@ -0,0 +1,331 @@
<stix:STIX_Package
xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
xmlns:campaign="http://stix.mitre.org/Campaign-1"
xmlns:ciqIdentity="http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1"
xmlns:cybox="http://cybox.mitre.org/cybox-2"
xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
xmlns:cyboxVocabs="http://cybox.mitre.org/default_vocabularies-2"
xmlns:et="http://stix.mitre.org/ExploitTarget-1"
xmlns:bae="http://bae.com"
xmlns:indicator="http://stix.mitre.org/Indicator-2"
xmlns:stix="http://stix.mitre.org/stix-1"
xmlns:stixCommon="http://stix.mitre.org/common-1"
xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1"
xmlns:ta="http://stix.mitre.org/ThreatActor-1"
xmlns:ttp="http://stix.mitre.org/TTP-1"
xmlns:xal="urn:oasis:names:tc:ciq:xal:3"
xmlns:xnl="urn:oasis:names:tc:ciq:xnl:3"
xmlns:xpil="urn:oasis:names:tc:ciq:xpil:3"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="bae:Package-f0b927dd-9356-49ba-8f56-6d9f3d42fe25" version="1.1.1">
<stix:Observables cybox_major_version= "2" cybox_minor_version= "1" cybox_update_version= "0" >
<cybox:Observable id= "bae:Observable-3a106400-cc90-4b5f-ad3d-6837dded226d" >
<cybox:Title > CNC Server 1</cybox:Title>
<cybox:Object id= "bae:Address-6e6990d8-20b6-4482-97a2-55732c993982" >
<cybox:Properties xsi:type= "AddressObj:AddressObjectType" category= "ipv4-addr" >
<AddressObj:Address_Value > 82.146.166.56</AddressObj:Address_Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
<cybox:Observable id= "bae:Observable-9b6bd172-96e6-451f-93c6-3632fe05daf7" >
<cybox:Title > CNC Server 2</cybox:Title>
<cybox:Object id= "bae:Address-00dc7361-ca55-48ef-8529-72a3ac9c58d7" >
<cybox:Properties xsi:type= "AddressObj:AddressObjectType" category= "ipv4-addr" >
<AddressObj:Address_Value > 209.239.79.47</AddressObj:Address_Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
<cybox:Observable id= "bae:Observable-7605b9f2-af49-429d-95ff-7029681dc20b" >
<cybox:Title > CNC Server 3</cybox:Title>
<cybox:Object id= "bae:Address-bbbbdcad-e8f5-449d-99d3-264de0ed512e" >
<cybox:Properties xsi:type= "AddressObj:AddressObjectType" category= "ipv4-addr" >
<AddressObj:Address_Value > 41.213.121.180</AddressObj:Address_Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
<cybox:Observable id= "bae:Observable-f7c32ba1-91bb-4bb1-aee6-80afae13bbad" >
<cybox:Title > Watering Hole Wordpress</cybox:Title>
<cybox:Object id= "bae:Address-c0e85056-de10-44f7-a600-73144514e7a1" >
<cybox:Properties xsi:type= "AddressObj:AddressObjectType" >
<AddressObj:Address_Value > eu-society.com</AddressObj:Address_Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
<cybox:Observable id= "bae:Observable-d4e819f1-0af9-49d4-826b-02ada3386cf5" >
<cybox:Title > Watering Hole Wordpress</cybox:Title>
<cybox:Object id= "bae:Address-ae972731-3b33-4fb1-bab6-053b0056deb5" >
