From 02e23a9a4761a7e9226e1fea9c163cdee8fba193 Mon Sep 17 00:00:00 2001
From: Daniel Plohmann
Date: Mon, 17 Apr 2023 22:32:50 +0200
Subject: [PATCH 1/4] adding Google alias HOODOO for APT41

---
 clusters/threat-actor.json | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 24955b8..63bc59e 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -7449,7 +7449,8 @@
 "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf",
 "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
 "https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf",
- "https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/"
+ "https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/",
+ "https://services.google.com/fh/files/blogs/gcat_threathorizons_full_apr2023.pdf"
 ],
 "synonyms": [
 "G0096",
@@ -7465,7 +7466,8 @@
 "Red Kelpie",
 "G0044",
 "Earth Baku",
- "Amoeba"
+ "Amoeba",
+ "HOODOO"
 ]
 },
 "related": [

From 41afab1c0698e75d37a9519753092c21b2d7bbab Mon Sep 17 00:00:00 2001
From: Daniel Plohmann
Date: Tue, 18 Apr 2023 20:11:57 +0200
Subject: [PATCH 2/4] adding Trend Micro alias Earth Smilodon for APT27

---
 clusters/threat-actor.json | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 63bc59e..31fc78c 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
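Review bot: The top-level `version` of clusters/threat-actor.json is not bumped although both hunks change the APT41 cluster's refs and synonyms; the diffstat (4 insertions, 2 deletions) confirms only the two list edits, and the two hunks of PATCH 2/4 for APT27 have the same gap. Galaxy consumers rely on that counter to notice a changed cluster file, which is what PATCH 3/4 and 4/4 do for microsoft-activity-group.json (`"version": 11` to 12 to 13). If threat-actor.json carries the same field, bump it in the same commit, e.g. `-    "version": N` / `+    "version": N+1` with the file's current value. The enclosing APT41 object starts and ends outside these hunks.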
@@ -841,7 +841,8 @@
 "https://unit42.paloaltonetworks.com/atoms/iron-taurus/",
 "https://www.mandiant.com/resources/insights/apt-groups",
 "https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf",
- "https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/"
+ "https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/",
+ "https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html"
 ],
 "synonyms": [
 "GreedyTaotie",
@@ -856,7 +857,8 @@
 "BRONZE UNION",
 "Lucky Mouse",
 "G0027",
- "Iron Taurus"
+ "Iron Taurus",
+ "Earth Smilodon"
 ]
 },
 "related": [

From ccc8f0f8018fece44f3afd18375894b16948da88 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Wed, 19 Apr 2023 10:47:11 +0200
Subject: [PATCH 3/4] chg: [microsoft-activity-group] updated to map the new funky Microsoft "taxonomy"

Script to generate the cluster is the following, UUIDv5 based on standard misp-stix source UUIDv4.

~~~python
lcluster = []
for v in data:
    cluster = {}
    cluster['value'] = v['threat_actor']
    cluster['meta'] = {}
    cluster['meta']['sector'] = v['sector']
    cluster['meta']['synonyms'] = v['synonyms']
    cluster['meta']['refs'] = []
    cluster['meta']['refs'].append('https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide')
    _uuid = uuid.uuid5(uuid.UUID("76beed5f-7251-457e-8c2a-b45f7b589d3d"), "{}".format(cluster['value']))
    cluster['uuid'] = str(_uuid)
    lcluster.append(cluster)
~~~

Relationships might be added in a later stage to map with the MISP threat actor galaxy.
---
 clusters/microsoft-activity-group.json | 866 ++++++++++++++++++++++++-
 1 file changed, 865 insertions(+), 1 deletion(-)

diff --git a/clusters/microsoft-activity-group.json b/clusters/microsoft-activity-group.json
index 012e1bd..1cf8757 100644
--- a/clusters/microsoft-activity-group.json
+++ b/clusters/microsoft-activity-group.json
@@ -319,7 +319,871 @@
 ],
 "uuid": "d7247cf9-13b6-4781-b789-a5f33521633b",
 "value": "NOBELIUM"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
+ ],
+ "sector": "China",
+ "synonyms": [
+ "APT41",
+ "BARIUM"
+ ]
+ },
+ "uuid": "2fc42ffc-dd1a-560e-ac97-05e8fa27bbe5",
+ "value": "Brass Typhoon"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
+ ],
+ "sector": "China",
+ "synonyms": [
+ "CHROMIUM",
+ "ControlX"
+ ]
+ },
+ "uuid": "3f8b7c98-7484-523f-9d58-181274e6fc8f",
+ "value": "Charcoal Typhoon"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
+ ],
+ "sector": "China",
+ "synonyms": [
+ "DEV-0322"
+ ]
+ },
+ "uuid": "0bebd962-191a-5671-b5b0-f6de7c8180fc",
+ "value": "Circle Typhoon"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
+ ],
+ "sector": "China",
+ "synonyms": [
+ "APT40",
+ "GADOLINIUM",
+ "Kryptonite Panda",
+ "Leviathan",
+ "TEMP.Periscope"
+ ]
+ },
+ "uuid": "dbc45b46-5b64-50d4-b0f1-d7de888d4e85",
+ "value": "Gingham Typhoon"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
+ ],
+ "sector": "China",
+ "synonyms": [
+ "GALLIUM"
+ ]
+ },
+ "uuid": "ae4036de-c901-5f21-808a-f5c071ef509b",
+ "value": "Granite Typhoon"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
+ ],
+ "sector": "China",
+ "synonyms": [
+ "DEV-0234"
+ ]
+ },
+ "uuid": "aa45a89c-4c2b-5f6b-9a3d-51abccaa9623",
+ "value": "Lilac Typhoon"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
+ ],
+ "sector": "China",
+ "synonyms": [
+ "APT5",
+ "Keyhole Panda",
+ "MANGANESE",
+ "TABCTENG"
+ ]
+ },
+ "uuid": "fa562b27-d3ff-5e7c-9079-c957eb01a0e0",
+ "value": "Mulberry Typhoon"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
+ ],
+ "sector": "China",
+ "synonyms": [
+ "APT15",
+ "NICKEL",
+ "Vixen Panda",
+ "ke3chang"
+ ]
+ },
+ "uuid": "66571167-13fe-5817-93e0-54ae8f206fdc",
+ "value": "Nylon Typhoon"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
+ ],
+ "sector": "China",
+ "synonyms": [
+ "APT30",
+ "LotusBlossom",
+ "RADIUM"
+ ]
+ },
+ "uuid": "b3c378fc-1ce3-5a46-a32e-f55a584c6536",
+ "value": "Raspberry Typhoon"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
+ ],
+ "sector": "China",
+ "synonyms": [
+ "HAFNIUM"
+ ]
+ },
+ "uuid": "9728610a-17cb-5cac-9322-ef19ae296a29",
+ "value": "Silk Typhoon"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
+ ],
+ "sector": "China",
+ "synonyms": [
+ "APT31",
+ "ZIRCONIUM"
+ ]
+ },
+ "uuid": "27eb4928-b3e6-5ae1-bbb6-f73bce8d7c69",
+ "value": "Violet Typhoon"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
+ ],
+ "sector": "Financially motivated",
+ "synonyms": [
+ "Bronze Starlight",
+ "DEV-0401",
+ "Emperor Dragonfly"
+ ]
+ },
+ "uuid": "43fe584d-88e5-5f2b-a9fd-a866e62040bb",
+ "value": "Cinnamon Tempest"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
+ ],
+ "sector": "Financially motivated",
+ "synonyms": [
+ "DEV-0950",
+ "FIN11",
+ "TA505"
+ ]
+ },
+ "uuid": "b27dcdee-14b1-5842-86b3-32eacec94584",
+ "value": "Lace Tempest"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
+ ],
+ "sector": "Financially motivated",
+ "synonyms": [
+ "DEV-0206",
+ "Purple Vallhund"
+ ]
+ },
+ "uuid": "1b1524f4-16b0-5b85-aea4-844babea4ccb",
+ "value": "Mustard Tempest"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
+ ],
+ "sector": "Financially motivated",
+ "synonyms": [
+ "DEV-0193",
+ "UNC2053",
+ "Wizard Spider"
+ ]
+ },
+ "uuid": "120dc1ae-e850-5059-a4fb-520748ca6881",
+ "value": "Periwinkle Tempest"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
+ ],
+ "sector": "Financially motivated",
+ "synonyms": [
+ "Choziosi loader",
+ "Chrome Loader",
+ "ClickPirate",
+ "DEV-0796"
+ ]
+ },
+ "uuid": "3c9a0350-8d17-5624-872c-fe44969a5888",
+ "value": "Phlox Tempest"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
+ ],
+ "sector": "Financially motivated",
+ "synonyms": [
+ "DEV-0237",
+ "FIN12"
+ ]
+ },
+ "uuid": "567ea386-a78f-5550-ae7c-9c9eacdf45af",
+ "value": "Pistachio Tempest"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
+ ],
+ "sector": "Financially motivated",
+ "synonyms": [
+ "Carbon Spider",
+ "ELBRUS",
+ "FIN7"
+ ]
+ },
+ "uuid": "9471ad21-0553-5483-bf7c-e6ad9c062c79",
+ "value": "Sangria Tempest"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
+ ],
+ "sector": "Financially motivated",
+ "synonyms": [
+ "CHIMBORAZO",
+ "TA505"
+ ]
+ },
+ "uuid": "c85120d0-c397-5d30-9d57-3b019090acd5",
+ "value": "Spandex Tempest"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
+ ],
+ "sector": "Financially motivated",
+ "synonyms": [
+ "DEV-0537",
+ "LAPSUS$"
+ ]
+ },
+ "uuid": "d4dfb329-822c-5db3-a078-a8c0f77924da",
+ "value": "Strawberry Tempest"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
+ ],
+ "sector": "Financially motivated",
+ "synonyms": [
+ "DEV-0832"
+ ]
+ },
+ "uuid": "a01da064-988c-5ad3-92c6-9537adb6a5f0",
+ "value": "Vanilla Tempest"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
+ ],
+ "sector": "Financially motivated",
+ "synonyms": [
+ "DEV-0504"
+ ]
+ },
+ "uuid": "0662a721-a92e-50b3-a5ac-0c4142ac9aeb",
+ "value": "Velvet Tempest"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
+ ],
+ "sector": "Financially motivated",
+ "synonyms": [
+ "PARINACOTA",
+ "Wadhrama"
+ ]
+ },
+ "uuid": "5939e42e-06d0-5719-8072-62f0fc0821e8",
+ "value": "Wine Tempest"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
+ ],
+ "sector": "Group in development",
+ "synonyms": [
+ "DEV-0257",
+ "UNC1151"
+ ]
+ },
+ "uuid": "60ac9e2c-b3b2-5c6b-913e-935952e14c28",
+ "value": "Storm-0257"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
+ ],
+ "sector": "Iran",
+ "synonyms": [
+ "NEPTUNIUM",
+ "Vice Leaker"
+ ]
+ },
+ "uuid": "b06ff51a-77e7-5b7f-9938-4a2d37bce5a4",
+ "value": "Cotton Sandstorm"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
+ ],
+ "sector": "Iran",
+ "synonyms": [
+ "CURIUM",
+ "TA456",
+ "Tortoise Shell"
+ ]
+ },
+ "uuid": "b76e22b0-26a4-50ca-b876-09bc90a81b3b",
+ "value": "Crimson Sandstorm"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
+ ],
+ "sector": "Iran",
+ "synonyms": [
+ "DEV-0228"
+ ]
+ },
+ "uuid": "badacab7-5097-5817-8516-d8a72de2a71b",
+ "value": "Cuboid Sandstorm"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
+ ],
+ "sector": "Iran",
+ "synonyms": [
+ "DEV-0343"
+ ]
+ },
+ "uuid": "395473c6-be98-5369-82d1-cdbc97b3fddc",
+ "value": "Gray Sandstorm"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
+ ],
+ "sector": "Iran",
+ "synonyms": [
+ "APT34",
+ "Cobalt Gypsy",
+ "EUROPIUM",
+ "OilRig"
+ ]
+ },
+ "uuid": "b6260d6d-a2f7-5b79-8132-5c456a225f53",
+ "value": "Hazel Sandstorm"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
+ ],
+ "sector": "Iran",
+ "synonyms": [
+ "Fox Kitten",
+ "PioneerKitten",
+ "RUBIDIUM",
+ "UNC757"
+ ]
+ },
+ "uuid": "0757856a-1313-57d8-bb6c-f4c537e110da",
+ "value": "Lemon Sandstorm"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
+ ],
+ "sector": "Iran",
+ "synonyms": [
+ "MERCURY",
+ "MuddyWater",
+ "SeedWorm",
+ "Static Kitten",
+ "TEMP.Zagros"
+ ]
+ },
+ "uuid": "da68ca6d-250f-50f1-a585-240475fdbb35",
+ "value": "Mango Sandstorm"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
+ ],
+ "sector": "Iran",
+ "synonyms": [
+ "DEV-0500",
+ "Moses Staff"
+ ]
+ },
+ "uuid": "ef415059-e150-5324-877e-44b65ab022f5",
+ "value": "Marigold Sandstorm"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
+ ],
+ "sector": "Iran",
+ "synonyms": [
+ "APT35",
+ "Charming Kitten",
+ "PHOSPHORUS"
+ ]
+ },
+ "uuid": "400cd1b8-52b7-5a5c-984f-9b4af35ea231",
+ "value": "Mint Sandstorm"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
+ ],
+ "sector": "Iran",
+ "synonyms": [
+ "APT33",
+ "HOLMIUM",
+ "Refined Kitten"
+ ]
+ },
+ "uuid": "4c0f085a-70b1-5ee6-a45a-dc368f03e701",
+ "value": "Peach Sandstorm"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
+ ],
+ "sector": "Iran",
+ "synonyms": [
+ "AMERICIUM",
+ "Agrius",
+ "BlackShadow",
+ "Deadwood",
+ "SharpBoys"
+ ]
+ },
+ "uuid": "cca311c0-dc91-5aee-b282-5e412040dac3",
+ "value": "Pink Sandstorm"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
+ ],
+ "sector": "Iran",
+ "synonyms": [
+ "DEV-0146",
+ "ZeroCleare"
+ ]
+ },
+ "uuid": "562049d7-78f5-5a65-b7db-c509c9f483f7",
+ "value": "Pumpkin Sandstorm"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
+ ],
+ "sector": "Iran",
+ "synonyms": [
+ "BOHRIUM"
+ ]
+ },
+ "uuid": "4426d375-1435-5ccc-8c1f-f8688bd11f80",
+ "value": "Smoke Sandstorm"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
+ ],
+ "sector": "Lebanon",
+ "synonyms": [
+ "POLONIUM"
+ ]
+ },
+ "uuid": "ce5357da-0e15-5022-bd4f-74aa689d0b2e",
+ "value": "Plaid Rain"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
+ ],
+ "sector": "North Korea",
+ "synonyms": [
+ "Labyrinth Chollima",
+ "Lazarus",
+ "ZINC"
+ ]
+ },
+ "uuid": "9630b0aa-ee9e-5b58-9f79-cf7fa8d291a8",
+ "value": "Diamond Sleet"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
+ ],
+ "sector": "North Korea",
+ "synonyms": [
+ "Kimsuky",
+ "THALLIUM",
+ "Velvet Chollima"
+ ]
+ },
+ "uuid": "44be06b1-e17a-5ea6-a0a2-067933a7af77",
+ "value": "Emerald Sleet"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
+ ],
+ "sector": "North Korea",
+ "synonyms": [
+ "Konni",
+ "OSMIUM"
+ ]
+ },
+ "uuid": "5163b2d9-7521-5225-a7a8-88d881fbc406",
+ "value": "Opal Sleet"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
+ ],
+ "sector": "North Korea",
+ "synonyms": [
+ "LAWRENCIUM"
+ ]
+ },
+ "uuid": "1c5c67ad-c241-5103-99d0-daab5a554b0d",
+ "value": "Pearl Sleet"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
+ ],
+ "sector": "North Korea",
+ "synonyms": [
+ "CERIUM"
+ ]
+ },
+ "uuid": "c29e7262-6a6f-501d-8c00-57f75f2172a3",
+ "value": "Ruby Sleet"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
+ ],
+ "sector": "North Korea",
+ "synonyms": [
+ "BlueNoroff",
+ "COPERNICIUM",
+ "Genie Spider"
+ ]
+ },
+ "uuid": "3a32c54d-d86a-55de-b16a-d9a08a5cf49b",
+ "value": "Sapphire Sleet"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
+ ],
+ "sector": "North Korea",
+ "synonyms": [
+ "DEV-0530",
+ "H0lyGh0st"
+ ]
+ },
+ "uuid": "ab314f1c-8d07-5edb-bb32-64d1105f74ff",
+ "value": "Storm-0530"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
+ ],
+ "sector": "Private Sector Offensive Actor",
+ "synonyms": [
+ "Candiru",
+ "SOURGUM"
+ ]
+ },
+ "uuid": "1b15288c-ff19-5f52-8c4b-6185de934ff8",
+ "value": "Caramel Tsunami"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
+ ],
+ "sector": "Private Sector Offensive Actor",
+ "synonyms": [
+ "DSIRF",
+ "KNOTWEED"
+ ]
+ },
+ "uuid": "9a4a662a-84a9-5b86-b241-7c5eef9cea4d",
+ "value": "Denim Tsunami"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
+ ],
+ "sector": "Private Sector Offensive Actor",
+ "synonyms": [
+ "DEV-0336",
+ "NSO Group"
+ ]
+ },
+ "uuid": "af54315b-3561-5046-8b9b-c3e9e05c0f77",
+ "value": "Night Tsunami"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
+ ],
+ "sector": "Private Sector Offensive Actor",
+ "synonyms": [
+ "CyberRoot",
+ "DEV-0605"
+ ]
+ },
+ "uuid": "2263b6c9-861a-5971-b882-9ea4a84fcf74",
+ "value": "Wisteria Tsunami"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
+ ],
+ "sector": "Russia",
+ "synonyms": [
+ "ACTINIUM",
+ "Gamaredon",
+ "Primitive Bear",
+ "UNC530"
+ ]
+ },
+ "uuid": "fc77a775-d06f-5efc-a6fa-0b2af01902a7",
+ "value": "Aqua Blizzard"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
+ ],
+ "sector": "Russia",
+ "synonyms": [
+ "DEV-0586"
+ ]
+ },
+ "uuid": "7f190457-6829-55c4-9b6b-bccdadb747cb",
+ "value": "Cadet Blizzard"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
+ ],
+ "sector": "Russia",
+ "synonyms": [
+ "APT28",
+ "Fancy Bear",
+ "STRONTIUM"
+ ]
+ },
+ "uuid": "8d84d7b0-7716-5ab3-a3a4-f373dd148347",
+ "value": "Forest Blizzard"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
+ ],
+ "sector": "Russia",
+ "synonyms": [
+ "BROMINE",
+ "Crouching Yeti",
+ "Energetic Bear"
+ ]
+ },
+ "uuid": "45d0f984-2b63-517b-922a-12924bcf4f68",
+ "value": "Ghost Blizzard"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
+ ],
+ "sector": "Russia",
+ "synonyms": [
+ "APT29",
+ "Cozy Bear",
+ "NOBELIUM"
+ ]
+ },
+ "uuid": "31982812-c8bf-5e85-b0ba-0c64a7d05d20",
+ "value": "Midnight Blizzard"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
+ ],
+ "sector": "Russia",
+ "synonyms": [
+ "IRIDIUM",
+ "Sandworm"
+ ]
+ },
+ "uuid": "473eb51c-36cb-5e3a-8347-2f57df809be9",
+ "value": "Seashell Blizzard"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
+ ],
+ "sector": "Russia",
+ "synonyms": [
+ "Callisto",
+ "Reuse Team",
+ "SEABORGIUM"
+ ]
+ },
+ "uuid": "06630ccd-98ed-5aec-8083-e04c894bd2d6",
+ "value": "Star Blizzard"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
+ ],
+ "sector": "Russia",
+ "synonyms": [
+ "DEV-0665"
+ ]
+ },
+ "uuid": "79f8646f-d127-51b7-b502-b096b445c322",
+ "value": "Sunglow Blizzard"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
+ ],
+ "sector": "South Korea",
+ "synonyms": [
+ "DUBNIUM",
+ "Dark Hotel",
+ "Tapaoux"
+ ]
+ },
+ "uuid": "0a4ddab3-a1a6-5372-b11f-5edc25c0e548",
+ "value": "Zigzag Hail"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
+ ],
+ "sector": "Turkey",
+ "synonyms": [
+ "SILICON",
+ "Sea Turtle"
+ ]
+ },
+ "uuid": "fc91881e-92c0-5a63-a0b9-b253958a594e",
+ "value": "Marbled Dust"
+ },
+ {
+ "meta": {
+ "refs": [
+ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
+ ],
+ "sector": "Vietnam",
+ "synonyms": [
+ "APT32",
+ "BISMUTH",
+ "OceanLotus"
+ ]
+ },
+ "uuid": "37808cab-cbb3-560b-bebd-375fa328ea1e",
+ "value": "Canvas Cyclone"
 }
 ],
- "version": 11
+ "version": 12
 }

From 8d2b9537f1c415adbd04161a67fd8456b3155367 Mon Sep 17 00:00:00 2001
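Review bot: `Midnight Blizzard` is added with `NOBELIUM` as a synonym while the file already holds a cluster whose value is `NOBELIUM` (the context lines at the top of the hunk, uuid d7247cf9-13b6-4781-b789-a5f33521633b), so the same actor now lives under two UUIDs with nothing tying them together; the pre-existing entries above the hunk presumably use the same element-name scheme, so most of the 60 new entries likely shadow an existing one the same way. Rather than leaving that to a later stage as the description suggests, either keep the existing UUID for a renamed actor or give each new entry a `related` list pointing at the old cluster (the `related` key is what threat-actor.json uses for this), since consumers otherwise resolve `NOBELIUM` to two unrelated clusters. Separately, `TA505` is listed as a synonym of both `Lace Tempest` and `Spandex Tempest`; if Microsoft's page really lists it under both, the overlap deserves a note on the two entries, because a synonym lookup now returns two clusters. The generator in the description appends a single hard-coded ref per entry, so nothing here records which Microsoft row each entry came from beyond the value itself.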
From: Tobias Mainka
Date: Wed, 19 Apr 2023 12:38:37 +0200
Subject: [PATCH 4/4] replace "sector" tag with "country" for matching data.

this allows to be confirm with existing clusters.
---
 clusters/microsoft-activity-group.json | 88 +++++++++++++-------------
 1 file changed, 44 insertions(+), 44 deletions(-)

diff --git a/clusters/microsoft-activity-group.json b/clusters/microsoft-activity-group.json
index 1cf8757..9a46090 100644
--- a/clusters/microsoft-activity-group.json
+++ b/clusters/microsoft-activity-group.json
@@ -325,7 +325,7 @@
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "sector": "China",
+ "country": "CN",
 "synonyms": [
 "APT41",
 "BARIUM"
@@ -339,7 +339,7 @@
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "sector": "China",
+ "country": "CN",
 "synonyms": [
 "CHROMIUM",
 "ControlX"
@@ -353,7 +353,7 @@
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "sector": "China",
+ "country": "CN",
 "synonyms": [
 "DEV-0322"
 ]
@@ -366,7 +366,7 @@
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "sector": "China",
+ "country": "CN",
 "synonyms": [
 "APT40",
 "GADOLINIUM",
@@ -383,7 +383,7 @@
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "sector": "China",
+ "country": "CN",
 "synonyms": [
 "GALLIUM"
 ]
@@ -396,7 +396,7 @@
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "sector": "China",
+ "country": "CN",
 "synonyms": [
 "DEV-0234"
 ]
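Review bot: The rename to `country` reaches only the 43 entries whose `sector` held a country name (every hunk of this patch, from `@@ -325` here through `@@ -1174` below), while the 17 entries whose `sector` holds `Financially motivated`, `Group in development` or `Private Sector Offensive Actor` (the Tempest, Storm-0257 and Tsunami clusters from PATCH 3/4) keep a key named `sector` for values that are not sectors either, so the alignment with the existing clusters that the commit message asks for is only half done. Those values describe motivation or actor type; moving them under the key the threat-actor cluster uses for that purpose (`motive`, if that is the field — verify against clusters/threat-actor.json) or at least a neutral `category` would remove the last misnamed key. The ISO 3166-1 alpha-2 codes used (`CN`, `IR`, `LB`, `KP`, `RU`, `KR`, `TR`, `VN`) are correct for the names they replace. Each hunk sits inside a `meta` object whose start and end lie outside the hunk.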
@@ -409,7 +409,7 @@
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "sector": "China",
+ "country": "CN",
 "synonyms": [
 "APT5",
 "Keyhole Panda",
@@ -425,7 +425,7 @@
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "sector": "China",
+ "country": "CN",
 "synonyms": [
 "APT15",
 "NICKEL",
@@ -441,7 +441,7 @@
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "sector": "China",
+ "country": "CN",
 "synonyms": [
 "APT30",
 "LotusBlossom",
@@ -456,7 +456,7 @@
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "sector": "China",
+ "country": "CN",
 "synonyms": [
 "HAFNIUM"
 ]
@@ -469,7 +469,7 @@
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "sector": "China",
+ "country": "CN",
 "synonyms": [
 "APT31",
 "ZIRCONIUM"
@@ -669,7 +669,7 @@
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "sector": "Iran",
+ "country": "IR",
 "synonyms": [
 "NEPTUNIUM",
 "Vice Leaker"
@@ -683,7 +683,7 @@
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "sector": "Iran",
+ "country": "IR",
 "synonyms": [
 "CURIUM",
 "TA456",
@@ -698,7 +698,7 @@
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "sector": "Iran",
+ "country": "IR",
 "synonyms": [
 "DEV-0228"
 ]
@@ -711,7 +711,7 @@
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "sector": "Iran",
+ "country": "IR",
 "synonyms": [
 "DEV-0343"
 ]
@@ -724,7 +724,7 @@
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "sector": "Iran",
+ "country": "IR",
 "synonyms": [
 "APT34",
 "Cobalt Gypsy",
@@ -740,7 +740,7 @@
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "sector": "Iran",
+ "country": "IR",
 "synonyms": [
 "Fox Kitten",
 "PioneerKitten",
@@ -756,7 +756,7 @@
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "sector": "Iran",
+ "country": "IR",
 "synonyms": [
 "MERCURY",
 "MuddyWater",
@@ -773,7 +773,7 @@
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "sector": "Iran",
+ "country": "IR",
 "synonyms": [
 "DEV-0500",
 "Moses Staff"
@@ -787,7 +787,7 @@
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "sector": "Iran",
+ "country": "IR",
 "synonyms": [
 "APT35",
 "Charming Kitten",
@@ -802,7 +802,7 @@
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "sector": "Iran",
+ "country": "IR",
 "synonyms": [
 "APT33",
 "HOLMIUM",
@@ -817,7 +817,7 @@
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "sector": "Iran",
+ "country": "IR",
 "synonyms": [
 "AMERICIUM",
 "Agrius",
@@ -834,7 +834,7 @@
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "sector": "Iran",
+ "country": "IR",
 "synonyms": [
 "DEV-0146",
 "ZeroCleare"
@@ -848,7 +848,7 @@
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "sector": "Iran",
+ "country": "IR",
 "synonyms": [
 "BOHRIUM"
 ]
@@ -861,7 +861,7 @@
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "sector": "Lebanon",
+ "country": "LB",
 "synonyms": [
 "POLONIUM"
 ]
@@ -874,7 +874,7 @@
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "sector": "North Korea",
+ "country": "KP",
 "synonyms": [
 "Labyrinth Chollima",
 "Lazarus",
@@ -889,7 +889,7 @@
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "sector": "North Korea",
+ "country": "KP",
 "synonyms": [
 "Kimsuky",
 "THALLIUM",
@@ -904,7 +904,7 @@
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "sector": "North Korea",
+ "country": "KP",
 "synonyms": [
 "Konni",
 "OSMIUM"
@@ -918,7 +918,7 @@
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "sector": "North Korea",
+ "country": "KP",
 "synonyms": [
 "LAWRENCIUM"
 ]
@@ -931,7 +931,7 @@
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "sector": "North Korea",
+ "country": "KP",
 "synonyms": [
 "CERIUM"
 ]
@@ -944,7 +944,7 @@
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "sector": "North Korea",
+ "country": "KP",
 "synonyms": [
 "BlueNoroff",
 "COPERNICIUM",
@@ -959,7 +959,7 @@
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "sector": "North Korea",
+ "country": "KP",
 "synonyms": [
 "DEV-0530",
 "H0lyGh0st"
@@ -1029,7 +1029,7 @@
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "sector": "Russia",
+ "country": "RU",
 "synonyms": [
 "ACTINIUM",
 "Gamaredon",
@@ -1045,7 +1045,7 @@
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "sector": "Russia",
+ "country": "RU",
 "synonyms": [
 "DEV-0586"
 ]
@@ -1058,7 +1058,7 @@
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "sector": "Russia",
+ "country": "RU",
 "synonyms": [
 "APT28",
 "Fancy Bear",
@@ -1073,7 +1073,7 @@
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "sector": "Russia",
+ "country": "RU",
 "synonyms": [
 "BROMINE",
 "Crouching Yeti",
@@ -1088,7 +1088,7 @@
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "sector": "Russia",
+ "country": "RU",
 "synonyms": [
 "APT29",
 "Cozy Bear",
@@ -1103,7 +1103,7 @@
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "sector": "Russia",
+ "country": "RU",
 "synonyms": [
 "IRIDIUM",
 "Sandworm"
@@ -1117,7 +1117,7 @@
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "sector": "Russia",
+ "country": "RU",
 "synonyms": [
 "Callisto",
 "Reuse Team",
@@ -1132,7 +1132,7 @@
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "sector": "Russia",
+ "country": "RU",
 "synonyms": [
 "DEV-0665"
 ]
@@ -1145,7 +1145,7 @@
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "sector": "South Korea",
+ "country": "KR",
 "synonyms": [
 "DUBNIUM",
 "Dark Hotel",
@@ -1160,7 +1160,7 @@
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "sector": "Turkey",
+ "country": "TR",
 "synonyms": [
 "SILICON",
 "Sea Turtle"
@@ -1174,7 +1174,7 @@
 "refs": [
 "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"
 ],
- "sector": "Vietnam",
+ "country": "VN",
 "synonyms": [
 "APT32",
 "BISMUTH",
@@ -1185,5 +1185,5 @@
 "value": "Canvas Cyclone"
 }
 ],
- "version": 12
+ "version": 13
 }