misp-galaxy/clusters/threat-actor.json


{
"values": [
{
"meta": {
"synonyms": [
"Comment Panda",
"PLA Unit 61398",
"APT 1",
"Advanced Persistent Threat 1",
"Byzantine Candor",
"Group 3",
"TG-8223"
],
"country": "CN",
"refs": [
"https://en.wikipedia.org/wiki/PLA_Unit_61398",
"http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf"
]
},
"description": "PLA Unit 61398 (Chinese: 61398部队, Pinyin: 61398 bùduì) is the Military Unit Cover Designator (MUCD) of a People's Liberation Army advanced persistent threat unit that has been alleged to be a source of Chinese computer hacking attacks.",
"value": "Comment Crew"
},
{
"meta": {
"country": "CN"
},
"value": "Stalker Panda"
},
{
"value": "Nitro",
"meta": {
"country": "CN",
"refs": [
"http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_nitro_attacks.pdf"
],
"synonyms": [
"Covert Grove"
]
}
},
{
"value": "Codoso",
"meta": {
"country": "CN",
"refs": [
"https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
],
"synonyms": [
"C0d0so",
"Sunshop Group"
]
}
},
{
"meta": {
"refs": [
"https://www.cylance.com/hubfs/2015_cylance_website/assets/operation-dust-storm/Op_Dust_Storm_Report.pdf"
]
},
"value": "Dust Storm"
},
{
"value": "Karma Panda",
"description": "Adversary targeting dissident groups in China and its surroundings.",
"meta": {
"country": "CN",
"refs": [
"http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf"
]
}
},
{
"meta": {
"country": "CN"
},
"value": "Keyhole Panda"
},
{
"meta": {
"country": "CN"
},
"value": "Wet Panda"
},
{
"meta": {
"country": "CN"
},
"value": "Foxy Panda",
"description": "Adversary group targeting telecommunication and technology organizations."
},
{
"meta": {
"country": "CN"
},
"value": "Predator Panda"
},
{
"meta": {
"country": "CN"
},
"value": "Union Panda"
},
{
"meta": {
"country": "CN"
},
"value": "Spicy Panda"
},
{
"meta": {
"country": "CN"
},
"value": "Eloquent Panda"
},
{
"meta": {
"synonyms": [
"LadyBoyle"
]
},
"value": "Dizzy Panda"
},
{
"meta": {
"synonyms": [
"PLA Unit 61486",
"APT 2",
"Group 36",
"APT-2",
"MSUpdater",
"4HCrew",
"SULPHUR",
"TG-6952"
],
"country": "CN",
"refs": [
"http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf"
]
},
"description": "The CrowdStrike Intelligence team has been tracking this particular unit since 2012, under the codename PUTTER PANDA, and has documented activity dating back to 2007. The report identifies Chen Ping, aka cpyy, and the primary location of Unit 61486. ",
"value": "Putter Panda"
},
{
"meta": {
"synonyms": [
"Gothic Panda",
"TG-0110",
"APT 3",
"Group 6",
"UPS Team",
"APT3",
"Buckeye"
],
"country": "CN",
"refs": [
"https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html",
"http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong"
]
},
"value": "UPS"
},
{
"meta": {
"synonyms": [
"DUBNIUM"
],
"refs": [
"https://securelist.com/blog/research/71713/darkhotels-attacks-in-2015/",
"https://blogs.technet.microsoft.com/mmpc/2016/06/09/reverse-engineering-dubnium-2"
]
},
"value": "darkhotel"
},
{
"meta": {
"synonyms": [
"Numbered Panda",
"TG-2754",
"BeeBus",
"Group 22",
"DynCalc",
"Crimson Iron",
"APT12",
"APT 12"
],
"country": "CN",
"refs": [
"http://www.crowdstrike.com/blog/whois-numbered-panda/"