<cybox:Properties xsi:type= "AddressObj:AddressObjectType" >
<AddressObj:Address_Value > aromatravel.org</AddressObj:Address_Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
<cybox:Observable id= "bae:Observable-5a951ea5-5beb-40b8-8043-97f05e020993" >
<cybox:Title > Watering Hole Wordpress</cybox:Title>
<cybox:Object id= "bae:Address-f0d9ef90-af2d-462d-aa69-bfd55da9e65c" >
<cybox:Properties xsi:type= "AddressObj:AddressObjectType" >
<AddressObj:Address_Value > bss.servebbs.com</AddressObj:Address_Value>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
</stix:Observables>
<stix:Indicators >
<stix:Indicator id= "bae:indicator-1c3fc03e-86dc-4440-9e95-8b9964f03b92" timestamp= "2016-07-04T15:17:14.479542+00:00" xsi:type= 'indicator:IndicatorType' >
<indicator:Title > Watering Hole Detected</indicator:Title>
<indicator:Type xsi:type= "stixVocabs:IndicatorTypeVocab-1.1" > URL Watchlist</indicator:Type>
<indicator:Observable id= "bae:Observable-4e173154-e739-4917-86e8-8b30e4cf39e5" >
<cybox:Observable_Composition operator= "OR" >
<cybox:Observable idref= "bae:Observable-f7c32ba1-91bb-4bb1-aee6-80afae13bbad" >
<cybox:Title > C2 List</cybox:Title>
</cybox:Observable>
<cybox:Observable idref= "bae:Observable-d4e819f1-0af9-49d4-826b-02ada3386cf5" >
<cybox:Title > C2 List</cybox:Title>
</cybox:Observable>
<cybox:Observable idref= "bae:Observable-5a951ea5-5beb-40b8-8043-97f05e020993" >
<cybox:Title > C2 List</cybox:Title>
</cybox:Observable>
</cybox:Observable_Composition>
</indicator:Observable>
</stix:Indicator>
<stix:Indicator id= "bae:indicator-e5ff413f-074e-41fe-ab20-6d0e0bf10f9c" timestamp= "2016-07-04T15:17:14.480747+00:00" xsi:type= 'indicator:IndicatorType' >
<indicator:Title > CnC Beaconing Detected</indicator:Title>
<indicator:Type xsi:type= "stixVocabs:IndicatorTypeVocab-1.1" > C2</indicator:Type>
<indicator:Observable id= "bae:Observable-f4695e3e-5a27-4889-ba48-456b14146911" >
<cybox:Observable_Composition operator= "OR" >
<cybox:Observable idref= "bae:Observable-3a106400-cc90-4b5f-ad3d-6837dded226d" >
</cybox:Observable>
<cybox:Observable idref= "bae:Observable-9b6bd172-96e6-451f-93c6-3632fe05daf7" >
</cybox:Observable>
<cybox:Observable idref= "bae:Observable-7605b9f2-af49-429d-95ff-7029681dc20b" >
</cybox:Observable>
</cybox:Observable_Composition>
</indicator:Observable>
</stix:Indicator>
</stix:Indicators>
<stix:TTPs >
<stix:TTP id= "bae:ttp-801d59e9-28c2-4016-976e-011dcab22cfd" timestamp= "2016-07-04T15:17:14.479244+00:00" xsi:type= 'ttp:TTPType' >
<ttp:Title > Malware CnC Channels</ttp:Title>
<ttp:Intended_Effect timestamp= "2016-07-04T15:17:14.479332+00:00" >
<stixCommon:Value xsi:type= "stixVocabs:IntendedEffectVocab-1.0" > Advantage</stixCommon:Value>
</ttp:Intended_Effect>
<ttp:Resources >
<ttp:Infrastructure >
