From ec9dc0f2e31461981df16d9ff6492316b755ec8d Mon Sep 17 00:00:00 2001
From: jstnk9
Date: Fri, 20 Oct 2023 11:51:13 +0200
Subject: [PATCH] threat actors update
---
 clusters/threat-actor.json | 47 +++++++++++++++++++++++++++++++++++++-
 1 file changed, 46 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index f02dd15..b1836dd 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -209,6 +209,30 @@
 "uuid": "8a8f39df-74b3-4946-ab64-f84968bababe",
 "value": "DIZZY PANDA"
 },
+ {
+ "description": "Grayling activity was first observed in early 2023, when a number of victims were identified with distinctive malicious DLL side-loading activity. Grayling appears to target organisations in Asia, however one unknown organisation in the United States was also targeted. Industries targeted include Biomedical, Government and Information Technology. Grayling use a variety of tools during their attacks, including well known tools such as Cobalt Strike and Havoc and also some others.",
+ "meta": {
+ "attribution-confidence": "50",
+ "country": "CN",
+ "cfr-suspected-state-sponsor": "China",
+ "refs": [
+ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/grayling-taiwan-cyber-attacks"
+ ],
+ "cfr-suspected-victims": [
+ "Taiwan",
+ "United States",
+ "Vietnam",
+ "Solomon Islands"
+ ],
+ "cfr-target-category": [
+ "Biomedical",
+ "Government",
+ "Information technology"
+ ]
+ },
+ "uuid": "6714de29-4dd8-463c-99a3-77c9e80fa47d",
+ "value": "Grayling"
+ },
 {
 "description": "Putter Panda were the subject of an extensive report by CrowdStrike, which stated: 'The CrowdStrike Intelligence team has been tracking this particular unit since2012, under the codename PUTTER PANDA, and has documented activity dating back to 2007. The report identifies Chen Ping, aka cpyy, and the primary location of Unit 61486.'",
 "meta": {
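Review bot: The new Grayling entry's `cfr-suspected-victims` list does not agree with its own description: the text says the group targets organisations in Asia plus one unknown organisation in the United States, yet the list also contains `"Solomon Islands"`, which the prose never accounts for. Either broaden the description to cover the Pacific victim or trim the list to what the single cited reference supports, so analysts reading one field are not misled by the other. The Blind Eagle hunk in this same commit adds `"cfr-type-of-incident"`, but this entry omits it; if the cited reference characterises the activity as intelligence gathering, adding `"cfr-type-of-incident": "Espionage",` after `"cfr-suspected-state-sponsor"` would keep the two additions consistent. The closing clause "and also some others" in the description carries no information and could be dropped.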
@@ -7531,7 +7555,28 @@
 "description": "Since April 2018, an APT group (Blind Eagle, APT-C-36) suspected coming from South America carried out continuous targeted attacks against Colombian government institutions as well as important corporations in financial sector, petroleum industry, professional manufacturing, etc.",
 "meta": {
 "refs": [
- "https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/"
+ "https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/",
+ "https://www.ecucert.gob.ec/wp-content/uploads/2022/03/alerta-APTs-2022-03-23.pdf",
+ "https://blogs.blackberry.com/en/2023/02/blind-eagle-apt-c-36-targets-colombia",
+ "https://lab52.io/blog/apt-c-36-recent-activity-analysis/",
+ "https://www.trendmicro.com/en_ph/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html",
+ "https://research.checkpoint.com/2023/blindeagle-targeting-ecuador-with-sharpened-tools/",
+ "https://attack.mitre.org/groups/G0099/"
+ ],
+ "cfr-suspected-victims": [
+ "Ecuador",
+ "Colombia",
+ "Spain",
+ "Panama",
+ "Chile"
+ ],
+ "cfr-type-of-incident": "Espionage",
+ "cfr-target-category": [
+ "Petroleum",
+ "Manufacturing",
+ "Financial",
+ "Private sector",
+ "Government"
 ],
 "synonyms": [
 "Blind Eagle"
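Review bot: The added `cfr-target-category` list mixes an umbrella value with the sectors it already contains: `"Private sector"` subsumes `"Petroleum"`, `"Manufacturing"` and `"Financial"`, so any consumer that counts or filters actors per category will count this one twice; keep either the specific sectors or the umbrella, not both. The unchanged description at the top of the hunk still speaks only of South America and Colombian government institutions, while the new `cfr-suspected-victims` list leads with `"Ecuador"` and includes `"Spain"`, so the prose and the structured fields now disagree — the description should be revised in the same change, or the victims list should be limited to countries the added references actually document. With the ATT&CK group page G0099 now among the refs, a `related` link to the corresponding mitre-intrusion-set cluster (using that cluster's real UUID as `dest-uuid`, not a value taken from this hunk) would let tooling pivot between the two entries, if this galaxy's other entries already carry such links.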