{ "authors": [ "Various" ], "category": "actor", "description": "Activity groups as described by Microsoft", "name": "Microsoft Activity Group actor", "source": "MISP Project", "type": "microsoft-activity-group", "uuid": "28b5e55d-acba-4748-a79d-0afa3512689a", "values": [ { "description": "Microsoft threat actor profile. Origin/Threat: Lebanon.", "meta": { "country": "LB", "microsoft-origin-threat": "Lebanon", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "synonyms": [ "VolcanicTimber", "Volatile Cedar" ] }, "uuid": "043ebe48-3101-5f67-9dd0-de3c9f230031", "value": "Amethyst Rain" }, { "description": "Microsoft threat actor profile. Origin/Threat: China.", "meta": { "country": "CN", "microsoft-origin-threat": "China", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "synonyms": [ "Storm-0558" ] }, "uuid": "ae55260b-eafa-5492-bfa1-19676ade75d2", "value": "Antique Typhoon" }, { "description": "Microsoft threat actor profile. Origin/Threat: Russia.", "meta": { "country": "RU", "microsoft-origin-threat": "Russia", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "sector": "Russia", "synonyms": [ "ACTINIUM", "UNC530", "Primitive Bear", "Gamaredon", "Armageddon", "shuckworm", "SectorC08" ] }, "related": [ { "dest-uuid": "1a77e156-76bc-43f5-bdd7-bd67f30fbbbb", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "fc77a775-d06f-5efc-a6fa-0b2af01902a7", "value": "Aqua Blizzard" }, { "description": "Microsoft Threat Intelligence associates Winnti with multiple activity groups—collections of malware, supporting infrastructure, online personas, victimology, and other attack artifacts that the Microsoft intelligent security graph uses to categorize and attribute threat activity. Microsoft labels activity groups using code names derived from elements in the periodic table. In the case of this malware, the activity groups strongly associated with Winnti are BARIUM and LEAD. But even though they share the use of Winnti, the BARIUM and LEAD activity groups are involved in very different intrusion scenarios. BARIUM begins its attacks by cultivating relationships with potential victims—particularly those working in Business Development or Human Resources—on various social media platforms. Once BARIUM has established rapport, they spear-phish the victim using a variety of unsophisticated malware installation vectors, including malicious shortcut (.lnk) files with hidden payloads, compiled HTML help (.chm) files, or Microsoft Office documents containing macros or exploits. Initial intrusion stages feature the Win32/Barlaiy implant—notable for its use of social network profiles, collaborative document editing sites, and blogs for C&C. Later stages of the intrusions rely upon Winnti for persistent access. The majority of victims recorded to date have been in electronic gaming, multimedia, and Internet content industries, although occasional intrusions against technology companies have occurred.", "meta": { "refs": [ "https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/" ] }, "related": [ { "dest-uuid": "9c124874-042d-48cd-b72b-ccdc51ecbbd6", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "cc70bdbd-afa7-4e19-bba2-2443811ef3af", "value": "BARIUM" }, { "description": "Microsoft threat actor profile. Origin/Threat: Iran.", "meta": { "country": "IR", "microsoft-origin-threat": "Iran", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "synonyms": [ "Storm-0852" ] }, "uuid": "7482e4fa-ae4e-5827-a357-46b1a55c4f59", "value": "Berry Sandstorm" }, { "description": "Microsoft threat actor profile. Origin/Threat: Israel, Private sector offensive actor.", "meta": { "country": "IL", "microsoft-origin-threat": "Israel, Private sector offensive actor", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ] }, "uuid": "258a5cd1-f040-5a2e-8f04-6787bf2f1ae7", "value": "Blue