"
        ],
        "synonyms": [
-          "Sneaky Panda"
+          "Sneaky Panda",
+          "Elderwood",
+          "Elderwood Gang",
+          "SIG22"
        ]
      },
      "related": [
@ -2474,7 +2481,16 @@
          "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf",
          "http://www.netresec.com/?page=Blog&month=2014-10&post=Full-Disclosure-of-Havex-Trojans",
          "https://threatpost.com/energy-watering-hole-attack-used-lightsout-exploit-kit/104772/",
-          "https://www.cfr.org/interactive/cyber-operations/crouching-yeti"
+          "https://www.cfr.org/interactive/cyber-operations/crouching-yeti",
+          "https://ssu.gov.ua/sbu/control/uk/publish/article?art_id=170951&cat_i=39574",
+          "https://www.reuters.com/article/us-ukraine-cyber-attack-energy-idUSKBN1521BA",
+          "https://dragos.com/wp-content/uploads/CrashOverride-01.pdf",
+          "https://www.independent.ie/irish-news/statesponsored-hackers-targeted-eirgrid-electricity-network-in-devious-attack-36005921.html",
+          "https://www.riskiq.com/blog/labs/energetic-bear/",
+          "https://www.symantec.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks",
+          "https://www.kaspersky.com/resource-center/threats/crouching-yeti-energetic-bear-malware-threat",
+          "https://www.sans.org/reading-room/whitepapers/ICS/impact-dragonfly-malware-industrial-control-systems-36672",
+          "https://attack.mitre.org/groups/G0035/"
        ],
        "synonyms": [
          "Dragonfly",
@ -2628,7 +2644,18 @@
          "https://www.computerweekly.com/news/252446153/Three-Carbanak-cyber-heist-gang-members-arrested",
          "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064518/Carbanak_APT_eng.pdf",
          "https://www.group-ib.com/resources/threat-research/Anunak_APT_against_financial_institutions.pdf",
-          "https://attack.mitre.org/groups/G0008/"
+          "https://attack.mitre.org/groups/G0008/",
+          "https://www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html",
+          "https://threatpost.com/fileless-malware-campaigns-tied-to-same-attacker/124369/",
+          "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html",
+          "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html",
+          "http://blog.morphisec.com/fin7-attacks-restaurant-industry",
+          "https://www.flashpoint-intel.com/blog/fin7-revisited-inside-astra-panel-and-sqlrat-malware/",
+          "http://blog.morphisec.com/fin7-attack-modifications-revealed",
+          "http://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign",
+          "https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/",
+          "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html",
+          "https://attack.mitre.org/groups/G0046/"
        ],
        "synonyms": [
          "Carbanak",
@ -2735,7 +2762,8 @@
          "https://www.reuters.com/article/2015/06/23/us-hackers-insidertrading-idUSKBN0P31M720150623",
          "https://www.fireeye.com/blog/threat-research/2014/11/fin4_stealing_insid.html",
          "https://www2.fireeye.com/rs/fireye/images/rpt-fin4.pdf",
-          "https://pwc.blogs.com/cyber_security_updates/2015/06/unfin4ished-business.html"
+          "https://pwc.blogs.com/cyber_security_updates/2015/06/unfin4ished-business.html",
+          "https://attack.mitre.org/groups/G0085/"
        ],
        "synonyms": [
          "FIN4"
@ -3218,11 +3246,13 @@
        "refs": [
          "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf",
          "https://attack.mitre.org/wiki/Groups",
-          "http://researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/",
-          "http://researchcenter.paloaltonetworks.com/2017/01/unit42-dragonok-updates-toolset-targets-multiple-geographic-regions/",
          "https://blogs.forcepoint.com/security-labs/trojanized-adobe-installer-used-install-dragonok%E2%80%99s-new-custom-backdoor",
          "http://www.morphick.com/resources/news/deep-dive-dragonok-rambo-backdoor",
-          "https://www.cfr.org/interactive/cyber-operations/moafee"
+          "https://www.cfr.org/interactive/cyber-operations/moafee",
+          "https://unit42.paloaltonetworks.com/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/",
+          "https://unit42.paloaltonetworks.com/unit42-dragonok-updates-toolset-targets-multiple-geographic-regions/",
+          "https://www.phnompenhpost.com/national/kingdom-targeted-new-malware",
+          "https://attack.mitre.org/groups/G0017/"
        ],
        "synonyms": [
          "Moafee"
@ -3468,7 +3498,12 @@
      "description": "FIN is a group targeting financial assets including assets able to do financial transaction including PoS.",
      "meta": {
        "refs": [
-          "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf"
+          "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf",
+          "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html",
+          "https://attack.mitre.org/groups/G0037/"
+        ],
+        "synonyms": [
+          "Skeleton Spider"
        ]
      },
      "related": [
@ -3477,7 +3512,7 @@
          "tags": [
            "estimative-language:likelihood-probability=\"likely\""
          ],
-          "type": "similar"
+          "type": "similar",
        }
      ],
      "uuid": "647894f6-1723-4cba-aba4-0ef0966d5302",
@ -3886,12 +3921,18 @@
        "country": "US",
        "refs": [
          "https://en.wikipedia.org/wiki/Equation_Group",