]
},
"description": "A group of China-based attackers, who conducted a number of spear phishing attacks in 2013.",
"value": "IXESHE"
},
{
"meta": {
"country": "CN",
"refs": [
"https://www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html"
]
},
"value": "APT 16"
},
{
"meta": {
"synonyms": [
"APT 17",
"Deputy Dog",
"Group 8",
"APT17",
"Hidden Lynx",
"Tailgater Team"
],
"country": "CN",
"refs": [
"http://www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html"
]
},
"value": "Aurora Panda"
},
{
"meta": {
"synonyms": [
"Dynamite Panda",
"TG-0416",
"APT 18",
"SCANDIUM",
"APT18"
],
"country": "CN",
"refs": [
"https://threatpost.com/apt-gang-branches-out-to-medical-espionage-in-community-health-breach/107828"
]
},
"value": "Wekby"
},
{
"meta": {
"synonyms": [
"Operation Tropic Trooper"
],
"refs": [
"http://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/",
"http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-tropic-trooper.pdf"
]
},
"value": "Tropic Trooper"
},
{
"meta": {
"synonyms": [
"Winnti Group",
"Tailgater Team",
"Group 72",
"Group72",
"Tailgater",
"Ragebeast",
"Blackfly"
],
"country": "CN",
"refs": [
"http://securelist.com/blog/research/57585/winnti-faq-more-than-just-a-game/",
"http://williamshowalter.com/a-universal-windows-bootkit/"
]
},
"value": "Axiom"
},
{
"meta": {
"synonyms": [
"Deep Panda",
"WebMasters",
"APT 19",
"KungFu Kittens",
"Black Vine",
"Group 13",
"PinkPanther",
"Sh3llCr3w"
],
"country": "CN",
"refs": [
"http://cybercampaigns.net/wp-content/uploads/2013/06/Deep-Panda.pdf",
"http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf"
]
},
"description": "Adversary group targeting financial, technology, non-profit organisations.",
"value": "Shell Crew"
},
{
"meta": {
"synonyms": [
"PLA Unit 78020",
"APT 30",
"Override Panda",
"Camerashy",
"APT.Naikon"
],
"country": "CN",
"refs": [
"https://securelist.com/analysis/publications/69953/the-naikon-apt/",
"http://www.fireeye.com/blog/technical/malware-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html"
]
},
"value": "Naikon"
},
{
"meta": {
"synonyms": [
"Spring Dragon",
"ST Group"
],
"country": "CN",
"refs": [
"https://securelist.com/blog/research/70726/the-spring-dragon-apt/"
]
},
"value": "Lotus Blossom"
},
{
"meta": {
"synonyms": [
"Elise"
],
"country": "CN"
},
"value": "Lotus Panda"
},
{
"meta": {
"country": "CN",
"refs": [
"http://www.crowdstrike.com/blog/cyber-deterrence-in-action-a-story-of-one-long-hurricane-panda-campaign/"
]
},
"value": "Hurricane Panda"
},
{
"meta": {
"synonyms": [
"TG-3390",
"APT 27",
"TEMP.Hippo",
"Group 35",
"HIPPOTeam",
"APT27",
"Operation Iron Tiger"
],
"country": "CN",
"refs": [
"http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/",
"http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/"
]
},
"description": "A China-based actor that targets foreign embassies to collect data on government, defence, and technology sectors.",
"value": "Emissary Panda"
},
{
"meta": {
"synonyms": [
"APT10",
"APT 10",
"menuPass",
"happyyongzi",
"POTASSIUM"
],
"country": "CN"
},
"value": "Stone Panda"
},
{
"meta": {
"synonyms": [
"APT 9",
"Flowerlady/Flowershow",
"Flowerlady",
"Flowershow"
],
