author | W. Kosior <koszko@koszko.org> | 2025-01-08 13:29:32 +0100 |
committer | W. Kosior <koszko@koszko.org> | 2025-01-08 13:29:32 +0100 |
commit | 7d465de3f9e47a7dd95a5d5db6ecf8b16a2de5ba (patch) | |
tree | 8bf68e572def945a010b57417ffc9c3963134b2f | |
parent | ed6def4a5c8c3531748e22237790acade8525a18 (diff) | |
Document several more groups.
-rw-r--r-- | profiles.yaml | 411 |
1 files changed, 251 insertions, 160 deletions
diff --git a/profiles.yaml b/profiles.yaml
index 757c154..fffad38 100644
--- a/profiles.yaml
+++ b/profiles.yaml
@@ -718,174 +718,263 @@ groups: - name: Cinnamon Tempest origin: China - # targets: - # - where: - # ref: - # - where: - # ref: - # sectors: - # - sector: - # ref: - # - sector: - # ref: - # goals: - # - goal: - # ref: - # references: - # - label: - # URL: + targets: + - where: East Asia # "southeast Asia" in the source + ref: hivepro-decoding-bronze-starlight + sectors: + - sector: gambling + ref: hivepro-decoding-bronze-starlight + goals: + # The information theft goal is only speculated + - goal: extortion + ref: [sygnia-revealing-emperor-dragonfly, + hivepro-decoding-bronze-starlight] + references: + - label: sygnia-revealing-emperor-dragonfly + URL: https://www.sygnia.co/threat-reports-and-advisories/revealing-emperor-dragonfly-a-chinese-ransomware-group/ + - label: hivepro-decoding-bronze-starlight + URL: https://hivepro.com/wp-content/uploads/2023/08/Decoding-Bronze-Starlights-Strategy-in-the-Gambling-Sector_TA2023337.pdf - name: Cleaver origin: Iran - # targets: - # - where: - # ref: - # - where: - # ref: - # sectors: - # - sector: - # ref: - # - sector: - # ref: - # goals: - # - goal: - # ref: - # references: - # - label: - # URL: + targets: + - where: US + ref: cyclane-operation-cleaver + - where: Saudi Arabia + ref: cyclane-operation-cleaver + - where: Canada + ref: cyclane-operation-cleaver + - where: China + ref: cyclane-operation-cleaver + - where: England + ref: cyclane-operation-cleaver + - where: France + ref: cyclane-operation-cleaver + - where: Germany + ref: cyclane-operation-cleaver + - where: India + ref: cyclane-operation-cleaver + - where: Israel + ref: cyclane-operation-cleaver + - where: Kuwait + ref: cyclane-operation-cleaver + - where: Mexico + ref: cyclane-operation-cleaver + - where: Pakistan + ref: cyclane-operation-cleaver + - where: Qatar + ref: cyclane-operation-cleaver + - where: South Korea + ref: cyclane-operation-cleaver + - where: Turkey + ref: cyclane-operation-cleaver + - where: United Arab Emirates + ref: 
cyclane-operation-cleaver + sectors: + - sector: aerospace + ref: cyclane-operation-cleaver + - sector: medical + ref: cyclane-operation-cleaver + - sector: education + ref: cyclane-operation-cleaver + - sector: energy + ref: cyclane-operation-cleaver + - sector: automotive + ref: cyclane-operation-cleaver + - sector: defense + ref: cyclane-operation-cleaver + goals: + - goal: espionage + ref: cyclane-operation-cleaver + references: + - label: cyclane-operation-cleaver + URL: https://web.archive.org/web/20150108041942/http://cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf - name: CopyKittens origin: Iran - # targets: - # - where: - # ref: - # - where: - # ref: - # sectors: - # - sector: - # ref: - # - sector: - # ref: - # goals: - # - goal: - # ref: - # references: - # - label: - # URL: + targets: + - where: Israel + ref: [minerva-copykittens, operation-wilted-tulip] + - where: Middle East + ref: [minerva-copykittens, operation-wilted-tulip] + - where: US + ref: operation-wilted-tulip + - where: Saudi Arabia + ref: operation-wilted-tulip + - where: Turkey + ref: operation-wilted-tulip + - where: Jordan + ref: operation-wilted-tulip + - where: Germany + ref: operation-wilted-tulip + sectors: + - sector: government + ref: minerva-copykittens + - sector: researchers + ref: minerva-copykittens + goals: + - goal: espionage + ref: minerva-copykittens + references: + - label: minerva-copykittens + URL: https://web.archive.org/web/20201101053223/https://s3-eu-west-1.amazonaws.com/minervaresearchpublic/CopyKittens/CopyKittens.pdf + - label: operation-wilted-tulip + URL: https://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf - name: CURIUM origin: Iran - # targets: - # - where: - # ref: - # - where: - # ref: - # sectors: - # - sector: - # ref: - # - sector: - # ref: - # goals: - # - goal: - # ref: - # references: - # - label: - # URL: + targets: + - where: Middle East + ref: ankura-malware + - where: Israel + ref: ankura-malware + - 
where: US + ref: ankura-malware + sectors: + - sector: transportation + ref: staying-ahead-in-age-of-ai + - sector: medical # "healthcare" in "staying-ahead-in-age-of-ai" + ref: [staying-ahead-in-age-of-ai, ankura-malware] + - sector: defense + ref: staying-ahead-in-age-of-ai + - sector: government + ref: marioarauzo-unc1860 + - sector: energy + ref: marioarauzo-unc1860 + - sector: finance + ref: ankura-malware + goals: + - goal: espionage + ref: marioarauzo-unc1860 + references: + - label: ahead-in-age-of-ai + URL: https://www.microsoft.com/en-us/security/blog/2024/02/14/staying-ahead-of-threat-actors-in-the-age-of-ai/ + - label: marioarauzo-unc1860 + URL: https://www.linkedin.com/posts/marioarauzo_iranian-apt-unc1860-linked-to-mois-facilitates-activity-7242894568143114240-94oI + - label: ankura-malware + URL: https://www.lexology.com/library/detail.aspx?g=abefdf48-8415-4ce1-97de-d857e830aa70 - name: CyberAv3ngers origin: Iran - # targets: - # - where: - # ref: - # - where: - # ref: - # sectors: - # - sector: - # ref: - # - sector: - # ref: - # goals: - # - goal: - # ref: - # references: - # - label: - # URL: + targets: + - where: Israel + ref: cisa-irgc-plcs + sectors: + - sector: electronics # "PLCs" in our source + ref: cisa-irgc-plcs + - sector: biotechnology # "human machine interfaces" in our source + ref: cisa-irgc-plcs + goals: + - goal: disruption + ref: cisa-irgc-plcs + references: + - label: cisa-irgc-plcs + URL: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a - name: Daggerfly origin: China - # targets: - # - where: - # ref: - # - where: - # ref: - # sectors: - # - sector: - # ref: - # - sector: - # ref: - # goals: - # - goal: - # ref: - # references: - # - label: - # URL: + targets: + - where: India + ref: kpmg-ctip-evasive-panda + - where: China + ref: kpmg-ctip-evasive-panda + - where: Tibet + ref: kpmg-ctip-evasive-panda + - where: Taiwan + ref: kpmg-ctip-evasive-panda + - where: Hong Kong + ref: kpmg-ctip-evasive-panda + - 
where: South Korea + ref: kpmg-ctip-evasive-panda + - where: Myanmar + ref: kpmg-ctip-evasive-panda + - where: Australia + ref: kpmg-ctip-evasive-panda + - where: US + ref: kpmg-ctip-evasive-panda + - where: Vietnam + ref: kpmg-ctip-evasive-panda + - where: East Asia + ref: kpmg-ctip-evasive-panda + sectors: + - sector: government + ref: kpmg-ctip-evasive-panda + - sector: non-government organizations # just "organizations" in our + # source + ref: kpmg-ctip-evasive-panda + goals: + - goal: espionage + ref: kpmg-ctip-evasive-panda + references: + - label: kpmg-ctip-evasive-panda + URL: https://assets.kpmg.com/content/dam/kpmgsites/in/pdf/2024/11/kpmg-ctip-evasive-panda-12-nov-2024.pdf.coredownload.inline.pdf - name: Deep Panda origin: China - # targets: - # - where: - # ref: - # - where: - # ref: - # sectors: - # - sector: - # ref: - # - sector: - # ref: - # goals: - # - goal: - # ref: - # references: - # - label: - # URL: + targets: + - where: US + ref: [crowdstrike-deep-panda, fbi-deep-panda] + - where: Japan + ref: crowdstrike-deep-panda + sectors: + - sector: defense + ref: crowdstrike-deep-panda + - sector: energy + ref: crowdstrike-deep-panda + - sector: government + ref: fbi-deep-panda + goals: + - goal: espionage + ref: fbi-deep-panda + references: + - label: crowdstrike-deep-panda + URL: http://cybercampaigns.net/wp-content/uploads/2013/06/Deep-Panda.pdf + - label: fbi-deep-panda + URL: https://krebsonsecurity.com/wp-content/uploads/2015/02/FBI-Flash-Warning-Deep-Panda.pdf - name: Dragonfly origin: Russia - # targets: - # - where: - # ref: - # - where: - # ref: - # sectors: - # - sector: - # ref: - # - sector: - # ref: - # goals: - # - goal: - # ref: - # references: - # - label: - # URL: + targets: + - where: Europe + ref: dragonfly-cyber-threats + - where: US + ref: dragonfly-cyber-threats + sectors: + - sector: energy # "power grids" in our source + ref: dragonfly-cyber-threats + - sector: government + ref: dragonfly-cyber-threats + goals: + - goal: 
espionage + ref: dragonfly-cyber-threats + references: + - label: dragonfly-cyber-threats + URL: https://www.jcbi.org/index.php/Main/article/download/137/82 - name: DragonOK origin: China - # targets: - # - where: - # ref: - # - where: - # ref: - # sectors: - # - sector: - # ref: - # - sector: - # ref: - # goals: - # - goal: - # ref: - # references: - # - label: - # URL: + targets: + - where: Japan + ref: [unit-dragonok-malware, securityweek-dragonok] + - where: Taiwan + ref: [quantum-entanglement, securityweek-dragonok] + sectors: + - sector: construction/manufacturing # only "manufacturing" in our sources + ref: [unit-dragonok-malware, securityweek-dragonok] + - sector: electronics # "semoinductor" in our source + ref: securityweek-dragonok + - sector: education + ref: securityweek-dragonok + - sector: energy + ref: securityweek-dragonok + goals: + - goal: espionage + ref: securityweek-dragonok + references: + - label: unit-dragonok-malware + URL: https://unit42.paloaltonetworks.com/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/ + - label: securityweek-dragonok + URL: https://www.securityweek.com/china-linked-dragonok-group-expands-operations/ - name: Earth Lusca origin: China @@ -1237,22 +1326,22 @@ groups: - name: Moafee origin: China - # targets: - # - where: - # ref: - # - where: - # ref: - # sectors: - # - sector: - # ref: - # - sector: - # ref: - # goals: - # - goal: - # ref: - # references: - # - label: - # URL: + targets: + - where: US + ref: quantum-entanglement + - where: East Asia + ref: quantum-entanglement + sectors: + - sector: government + ref: quantum-entanglement + - sector: defense + ref: quantum-entanglement + goals: + - goal: espionage + ref: franchising-the-chinese-apt + references: + - label: franchising-the-chinese-apt + URL: https://www.darkreading.com/vulnerabilities-threats/franchising-the-chinese-apt - name: Mofang origin: China 
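Review bot: In the CURIUM entry of the `@@ -718` hunk, the `sectors` items for transportation, medical and defense cite `staying-ahead-in-age-of-ai`, but the group's `references` block declares the Microsoft blog post under `- label: ahead-in-age-of-ai`, so the citation dangles and any tooling that resolves `ref` labels will either error out or silently drop the source; rename it to `- label: staying-ahead-in-age-of-ai`. In the CyberAv3ngers entry the source's "human machine interfaces" is recorded as `sector: biotechnology`, which misclassifies an OT/ICS component as a biotech indicator; the CISA AA23-335a advisory it cites is, as far as I recall, about PLCs at water and wastewater utilities (verify against the advisory), so an energy/utilities or ICS-oriented sector value would be more faithful. Several inline comments document a value that deliberately diverges from the cited source (`East Asia` for "southeast Asia", `non-government organizations` for plain "organizations"); if a fixed sector/region vocabulary forces the relabel, a comment saying so, e.g. `# mapped to the closest value in our fixed vocabulary`, would stop readers from treating the substitution as sourced fact. The hunk opens mid-list under `groups:`, so the enclosing sequence starts outside it.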
@@ -1722,3 +1811,5 @@ references: URL: https://web.archive.org/web/20180806122230/https://www.fireeye.com/current-threats/apt-groups.html - label: trendmicro-lazarus URL: https://www.trendmicro.com/vinfo/nl/security/news/cybercrime-and-digital-threats/a-look-into-the-lazarus-groups-operations + - label: quantum-entanglement + URL: https://web.archive.org/web/20200302090751/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf |