From 95659c39c08349eea3992bc68c2224a96aff85ef Mon Sep 17 00:00:00 2001
From: Rony <49360849+r0ny123@users.noreply.github.com>
Date: Sat, 23 Nov 2024 22:04:39 +0530
Subject: [PATCH 1/6] Update threat-actor.json
---
 clusters/threat-actor.json | 54 +++++++++++++++----------------------
 1 file changed, 21 insertions(+), 33 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 0dc399b4..132419f6 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -4859,8 +4859,22 @@
 "https://www.microsoft.com/security/blog/2022/08/15/disrupting-seaborgiums-ongoing-phishing-operations",
 "https://blog.sekoia.io/calisto-continues-its-credential-harvesting-campaign",
 "https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf",
- "https://www.darkreading.com/attacks-breaches/russian-apt-bluecharlie-swaps-infrastructure-to-evade-detection",
- "https://www.microsoft.com/en-us/security/blog/2023/12/07/star-blizzard-increases-sophistication-and-evasion-in-ongoing-attacks/"
+ "https://www.recordedfuture.com/research/bluecharlie-previously-tracked-as-tag-53-continues-to-deploy-new-infrastructure-in-2023",
+ "https://www.microsoft.com/en-us/security/blog/2023/12/07/star-blizzard-increases-sophistication-and-evasion-in-ongoing-attacks/",
+ "https://go.recordedfuture.com/hubfs/reports/cta-2022-1205.pdf",
+ "https://www.ncsc.gov.uk/files/Advisory-Russian-FSB-cyber-actor-star-blizzard-continues-worldwide-spear-sphishing-campaigns.pdf",
+ "https://www.gov.uk/government/news/uk-exposes-attempted-russian-cyber-interference-in-politics-and-democratic-processes",
+ "https://cloud.google.com/blog/topics/threat-intelligence/cyber-threats-global-elections",
+ "https://cloud.google.com/blog/topics/threat-intelligence/cyber-threats-2024-paris-olympics",
+ "https://blog.google/threat-analysis-group/google-tag-coldriver-russian-phishing-malware",
+ "https://citizenlab.ca/2024/08/sophisticated-phishing-targets-russias-perceived-enemies-around-the-globe/",
+ "https://www.gov.uk/government/news/uk-exposes-attempted-russian-cyber-interference-in-politics-and-democratic-processes",
+ "https://citizenlab.ca/2024/10/disrupting-coldriver/",
+ "https://blogs.microsoft.com/on-the-issues/2024/10/03/protecting-democratic-institutions-from-cyber-threats/",
+ "https://www.justice.gov/opa/pr/justice-department-disrupts-russian-intelligence-spear-phishing-efforts",
+ "https://www.justice.gov/opa/pr/two-russian-nationals-working-russias-federal-security-service-charged-global-computer",
+ "https://www.justice.gov/opa/media/1327601/dl?inline",
+ "https://www.noticeofpleadings.com/starblizzard/"
 ],
 "synonyms": [
 "COLDRIVER",
@@ -4868,7 +4882,11 @@
 "TA446",
 "GOSSAMER BEAR",
 "BlueCharlie",
- "Star Blizzard"
+ "Star Blizzard",
+ "TAG-53",
+ "IRON FRONTIER",
+ "UNC4057",
+ "Blue Callisto"
 ],
 "targeted-sector": [
 "Government, Administration",
@@ -4877,15 +4895,6 @@
 "Journalist"
 ]
 },
- "related": [
- {
- "dest-uuid": "06630ccd-98ed-5aec-8083-e04c894bd2d6",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "similar"
- }
- ],
 "uuid": "fbd279ab-c095-48dc-ba48-4bece3dd5b0f",
 "value": "Callisto"
 },
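Review bot: Only one of the three references carried by the TAG-53 cluster that this commit deletes at `@@ -11665,27 +11674,6 @@` is re-added here (`cta-2022-1205.pdf`); the knowbe4 post and the original Recorded Future "Exposing TAG-53" article are dropped, so the new `TAG-53` synonym is attested by a single PDF whose URL may not stay stable. Consider carrying `"https://blog.knowbe4.com/russian-threat-actor-impersonates-aerospace-and-defense-companies"` and the Recorded Future article (without its `utm_*` query string) into this refs array. The array is also appended to without any uniqueness check: this hunk inserts the gov.uk URL twice, and commits 3/6 and 5/6 of the series exist only to remove duplicates. A pre-commit check such as `jq '.values[].meta.refs // [] | group_by(.) | map(select(length > 1))' clusters/threat-actor.json` (constructed example) would surface those before they land.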
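Review bot: `+ "IRON FRONTIER",` adds an alias that none of the references added in this series appear to come from (the IRON-prefixed naming belongs to a vendor not cited in the refs array), so the synonym is unsupported by the cluster's own sources; add the originating report or hold the alias until one is cited. `UNC4057` and `Blue Callisto` are better placed, since Google and PwC material is referenced (PwC in 2/6). The next hunk also removes the `similar` relation to `06630ccd-98ed-5aec-8083-e04c894bd2d6`, which is not the TAG-53 uuid being retired; if that uuid is still a live cluster in another galaxy, the edge should probably stay, and the commit message `Update threat-actor.json` gives no reason for dropping it.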
@@ -11665,27 +11674,6 @@
 "uuid": "171d0590-be92-443f-addb-af5dc2a8034d",
 "value": "Evasive Panda"
 },
- {
- "description": "A Russia-linked threat actor tracked as TAG-53 is running phishing campaigns impersonating various defense, aerospace, and logistic companies, according to The Record by Recorded Future. Recorded Future’s Insikt Group identified overlaps with a threat actor tracked by other companies as Callisto Group, COLDRIVER, and SEABORGIUM.",
- "meta": {
- "refs": [
- "https://blog.knowbe4.com/russian-threat-actor-impersonates-aerospace-and-defense-companies",
- "https://www.recordedfuture.com/exposing-tag-53-credential-harvesting-infrastructure-for-russia-aligned-espionage-operations?utm_campaign=PostBeyond&utm_source=Twitter&utm_medium=359877&utm_term=Exposing+TAG-53%E2%80%99s+Credential+Harvesting+Infrastructure+Used+for+Russia-Aligned+Espionage+Operations",
- "https://go.recordedfuture.com/hubfs/reports/cta-2022-1205.pdf"
- ]
- },
- "related": [
- {
- "dest-uuid": "fbd279ab-c095-48dc-ba48-4bece3dd5b0f",
- "tags": [
- "estimative-language:likelihood-probability=\"likely\""
- ],
- "type": "overlaps"
- }
- ],
- "uuid": "e5865ca1-ec95-43e2-954a-d0f3507a9747",
- "value": "TAG-53"
- },
 {
 "description": "This group of cybercriminals is named Malteiroby SCILabs, they operate and distribute the URSA/Mispadu banking trojan.",
 "meta": {
From ad9e315856c75f7ec0820a344bcacd3f4413643e Mon Sep 17 00:00:00 2001
From: Rony <49360849+r0ny123@users.noreply.github.com>
Date: Sat, 23 Nov 2024 18:00:01 +0000
Subject: [PATCH 2/6] chg: [threat-actor] add PwC refrences of COLDRIVER
---
 clusters/threat-actor.json | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 132419f6..32ce1931 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -4862,6 +4862,7 @@
 "https://www.recordedfuture.com/research/bluecharlie-previously-tracked-as-tag-53-continues-to-deploy-new-infrastructure-in-2023",
 "https://www.microsoft.com/en-us/security/blog/2023/12/07/star-blizzard-increases-sophistication-and-evasion-in-ongoing-attacks/",
 "https://go.recordedfuture.com/hubfs/reports/cta-2022-1205.pdf",
+ "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/blue-callisto-orbits-around-us.html",
 "https://www.ncsc.gov.uk/files/Advisory-Russian-FSB-cyber-actor-star-blizzard-continues-worldwide-spear-sphishing-campaigns.pdf",
 "https://www.gov.uk/government/news/uk-exposes-attempted-russian-cyber-interference-in-politics-and-democratic-processes",
 "https://cloud.google.com/blog/topics/threat-intelligence/cyber-threats-global-elections",
@@ -4869,6 +4870,7 @@
 "https://blog.google/threat-analysis-group/google-tag-coldriver-russian-phishing-malware",
 "https://citizenlab.ca/2024/08/sophisticated-phishing-targets-russias-perceived-enemies-around-the-globe/",
 "https://www.gov.uk/government/news/uk-exposes-attempted-russian-cyber-interference-in-politics-and-democratic-processes",
+ "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/coldwastrel-space.html",
 "https://citizenlab.ca/2024/10/disrupting-coldriver/",
 "https://blogs.microsoft.com/on-the-issues/2024/10/03/protecting-democratic-institutions-from-cyber-threats/",
 "https://www.justice.gov/opa/pr/justice-department-disrupts-russian-intelligence-spear-phishing-efforts",
From ae88aab5e9b3c06161e8083d074ec240dcabeabd Mon Sep 17 00:00:00 2001
From: Rony <49360849+r0ny123@users.noreply.github.com>
Date: Sat, 23 Nov 2024 18:06:20 +0000
Subject: [PATCH 3/6] chg: [threat-actor] remove duplicate
---
 clusters/threat-actor.json | 1 -
 1 file changed, 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 32ce1931..faa989ba 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
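Review bot: The second hunk adds `"https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/coldwastrel-space.html"` to the Callisto/COLDRIVER cluster, but the slug names COLDWASTREL, which the Citizen Lab report from August 2024 already in this refs array treats, as far as I recall, as a separate actor from COLDRIVER. Verify that the PwC post attributes activity to this cluster before citing it here, or place it on the cluster that tracks COLDWASTREL if one exists. The first hunk's `blue-callisto-orbits-around-us.html` is the source that backs the `Blue Callisto` synonym added in 1/6 and reads fine.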
@@ -4864,7 +4864,6 @@
 "https://go.recordedfuture.com/hubfs/reports/cta-2022-1205.pdf",
 "https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/blue-callisto-orbits-around-us.html",
 "https://www.ncsc.gov.uk/files/Advisory-Russian-FSB-cyber-actor-star-blizzard-continues-worldwide-spear-sphishing-campaigns.pdf",
- "https://www.gov.uk/government/news/uk-exposes-attempted-russian-cyber-interference-in-politics-and-democratic-processes",
 "https://cloud.google.com/blog/topics/threat-intelligence/cyber-threats-global-elections",
 "https://cloud.google.com/blog/topics/threat-intelligence/cyber-threats-2024-paris-olympics",
 "https://blog.google/threat-analysis-group/google-tag-coldriver-russian-phishing-malware",
From f93293817e182a324d40ddbe6fa3927dbe59eca6 Mon Sep 17 00:00:00 2001
From: Rony <49360849+r0ny123@users.noreply.github.com>
Date: Sun, 24 Nov 2024 07:23:08 +0000
Subject: [PATCH 4/6] chg: [threat-actor] more references
---
 clusters/threat-actor.json | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index faa989ba..fcb4e4e0 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -4875,7 +4875,12 @@
 "https://www.justice.gov/opa/pr/justice-department-disrupts-russian-intelligence-spear-phishing-efforts",
 "https://www.justice.gov/opa/pr/two-russian-nationals-working-russias-federal-security-service-charged-global-computer",
 "https://www.justice.gov/opa/media/1327601/dl?inline",
- "https://www.noticeofpleadings.com/starblizzard/"
+ "https://www.noticeofpleadings.com/starblizzard/",
+ "https://edeca.net/post/2024-06-26-an-interesting-callisto-yara-rule",
+ "https://blog.sekoia.io/calisto-continues-its-credential-harvesting-campaign",
+ "https://blog.sekoia.io/calisto-show-interests-into-entities-involved-in-ukraine-war-support",
+ "https://blog.sekoia.io/one-year-after-the-cyber-implications-of-the-russo-ukrainian-war/",
+ "https://blog.sekoia.io/calisto-doxxing-sekoia-io-findings-concurs-to-reuters-investigation-on-fsb-related-andrey-korinets/"
 ],
 "synonyms": [
 "COLDRIVER",
@@ -4890,7 +4895,7 @@
 "Blue Callisto"
 ],
 "targeted-sector": [
- "Government, Administration",
+ "Government Administration",
 "Military",
 "Think Tanks",
 "Journalist"
From 446ff6f2a43a00d8cb6e4157cb0c5ddf5b6aeee5 Mon Sep 17 00:00:00 2001
From: Rony <49360849+r0ny123@users.noreply.github.com>
Date: Sun, 24 Nov 2024 07:27:58 +0000
Subject: [PATCH 5/6] chg: [threat-actor] remove duplicate
---
 clusters/threat-actor.json | 1 -
 1 file changed, 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index fcb4e4e0..e8315496 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
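Review bot: The second hunk rewrites `"Government, Administration"` as `"Government Administration"`, but the comma form is most likely the spelling the galaxy's sector vocabulary and the other clusters in this file use, so the change makes this one cluster's `targeted-sector` value inconsistent and breaks exact-match lookups against that vocabulary. A quick `grep -c '"Government, Administration"' clusters/threat-actor.json` against the tree before this commit shows whether Callisto is now the odd one out. Unless the vocabulary itself has been renamed, keep `"Government, Administration",`.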
@@ -4877,7 +4877,6 @@
 "https://www.justice.gov/opa/media/1327601/dl?inline",
 "https://www.noticeofpleadings.com/starblizzard/",
 "https://edeca.net/post/2024-06-26-an-interesting-callisto-yara-rule",
- "https://blog.sekoia.io/calisto-continues-its-credential-harvesting-campaign",
 "https://blog.sekoia.io/calisto-show-interests-into-entities-involved-in-ukraine-war-support",
 "https://blog.sekoia.io/one-year-after-the-cyber-implications-of-the-russo-ukrainian-war/",
 "https://blog.sekoia.io/calisto-doxxing-sekoia-io-findings-concurs-to-reuters-investigation-on-fsb-related-andrey-korinets/"
From 955b9b14e8cd65619cbb7d57641d6ffa478cb43e Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Sun, 24 Nov 2024 19:49:08 +0100
Subject: [PATCH 6/6] chg: [README] updated
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index f528ac8e..f637f33a 100644
--- a/README.md
+++ b/README.md
@@ -599,7 +599,7 @@ Category: *tea-matrix* - source: ** - total: *7* elements
 [Threat Actor](https://www.misp-galaxy.org/threat-actor) - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. threat-actor-classification meta can be used to clarify the understanding of the threat-actor if also considered as operation, campaign or activity group.
-Category: *actor* - source: *MISP Project* - total: *782* elements
+Category: *actor* - source: *MISP Project* - total: *781* elements
 [[HTML](https://www.misp-galaxy.org/threat-actor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/threat-actor.json)]