"country": "CN",
"refs": [
"https://otx.alienvault.com/pulse/55bbc68e67db8c2d547ae393/"
]
},
"value": "Nightshade Panda"
},
{
"meta": {
"synonyms": [
"Goblin Panda",
"Cycldek"
],
"country": "CN",
"refs": [
"https://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back/"
]
},
"value": "Hellsing"
},
{
"meta": {
"country": "CN",
"refs": [
"https://kc.mcafee.com/corporate/index?page=content&id=KB71150"
]
},
"value": "Night Dragon"
},
{
"meta": {
"synonyms": [
"Vixen Panda",
"Ke3Chang",
"GREF",
"Playful Dragon",
"APT 15",
"Metushy"
],
"country": "CN",
"refs": [
"https://www.fireeye.com/blog/threat-research/2014/09/forced-to-adapt-xslcmd-backdoor-now-on-os-x.html"
]
},
"value": "Mirage"
},
{
"meta": {
"country": "CN",
"synonyms": [
"APT14",
"APT 14",
"QAZTeam",
"ALUMINUM"
],
"refs": [
"http://www.crowdstrike.com/blog/whois-anchor-panda/"
]
},
"value": "Anchor Panda"
},
{
"meta": {
"country": "CN",
"synonyms": [
"APT 21"
],
"refs": [
"https://securelist.com/blog/research/35936/nettraveler-is-running-red-star-apt-attacks-compromise-high-profile-victims/"
]
},
"value": "NetTraveler"
},
{
"meta": {
"synonyms": [
"IceFog",
"Dagger Panda"
],
"country": "CN",
"refs": [
"https://securelist.com/blog/research/57331/the-icefog-apt-a-tale-of-cloak-and-three-daggers/"
]
},
"value": "Ice Fog"
},
{
"meta": {
"synonyms": [
"PittyTiger",
"MANGANESE"
],
"country": "CN"
},
"value": "Pitty Panda"
},
{
"value": "Roaming Tiger",
"meta": {
"refs": [
"http://researchcenter.paloaltonetworks.com/2015/12/bbsrat-attacks-targeting-russian-organizations-linked-to-roaming-tiger/"
]
}
},
{
"meta": {
"country": "CN",
"refs": [
"http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/hidden_lynx.pdf"
]
},
"value": "HiddenLynx"
},
{
"meta": {
"country": "CN",
"synonyms": [
"Sneaky Panda"
]
},
"value": "Beijing Group"
},
{
"meta": {
"country": "CN"
},
"value": "Radio Panda"
},
{
"meta": {
"country": "CN"
},
"value": "Dagger Panda"
},
{
"value": "APT.3102",
"meta": {
"country": "CN",
"refs": [
"http://researchcenter.paloaltonetworks.com/2015/09/chinese-actors-use-3102-malware-in-attacks-on-us-government-and-eu-media/"
]
}
},
{
"meta": {
"synonyms": [
"PLA Navy",
"APT4",
"APT 4",
"Getkys",
"SykipotGroup",
"Wkysol"
],
"country": "CN",
"refs": [
"http://www.crowdstrike.com/blog/whois-samurai-panda/"
]
},
"value": "Samurai Panda"
},
{
"meta": {
"country": "CN"
},
"value": "Impersonating Panda"
},
{
"meta": {
"country": "CN",
"synonyms": [
"APT20",
"APT 20",
"TH3Bug"
]
},
"value": "Violin Panda"
},
{
"meta": {
"country": "CN",
"refs": [
"http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf"
]
},
"description": "A group targeting dissident groups in China and its surroundings.",
"value": "Toxic Panda"
},
{
"meta": {
"synonyms": [
"Admin338",
"Team338",
"MAGNESIUM",
"admin@338"
],
"country": "CN",
"refs": [
"https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html",
"https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html"
]
},
"description": "China-based cyber threat group. It has previously used newsworthy events as lures to deliver malware and has primarily targeted organizations involved in financial, economic, and trade policy, typically using publicly available RATs such as PoisonIvy, as well as some non-public backdoors.",
