From ebd216e31597dcac18897b51f3170262fc786077 Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Wed, 6 Dec 2023 17:42:33 -0800
Subject: [PATCH] [threat-actors] Add UNC2447
---
 clusters/threat-actor.json | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 3e923fe..51b059a 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -13682,6 +13682,19 @@
 },
 "uuid": "21bb2dab-4125-4ae8-8966-c7381659e180",
 "value": "WIP19"
+ },
+ {
+ "description": "UNC2447 is a financially motivated threat actor with ties to multiple hacker groups. They have been observed deploying ransomware, including FiveHands and Hello Kitty, and engaging in double extortion tactics. They have been active since at least May 2020 and target organizations in Europe and North America.",
+ "meta": {
+ "refs": [
+ "https://www.esentire.com/blog/hacker-infrastructure-used-in-cisco-breach-discovered-attacking-a-top-workforce-management-corporation-russias-evil-corp-gang-suspected-reports-esentire",
+ "https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html",
+ "http://internal-www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html",
+ "https://www.rewterz.com/rewterz-news/rewterz-threat-alert-financially-motivated-aggressive-group-carrying-out-ransomware-campaigns-active-iocs"
+ ]
+ },
+ "uuid": "590ecec6-4047-4d0f-9143-2e367700423d",
+ "value": "UNC2447"
 }
 ],
 "version": 295
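Review bot: The third entry in `refs` points at `http://internal-www.fireeye.com/...`, a host name that looks internal to the vendor and is reached over plain HTTP, so analysts following the reference will probably not be able to resolve it, and it is the only one of the four links without TLS. Replace it with the public HTTPS location of the same report, presumably `https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html` or its current redirect target, after confirming that the link resolves. The description's "ties to multiple hacker groups" is also too vague to verify against the cited reports; naming the groups those reports mention, or dropping the clause, would make the attribution checkable.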