mirror of https://github.com/MISP/misp-galaxy
update threat actor galaxy
parent
1f2e59addb
commit
d6b458520b
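--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -157,7 +157,9 @@
 {
 "meta": {
 "refs": [
-"https://www.cylance.com/hubfs/2015_cylance_website/assets/operation-dust-storm/Op_Dust_Storm_Report.pdf"
+"https://www.cylance.com/content/dam/cylance/pdfs/reports/Op_Dust_Storm_Report.pdf",
+"https://www.symantec.com/connect/blogs/inside-back-door-attack",
+"https://attack.mitre.org/groups/G0031/"
 ]
 },
 "related": [
@@ -1400,10 +1402,15 @@
 "cfr-type-of-incident": "Espionage",
 "country": "CN",
 "refs": [
-"https://www.cfr.org/interactive/cyber-operations/sneaky-panda"
+"https://www.cfr.org/interactive/cyber-operations/sneaky-panda",
+"https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf",
+"https://attack.mitre.org/groups/G0066/"
 ],
 "synonyms": [
-"Sneaky Panda"
+"Sneaky Panda",
+"Elderwood",
+"Elderwood Gang",
+"SIG22"
 ]
 },
 "related": [
@@ -2474,7 +2481,16 @@
 "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf",
 "http://www.netresec.com/?page=Blog&month=2014-10&post=Full-Disclosure-of-Havex-Trojans",
 "https://threatpost.com/energy-watering-hole-attack-used-lightsout-exploit-kit/104772/",
-"https://www.cfr.org/interactive/cyber-operations/crouching-yeti"
+"https://www.cfr.org/interactive/cyber-operations/crouching-yeti",
+"https://ssu.gov.ua/sbu/control/uk/publish/article?art_id=170951&cat_i=39574",
+"https://www.reuters.com/article/us-ukraine-cyber-attack-energy-idUSKBN1521BA",
+"https://dragos.com/wp-content/uploads/CrashOverride-01.pdf",
+"https://www.independent.ie/irish-news/statesponsored-hackers-targeted-eirgrid-electricity-network-in-devious-attack-36005921.html",
+"https://www.riskiq.com/blog/labs/energetic-bear/",
+"https://www.symantec.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks",
+"https://www.kaspersky.com/resource-center/threats/crouching-yeti-energetic-bear-malware-threat",
+"https://www.sans.org/reading-room/whitepapers/ICS/impact-dragonfly-malware-industrial-control-systems-36672",
+"https://attack.mitre.org/groups/G0035/"
 ],
 "synonyms": [
 "Dragonfly",
@@ -2628,7 +2644,18 @@
 "https://www.computerweekly.com/news/252446153/Three-Carbanak-cyber-heist-gang-members-arrested",
 "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064518/Carbanak_APT_eng.pdf",
 "https://www.group-ib.com/resources/threat-research/Anunak_APT_against_financial_institutions.pdf",
-"https://attack.mitre.org/groups/G0008/"
+"https://attack.mitre.org/groups/G0008/",
+"https://www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html",
+"https://threatpost.com/fileless-malware-campaigns-tied-to-same-attacker/124369/",
+"https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html",
+"https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html",
+"http://blog.morphisec.com/fin7-attacks-restaurant-industry",
+"https://www.flashpoint-intel.com/blog/fin7-revisited-inside-astra-panel-and-sqlrat-malware/",
+"http://blog.morphisec.com/fin7-attack-modifications-revealed",
+"http://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign",
+"https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/",
+"https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html",
+"https://attack.mitre.org/groups/G0046/"
 ],
 "synonyms": [
 "Carbanak",
@@ -2735,7 +2762,8 @@
 "https://www.reuters.com/article/2015/06/23/us-hackers-insidertrading-idUSKBN0P31M720150623",
 "https://www.fireeye.com/blog/threat-research/2014/11/fin4_stealing_insid.html",
 "https://www2.fireeye.com/rs/fireye/images/rpt-fin4.pdf",
-"https://pwc.blogs.com/cyber_security_updates/2015/06/unfin4ished-business.html"
+"https://pwc.blogs.com/cyber_security_updates/2015/06/unfin4ished-business.html",
+"https://attack.mitre.org/groups/G0085/"
 ],
 "synonyms": [
 "FIN4"
@@ -3218,11 +3246,13 @@
 "refs": [
 "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf",
 "https://attack.mitre.org/wiki/Groups",
-"http://researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/",
-"http://researchcenter.paloaltonetworks.com/2017/01/unit42-dragonok-updates-toolset-targets-multiple-geographic-regions/",
 "https://blogs.forcepoint.com/security-labs/trojanized-adobe-installer-used-install-dragonok%E2%80%99s-new-custom-backdoor",
 "http://www.morphick.com/resources/news/deep-dive-dragonok-rambo-backdoor",
-"https://www.cfr.org/interactive/cyber-operations/moafee"
+"https://www.cfr.org/interactive/cyber-operations/moafee",
+"https://unit42.paloaltonetworks.com/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/",
+"https://unit42.paloaltonetworks.com/unit42-dragonok-updates-toolset-targets-multiple-geographic-regions/",
+"https://www.phnompenhpost.com/national/kingdom-targeted-new-malware",
+"https://attack.mitre.org/groups/G0017/"
 ],
 "synonyms": [
 "Moafee"
@@ -3468,7 +3498,12 @@
 "description": "FIN is a group targeting financial assets including assets able to do financial transaction including PoS.",
 "meta": {
 "refs": [
-"https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf"
+"https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf",
+"https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html",
+"https://attack.mitre.org/groups/G0037/"
+],
+"synonyms": [
+"Skeleton Spider"
 ]
 },
 "related": [
@@ -3477,7 +3512,7 @@
 "tags": [
 "estimative-language:likelihood-probability=\"likely\""
 ],
-"type": "similar"
+"type": "similar",
 }
 ],
 "uuid": "647894f6-1723-4cba-aba4-0ef0966d5302",
@@ -3886,12 +3921,18 @@
 "country": "US",
 "refs": [
 "https://en.wikipedia.org/wiki/Equation_Group",
-"https://www.cfr.org/interactive/cyber-operations/equation-group"
+"https://www.cfr.org/interactive/cyber-operations/equation-group",
+"https://arstechnica.com/information-technology/2015/02/how-omnipotent-hackers-tied-to-the-nsa-hid-for-14-years-and-were-found-at-last/",
+"https://www.dropbox.com/s/buxkfotx1kei0ce/Whitepaper%20Shadow%20Broker%20-%20Equation%20Group%20Hack.pdf?dl=0",
+"https://en.wikipedia.org/wiki/Stuxnet",
+"https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064459/Equation_group_questions_and_answers.pdf",
+"https://attack.mitre.org/groups/G0020/"
 ],
 "synonyms": [
 "Tilded Team",
 "Lamberts",
-"EQGRP"
+"EQGRP",
+"Longhorn"
 ]
 },
 "related": [
@@ -4296,7 +4337,9 @@
 "https://www.fireeye.com/blog/threat-research/2016/05/windows-zero-day-payment-cards.html",
 "https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html",
 "https://www.root9b.com/sites/default/files/whitepapers/PoS%20Malware%20ShellTea%20PoSlurp.pdf",
-"http://files.shareholder.com/downloads/AMDA-254Q5F/0x0x938351/665BA6A3-9573-486C-B96F-80FA35759E8C/FEYE_rpt-mtrends-2017_FINAL2.pdf"
+"http://files.shareholder.com/downloads/AMDA-254Q5F/0x0x938351/665BA6A3-9573-486C-B96F-80FA35759E8C/FEYE_rpt-mtrends-2017_FINAL2.pdf",
+"https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html",
+"https://attack.mitre.org/groups/G0061"
 ]
 },
 "related": [
@@ -4339,9 +4382,10 @@
 ],
 "cfr-type-of-incident": "Espionage",
 "refs": [
-"https://securelist.com/blog/research/66108/el-machete/",
+"https://securelist.com/el-machete/66108/",
 "https://www.cylance.com/en_us/blog/el-machete-malware-attacks-cut-through-latam.html",
-"https://www.cfr.org/interactive/cyber-operations/machete"
+"https://www.cfr.org/interactive/cyber-operations/machete",
+"https://threatvector.cylance.com/en_us/home/el-machete-malware-attacks-cut-through-latam.html"
 ],
 "synonyms": [
 "Machete"
@@ -5773,15 +5817,27 @@
 "https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage",
 "https://www.threatconnect.com/blog/threatconnect-discovers-chinese-apt-activity-in-europe/",
 "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/april/decoding-network-data-from-a-gh0st-rat-variant/",
-"https://securelist.com/luckymouse-ndisproxy-driver/87914/"
+"https://securelist.com/luckymouse-ndisproxy-driver/87914/",
+"https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/2015.09.17.Operation_Iron_Tiger/Operation%20Iron%20Tiger%20Appendix.pdf",
+"https://www.cfr.org/interactive/cyber-operations/iron-tiger",
+"https://arstechnica.com/information-technology/2015/08/newly-discovered-chinese-hacking-group-hacked-100-websites-to-use-as-watering-holes/",
+"https://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/",
+"https://securelist.com/luckymouse-hits-national-data-center/86083/",
+"https://www.secureworks.com/research/bronze-union",
+"https://attack.mitre.org/groups/G0027/"
 ],
 "synonyms": [
 "Emissary Panda",
 "APT27",
+"APT 27",
 "Threat Group 3390",
 "Bronze Union",
 "ZipToken",
-"Iron Tiger"
+"Iron Tiger",
+"TG-3390",
+"TEMP.Hippo",
+"Group 35",
+"ZipToken"
 ]
 },
 "related": [
@@ -6910,7 +6966,29 @@
 },
 "uuid": "320c42f7-eab7-4ef9-b09a-74396caa6c3e",
 "value": "BlackTech"
+},
+{
+"value": "FIN5",
+"description": "FIN5 is a financially motivated threat group that has targeted personally identifiable information and payment card information. The group has been active since at least 2008 and has targeted the restaurant, gaming, and hotel industries. The group is made up of actors who likely speak Russian.",
+"meta": {
+"refs": [
+"https://www.darkreading.com/analytics/prolific-cybercrime-gang-favors-legit-login-credentials/d/d-id/1322645?",
+"https://attack.mitre.org/groups/G0053/"
+]
+},
+"uuid": "44dc2f9c-8c28-11e9-9b9a-7fdced8cbf70"
+},
+{
+"value": "FIN10",
+"description": "FireEye has observed multiple targeted intrusions occurring in North America — predominately in Canada — dating back to at least 2013 and continuing through at least 2016, in which the attacker(s) have compromised organizations’ networks and sought to monetize this illicit access by exfiltrating sensitive data and extorting victim organizations. In some cases, when the extortion demand was not met, the attacker(s) destroyed production Windows systems by deleting critical operating system files and then shutting down the impacted systems. Based on near parallel TTPs used by the attacker(s) across these targeted intrusions, we believe these clusters of activity are linked to a single, previously unobserved actor or group that we have dubbed FIN10.",
+"meta": {
+"refs": [
+"https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin10.pdf",
+"https://attack.mitre.org/groups/G0051/"
+]
+},
+"uuid": "f2d02410-8c2c-11e9-8df1-a31c1fb33d79"
 }
 ],
-"version": 111
+"version": 112
 }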
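Review bot: The new line `"type": "similar",` in hunk `@@ -3477,7 +3512,7 @@` is immediately followed by the context line `}`, so that object now ends with a trailing comma, which strict RFC 8259 parsers reject and which leaves the whole cluster file unloadable; the comma should be dropped, `"type": "similar"`, unless a further key was meant to follow and is missing from the hunk. The enclosing related-entry object starts outside the hunk. Separately, hunk `@@ -5773,15 +5817,27 @@` appends `"ZipToken"` to a synonyms array that already lists `"ZipToken"` three entries earlier, so the added duplicate should be removed. A smaller consistency point: the added `"https://attack.mitre.org/groups/G0061"` in hunk `@@ -4296,7 +4337,9 @@` is the only MITRE reference in this change written without the trailing slash the others use.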