"value": "Temper Panda"
},
{
"meta": {
"country": "CN",
"synonyms": [
"APT23",
"KeyBoy"
]
},
"value": "Pirate Panda"
},
{
"meta": {
"country": "IR",
"synonyms": [
"SaffronRose",
"Saffron Rose",
"AjaxSecurityTeam",
"Ajax Security Team",
"Group 26"
]
},
"value": "Flying Kitten"
},
{
"meta": {
"country": "IR",
"synonyms": [
"ITSecTeam",
"Threat Group 2889",
"TG-2889",
"Ghambar"
],
"refs": [
"http://www.secureworks.com/cyber-threat-intelligence/threats/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles/"
]
},
"description": "While tracking a suspected Iran-based threat group known as Threat Group-2889 (TG-2889), Dell SecureWorks Counter Threat Unit™ (CTU) researchers uncovered a network of fake LinkedIn profiles. These convincing profiles form a self-referenced network of seemingly established LinkedIn users. CTU researchers assess with high confidence that the purpose of this network is to target potential victims through social engineering. Most of the legitimate LinkedIn accounts associated with the fake accounts belong to individuals in the Middle East, and CTU researchers assess with medium confidence that these individuals are likely targets of TG-2889.",
"value": "Cutting Kitten"
},
{
"meta": {
"country": "IR",
"synonyms": [
"Newscaster",
"Parastoo",
"Group 83"
]
},
"value": "Charming Kitten"
},
{
"meta": {
"country": "IR",
"synonyms": [
"Group 42"
],
"refs": [
"http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/"
]
},
"description": "An established group of cyber attackers based in Iran, who carried on several campaigns in 2013, including a series of attacks targeting political dissidents and those supporting Iranian political opposition.",
"value": "Magic Kitten"
},
{
"meta": {
"synonyms": [
"TEMP.Beanie",
"Operation Woolen Goldfish",
"Thamar Reservoir"
],
"country": "IR",
"refs": [
"https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-woolen-goldfish-when-kittens-go-phishing",
"https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-the-spy-kittens-are-back.pdf",
"http://www.clearskysec.com/thamar-reservoir/",
"https://citizenlab.org/2015/08/iran_two_factor_phishing/",
"https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf"
]
},
"description": "Targets Saudi Arabia, Israel, US, Iran, high ranking defense officials, embassies of various target countries, notable Iran researchers, human rights activists, media and journalists, academic institutions and various scholars, including scientists in the fields of physics and nuclear sciences.",
"value": "Rocket Kitten"
},
{
"meta": {
"country": "IR",
"synonyms": [
"Operation Cleaver"
],
"refs": [
"http://cdn2.hubspot.net/hubfs/270968/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf"
]
},
"value": "Cleaver"
},
{
"meta": {
"country": "IR"
},
"value": "Sands Casino"
},
{
"meta": {
"country": "TN",
"synonyms": [
"FallagaTeam"
]
},
"value": "Rebel Jackal"
},
{
"meta": {
"country": "AE",
"synonyms": [
"Vikingdom"
]
},
"value": "Viking Jackal"
},
{
"meta": {
"synonyms": [
"APT 28",
"APT28",
"Pawn Storm",
"Fancy Bear",
"Sednit",
"TsarTeam",
"TG-4127",
"Group-4127",
"STRONTIUM",