Tsunami" }, { "description": "Microsoft threat actor profile. Origin/Threat: China.", "meta": { "country": "CN", "microsoft-origin-threat": "China", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "sector": "China", "synonyms": [ "BARIUM", "APT41", "WICKED PANDA" ] }, "related": [ { "dest-uuid": "9c124874-042d-48cd-b72b-ccdc51ecbbd6", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "2fc42ffc-dd1a-560e-ac97-05e8fa27bbe5", "value": "Brass Typhoon" }, { "description": "Microsoft threat actor profile. Origin/Threat: China.", "meta": { "country": "CN", "microsoft-origin-threat": "China", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "synonyms": [ "BORON", "GOTHIC PANDA", "UPS", "APT3", "OLDCARP", "TG-0110", "Red Sylvan", "CYBRAN" ] }, "uuid": "53f1281b-790d-5183-9306-b1b1ac38b715", "value": "Brocade Typhoon" }, { "description": "Microsoft threat actor profile. Origin/Threat: Iran.", "meta": { "country": "IR", "microsoft-origin-threat": "Iran", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "synonyms": [ "REMIX KITTEN", "Cadelle", "Chafer" ] }, "uuid": "855828a7-8e3d-5ee7-8c5c-8bb619f6db6c", "value": "Burgundy Sandstorm" }, { "description": "Microsoft threat actor profile. Origin/Threat: Russia.", "meta": { "country": "RU", "microsoft-origin-threat": "Russia", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "sector": "Russia", "synonyms": [ "DEV-0586", "EMBER BEAR" ] }, "related": [ { "dest-uuid": "a5f64c1a-c829-4855-903d-e0ff2098b2d7", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "7f190457-6829-55c4-9b6b-bccdadb747cb", "value": "Cadet Blizzard" }, { "meta": { "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" ], "sector": "Financially motivated", "synonyms": [ "TAAL", "FIN6", "Skeleton Spider" ] }, "related": [ { "dest-uuid": "647894f6-1723-4cba-aba4-0ef0966d5302", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "3126bd2c-3d04-5174-ad03-40136b94f574", "value": "Camouflage Tempest" }, { "description": "Microsoft threat actor profile. Origin/Threat: China.", "meta": { "country": "CN", "microsoft-origin-threat": "China", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "synonyms": [ "CIRCUIT PANDA", "APT24", "Palmerworm", "BlackTech" ] }, "uuid": "59b25baf-5d3b-5e98-824a-2a0b0764e961", "value": "Canary Typhoon" }, { "description": "Microsoft threat actor profile. Origin/Threat: Vietnam.", "meta": { "country": "VN", "microsoft-origin-threat": "Vietnam", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "sector": "Vietnam", "synonyms": [ "BISMUTH", "APT32", "OceanLotus", "OCEAN BUFFALO" ] }, "related": [ { "dest-uuid": "aa29ae56-e54b-47a2-ad16-d3ab0242d5d7", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "ad1a6df6-2251-5e47-a245-8693c1ace8fb", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "37808cab-cbb3-560b-bebd-375fa328ea1e", "value": "Canvas Cyclone" }, { "description": "Microsoft threat actor profile. Origin/Threat: Israel, Private sector offensive actor.", "meta": { "country": "IL", "microsoft-origin-threat": "Israel, Private sector offensive actor", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "sector": "Private sector offensive actor", "synonyms": [ "SOURGUM", "Candiru", "DEV-0236" ] }, "uuid": "1b15288c-ff19-5f52-8c4b-6185de934ff8", "value": "Caramel Tsunami" }, { "description": "Microsoft threat actor profile. Origin/Threat: Private sector offensive actor.", "meta": { "microsoft-origin-threat": "Private sector offensive actor", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "sector": "Private sector offensive actor", "synonyms": [ "DEV-0196", "QuaDream" ] }, "uuid": "ab6940c3-a2f0-5802-9270-87f15f2e168a", "value": "Carmine Tsunami" }, { "description": "Microsoft threat actor profile. Origin/Threat: China.", "meta": { "country": "CN", "microsoft-origin-threat": "China", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "sector": "China", "synonyms": [ "CHROMIUM", "ControlX", "AQUATIC PANDA", "RedHotel", "BRONZE UNIVERSITY" ] }, "related": [ { "dest-uuid": "39150b30-61af-4d9c-9682-1595e145f3c1", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "3f8b7c98-7484-523f-9d58-181274e6fc8f", "value": "Charcoal Typhoon" }, { "description": "Microsoft threat actor profile. Origin/Threat: China.", "meta": { "country": "CN", "microsoft-origin-threat": "China", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "synonyms": [ "CHLORINE", "DEEP PANDA", "ATG50", "APT19", "TG-3551", "Red Gargoyle" ] }, "uuid": "df9c1947-9c78-5538-b4b8-a6385e77c5bb", "value": "Checkered Typhoon" }, { "description": "Microsoft threat actor profile. Origin/Threat: China, Financially motivated.", "meta": { "country": "CN", "microsoft-origin-threat": "China, Financially motivated", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "sector": "Financially motivated", "synonyms": [ "DEV-0401", "Emperor Dragonfly", "Bronze Starlight", "HighGround" ] }, "related": [ { "dest-uuid": "737c0207-1a1a-4480-86e7-b6a5066e1ee5", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "43fe584d-88e5-5f2b-a9fd-a866e62040bb", "value": "Cinnamon Tempest" }, { "description": "Microsoft threat actor profile. Origin/Threat: China.", "meta": { "country": "CN", "microsoft-origin-threat": "China", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "sector": "China", "synonyms": [ "DEV-0322", "EMISSARY PANDA", "APT6", "APT27" ] }, "uuid": "0bebd962-191a-5671-b5b0-f6de7c8180fc", "value": "Circle Typhoon" }, { "description": "Microsoft threat actor profile. Origin/Threat: North Korea.", "meta": { "country": "KP", "microsoft-origin-threat": "North Korea", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "synonyms": [ "Storm-0139", "Storm-1222", "LABYRINTH CHOLLIMA" ] }, "uuid": "c4004152-f87a-5052-b02b-5602ee3c0fd3", "value": "Citrine Sleet" }, { "description": "Microsoft threat actor profile. Origin/Threat: China.", "meta": { "country": "CN", "microsoft-origin-threat": "China", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "synonyms": [ "Storm-2416" ] }, "uuid": "5730cf0f-286d-5f10-9eb0-e5242ec87f08", "value": "Clay Typhoon" }, { "description": "Microsoft threat actor profile. Origin/Threat: China.", "meta": { "country": "CN", "microsoft-origin-threat": "China", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "synonyms": [ "Tonto Team", "Earth Akhlut", "Sharp-R" ] }, "uuid": "32525044-46ee-54c1-a81d-90ee1b9abeb4", "value": "Copper Typhoon" }, { "description": "Microsoft threat actor profile. Origin/Threat: North Korea.", "meta": { "country": "KP", "microsoft-origin-threat": "North Korea", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "synonyms": [ "Storm-1877" ] }, "uuid": "7146aa01-7139-54d7-bd58-d9be2957b64e", "value": "Coral Sleet" }, { "description": "Microsoft threat actor profile. Origin/Threat: Iran.", "meta": { "country": "IR", "microsoft-origin-threat": "Iran", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "sector": "Iran", "synonyms": [ "NEPTUNIUM", "Vice Leaker", "DEV-0198", "HAYWIRE KITTEN" ] }, "uuid": "b06ff51a-77e7-5b7f-9938-4a2d37bce5a4", "value": "Cotton Sandstorm" }, { "description": "Microsoft threat actor profile. Origin/Threat: Covert network.", "meta": { "microsoft-origin-threat": "Covert network", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "synonyms": [ "ORB07" ] }, "uuid": "8fe1ecdc-5718-5a05-9778-df58c0687b32", "value": "CovertNetwork-1658" }, { "description": "Microsoft threat actor profile. Origin/Threat: China.", "meta": { "country": "CN", "microsoft-origin-threat": "China", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "synonyms": [ "CESIUM" ] }, "uuid": "f0321b6d-ba72-556c-b2eb-df47e188ad5c", "value": "Crescent Typhoon" }, { "description": "Microsoft threat actor profile. Origin/Threat: Iran.", "meta": { "country": "IR", "microsoft-origin-threat": "Iran", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "sector": "Iran", "synonyms": [ "CURIUM", "TA456", "Tortoise Shell", "IMPERIAL KITTEN", "HOUSEBLEND" ] }, "uuid": "b76e22b0-26a4-50ca-b876-09bc90a81b3b", "value": "Crimson Sandstorm" }, { "description": "Microsoft threat actor profile. Origin/Threat: Iran.", "meta": { "country": "IR", "microsoft-origin-threat": "Iran", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "sector": "Iran", "synonyms": [ "DEV-0228", "IMPERIAL KITTEN" ] }, "uuid": "badacab7-5097-5817-8516-d8a72de2a71b", "value": "Cuboid Sandstorm" }, { "description": "Microsoft threat actor profile. Origin/Threat: United Arab Emirates.", "meta": { "country": "AE", "microsoft-origin-threat": "United Arab Emirates", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "synonyms": [ "Stealth Falcon", "Fruity Armor", "Project Raven" ] }, "uuid": "667c2c4e-42bf-5383-ac1d-8a875d6c03a8", "value": "Daffodil Gust" }, { "description": "Microsoft threat actor profile. Origin/Threat: Austria, Private sector offensive actor.", "meta": { "country": "AT", "microsoft-origin-threat": "Austria, Private sector offensive actor", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "sector": "Private sector offensive actor", "synonyms": [ "KNOTWEED", "DSIRF", "DEV-0291" ] }, "uuid": "9a4a662a-84a9-5b86-b241-7c5eef9cea4d", "value": "Denim Tsunami" }, { "description": "Microsoft threat actor profile. Origin/Threat: North Korea.", "meta": { "country": "KP", "microsoft-origin-threat": "North Korea", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "sector": "North Korea", "synonyms": [ "ZINC", "Labyrinth Chollima", "Lazarus", "Black Artemis" ] }, "related": [ { "dest-uuid": "68391641-859f-4a9a-9a1e-3e5cf71ec376", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "9630b0aa-ee9e-5b58-9f79-cf7fa8d291a8", "value": "Diamond Sleet" }, { "description": "DUBNIUM (which shares indicators with what Kaspersky researchers have called DarkHotel) is one of the activity groups that has been very active in recent years, and has many distinctive features.", "meta": { "refs": [ "https://securelist.com/blog/research/71713/darkhotels-attacks-in-2015/", "https://blogs.technet.microsoft.com/mmpc/2016/06/09/reverse-engineering-dubnium-2", "https://blogs.technet.microsoft.com/mmpc/2016/06/20/reverse-engineering-dubniums-flash-targeting-exploit/", "https://blogs.technet.microsoft.com/mmpc/2016/07/14/reverse-engineering-dubnium-stage-2-payload-analysis/" ], "synonyms": [ "darkhotel" ] }, "related": [ { "dest-uuid": "b8c8b96d-61e6-47b1-8e38-fd8ad5d9854d", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "f52ab8b8-71f2-5a88-946f-853dc3441efe", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "b56af6ab-69f8-457a-bf50-c3aefa6dc14a", "value": "DUBNIUM" }, { "description": "Microsoft threat actor profile. Origin/Threat: North Korea.", "meta": { "country": "KP", "microsoft-origin-threat": "North Korea", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "sector": "North Korea", "synonyms": [ "THALLIUM", "Kimsuky", "Velvet Chollima", "RGB-D5", "Black Banshee", "Greendinosa" ] }, "related": [ { "dest-uuid": "bcaaad6f-0597-4b89-b69b-84a6be2b7bc3", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "44be06b1-e17a-5ea6-a0a2-067933a7af77", "value": "Emerald Sleet" }, { "description": "Microsoft threat actor profile. Origin/Threat: Singapore.", "meta": { "country": "SG", "microsoft-origin-threat": "Singapore", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "synonyms": [ "PLATINUM", "PARASITE", "RUBYVINE", "GINGERSNAP" ] }, "uuid": "6d0809db-12c3-5193-ad5b-33dbb98fe379", "value": "Fallow Squall" }, { "description": "Microsoft threat