-          "https://www.cfr.org/interactive/cyber-operations/equation-group"
+          "https://www.cfr.org/interactive/cyber-operations/equation-group",
+          "https://arstechnica.com/information-technology/2015/02/how-omnipotent-hackers-tied-to-the-nsa-hid-for-14-years-and-were-found-at-last/",
+          "https://www.dropbox.com/s/buxkfotx1kei0ce/Whitepaper%20Shadow%20Broker%20-%20Equation%20Group%20Hack.pdf?dl=0",
+          "https://en.wikipedia.org/wiki/Stuxnet",
+          "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064459/Equation_group_questions_and_answers.pdf",
+          "https://attack.mitre.org/groups/G0020/"
        ],
        "synonyms": [
          "Tilded Team",
          "Lamberts",
-          "EQGRP"
+          "EQGRP",
+          "Longhorn"
        ]
      },
      "related": [
@ -4296,7 +4337,9 @@
          "https://www.fireeye.com/blog/threat-research/2016/05/windows-zero-day-payment-cards.html",
          "https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html",
          "https://www.root9b.com/sites/default/files/whitepapers/PoS%20Malware%20ShellTea%20PoSlurp.pdf",
-          "http://files.shareholder.com/downloads/AMDA-254Q5F/0x0x938351/665BA6A3-9573-486C-B96F-80FA35759E8C/FEYE_rpt-mtrends-2017_FINAL2.pdf"
+          "http://files.shareholder.com/downloads/AMDA-254Q5F/0x0x938351/665BA6A3-9573-486C-B96F-80FA35759E8C/FEYE_rpt-mtrends-2017_FINAL2.pdf",
+          "https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html",
+          "https://attack.mitre.org/groups/G0061"
        ]
      },
      "related": [
@ -4339,9 +4382,10 @@
        ],
        "cfr-type-of-incident": "Espionage",
        "refs": [
-          "https://securelist.com/blog/research/66108/el-machete/",
+          "https://securelist.com/el-machete/66108/",
          "https://www.cylance.com/en_us/blog/el-machete-malware-attacks-cut-through-latam.html",
-          "https://www.cfr.org/interactive/cyber-operations/machete"
+          "https://www.cfr.org/interactive/cyber-operations/machete",
+          "https://threatvector.cylance.com/en_us/home/el-machete-malware-attacks-cut-through-latam.html"
        ],
        "synonyms": [
          "Machete"
@ -5773,15 +5817,27 @@
          "https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage",
          "https://www.threatconnect.com/blog/threatconnect-discovers-chinese-apt-activity-in-europe/",
          "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/april/decoding-network-data-from-a-gh0st-rat-variant/",
-          "https://securelist.com/luckymouse-ndisproxy-driver/87914/"
+          "https://securelist.com/luckymouse-ndisproxy-driver/87914/",
+          "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/2015.09.17.Operation_Iron_Tiger/Operation%20Iron%20Tiger%20Appendix.pdf",
+          "https://www.cfr.org/interactive/cyber-operations/iron-tiger",
+          "https://arstechnica.com/information-technology/2015/08/newly-discovered-chinese-hacking-group-hacked-100-websites-to-use-as-watering-holes/",
+          "https://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/",
+          "https://securelist.com/luckymouse-hits-national-data-center/86083/",
+          "https://www.secureworks.com/research/bronze-union",
+          "https://attack.mitre.org/groups/G0027/"
        ],
        "synonyms": [
          "Emissary Panda",
          "APT27",
+          "APT 27",
          "Threat Group 3390",
          "Bronze Union",
          "ZipToken",
-          "Iron Tiger"
+          "Iron Tiger",
+          "TG-3390",
+          "TEMP.Hippo",
+          "Group 35",
+          "ZipToken"
        ]
      },
      "related": [
@ -6910,7 +6966,29 @@
      },
      "uuid": "320c42f7-eab7-4ef9-b09a-74396caa6c3e",
      "value": "BlackTech"
+    },
+    {
+      "value": "FIN5",
+      "description": "FIN5 is a financially motivated threat group that has targeted personally identifiable information and payment card information. The group has been active since at least 2008 and has targeted the restaurant, gaming, and hotel industries. The group is made up of actors who likely speak Russian.",
+      "meta": {
+        "refs": [
+          "https://www.darkreading.com/analytics/prolific-cybercrime-gang-favors-legit-login-credentials/d/d-id/1322645?",
+          "https://attack.mitre.org/groups/G0053/"
+        ]
+      },
+      "uuid": "44dc2f9c-8c28-11e9-9b9a-7fdced8cbf70"
+    },
+    {
+      "value": "FIN10",
+      "description": "FireEye has observed multiple targeted intrusions occurring in North America — predominately in Canada — dating back to at least 2013 and continuing through at least 2016, in which the attacker(s) have compromised organizations’ networks and sought to monetize this illicit access by exfiltrating sensitive data and extorting victim organizations. In some cases, when the extortion demand was not met, the attacker(s) destroyed production Windows systems by deleting critical operating system files and then shutting down the impacted systems. Based on near parallel TTPs used by the attacker(s) across these targeted intrusions, we believe these clusters of activity are linked to a single, previously unobserved actor or group that we have dubbed FIN10.",
+      "meta": {
+        "refs": [
+          "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin10.pdf",
+          "https://attack.mitre.org/groups/G0051/"
+        ]
+      },
+      "uuid": "f2d02410-8c2c-11e9-8df1-a31c1fb33d79"
    }
  ],
-  "version": 111
+  "version": 112
 }