"Grey-Cloud"
],
"country": "RU",
"refs": [
"https://en.wikipedia.org/wiki/Sofacy_Group"
]
},
"description": "The Sofacy Group (also known as APT28, Pawn Storm, Fancy Bear and Sednit) is a cyber espionage group believed to have ties to the Russian government. Likely operating since 2007, the group is known to target government, military, and security organizations. It has been characterized as an advanced persistent threat.",
"value": "Sofacy"
},
{
"meta": {
"synonyms": [
"Dukes",
"Group 100",
"Cozy Duke",
"CozyDuke",
"EuroAPT",
"CozyBear",
"CozyCar",
"Cozer",
"Office Monkeys",
"OfficeMonkeys",
"APT29",
"Cozy Bear",
"The Dukes",
"Minidionis",
"SeaDuke"
],
"country": "RU",
"refs": [
"https://labsblog.f-secure.com/2015/09/17/the-dukes-7-years-of-russian-cyber-espionage/"
]
},
"value": "APT 29"
},
{
"meta": {
"synonyms": [
"Turla",
"Snake",
"Venomous Bear",
"Group 88",
"Waterbug",
"WRAITH",
"Turla Team",
"Uroburos",
"Pfinet"
],
"refs": [
"https://www.first.org/resources/papers/tbilisi2014/turla-operations_and_development.pdf",
"https://www.circl.lu/pub/tr-25/"
],
"country": "RU"
},
"value": "Turla Group"
},
{
"meta": {
"synonyms": [
"Dragonfly",
"Crouching Yeti",
"Group 24",
"Havex",
"CrouchingYeti",
"Koala Team"
],
"country": "RU",
"refs": [
"http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/"
]
},
"description": "A Russian group that collects intelligence on the energy industry.",
"value": "Energetic Bear"
},
{
"meta": {
"synonyms": [
"Sandworm Team",
"Black Energy",
"BlackEnergy",
"Quedagh"
],
"country": "RU",
"refs": [
"http://www.isightpartners.com/2014/10/cve-2014-4114/"
]
},
"value": "Sandworm"
},
{
"meta": {
"country": "RU",
"refs": ["http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/"]
},
"value": "TeleBots",
"description": "We will refer to the gang behind the malware as TeleBots. However, it's important to say that these attackers, and the toolset used, share a number of similarities with the BlackEnergy group, which conducted attacks against the energy industry in Ukraine in December 2015 and January 2016. In fact, we think that the BlackEnergy group has evolved into the TeleBots group."
},
{
"meta": {
"synonyms": [
"Carbanak",
"Carbon Spider"
],
"country": "RU"
},
"description": "Groups targeting financial organizations or people with significant financial assets.",
"value": "Anunak"
},
{
"meta": {
"synonyms": [
"TeamSpy",
"Team Bear"
],
"country": "RU",
"refs": [
"https://securelist.com/blog/incidents/35520/the-teamspy-crew-attacks-abusing-teamviewer-for-cyberespionage-8/"
]
},
"value": "TeamSpy Crew"
},
{
"meta": {
"country": "RU",
"refs": [
"http://www.welivesecurity.com/2015/11/11/operathion-buhtrap-malware-distributed-via-ammyy-com/"
]
},
"value": "BuhTrap"
},
{
"meta": {
"country": "RU"
},
"value": "Berserk Bear"
},
{
"meta": {
"country": "RO"
},
"value": "Wolf Spider"
},
{
"meta": {
"country": "RU"
},
"value": "Boulder Bear"
},
{
"meta": {
"country": "RU"
},
"value": "Shark Spider"
},
{
"meta": {
"country": "RU",
"refs": [
"http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf"
]
},
"value": "Union Spider",
"description": "Adversary targeting manufacturing and industrial organizations."