actor profile. Origin/Threat: China.", "meta": { "country": "CN", "microsoft-origin-threat": "China", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "synonyms": [ "Storm-0919", "ETHEREAL PANDA" ] }, "uuid": "fd257ab6-5245-52c1-a456-7138d72112ac", "value": "Flax Typhoon" }, { "description": "Microsoft threat actor profile. Origin/Threat: Russia.", "meta": { "country": "RU", "microsoft-origin-threat": "Russia", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "sector": "Russia", "synonyms": [ "STRONTIUM", "APT28", "Fancy Bear", "Sednit", "ATG2", "Sofacy", "Blue Athena", "Z-Lom Team", "Operation Pawn Storm", "Tsar Team", "CrisisFour", "HELLFIRE" ] }, "related": [ { "dest-uuid": "5b4ee3ea-eee3-4c8e-8323-85ae32658754", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "3d9f700c-5eb5-5d36-a6e7-47b55f2844cd", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "8d84d7b0-7716-5ab3-a3a4-f373dd148347", "value": "Forest Blizzard" }, { "description": "GADOLINIUM is a nation-state activity group that has been compromising targets for nearly a decade with a worldwide focus on the maritime and health industries. As with most threat groups, GADOLINIUM tracks the tools and techniques of security practitioners looking for new techniques they can use or modify to create new exploit methods.\nHistorically, GADOLINIUM used custom-crafted malware families that analysts can identify and defend against. In response, over the last year GADOLINIUM has begun to modify portions of its toolchain to use open-source toolkits to obfuscate their activity and make it more difficult for analysts to track. Because cloud services frequently offer a free trial or one-time payment (PayGo) account offerings, malicious actors have found ways to take advantage of these legitimate business offerings. By establishing free or PayGo accounts, they can use cloud-based technology to create a malicious infrastructure that can be established quickly then taken down before detection or given up at little cost.", "meta": { "refs": [ "https://www.microsoft.com/security/blog/2020/09/24/gadolinium-detecting-empires-cloud/" ] }, "related": [ { "dest-uuid": "5b4b6980-3bc7-11e8-84d6-879aaac37dd9", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "99e708f7-1c01-467d-b0da-f6cebd434abc", "value": "GADOLINIUM" }, { "description": "Microsoft Threat Intelligence Center (MSTIC) is raising awareness of the ongoing activity by a group we call GALLIUM, targeting telecommunication providers. When Microsoft customers have been targeted by this activity, we notified them directly with the relevant information they need to protect themselves. By sharing the detailed methodology and indicators related to GALLIUM activity, we’re encouraging the security community to implement active defenses to secure the broader ecosystem from these attacks.\nTo compromise targeted networks, GALLIUM target unpatched internet-facing services using publicly available exploits and have been known to target vulnerabilities in WildFly/JBoss. Once persistence is established in a network, GALLIUM uses common techniques and tools like Mimikatz to obtain credentials that allows for lateral movement across the target network. Within compromised networks, GALLIUM makes no attempt to obfuscate their intent and are known to use common versions of malware and publicly available toolkits with small modifications. The operators rely on low cost and easy to replace infrastructure that consists of dynamic-DNS domains and regularly reused hop points.