<ttp:Type xsi:type= "stixVocabs:AttackerInfrastructureTypeVocab-1.0" > Hosting</ttp:Type>
<ttp:Observable_Characterization cybox_major_version= "2" cybox_minor_version= "1" cybox_update_version= "0" >
<cybox:Observable idref= "bae:Observable-3a106400-cc90-4b5f-ad3d-6837dded226d" >
</cybox:Observable>
<cybox:Observable idref= "bae:Observable-9b6bd172-96e6-451f-93c6-3632fe05daf7" >
</cybox:Observable>
<cybox:Observable idref= "bae:Observable-7605b9f2-af49-429d-95ff-7029681dc20b" >
</cybox:Observable>
</ttp:Observable_Characterization>
</ttp:Infrastructure>
</ttp:Resources>
</stix:TTP>
<stix:TTP id= "bae:ttp-62c59e28-9480-4080-ad20-6b4092cb118d" timestamp= "2016-07-04T15:17:14.476428+00:00" xsi:type= 'ttp:TTPType' >
<ttp:Title > Fingerprinting and whitelisting during watering-hole operations</ttp:Title>
<ttp:Intended_Effect timestamp= "2016-07-04T15:17:14.477552+00:00" >
<stixCommon:Value xsi:type= "stixVocabs:IntendedEffectVocab-1.0" > Theft - Credential Theft</stixCommon:Value>
</ttp:Intended_Effect>
<ttp:Resources >
<ttp:Infrastructure >
<ttp:Type xsi:type= "stixVocabs:AttackerInfrastructureTypeVocab-1.0" > Domain Registration</ttp:Type>
<ttp:Observable_Characterization cybox_major_version= "2" cybox_minor_version= "1" cybox_update_version= "0" >
<cybox:Observable idref= "bae:Observable-f7c32ba1-91bb-4bb1-aee6-80afae13bbad" >
<cybox:Title > C2 List</cybox:Title>
</cybox:Observable>
<cybox:Observable idref= "bae:Observable-d4e819f1-0af9-49d4-826b-02ada3386cf5" >
<cybox:Title > C2 List</cybox:Title>
</cybox:Observable>
<cybox:Observable idref= "bae:Observable-5a951ea5-5beb-40b8-8043-97f05e020993" >
<cybox:Title > C2 List</cybox:Title>
</cybox:Observable>
</ttp:Observable_Characterization>
</ttp:Infrastructure>
</ttp:Resources>
<ttp:Kill_Chain_Phases >
<stixCommon:Kill_Chain_Phase phase_id= "stix:TTP-af1016d6-a744-4ed7-ac91-00fe2272185a" kill_chain_id= "stix:TTP-af3e707f-2fb9-49e5-8c37-14026ca0a5ff" />
</ttp:Kill_Chain_Phases>
</stix:TTP>
<stix:TTP id= "bae:ttp-7ffb9e3d-688a-4ec4-8919-f8ccb91d4b59" timestamp= "2016-07-04T15:17:14.476589+00:00" xsi:type= 'ttp:TTPType' >
<ttp:Title > Spear-phishing in tandem with 0-day exploits</ttp:Title>
<ttp:Intended_Effect timestamp= "2016-07-04T15:17:14.477592+00:00" >
<stixCommon:Value xsi:type= "stixVocabs:IntendedEffectVocab-1.0" > Unauthorized Access</stixCommon:Value>
</ttp:Intended_Effect>
<ttp:Kill_Chain_Phases >
<stixCommon:Kill_Chain_Phase phase_id= "stix:TTP-445b4827-3cca-42bd-8421-f2e947133c16" kill_chain_id= "stix:TTP-af3e707f-2fb9-49e5-8c37-14026ca0a5ff" />
</ttp:Kill_Chain_Phases>
</stix:TTP>
<stix:TTP id= "bae:ttp-f13297d6-0963-4a74-89dc-12745db39845" timestamp= "2016-07-04T15:17:14.476707+00:00" xsi:type= 'ttp:TTPType' >
<ttp:Title > Infiltration of organisations via third party supplier/partner</ttp:Title>