},
{
"meta": {
"country": "KP",
"synonyms": [
"OperationTroy"
],
"refs": [
"http://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf"
]
},
"value": "Silent Chollima"
},
{
"meta": {
"country": "KP",
"synonyms": [
"Operation DarkSeoul"
],
"refs": [
"https://threatpost.com/operation-blockbuster-coalition-ties-destructive-attacks-to-lazarus-group/116422/"
]
},
"value": "Lazarus Group"
},
{
"meta": {
"synonyms": [
"Appin",
"OperationHangover"
],
"country": "IN"
},
"value": "Viceroy Tiger"
},
{
"meta": {
"synonyms": [
"DD4BC",
"Ambiorx"
],
"country": "US"
},
"value": "Pizzo Spider"
},
{
"meta": {
"synonyms": [
"TunisianCyberArmy"
],
"country": "TN"
},
"value": "Corsair Jackal"
},
{
"value": "SNOWGLOBE",
"meta": {
"country": "FR",
"synonyms": [
"Animal Farm"
]
}
},
{
"meta": {
"synonyms": [
"SyrianElectronicArmy",
"SEA"
],
"country": "SY",
"refs": [
"https://en.wikipedia.org/wiki/Syrian_Electronic_Army"
]
},
"description": "The Syrian Electronic Army (SEA) is a group of computer hackers which first surfaced online in 2011 to support the government of Syrian President Bashar al-Assad. Using spamming, website defacement, malware, phishing, and denial of service attacks, it has targeted political opposition groups, western news organizations, human rights groups and websites that are seemingly neutral to the Syrian conflict. It has also hacked government websites in the Middle East and Europe, as well as US defense contractors. As of 2011 the SEA has been *the first Arab country to have a public Internet Army hosted on its national networks to openly launch cyber attacks on its enemies*. The precise nature of SEA's relationship with the Syrian government has changed over time and is unclear.",
"value": "Deadeye Jackal"
},
{
"meta": {
"country": "PK",
"synonyms": [
"C-Major"
],
"refs": [
"http://documents.trendmicro.com/assets/pdf/Indian-military-personnel-targeted-by-information-theft-campaign-cmajor.pdf"
]
},
"value": "Operation C-Major",
"description": "Group targeting Indian Army or related assets in India. Attribution to a Pakistani connection has been made by TrendMicro."
},
{
"refs": [
"https://citizenlab.org/2016/05/stealth-falcon/"
],
"country": "AE",
"value": "Stealth Falcon",
"description": "Group targeting Emirati journalists, activists, and dissidents."
},
{
"synonyms": [
"Operation Daybreak",
"Operation Erebus"
],
"refs": [
"https://securelist.com/blog/research/75082/cve-2016-4171-adobe-flash-zero-day-used-in-targeted-attacks/"
],
"value": "ScarCruft",
"description": "ScarCruft is a relatively new APT group; victims have been observed in several countries, including Russia, Nepal, South Korea, China, India, Kuwait and Romania. The group has several ongoing operations utilizing multiple exploits — two for Adobe Flash and one for Microsoft Internet Explorer."
},
{
"meta": {
"refs": [
"http://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf"
]
},
"value": "Pacifier APT",
"description": "Bitdefender detected and blocked an ongoing cyber-espionage campaign against Romanian institutions and other foreign targets. The attacks started in 2014, with the latest reported occurrences in May of 2016. The APT, dubbed Pacifier by Bitdefender researchers, makes use of malicious .doc documents and .zip files distributed via spear phishing e-mail."
},
{
"meta": {
"country": "CN",
"synonyms": [
"Operation C-Major"
],
"refs": [
"http://blog.checkpoint.com/wp-content/uploads/2016/07/HummingBad-Research-report_FINAL-62916.pdf"
]
},
"description": "This group created a malware that takes over Android devices and generates $300,000 per month in fraudulent ad revenue. The group effectively controls an arsenal of over 85 million mobile devices around the world, with the potential to sell access to these devices to the highest bidder.",
"value": "HummingBad"
},
{
"meta": {
"synonyms": [
"Chinastrats",
"Patchwork",
"Monsoon"
],
"refs": [
"https://securelist.com/blog/research/75328/the-dropping-elephant-actor/",
"http://www.symantec.com/connect/blogs/patchwork-cyberespionage-group-expands-targets-governments-wide-range-industries"
]
},
"description": "Dropping Elephant (also known as “Chinastrats” and “Patchwork”) is a relatively new threat actor that is targeting a variety of high profile diplomatic and economic targets using a custom set of attack tools. Its victims are all involved with China's foreign relations in some way, and are generally caught through spear-phishing or watering hole attacks.",
"value": "Dropping Elephant"
},
{
"meta": {
"refs": [