\nThis activity from GALLIUM has been identified predominantly through 2018 to mid-2019. GALLIUM is still active; however, activity levels have dropped when compared to what was previously observed.", "meta": { "refs": [ "https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/" ], "synonyms": [ "Operation Soft Cell" ] }, "related": [ { "dest-uuid": "8dda51ef-9a30-48f7-b0fd-5b6f0a62262d", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "e400b6c5-77cf-453d-ba0f-44575583ac6c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "similar" } ], "uuid": "6085aad0-1d95-11ea-a140-078d42aced40", "value": "GALLIUM" }, { "description": "Microsoft threat actor profile. Origin/Threat: Russia.", "meta": { "country": "RU", "microsoft-origin-threat": "Russia", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "sector": "Russia", "synonyms": [ "BROMINE", "Energetic Bear", "Crouching Yeti", "BERSERK BEAR", "TG-4192", "Koala Team", "Blue Kraken", "Dragonfly" ] }, "related": [ { "dest-uuid": "64d6559c-6d5c-4585-bbf9-c17868f763ee", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "45d0f984-2b63-517b-922a-12924bcf4f68", "value": "Ghost Blizzard" }, { "description": "Microsoft threat actor profile. Origin/Threat: China.", "meta": { "country": "CN", "microsoft-origin-threat": "China", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "sector": "China", "synonyms": [ "GADOLINIUM", "APT40", "Leviathan", "TEMP.Periscope", "Kryptonite Panda", "JJDoor", "Feverdream" ] }, "related": [ { "dest-uuid": "5b4b6980-3bc7-11e8-84d6-879aaac37dd9", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "dbc45b46-5b64-50d4-b0f1-d7de888d4e85", "value": "Gingham Typhoon" }, { "description": "Microsoft threat actor profile. Origin/Threat: China.", "meta": { "country": "CN", "microsoft-origin-threat": "China", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "sector": "China", "synonyms": [ "GALLIUM", "PHANTOM PANDA" ] }, "related": [ { "dest-uuid": "e400b6c5-77cf-453d-ba0f-44575583ac6c", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "ae4036de-c901-5f21-808a-f5c071ef509b", "value": "Granite Typhoon" }, { "description": "Microsoft threat actor profile. Origin/Threat: Iran.", "meta": { "country": "IR", "microsoft-origin-threat": "Iran", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "sector": "Iran", "synonyms": [ "DEV-0343" ] }, "uuid": "395473c6-be98-5369-82d1-cdbc97b3fddc", "value": "Gray Sandstorm" }, { "description": "HAFNIUM primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs. HAFNIUM has previously compromised victims by exploiting vulnerabilities in internet-facing servers, and has used legitimate open-source frameworks, like Covenant, for command and control. Once they’ve gained access to a victim network, HAFNIUM typically exfiltrates data to file sharing sites like MEGA. In campaigns unrelated to these vulnerabilities, Microsoft has observed HAFNIUM interacting with victim Office 365 tenants. While they are often unsuccessful in compromising customer accounts, this reconnaissance activity helps the adversary identify more details about their targets’ environments. HAFNIUM operates primarily from leased virtual private servers (VPS) in the United States.", "meta": { "refs": [ "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/" ] }, "related": [ { "dest-uuid": "4f05d6c1-3fc1-4567-91cd-dd4637cc38b5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "similar" } ], "uuid": "fbb66d6c-0faa-49cc-8aa3-2f9bd4e9c298", "value": "HAFNIUM" }, { "description": "Microsoft threat actor profile. Origin/Threat: Iran.", "meta": { "country": "IR", "microsoft-origin-threat": "Iran", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "sector": "Iran", "synonyms": [ "EUROPIUM", "Cobalt Gypsy", "APT34", "OilRig", "HELIX KITTEN", "Crambus" ] }, "related": [ { "dest-uuid": "42be2a84-5a5c-4c6d-9864-3f09d75bb0ba", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "86724806-7ec9-4a48-a0a7-ecbde3bf4810", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "a0082cfa-32e2-42b8-92d8-5c7a7409dcf1", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "b6260d6d-a2f7-5b79-8132-5c456a225f53", "value": "Hazel