<ttp:Intended_Effect timestamp= "2016-07-04T15:17:14.477629+00:00" >
<stixCommon:Value xsi:type= "stixVocabs:IntendedEffectVocab-1.0" > Unauthorized Access</stixCommon:Value>
</ttp:Intended_Effect>
<ttp:Kill_Chain_Phases >
<stixCommon:Kill_Chain_Phase phase_id= "stix:TTP-79a0e041-9d5f-49bb-ada4-8322622b162d" kill_chain_id= "stix:TTP-af3e707f-2fb9-49e5-8c37-14026ca0a5ff" />
</ttp:Kill_Chain_Phases>
</stix:TTP>
<stix:TTP id= "bae:ttp-78aef1ee-8c7d-4a6e-87cc-a4471b29ac45" timestamp= "2016-07-04T15:17:14.476822+00:00" xsi:type= 'ttp:TTPType' >
<ttp:Title > Custom recon tool to compromise and identify credentials of the network</ttp:Title>
<ttp:Intended_Effect timestamp= "2016-07-04T15:17:14.477665+00:00" >
<stixCommon:Value xsi:type= "stixVocabs:IntendedEffectVocab-1.0" > Theft - Credential Theft</stixCommon:Value>
</ttp:Intended_Effect>
<ttp:Kill_Chain_Phases >
<stixCommon:Kill_Chain_Phase phase_id= "stix:TTP-af1016d6-a744-4ed7-ac91-00fe2272185a" kill_chain_id= "stix:TTP-af3e707f-2fb9-49e5-8c37-14026ca0a5ff" />
</ttp:Kill_Chain_Phases>
</stix:TTP>
<stix:TTP id= "bae:ttp-3a5f9a19-fa56-4b7d-ad7f-df64b7efdf98" timestamp= "2016-07-04T15:17:14.476932+00:00" xsi:type= 'ttp:TTPType' >
<ttp:Title > Multiple means of C2 communications given the diversity of the attacker toolset</ttp:Title>
<ttp:Intended_Effect timestamp= "2016-07-04T15:17:14.477708+00:00" >
<stixCommon:Value xsi:type= "stixVocabs:IntendedEffectVocab-1.0" > Advantage</stixCommon:Value>
</ttp:Intended_Effect>
<ttp:Kill_Chain_Phases >
<stixCommon:Kill_Chain_Phase phase_id= "stix:TTP-d6dc32b9-2538-4951-8733-3cb9ef1daae2" kill_chain_id= "stix:TTP-af3e707f-2fb9-49e5-8c37-14026ca0a5ff" />
</ttp:Kill_Chain_Phases>
</stix:TTP>
<stix:TTP id= "bae:ttp-e08d9d94-0294-4fa7-9e1d-8f1e087e3dc0" timestamp= "2016-07-04T15:17:14.477046+00:00" xsi:type= 'ttp:TTPType' >
<ttp:Title > rootkit communicates during the same time as network activity, encoded with an XOR key</ttp:Title>
<ttp:Intended_Effect timestamp= "2016-07-04T15:17:14.477744+00:00" >
<stixCommon:Value xsi:type= "stixVocabs:IntendedEffectVocab-1.0" > Advantage</stixCommon:Value>
</ttp:Intended_Effect>
<ttp:Kill_Chain_Phases >
<stixCommon:Kill_Chain_Phase phase_id= "stix:TTP-d6dc32b9-2538-4951-8733-3cb9ef1daae2" kill_chain_id= "stix:TTP-af3e707f-2fb9-49e5-8c37-14026ca0a5ff" />
</ttp:Kill_Chain_Phases>
</stix:TTP>
<stix:TTP id= "bae:ttp-898d58cd-369c-4b76-892b-2f5ced35cf0e" timestamp= "2016-07-04T15:17:14.477159+00:00" xsi:type= 'ttp:TTPType' >
<ttp:Title > Kernel-centric rootkit waits for network trigger before launching</ttp:Title>
<ttp:Intended_Effect timestamp= "2016-07-04T15:17:14.477779+00:00" >
<stixCommon:Value xsi:type= "stixVocabs:IntendedEffectVocab-1.0" > Advantage</stixCommon:Value>
</ttp:Intended_Effect>
<ttp:Kill_Chain_Phases >