"https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf"
]
},
"description": "Proofpoint researchers recently uncovered evidence of an advanced persistent threat (APT) against Indian diplomatic and military resources. Our investigation began with malicious emails sent to Indian embassies in Saudi Arabia and Kazakhstan but turned up connections to watering hole sites focused on Indian military personnel and designed to drop a remote access Trojan (RAT) with a variety of data exfiltration functions.",
"value": "Operation Transparent Tribe"
},
{
"meta": {
"country": "CN",
"refs": [
"https://attack.mitre.org/wiki/Groups",
"http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/"
]
},
"description": "Scarlet Mimic is a threat group that has targeted minority rights activists. This group has not been directly linked to a government source, but the group's motivations appear to overlap with those of the Chinese government. While there is some overlap between IP addresses used by Scarlet Mimic and Putter Panda, it has not been concluded that the groups are the same.",
"value": "Scarlet Mimic"
},
{
"meta": {
"refs": [
"https://securelist.com/blog/research/73673/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/",
"https://attack.mitre.org/wiki/Groups"
]
},
"description": "Poseidon Group is a Portuguese-speaking threat group that has been active since at least 2005. The group has a history of using information exfiltrated from victims to blackmail victim companies into contracting the Poseidon Group as a security firm.",
"value": "Poseidon Group"
},
{
"meta": {
"synonyms": [
"Moafee"
],
"refs": [
"https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf",
"https://attack.mitre.org/wiki/Groups"
],
"country": "CN"
},
"description": "Threat group that has targeted Japanese organizations with phishing emails. Due to overlapping TTPs, including similar custom tools, DragonOK is thought to have a direct or indirect relationship with the threat group Moafee. It is known to use a variety of malware, including Sysget/HelloBridge, PlugX, PoisonIvy, FormerFirstRat, NFlog, and NewCT.",
"value": "DragonOK"
},
{
"meta": {
"refs": [
"http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/",
"https://attack.mitre.org"
],
"country": "CN"
},
"description": "Chinese threat group that has extensively used strategic Web compromises to target victims.",
"value": "Threat Group-3390"
},
{
"meta": {
"synonyms": [
"Strider",
"Sauron"
],
"refs": [
"https://securelist.com/analysis/publications/75533/faq-the-projectsauron-apt/"
]
},
"description": "ProjectSauron is the name for a top level modular cyber-espionage platform, designed to enable and manage long-term campaigns through stealthy survival mechanisms coupled with multiple exfiltration methods. Technical details show how attackers learned from other extremely advanced actors in order to avoid repeating their mistakes. As such, all artifacts are customized per given target, reducing their value as indicators of compromise for any other victim. Usually APT campaigns have a geographical nexus, aimed at extracting information within a specific region or from a given industry. That usually results in several infections in countries within that region, or in the targeted industry around the world. Interestingly, ProjectSauron seems to be dedicated to just a couple of countries, focused on collecting high value intelligence by compromising almost all key entities it could possibly reach within the target area. The name, ProjectSauron reflects the fact that the code authors refer to Sauron in the Lua scripts.",
"value": "ProjectSauron"
},
{
"meta": {
"refs": [
"https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
]
},
"value": "APT30"
},
{
"meta": {
"country": "CN"
},
"description": "TA530 is a group previously examined in relation to large-scale personalized phishing campaigns.",
"value": "TA530"
},
{
"meta": {
"refs": [
"https://securelist.com/blog/research/73638/apt-style-bank-robberies-increase-with-metel-gcman-and-carbanak-2-0-attacks/"
]
},
"description": "GCMAN is a threat group that focuses on targeting banks for the purpose of transferring money to e-currency services.",
"value": "GCMAN"
},
{
"meta": {
"refs": [
"http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates"
]
},
"description": "Suckfly is a China-based threat group that has been active since at least 2014.",
"value": "Suckfly"
},
{
"meta": {
"refs": [
"https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf"
]
},
