author | W. Kosior <koszko@koszko.org> | 2024-12-16 19:41:24 +0100 |
---|---|---|
committer | W. Kosior <koszko@koszko.org> | 2024-12-16 19:41:24 +0100 |
commit | 973d4b6fc1232ae36b865f91204e8198233d5484 (patch) | |
tree | 98ddc1e2592ce0dafb9520bf4ca7d0aed3c15cdb | |
download | AGH-threat-intel-course-973d4b6fc1232ae36b865f91204e8198233d5484.tar.gz AGH-threat-intel-course-973d4b6fc1232ae36b865f91204e8198233d5484.zip |
Initial commit.
-rw-r--r-- | Makefile | 45 | ||||
-rw-r--r-- | profiles.yaml | 1588 | ||||
-rw-r--r-- | scrape_groups_info.py | 127 | ||||
-rwxr-xr-x | threats_by_sector_table.py | 88 |
4 files changed, 1848 insertions, 0 deletions
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..1cb2039
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,45 @@
+# SPDX-License-Identifier: CC0-1.0
+#
+# Copyright (C) 2024 Wojtek Kosior <koszko@koszko.org>
+
+# Make sure you have Pandoc, Python as well as Python packages `pyyaml' (YAML
+# parser library) and `requests' installed.
+
+PYTHON=python3
+PANDOC=pandoc
+
+all: tables.pdf scraped_group_aliases.yaml
+.PHONY: all
+
+.SUFFIXES: .pdf .md
+
+.md.pdf:
+ $(PANDOC) \
+ -V geometry:margin=1.10in \
+ -r markdown-auto_identifiers \
+ --number-sections \
+ --shift-heading-level-by=-1 \
+ --columns=1 \
+ -o $@ $<
+
+tables.md: threats_by_sector_table.py profiles.yaml
+ $(PYTHON) $^ > $@
+
+scraped_group_aliases.yaml: scrape_groups_info.py profiles.yaml
+ $(PYTHON) $^ > $@
+
+th-proj-archive.tar.gz: Makefile profiles.yaml scrape_groups_info.py \
+ scraped_group_aliases.yaml tables.md tables.pdf \
+ threats_by_sector_table.py
+ tar --transform='s|^|th-proj-archive/|' \
+ --mtime=1970-01-01T00:00:00-00:00 --group=0 --owner=0 \
+ -czf $@ $^
+
+clean:
+ rm -rf scraped_group_aliases.yaml tables.pdf tables.md \
+ th-proj-archive.tar.gz
+.PHONY: clean
+
+magisterclean: clean
+ rm -rf scraping/
+.PHONY: magisterclean
diff --git a/profiles.yaml b/profiles.yaml
new file mode 100644
index 0000000..b9759c4
--- /dev/null
+++ b/profiles.yaml
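Review bot: The `tables.md` and `scraped_group_aliases.yaml` recipes redirect the script's stdout straight into `$@`, so if `threats_by_sector_table.py` or `scrape_groups_info.py` exits non-zero part-way (the scraper does network fetches) a truncated target is left behind, and because its timestamp is newer than the prerequisites the next `make` treats it as up to date. Writing to a temporary name and renaming only on success avoids this: `$(PYTHON) $^ > $@.tmp && mv $@.tmp $@` in both recipes; alternatively a single `.DELETE_ON_ERROR:` line near the top tells GNU make to remove any target whose recipe failed. If the temporary-name form is used, `clean` should also remove `*.tmp`.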
@@ -0,0 +1,1588 @@
+# SPDX-License-Identifier: CC0-1.0
+#
+# Copyright (C) 2024 Wojtek Kosior <koszko@koszko.org>
+---
+# "targets" are countries, groups thereof or regions of Earth. Only to most
+# often attacked ones are listed for each group. A country listed for one group
+# may overlap with a region listed (for example: for APT12 we have "Taiwan"
+# listed next to "East Asia
+groups:
+ - name: admin@338
+ origin: China
+ targets:
+ - where: HongKong
+ ref: china-based-threat
+ sectors:
+ - sector: defense
+ ref: rpt-poison-ivy
+ - sector: government
+ ref: rpt-poison-ivy
+ - sector: finance # "finance, economic and trade policy" in our source
+ ref: [rpt-poison-ivy, china-based-threat]
+ - sector: telecommunications/satellites # only "telecommunications" in our
+ # source
+ ref: rpt-poison-ivy
+ - sector: media
+ ref: china-based-threat
+ goals:
+ - goal: espionage
+ ref: china-based-threat
+ references:
+ - label: rpt-poison-ivy
+ URL: https://www.mandiant.com/sites/default/files/2021-09/rpt-poison-ivy.pdf
+ - label: china-based-threat
+ URL: https://cloud.google.com/blog/topics/threat-intelligence/china-based-threat/
+
+ - name: Agrius
+ origin: Iran
+ targets:
+ - where: Israel
+ ref: [evol-agrius, agrius-moneybird]
+ - where: Middle East
+ ref: evol-agrius
+ sectors:
+ - sector: education
+ ref: agrius-moneybird
+ - sector: insurance
+ ref: agrius-moneybird
+ goals:
+ - goal: espionage
+ ref: evol-agrius
+ - goal: disruption
+ ref: [evol-agrius, agrius-moneybird]
+ - goal: extortion
+ ref: [evol-agrius, agrius-moneybird]
+ references:
+ - label: evol-agrius
+ URL: https://assets.sentinelone.com/sentinellabs/evol-agrius
+ - label: agrius-moneybird
+ URL: https://research.checkpoint.com/2023/agrius-deploys-moneybird-in-targeted-attacks-against-israeli-organizations/
+
+ - name: ALLANITE
+ origin: Russia
+ targets:
+ - where: US
+ ref: dragos-allanite
+ - where: UK
+ ref: dragos-allanite
+ sectors:
+ - sector: energy # "electric utility" in our source
+ ref: dragos-allanite
+ goals:
+ - goal: espionage
+ ref: dragos-allanite
+ - goal: disruption
+ ref: dragos-allanite
+ references:
+ - label: dragos-allanite
+ URL: https://www.dragos.com/threat/allanite/
+
+ - name: Aoqin Dragon
+ origin: China
+ targets:
+ - where: East Asia # "southeast Asia" in the source
+ ref: aoqin-newly-discovered
+ - where: Australia
+ ref: aoqin-newly-discovered
+ sectors:
+ - sector: government
+ ref: aoqin-newly-discovered
+ - sector: education
+ ref: aoqin-newly-discovered
+ - sector: telecommunications/satellites # only "telecommunications" in our
+ # source
+ ref: aoqin-newly-discovered
+ goals:
+ - goal: espionage
+ ref: aoqin-newly-discovered
+ references:
+ - label: aoqin-newly-discovered
+ URL: https://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/
+
+ - name: APT1
+ origin: China
+ targets:
+ - where: US
+ ref: mandiant-apt1-report
+ sectors:
+ - sector: information technology
+ ref: mandiant-apt1-report
+ - sector: aerospace
+ ref: mandiant-apt1-report
+ - sector: public administration
+ ref: mandiant-apt1-report
+ - sector: public administration
+ ref: mandiant-apt1-report
+ - sector: telecommunications/satellites
+ ref: mandiant-apt1-report
+ - sector: scientific research and consulting
+ ref: mandiant-apt1-report
+ - sector: energy
+ ref: mandiant-apt1-report
+ - sector: transportation
+ ref: mandiant-apt1-report
+ - sector: construction/manufacturing # "construction and manufacturing"
+ # in our source
+ ref: mandiant-apt1-report
+ - sector: non-government organizations # "international organizations" in
+ # our source
+ ref: mandiant-apt1-report
+ - sector: engineering services
+ ref: mandiant-apt1-report
+ - sector: electronics
+ ref: mandiant-apt1-report
+ - sector: legal services
+ ref: mandiant-apt1-report
+ - sector: media # "media, advertising and entertainment" in our source
+ ref: mandiant-apt1-report
+ - sector: navigation
+ ref: mandiant-apt1-report
+ goals:
+ - goal: espionage
+ ref: mandiant-apt1-report
+ references:
+ - label: mandiant-apt1-report
+ ref: https://www.mandiant.com/sites/default/files/2021-09/mandiant-apt1-report.pdf
+
+ - name: APT12
+ origin: China
+ targets:
+ - where: East Asia
+ ref: microtrends-ixeshe
+ - where: Taiwan
+ ref: microtrends-ixeshe
+ sectors:
+ - sector: electronics
+ ref: microtrends-ixeshe
+ - sector: telecommunications/satellites # only "telecommunications" in our
+ # source
+ ref: microtrends-ixeshe
+ goals:
+ - goal: espionage
+ ref: mandiant-2014-report
+ references:
+ - label: mandiant-2014-report
+ URL: https://web.archive.org/web/20140913050920/https://dl.mandiant.com/EE/library/WP_M-Trends2014_140409.pdf
+ - label: microtrends-ixeshe # uses name "IXESHE" rather than "APT12"
+ URL: https://web.archive.org/web/20190808160128/https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_ixeshe.pdf
+
+ - name: APT16
+ origin: China
+ targets:
+ - where: Taiwan
+ ref: the-eps-awakens
+ sectors:
+ # The source mentions more attacks but doesn't attribute them with
+ # certainty to APT16.
+ - sector: media # "media and entertainment" in our source
+ ref: the-eps-awakens
+ goals:
+ - goal: espionage
+ references:
+ - label: the-eps-awakens
+ URL: https://web.archive.org/web/20151226205946/https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html
+
+ - name: APT17
+ origin: China
+ targets:
+ - where: US
+ ref: apt17-report
+ sectors:
+ - sector: government
+ ref: apt17-report
+ - sector: defense
+ ref: apt17-report
+ - sector: information technology
+ ref: apt17-report
+ - sector: legal services # "law firms" in our source
+ ref: apt17-report
+ - sector: mining
+ ref: apt17-report
+ - sector: non-government organizations
+ ref: apt17-report
+ # No goals were explicitly named in our source.
+ references:
+ - label: apt17-report
+ URL: https://web.archive.org/web/20240119213200/https://www2.fireeye.com/rs/fireye/images/APT17_Report.pdf
+
+ - name: APT18
+ origin: China
+ targets:
+ - where: US
+ ref: bugcrowd-apt18
+ sectors:
+ # Besides the ones below, our source also mentions "technology" and "high
+ # technology" which are to broad/ambigious for us to use here.
+ - sector: construction/manufacturing
+ ref: bugcrowd-apt18
+ - sector: government
+ ref: bugcrowd-apt18
+ - sector: medical # "healthcare" in our source
+ ref: bugcrowd-apt18
+ - sector: defense
+ ref: bugcrowd-apt18
+ - sector: telecommunications/satellites # only "telecommunications" in our
+ # source
+ ref: bugcrowd-apt18
+ - sector: non-government organizations # "human rights groups" and
+ # "non-profit" in our source
+ ref: bugcrowd-apt18
+ - sector: engineering services # "engineering" in our source
+ ref: bugcrowd-apt18
+ - sector: energy
+ ref: bugcrowd-apt18
+ - sector: education
+ ref: bugcrowd-apt18
+ - sector: aerospace
+ ref: bugcrowd-apt18
+ - sector: transportation
+ ref: bugcrowd-apt18
+ - sector: biotechnology
+ ref: bugcrowd-apt18
+ goals:
+ - goal: espionage
+ ref: bugcrowd-apt18
+ references:
+ - label: bugcrowd-apt18
+ URL: https://www.bugcrowd.com/glossary/apt18/
+
+ - name: APT19
+ origin: China
+ targets:
+ - where: US # Forbes is an American magazine.
+ ref: darkreading-codoso-team
+ - where: Hong Kong # Forbes is also owned b a Hong Kong-based group.
+ ref: darkreading-codoso-team
+ sectors:
+ - sector: legal services # "legal" in our source
+ ref: fireeye-apt-groups
+ - sector: finance # "investment" in our source
+ ref: [fireeye-apt-groups, darkreading-codoso-team]
+ - sector: defense
+ ref: darkreading-codoso-team
+ - sector: dissident groups
+ ref: darkreading-codoso-team
+ - sector: medical # "pharmaceutical" in our source
+ ref: darkreading-codoso-team
+ - sector: energy
+ ref: darkreading-codoso-team
+ goals:
+ - goal: espionage
+ ref: darkreading-codoso-team
+ references:
+ - label: darkreading-codoso-team
+ URL: https://www.darkreading.com/cyberattacks-data-breaches/chinese-hacking-group-codoso-team-uses-forbes-com-as-watering-hole
+
+ - name: APT28
+ origin: Russia
+ targets:
+ - where: US
+ ref: mandiant-apt28
+ - where: Europe
+ ref: [fireeye-apt-groups, mandiant-apt28]
+ - where: NATO
+ ref: fireeye-apt-groups
+ - where: former Soviet Union # "Caucasus" and "eastern European countries"
+ # in `fireeye-apt-groups'
+ ref: [fireeye-apt-groups, mandiant-apt28]
+ - where: Georgia
+ ref: fireeye-apt-groups
+ sectors:
+ - sector: defense # "militaries", "security organizations" and "defense
+ # firms" in our source
+ ref: fireeye-apt-groups
+ - sector: government
+ ref: mandiant-apt28
+ - sector: dissident groups
+ ref: mandiant-apt28
+ - sector: religious groups
+ ref: mandiant-apt28
+ - sector: sport # the World Anti-Doping Agency
+ ref: mandiant-apt28
+ goals:
+ - goal: espionage
+ ref: mandiant-apt28
+ references:
+ - label: mandiant-apt28
+ URL: https://www.mandiant.com/sites/default/files/2021-09/APT28-Center-of-Storm-2017.pdf
+
+ - name: APT29
+ origin: Russia
+ targets:
+ - where: US
+ ref: [eset-operation-ghost-dukes, cyber-case-study-solarwinds]
+ - where: Norway
+ ref: eset-operation-ghost-dukes
+ - where: Europe # 3 EU ministries and a Washington DC embassy
+ ref: eset-operation-ghost-dukes
+ sectors:
+ - sector: government
+ ref: eset-operation-ghost-dukes
+ - sector: drug dealers # a reuse of hacking tools…
+ ref: eset-operation-ghost-dukes
+ goals:
+ - goal: espionage
+ ref: [eset-operation-ghost-dukes, cyber-case-study-solarwinds]
+ references:
+ - label: eset-operation-ghost-dukes
+ URL: https://web-assets.esetstatic.com/wls/2019/10/ESET_Operation_Ghost_Dukes.pdf
+ - label: cyber-case-study-solarwinds
+ URL: https://ollisakersarney.com/wp-content/uploads/2021/10/Cyber_Case_Study_-_SolarWinds_Supply_Chain_Cyberattack.pdf
+
+ - name: APT3
+ origin: China
+ targets:
+ - where: US
+ ref: chinas-cyber-capabilities
+ - where: Germany # Siemens AG is a German company
+ ref: chinas-cyber-capabilities
+ sectors:
+ - sector: information technology
+ ref: chinas-cyber-capabilities
+ - sector: aerospace
+ ref: fireeye-apt-groups
+ - sector: defense
+ ref: fireeye-apt-groups
+ - sector: construction/manufacturing # "construction and engineering" in
+ # our source
+ ref: fireeye-apt-groups
+ - sector: telecommunications/satellites
+ ref: [fireeye-apt-groups, chinas-cyber-capabilities]
+ goals:
+ - goal: espionage
+ ref: chinas-cyber-capabilities
+ references:
+ - label: chinas-cyber-capabilities
+ URL: https://www.uscc.gov/sites/default/files/2022-11/Chapter_3_Section_2--Chinas_Cyber_Capabilities.pdf
+
+ - name: APT30
+ origin: China
+ targets:
+ - where: East Asia # Association of Southeast Asian Nations in our source
+ ref: fireeye-apt-groups
+ sectors:
+ - sector: government
+ ref: fireeye-apt30
+ - sector: media
+ ref: fireeye-apt30
+ goals:
+ - goal: espionage
+ ref: fireeye-apt30
+ references:
+ - label: fireeye-apt30
+ URL: https://scadahacker.com/library/Documents/Cyber_Events/Fireeye%20-%20APT30.pdf
+
+ - name: APT33
+ origin: Iran
+ sectors:
+ - sector: aerospace # "aviation" in `hivepro-apt33'
+ ref: [fireeye-apt-groups, hivepro-apt33]
+ - sector: energy
+ ref: [fireeye-apt-groups, hivepro-apt33]
+ - sector: construction/manufacturing # only "construction" in our source
+ ref: hivepro-apt33
+ - sector: defense
+ ref: hivepro-apt33
+ - sector: education
+ ref: hivepro-apt33
+ - sector: finance
+ ref: hivepro-apt33
+ - sector: medical # "healthcare" and "pharmaceutical" in our source
+ ref: hivepro-apt33
+ - sector: government
+ ref: hivepro-apt33
+ - sector: telecommunications/satellites
+ ref: hivepro-apt33
+ goals:
+ - goal: espionage
+ ref: hivepro-apt33
+ references:
+ - label: hivepro-apt33
+ URL: https://www.hivepro.com/wp-content/uploads/2023/09/APT-33-Uses-Password-Spray-Campaigns-to-Infiltrate-Organizations_TA2023375.pdf
+
+ - name: APT39
+ origin: Iran
+ targets:
+ - where: US
+ ref: fireeye-apt39
+ - where: Middle East
+ ref: fireeye-apt39
+ sectors:
+ - sector: telecommunications/satellites # only "telecommunications" in our
+ # source
+ ref: fireeye-apt39
+ - sector: travel
+ ref: fireeye-apt39
+ - sector: government
+ ref: fireeye-apt39
+ goals:
+ - goal: espionage
+ ref: fireeye-apt39
+ references:
+ - label: fireeye-apt39
+ URL: https://attack.mitre.org/docs/training-cti/FireEye%20APT39%20-%20original%20report.pdf
+
+ - name: APT41
+ origin: China
+ targets:
+ - where: East Asia
+ ref: rt-apt41-dual-operation
+ - where: US
+ ref: rt-apt41-dual-operation
+ - where: India
+ ref: rt-apt41-dual-operation
+ - where: Europe
+ ref: rt-apt41-dual-operation
+ - where: South Africa
+ ref: rt-apt41-dual-operation
+ sectors:
+ - sector: medical
+ ref: rt-apt41-dual-operation
+ - sector: telecommunications/satellites # only "telecommunications" in our
+ # source
+ ref: rt-apt41-dual-operation
+ - sector: education
+ ref: rt-apt41-dual-operation
+ - sector: travel
+ ref: rt-apt41-dual-operation
+ - sector: media
+ ref: rt-apt41-dual-operation
+ - sector: video games
+ ref: rt-apt41-dual-operation
+ - sector: information technology
+ ref: rt-apt41-dual-operation
+ - sector: retail
+ ref: rt-apt41-dual-operation
+ - sector: virtual currencies
+ ref: rt-apt41-dual-operation
+ goals:
+ - goal: rt-apt41-dual-operation
+ ref: expionage
+ - goal: rt-apt41-dual-operation
+ ref: financial theft
+ references:
+ - label: rt-apt41-dual-operation
+ URL: https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf
+
+ # Going alphabetically, now we'd have APT5. It's been omitted because neither
+ # the NSA'a Threat Hunting Guidance[1] nor the description from
+ # ^[fireeye-apt-groups] actually state its origin. Some sources call it a
+ # Chinese group but those can be considered less reliable than these 2.
+
+ - name: Aquatic Panda
+ origin: China
+ sectors:
+ - sector: education
+ ref: overwatch-exposes-aquatic-panda
+ - sector: telecommunications/satellites # only "telecommunications" in our
+ # source
+ ref: overwatch-exposes-aquatic-panda
+ - sector: government
+ ref: overwatch-exposes-aquatic-panda
+ goals:
+ - goal: espionage
+ ref: overwatch-exposes-aquatic-panda
+ references:
+ - label: overwatch-exposes-aquatic-panda
+ URL: https://www.crowdstrike.com/en-us/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/
+
+ - name: Axiom
+ origin: China
+ targets:
+ - where: Europe
+ ref: novetta-executive-summary
+ - where: East Asia
+ ref: novetta-executive-summary
+ - where: US
+ ref: novetta-executive-summary
+ sectors:
+ - sector: media # "journalists" in our source
+ ref: novetta-executive-summary
+ - sector: information technology # "software companies" in our source
+ ref: novetta-executive-summary
+ - sector: education
+ ref: novetta-executive-summary
+ - sector: government
+ ref: novetta-executive-summary
+ - sector: telecommunications
+ ref: novetta-executive-summary
+ - sector: non-government organizations
+ ref: novetta-executive-summary
+ goals:
+ - goal: espionage
+ ref: novetta-executive-summary
+ references:
+ - label: novetta-executive-summary
+ URL: https://web.archive.org/web/20230211014413/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf
+
+ - name: BackdoorDiplomacy
+ origin: China
+ targets:
+ - where: Middle East
+ ref: bitdefender-backdoordiplomacy
+ - where: Europe
+ ref: hivepro-backdoordiplomacy
+ - where: South Africa
+ ref: hivepro-backdoordiplomacy
+ - where: Namibia
+ ref: hivepro-backdoordiplomacy
+ - where: South Asia
+ ref: hivepro-backdoordiplomacy
+ sectors:
+ - sector: government
+ ref: hivepro-backdoordiplomacy
+ - sector: telecommunications/satellites # only "telecommunications" in our
+ # source
+ ref: hivepro-backdoordiplomacy
+ goals:
+ - goal: espionage
+ ref: bitdefender-backdoordiplomacy
+ references:
+ - label: bitdefender-backdoordiplomacy
+ URL: https://www.bitdefender.com/files/News/CaseStudies/study/426/Bitdefender-PR-Whitepaper-BackdoorDiplomacy-creat6507-en-EN.pdf
+ - label: hivepro-backdoordiplomacy
+ URL: https://www.hivepro.com/wp-content/uploads/2022/12/BackdoorDiplomacy-targets-the-telecom-industry-in-the-Middle-East_TA2022285.pdf
+
+ - name: BlackTech
+ origin: China
+ targets:
+ - where: East Asia
+ ref: nnt-blacktech
+ - where: US
+ ref: nnt-blacktech
+
+ goals:
+ - goal: espionage
+ ref: nnt-blacktech
+ references:
+ - label: csa-blacktech
+ URL: https://media.defense.gov/2023/Sep/27/2003309107/-1/-1/0/CSA_BLACKTECH_HIDE_IN_ROUTERS_TLP-CLEAR.PDF
+ - label: nnt-blacktech
+ URL: https://jp.security.ntt/resources/EN-BlackTech_2021.pdf
+
+ - name: BRONZE BUTLER
+ origin: China
+ targets:
+ - where: Japan
+ ref: butler-targets-japanese
+ sectors:
+ - sector: government
+ ref: hivepro-butler
+ - sector: defense
+ ref: hivepro-butler
+ goals:
+ - goal: espionage
+ ref: butler-targets-japanese
+ references:
+ - label: butler-targets-japanese
+ URL: https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses
+ - label: hivepro-butler
+ URL: https://www.hivepro.com/wp-content/uploads/2023/03/TA2023135.pdf
+
+ - name: Chimera
+ origin: China
+ targets:
+ - where: Taiwan
+ ref: cycraft-chimera
+ sectors:
+ - sector: electronics
+ ref: cycraft-chimera
+ goals:
+ - goal: espionage
+ ref: cycraft-chimera
+ references:
+ - label: cycraft-chimera
+ URL: https://uploads-ssl.webflow.com/6667e1c7aa0aa53cf61a022c/66bc65e430aa86747891a088_%5BTLP-White%5D20200415%20Chimera_V4.2.pdf
+
+ - name: Cinnamon Tempest
+ origin: China
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: Cleaver
+ origin: Iran
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: CopyKittens
+ origin: Iran
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: CURIUM
+ origin: Iran
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: CyberAv3ngers
+ origin: Iran
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: Daggerfly
+ origin: China
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: Deep Panda
+ origin: China
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: Dragonfly
+ origin: Russia
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: DragonOK
+ origin: China
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: Earth Lusca
+ origin: China
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: Elderwood
+ origin: China
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: Ember Bear
+ origin: Russia
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: Ferocious Kittens
+ origin: Iran
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+
+ - name: Fox Kitten
+ origin: Iran
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: Gallium
+ origin: China
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: Gamaredon Group
+ origin: Russia
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: HAFNIUM
+ origin: China
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: IndigoZebra
+ origin: China
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: Indrik Spider
+ origin: Russia
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: Ke3chang
+ origin: China
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: Lazarus Group
+ origin: North Korea
+ targets:
+ - where: South Korea
+ ref: trendmicro-lazarus
+ - where: US
+ ref: trendmicro-lazarus
+ - where: Vietnam
+ ref: trendmicro-lazarus
+ sectors:
+ - sector: government
+ ref: trendmicro-lazarus
+ - sector: finance
+ ref: trendmicro-lazarus
+ - sector: media
+ ref: trendmicro-lazarus
+ - sector: defense
+ ref: trendmicro-lazarus
+ goals:
+ - goal: espionage
+ ref: trendmicro-lazarus
+ - goal: disruption
+ ref: trendmicro-lazarus
+ - goal: extortion
+ ref: trendmicro-lazarus
+ - goal: financial theft
+ ref: trendmicro-lazarus
+ references:
+ - label: trendmicro-lazarus
+ URL: https://www.trendmicro.com/vinfo/nl/security/news/cybercrime-and-digital-threats/a-look-into-the-lazarus-groups-operations
+
+ - name: Leafminer
+ origin: Iran
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: Leviathan
+ origin: China
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: Lotus Blossom
+ origin: China
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: Magic Hound
+ origin: Iran
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: menuPass
+ origin: China
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: Moafee
+ origin: China
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: Mofang
+ origin: China
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: Moonstone Sleet
+ origin: North Korea
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: Moses Staff
+ origin: Iran
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: MuddyWater
+ origin: Iran
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: Mustang Panda
+ origin: China
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: Naikon
+ origin: China
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: Nomadic Octopus
+ origin: Russia
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: OilRig
+ origin: Iran
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: PittyTiger
+ origin: China
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: Putter Panda
+ origin: China
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: Saint Bear
+ origin: Russia
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: Sandworm Team
+ origin: Russia
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: Silent Librarian
+ origin: Iran
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: Star Blizzard
+ origin: Russia
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: Suckfly
+ origin: China
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: Threat Group-3390
+ origin: China
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: Tonto Team
+ origin: China
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: Tropic Trooper
+ origin: China # mitre.org calls it unaffiliated but at least one of the
+ # sources calls it "China-backed" and its set of targets is
+ # consistent with that of other Chinese APTs.
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: Turla
+ origin: Russia
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: UNC788
+ origin: Iran
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: Volt Typhoon
+ origin: China
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: Windshift
+ origin: Iran
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ - name: Winnti Group
+ origin: China
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+ # Going alphabetically, now we'd have Winter Vivern. It's been omitted
+ # because there is no clue as to whether it is actually a Russian group or a
+ # Belorussian one.
+
+ - name: ZIRCONIUM
+ origin: China
+ # targets:
+ # - where:
+ # ref:
+ # - where:
+ # ref:
+ # sectors:
+ # - sector:
+ # ref:
+ # - sector:
+ # ref:
+ # goals:
+ # - goal:
+ # ref:
+ # references:
+ # - label:
+ # URL:
+
+# Below we keep references that are used in profiles of multiple groups.
+references:
+ label: fireeye-apt-groups
+ URL: https://web.archive.org/web/20180806122230/https://www.fireeye.com/current-threats/apt-groups.html#apt19
diff --git a/scrape_groups_info.py b/scrape_groups_info.py
new file mode 100644
index 0000000..549f872
--- /dev/null
+++ b/scrape_groups_info.py
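Review bot: Under APT41 the two `goals` entries have their keys swapped and one value misspelled (`- goal: rt-apt41-dual-operation` / `ref: expionage`); they should read `- goal: espionage` / `ref: rt-apt41-dual-operation` and `- goal: financial theft` / `ref: rt-apt41-dual-operation`. The same hunk has shape inconsistencies a consumer will trip over: APT1's reference entry uses `ref:` where every other entry uses `URL:`, and the trailing shared `references:` block is a mapping with `label`/`URL` keys rather than the list of `- label:` items used inside the groups. Vocabulary drift will also split or double-count table rows keyed on these strings: `HongKong` (admin@338) vs `Hong Kong` (APT19), `telecommunications` (Axiom) vs `telecommunications/satellites` elsewhere, and `public administration` listed twice under APT1. BlackTech has no `sectors:` key at all, which a loader indexing `group["sectors"]` would presumably raise on; if that is intentional, an explicit `sectors: []` makes it readable.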
@@ -0,0 +1,127 @@
+#!/usr/bin/env python3
+
+# SPDX-License-Identifier: CC0-1.0
+#
+# Copyright (C) 2024 Wojtek Kosior <koszko@koszko.org>
+
+from dataclasses import dataclass
+from html.parser import HTMLParser
+from pathlib import Path
+import sys
+
+import requests
+import yaml
+
+mitre_pages_path = Path(".") / "scraping" / "attack.mitre.org"
+profiles_path = Path('./profiles.yaml')
+
+def mitre_page_download(path):
+ response = requests.get('https://attack.mitre.org/' + path)
+ response.raise_for_status()
+ return response.text
+
+def mitre_page_get(path):
+ page_path = mitre_pages_path / path
+ if page_path.exists():
+ return page_path.read_text()
+ else:
+ if not page_path.parent.exists():
+ page_path.parent.mkdir(parents=True)
+ page_text = mitre_page_download(path)
+ page_path.write_text(page_text)
+ return page_text
+
+@dataclass
+class Group:
+ name: str
+ mitre_id: str
+ aliases: list[str]
+
+
+
+class GroupListPageParser(HTMLParser):
+ def __init__(self, relevant_groups):
+ super().__init__()
+ self.relevant_groups = relevant_groups
+
+ self.col_numbers = [-1]
+ self.current_tags = ["*TOP*"]
+
+ self.collected_groups = {}
+
+ self.collecting_new_group()
+
+ def collecting_new_group(self):
+ self.current_group_mitre_id = None
+ self.current_group_name = None
+ self.current_group_aliases = None
+
+ def handle_starttag(self, tag, attrs):
+ self.current_tags.append(tag)
+
+ if tag == "tr":
+ self.col_numbers.append(-1)
+ elif tag == "td":
+ self.col_numbers[-1] += 1
+
+ def handle_data(self, data):
+ if self.current_tags[-1] == "a" and self.col_numbers[-1] == 0:
+ self.current_group_mitre_id = data.strip()
+ elif self.current_tags[-1] == "a" and self.col_numbers[-1] == 1:
+ self.current_group_name = data.strip()
+ elif self.current_tags[-1] == "td" and self.col_numbers[-1] == 2:
+ data = data.strip()
+ if data:
+ self.current_group_aliases = data.split(", ")
+ else:
+ self.current_group_aliases = []
+
+ def handle_endtag(self, tag):
+ self.current_tags.pop()
+
+ if tag == "tr":
+ self.col_numbers.pop()
+
+ if self.current_group_name is None or \
+ self.current_group_mitre_id is None or \
+ self.current_group_aliases is None:
+ print("Incomplete data for group.", file=sys.stderr)
+ return
+
+ if self.current_group_name not in self.relevant_groups:
+ print(f"Ignoring group `{self.current_group_name}'",
+ file=sys.stderr)
+ return
+
+ if self.current_group_name in self.collected_groups:
+ print(f"Double definition of group `{self.current_group_name}'",
+ file=sys.stderr)
+ return
+
+ self.collected_groups[self.current_group_name] = Group(
+ self.current_group_name,
+ self.current_group_mitre_id,
+ self.current_group_aliases
+ )
+
+ self.collecting_new_group()
+
+def get_groups(names):
+ parser = GroupListPageParser(names)
+ parser.feed(mitre_page_get("groups/"))
+ return parser.collected_groups
+
+def get_group_names(profiles_path):
+ def group_names(inp):
+ return {group["name"] for group in yaml.safe_load(inp)["groups"]}
+
+ if profiles_path:
+ with open(profiles_path) as inp:
+ return group_names(inp)
+
+ return group_names(sys.stdin)
+
+if __name__ == "__main__":
+ group_names = get_group_names(None if len(sys.argv) < 2 else sys.argv[1])
+ groups = get_groups(group_names)
+ yaml.safe_dump([group.__dict__ for group in groups.values()], sys.stdout)
diff --git a/threats_by_sector_table.py b/threats_by_sector_table.py
new file mode 100755
index 0000000..597cf12
--- /dev/null
+++ b/threats_by_sector_table.py
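Review bot: The `requests.get('https://attack.mitre.org/' + path)` call in mitre_page_download has no timeout, so a stalled connection blocks the scrape (and the Makefile target that runs it) indefinitely; pass one explicitly, `response = requests.get('https://attack.mitre.org/' + path, timeout=30)`. The cached copy under scraping/ is never refreshed or validated once written, so an HTML error page served with status 200 would be reused on every later run — a comment at mitre_page_get saying the cache must be deleted by hand (the Makefile's magisterclean) would help. In handle_endtag the tag stack is popped without checking that `tag` matches the top, so a stray closing tag in the page shifts col_numbers for the rest of the table and, if the `*TOP*` sentinel is consumed, later `current_tags[-1]` lookups raise IndexError; at least guard it with `if len(self.current_tags) > 1: self.current_tags.pop()`. The module-level `profiles_path` is never used (get_group_names takes a same-named parameter) and can be dropped.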
@@ -0,0 +1,88 @@
+#!/usr/bin/env python3
+
+# SPDX-License-Identifier: CC0-1.0
+#
+# Copyright (C) 2024 Wojtek Kosior <koszko@koszko.org>
+
+import yaml
+import sys
+
+def read_APT_data(yaml_path):
+ if yaml_path:
+ with open(yaml_path) as inp:
+ return yaml.safe_load(inp)
+ else:
+ return yaml.safe_load(sys.stdin)
+
+def group_has_sector(group, sector):
+ group_sectors = group.get("sectors", [])
+
+ if sector is None:
+ return not group_sectors
+
+ for sector_obj in group_sectors:
+ if sector_obj["sector"] == sector:
+ return True
+
+def group_has_goal(group, goal):
+ group_goals = group.get("goals", [])
+
+ if goal is None:
+ return not group_goals
+
+ for goal_obj in group_goals:
+ if goal_obj["goal"] == goal:
+ return True
+
+dashes = ''.join('-' for _ in range(24))
+
+def print_tables(APT_data, out=sys.stdout):
+ all_groups = APT_data["groups"]
+ all_goals = sorted({goal["goal"]
+ for group in all_groups
+ for goal in group.get("goals", [])})
+ all_origins = sorted({group["origin"] for group in all_groups})
+ all_sectors = sorted({sector["sector"]
+ for group in all_groups
+ for sector in group.get("sectors", [])})
+
+ separator_line = f"|{'|'.join(dashes for _ in [None] + all_origins)}|"
+
+ first = True
+
+ for sector in all_sectors:
+ if first:
+ first = False
+ else:
+ print("\\newpage")
+
+ groups = [group for group in all_groups
+ if group_has_sector(group, sector)]
+
+ def make_group_listing(origin, goal):
+ return ", ".join(group["name"] for group in groups
+ if (group["origin"] == origin and
+ group_has_goal(group, goal)))
+
+ print(f"### {sector}")
+ print()
+ print(f"|**goal \ origin**|**{'**|**'.join(all_origins)}**|")
+
+ for goal in all_goals:
+ group_listings = [make_group_listing(origin, goal) or ' '
+ for origin in all_origins]
+ print(separator_line)
+ print(f"|**{goal}**|{'|'.join(group_listings)}|")
+
+ # Groups with no documented goal (if there are such ones)
+ group_listings = [make_group_listing(origin, None)
+ for origin in all_origins]
+
+ if any(group_listings):
+ print(separator_line)
+ print(f"|*not documented*|{'|'.join(group_listings)}|")
+
+ print()
+
+if __name__ == "__main__":
+ print_tables(read_APT_data(None if len(sys.argv) < 2 else sys.argv[1])) |
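Review bot: print_tables accepts `out=sys.stdout` but every `print` inside it writes to the default stream, so the parameter is dead and a caller passing a file handle still gets the tables on stdout; either drop it or add `file=out` to each print, e.g. `print(separator_line, file=out)`. The header line `f"|**goal \ origin**|..."` contains the invalid escape `\ `, which recent CPython reports as a SyntaxWarning — if a literal backslash-space is intended for pandoc, write `\\ ` or make the f-string raw. group_has_sector and group_has_goal fall off the end and return None when nothing matches; returning a bool explicitly, `return any(s["sector"] == sector for s in group_sectors)`, makes the contract clear. `dashes = ''.join('-' for _ in range(24))` is simply `'-' * 24`.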