<stixCommon:Kill_Chain_Phase phase_id= "stix:TTP-d6dc32b9-2538-4951-8733-3cb9ef1daae2" kill_chain_id= "stix:TTP-af3e707f-2fb9-49e5-8c37-14026ca0a5ff" />
</ttp:Kill_Chain_Phases>
</stix:TTP>
<stix:TTP id= "bae:ttp-fb1ac371-8e28-48d9-8905-03f54bd546ee" timestamp= "2016-07-04T15:17:14.477269+00:00" xsi:type= 'ttp:TTPType' >
<ttp:Title > Kernel centric exfiltration over TCP/UDP/DNS/ICMP/HTTP</ttp:Title>
<ttp:Intended_Effect timestamp= "2016-07-04T15:17:14.477814+00:00" >
<stixCommon:Value xsi:type= "stixVocabs:IntendedEffectVocab-1.0" > Theft</stixCommon:Value>
</ttp:Intended_Effect>
<ttp:Kill_Chain_Phases >
<stixCommon:Kill_Chain_Phase phase_id= "stix:TTP-786ca8f9-2d9a-4213-b38e-399af4a2e5d6" kill_chain_id= "stix:TTP-af3e707f-2fb9-49e5-8c37-14026ca0a5ff" />
</ttp:Kill_Chain_Phases>
</stix:TTP>
<stix:TTP id= "bae:ttp-27872de0-c3ce-425d-9348-8f1439645398" timestamp= "2016-07-04T15:17:14.477382+00:00" xsi:type= 'ttp:TTPType' >
<ttp:Title > Exfiltration over HTTP/HTTPS</ttp:Title>
<ttp:Intended_Effect timestamp= "2016-07-04T15:17:14.477849+00:00" >
<stixCommon:Value xsi:type= "stixVocabs:IntendedEffectVocab-1.0" > Theft</stixCommon:Value>
</ttp:Intended_Effect>
<ttp:Kill_Chain_Phases >
<stixCommon:Kill_Chain_Phase phase_id= "stix:TTP-786ca8f9-2d9a-4213-b38e-399af4a2e5d6" kill_chain_id= "stix:TTP-af3e707f-2fb9-49e5-8c37-14026ca0a5ff" />
</ttp:Kill_Chain_Phases>
</stix:TTP>
<stix:TTP id= "bae:ttp-c3a4fec7-00b7-4efb-adf9-a38feee005fe" timestamp= "2016-07-04T15:17:14.477499+00:00" xsi:type= 'ttp:TTPType' >
<ttp:Title > Use of previously undocumented functions in their Kernel centric attacks</ttp:Title>
<ttp:Intended_Effect timestamp= "2016-07-04T15:17:14.477888+00:00" >
<stixCommon:Value xsi:type= "stixVocabs:IntendedEffectVocab-1.0" > Advantage</stixCommon:Value>
</ttp:Intended_Effect>
</stix:TTP>
<stix:Kill_Chains >
<stixCommon:Kill_Chain id= "stix:TTP-af3e707f-2fb9-49e5-8c37-14026ca0a5ff" definer= "LMCO" name= "LM Cyber Kill Chain" >
<stixCommon:Kill_Chain_Phase ordinality= "1" name= "Reconnaissance" phase_id= "stix:TTP-af1016d6-a744-4ed7-ac91-00fe2272185a" />
<stixCommon:Kill_Chain_Phase ordinality= "2" name= "Weaponization" phase_id= "stix:TTP-445b4827-3cca-42bd-8421-f2e947133c16" />
<stixCommon:Kill_Chain_Phase ordinality= "3" name= "Delivery" phase_id= "stix:TTP-79a0e041-9d5f-49bb-ada4-8322622b162d" />
<stixCommon:Kill_Chain_Phase ordinality= "4" name= "Exploitation" phase_id= "stix:TTP-f706e4e7-53d8-44ef-967f-81535c9db7d0" />
<stixCommon:Kill_Chain_Phase ordinality= "5" name= "Installation" phase_id= "stix:TTP-e1e4e3f7-be3b-4b39-b80a-a593cfd99a4f" />
<stixCommon:Kill_Chain_Phase ordinality= "6" name= "Command and Control" phase_id= "stix:TTP-d6dc32b9-2538-4951-8733-3cb9ef1daae2" />
<stixCommon:Kill_Chain_Phase ordinality= "7" name= "Actions on Objectives" phase_id= "stix:TTP-786ca8f9-2d9a-4213-b38e-399af4a2e5d6" />