"description": "FIN6 is a group targeting financial assets, including assets able to perform financial transactions such as PoS systems.",
"value": "FIN6"
},
{
"meta": {
"country": "LY"
},
"description": "Libyan Scorpions is a malware operation in use since September 2015 and operated by a politically motivated group whose main objective is intelligence gathering, spying on influential and political figures, and operating an espionage campaign within Libya.",
"value": "Libyan Scorpions"
},
{
"meta": {
"refs": [
"https://www.virusbulletin.com/conference/vb2016/abstracts/last-minute-paper-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users"
]
},
"value": "StrongPity"
},
{
"meta": {
"synonyms": [
"CorporacaoXRat",
"CorporationXRat"
],
"refs": [
"https://securelist.com/blog/research/76153/teamxrat-brazilian-cybercrime-meets-ransomware/"
]
},
"value": "TeamXRat"
},
{
"meta": {
"refs": [
"http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/"
]
},
"value": "OilRig"
},
{
"meta": {
"refs": [
"https://www.checkpoint.com/downloads/volatile-cedar-technical-report.pdf"
]
},
"description": "Beginning in late 2012, a carefully orchestrated attack campaign we call Volatile Cedar has been targeting individuals, companies and institutions worldwide. This campaign, led by a persistent attacker group, has successfully penetrated a large number of targets using various attack techniques, and specifically, a custom-made malware implant codenamed Explosive.",
"value": "Volatile Cedar"
},
{
"meta": {
"synonyms": [
"Grey-Pro",
"Coldriver",
"Reuse team",
"Malware reusers",
"Callisto Group"
]
},
"description": "Threat group conducting cyber espionage while re-using tools from other teams, like those of Hacking Team, and VMProtect to obfuscate.",
"value": "Callisto"
},
{
"value": "TERBIUM",
"description": "Microsoft Threat Intelligence identified similarities between this recent attack and previous 2012 attacks against tens of thousands of computers belonging to organizations in the energy sector. Microsoft Threat Intelligence refers to the activity group behind these attacks as TERBIUM, following our internal practice of assigning rogue actors chemical element names.",
"meta" : {
"refs": ["https://blogs.technet.microsoft.com/mmpc/2016/12/09/windows-10-protection-detection-and-response-against-recent-attacks/"]
}
},
{
"value": "Molerats",
"description": "In October 2012, malware attacks against Israeli government targets grabbed media attention as officials temporarily cut off Internet access for its entire police force and banned the use of USB memory sticks. Security researchers subsequently linked these attacks to a broader, yearlong campaign that targeted not just Israelis but Palestinians as well and, as discovered later, even the U.S. and UK governments. Further research revealed a connection between these attacks and members of the so-called “Gaza Hackers Team.” We refer to this campaign as “Molerats.”",
"meta": {
"refs": ["https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html"],
"synonyms": ["Gaza Hackers Team", "Operation Molerats"]
}},
{
"value": "PROMETHIUM",
"description": "PROMETHIUM is an activity group that has been active as early as 2012. The group primarily uses Truvasys, a first-stage malware that has been in circulation for several years. Truvasys has been involved in several attack campaigns, where it has masqueraded as one of several common computer utilities, including WinUtils, TrueCrypt, WinRAR, or SanDisk. In each of the campaigns, Truvasys malware evolved with additional features—this shows a close relationship between the activity groups behind the campaigns and the developers of the malware.",
"meta": {
"refs": ["https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/"]
}
},
{
"value": "NEODYMIUM",
"description": "NEODYMIUM is an activity group that is known to use a backdoor malware detected by Microsoft as Wingbird. This backdoor's characteristics closely match FinFisher, a government-grade commercial surveillance package. Data about Wingbird activity indicate that it is typically used to attack individual computers instead of networks.",
"meta": {
"refs": ["https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/"]
}
}
],
"name": "Threat actor",
"type": "threat-actor",
"source": "MISP Project",
"authors": [
"Alexandre Dulaunoy",
"Florian Roth",
"Thomas Schreck",
"Timo Steffens",
"Various"
],
"description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign.",
"uuid": "7cdff317-a673-4474-84ec-4f1754947823",
"version": 6
}