</stixCommon:Kill_Chain>
</stix:Kill_Chains>
</stix:TTPs>
<stix:Exploit_Targets >
<stixCommon:Exploit_Target id= "bae:et-ca916690-1221-46b3-8e69-dabd46018892" timestamp= "2016-07-04T15:17:14.480615+00:00" xsi:type= 'et:ExploitTargetType' >
<et:Title > Privilage Escalation Vulnerability</et:Title>
<et:Vulnerability >
<et:CVE_ID > CVE-2013-5065</et:CVE_ID>
</et:Vulnerability>
</stixCommon:Exploit_Target>
</stix:Exploit_Targets>
<stix:Campaigns >
<stix:Campaign id= "bae:campaign-2b81268f-c0f0-4bd4-aa63-a880dc05ed82" timestamp= "2016-07-04T15:17:14.478248+00:00" xsi:type= 'campaign:CampaignType' >
<campaign:Title > The Epic Turla Campaign</campaign:Title>
<campaign:Description > The Epic Turla Campaign</campaign:Description>
<campaign:Intended_Effect timestamp= "2016-07-04T15:17:14.478460+00:00" >
<stixCommon:Value xsi:type= "stixVocabs:IntendedEffectVocab-1.0" > Advantage - Political</stixCommon:Value>
</campaign:Intended_Effect>
<campaign:Attribution >
<campaign:Attributed_Threat_Actor >
<stixCommon:Threat_Actor idref= "bae:threatactor-857fd80b-1b4e-4add-bfa1-d1e90911421b" xsi:type= 'ta:ThreatActorType' >
</stixCommon:Threat_Actor>
</campaign:Attributed_Threat_Actor>
</campaign:Attribution>
</stix:Campaign>
<stix:Campaign id= "bae:campaign-53a0ca81-b065-431a-b043-0457b0bcfffa" timestamp= "2016-07-04T15:17:14.478394+00:00" xsi:type= 'campaign:CampaignType' >
<campaign:Title > SNAKE Campaign</campaign:Title>
<campaign:Description > The SNAKE Campaign</campaign:Description>
<campaign:Intended_Effect timestamp= "2016-07-04T15:17:14.478500+00:00" >
<stixCommon:Value xsi:type= "stixVocabs:IntendedEffectVocab-1.0" > Advantage - Political</stixCommon:Value>
</campaign:Intended_Effect>
<campaign:Attribution >
<campaign:Attributed_Threat_Actor >
<stixCommon:Threat_Actor idref= "bae:threatactor-857fd80b-1b4e-4add-bfa1-d1e90911421b" xsi:type= 'ta:ThreatActorType' >
</stixCommon:Threat_Actor>
</campaign:Attributed_Threat_Actor>
</campaign:Attribution>
</stix:Campaign>
</stix:Campaigns>
<stix:Threat_Actors >
<stix:Threat_Actor id= "bae:threatactor-857fd80b-1b4e-4add-bfa1-d1e90911421b" timestamp= "2016-07-04T15:17:14.454074+00:00" xsi:type= 'ta:ThreatActorType' >
<ta:Title > SNAKE</ta:Title>
<ta:Description >
The group behind the SNAKE campaign are a top tier nation-state threat. Their capabilities extend from subtle watering-hole attacks to sophisticated server rootkits – virtually undetectable by conventional security products.
This threat actor group has been operating continuously for over a decade, infiltrating governments and strategic private sector networks in that time. The most notorious of their early campaigns led to a breach of classified US military systems, an extensive clean-up called ‘ Operation Buckshot Yankee’ , and led to the creation of the US Cyber Command.
Whilst the sophisticated rootkit is used for persistent access to networks, the group also leverage more straight-forward capabilities for gaining an initial toe-hold on targets. This includes the use of watering-hole attacks and basic remote access tools.
</ta:Description>
<ta:Short_Description >
The group behind the SNAKE campaign are a top tier nation-state threat. Their capabilities extend from subtle watering-hole attacks to sophisticated server rootkits – virtually undetectable by conventional security products.
</ta:Short_Description>
<ta:Identity xsi:type= "ciqIdentity:CIQIdentity3.0InstanceType" >
<ExtSch:Specification xmlns:ExtSch= "http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1" >
<xpil:PartyName xmlns:xpil= "urn:oasis:names:tc:ciq:xpil:3" >
<xnl:OrganisationName xmlns:xnl= "urn:oasis:names:tc:ciq:xnl:3" xnl:Type= "OfficialName" >
<xnl:NameElement > SNAKE</xnl:NameElement>
</xnl:OrganisationName>
<xnl:OrganisationName xmlns:xnl= "urn:oasis:names:tc:ciq:xnl:3" xnl:Type= "OfficialName" >
<xnl:NameElement > Turla</xnl:NameElement>
</xnl:OrganisationName>
<xnl:OrganisationName xmlns:xnl= "urn:oasis:names:tc:ciq:xnl:3" xnl:Type= "UnofficialName" >
<xnl:NameElement > WRAITH</xnl:NameElement>
</xnl:OrganisationName>
</xpil:PartyName>
<xpil:Addresses xmlns:xpil= "urn:oasis:names:tc:ciq:xpil:3" >
<xpil:Address >
<xal:Country xmlns:xal= "urn:oasis:names:tc:ciq:xal:3" >
<xal:NameElement > Russia</xal:NameElement>
</xal:Country>
<xal:AdministrativeArea xmlns:xal= "urn:oasis:names:tc:ciq:xal:3" >
<xal:NameElement > Moscow</xal:NameElement>
</xal:AdministrativeArea>
</xpil:Address>
</xpil:Addresses>
<xpil:ElectronicAddressIdentifiers xmlns:xpil= "urn:oasis:names:tc:ciq:xpil:3" >
<xpil:ElectronicAddressIdentifier > snake@gmail.com</xpil:ElectronicAddressIdentifier>
<xpil:ElectronicAddressIdentifier > twitter.com/snake</xpil:ElectronicAddressIdentifier>
</xpil:ElectronicAddressIdentifiers>
<xpil:Languages xmlns:xpil= "urn:oasis:names:tc:ciq:xpil:3" >
<xpil:Language > Russian</xpil:Language>
</xpil:Languages>
</ExtSch:Specification>
</ta:Identity>
<ta:Motivation timestamp= "2016-07-04T15:17:14.475968+00:00" >
<stixCommon:Value xsi:type= "stixVocabs:MotivationVocab-1.1" > Political</stixCommon:Value>
</ta:Motivation>
<ta:Sophistication timestamp= "2016-07-04T15:17:14.454350+00:00" >
<stixCommon:Value xsi:type= "stixVocabs:ThreatActorSophisticationVocab-1.0" > Expert</stixCommon:Value>
</ta:Sophistication>
<ta:Intended_Effect timestamp= "2016-07-04T15:17:14.476056+00:00" >
<stixCommon:Value xsi:type= "stixVocabs:IntendedEffectVocab-1.0" > Advantage - Political</stixCommon:Value>
</ta:Intended_Effect>
<ta:Intended_Effect timestamp= "2016-07-04T15:17:14.476095+00:00" >
<stixCommon:Value xsi:type= "stixVocabs:IntendedEffectVocab-1.0" > Theft - Intellectual Property</stixCommon:Value>
</ta:Intended_Effect>
</stix:Threat_Actor>
</stix:Threat_Actors>
</stix:STIX_Package>