Sandstorm" }, { "description": "Microsoft threat actor profile. Origin/Threat: China.", "meta": { "country": "CN", "microsoft-origin-threat": "China", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "synonyms": [ "HELIUM", "AURORA PANDA", "APT17", "Hidden Lynx", "ATG3", "Red Typhoon", "KAOS", "TG-8153", "SportsFans", "DeputyDog", "Tailgater" ] }, "uuid": "a418d583-d520-5207-bec9-b634417d7f41", "value": "Heart Typhoon" }, { "description": "Microsoft threat actor profile. Origin/Threat: China.", "meta": { "country": "CN", "microsoft-origin-threat": "China", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "synonyms": [ "HYDROGEN", "NUMBERED PANDA", "Calc Team", "Red Anubis", "APT12", "DNS-Calc", "HORDE" ] }, "uuid": "a8df4364-1b52-5cee-b103-da42fa640ddc", "value": "Hexagon Typhoon" }, { "description": "Microsoft threat actor profile. Origin/Threat: China.", "meta": { "country": "CN", "microsoft-origin-threat": "China", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "synonyms": [ "HASSIUM", "DRAGNET PANDA", "isoon", "deepclif" ] }, "uuid": "7f875c7f-8209-5faa-877e-c0b5708d1a70", "value": "Houndstooth Typhoon" }, { "description": "Microsoft threat actor profile. Origin/Threat: North Korea.", "meta": { "country": "KP", "microsoft-origin-threat": "North Korea", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "synonyms": [ "Storm-0954", "LABYRINTH CHOLLIMA" ] }, "uuid": "67df1658-fa43-5cd0-9234-7ff2b86c2a8b", "value": "Jade Sleet" }, { "description": "Microsoft threat actor profile. Origin/Threat: North Korea.", "meta": { "country": "KP", "microsoft-origin-threat": "North Korea", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "synonyms": [ "Storm-0287" ] }, "uuid": "c7b33217-b9d9-538d-8947-63dc0d89e9dc", "value": "Jasper Sleet" }, { "description": "Microsoft threat actor profile. Origin/Threat: Financially motivated.", "meta": { "microsoft-origin-threat": "Financially motivated", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "sector": "Financially motivated", "synonyms": [ "DEV-0950", "FIN11", "TA505" ] }, "related": [ { "dest-uuid": "03c80674-35f8-4fe0-be2b-226ed0fcd69f", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "c01aadc6-1087-4e8e-8d5c-a27eba409fe3", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "b27dcdee-14b1-5842-86b3-32eacec94584", "value": "Lace Tempest" }, { "description": "In contrast, LEAD has established a far greater reputation for industrial espionage. In the past few years, LEAD’s victims have included: Multinational, multi-industry companies involved in the manufacture of textiles, chemicals, and electronics Pharmaceutical companies A company in the chemical industry University faculty specializing in aeronautical engineering and research A company involved in the design and manufacture of motor vehicles A cybersecurity company focusing on protecting industrial control systems During these intrusions, LEAD’s objective was to steal sensitive data, including research materials, process documents, and project plans. LEAD also steals code-signing certificates to sign its malware in subsequent attacks. In most cases, LEAD’s attacks do not feature any advanced exploit techniques. The group also does not make special effort to cultivate victims prior to an attack. Instead, the group often simply emails a Winnti installer to potential victims, relying on basic social engineering tactics to convince recipients to run the attached malware. In some other cases, LEAD gains access to a target by brute-forcing remote access login credentials, performing SQL injection, or exploiting unpatched web servers, and then they copy the Winnti installer directly to compromised machines.", "meta": { "refs": [ "https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/" ] }, "related": [ { "dest-uuid": "9c124874-042d-48cd-b72b-ccdc51ecbbd6", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "f542442e-ba0f-425d-b386-6c10351a468e", "value": "LEAD" }, { "description": "Microsoft threat actor profile. Origin/Threat: Iran.", "meta": { "country": "IR", "microsoft-origin-threat": "Iran", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "sector": "Iran", "synonyms": [ "RUBIDIUM", "Fox Kitten", "UNC757", "PioneerKitten", "PIONEER KITTEN" ] }, "related": [ { "dest-uuid": "bfb0bc20-5bdf-47ff-b07f-dbd9a3cb9772", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "0757856a-1313-57d8-bb6c-f4c537e110da", "value": "Lemon Sandstorm" }, { "description": "Microsoft threat actor profile. Origin/Threat: China.", "meta": { "country": "CN", "microsoft-origin-threat": "China", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "synonyms": [ "LEAD", "WICKED PANDA", "TG-2633", "TG-3279", "Mana", "KAOS", "Red Diablo", "Winnti Group" ] }, "uuid": "7796ae6d-a7fe-5ec0-976d-badff57ac65b", "value": "Leopard Typhoon" }, { "description": "Microsoft threat actor profile. Origin/Threat: China.", "meta": { "country": "CN", "microsoft-origin-threat": "China", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "sector": "China", "synonyms": [ "DEV-0234" ] }, "uuid": "aa45a89c-4c2b-5f6b-9a3d-51abccaa9623", "value": "Lilac Typhoon" }, { "description": "Microsoft threat actor profile. Origin/Threat: China.", "meta": { "country": "CN", "microsoft-origin-threat": "China", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "synonyms": [ "IODINE", "EMISSARY PANDA", "Red Phoenix", "Hippo", "Lucky Mouse", "BOWSER", "APT27", "Wekby2", "UNC215", "TG-3390" ] }, "uuid": "45dc2a46-f0b1-5b5c-bf32-57d160542800", "value": "Linen Typhoon" }, { "description": "Microsoft threat actor profile. Origin/Threat: Financially motivated.", "meta": { "microsoft-origin-threat": "Financially motivated", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ] }, "uuid": "1a85f99d-4fe1-5e89-bc84-32710f64ff69", "value": "Luna Tempest" }, { "description": "Microsoft threat actor profile. Origin/Threat: Türkiye.", "meta": { "country": "TR", "microsoft-origin-threat": "Türkiye", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "synonyms": [ "PROMETHIUM", "StrongPity", "SmallPity" ] }, "uuid": "0d0c07ff-2246-5f59-80c7-b3b743252a76", "value": "Magenta Dust" }, { "description": "Microsoft threat actor profile. Origin/Threat: Russia.", "meta": { "country": "RU", "microsoft-origin-threat": "Russia", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "sector": "Financially motivated", "synonyms": [ "DEV-0243", "EvilCorp", "UNC2165", "Indrik Spider" ] }, "related": [ { "dest-uuid": "658314bc-3bb8-48d2-913a-c528607b75c8", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "b19bc1a0-2489-56ae-aa61-ed147310363e", "value": "Manatee Tempest" }, { "description": "Microsoft threat actor profile. Origin/Threat: Iran.", "meta": { "country": "IR", "microsoft-origin-threat": "Iran", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "sector": "Iran", "synonyms": [ "MERCURY", "MuddyWater", "SeedWorm", "Static Kitten", "TEMP.Zagros" ] }, "related": [ { "dest-uuid": "a29af069-03c3-4534-b78b-7d1a77ea085b", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "da68ca6d-250f-50f1-a585-240475fdbb35", "value": "Mango Sandstorm" }, { "description": "Microsoft threat actor profile. Origin/Threat: Türkiye.", "meta": { "country": "TR", "microsoft-origin-threat": "Türkiye", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "sector": "Turkey", "synonyms": [ "SILICON", "Sea Turtle", "COSMIC WOLF", "UNC1326" ] }, "related": [ { "dest-uuid": "ce7bba52-5ae8-44ea-9979-68502d832ab7", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "fc91881e-92c0-5a63-a0b9-b253958a594e", "value": "Marbled Dust" }, { "description": "Microsoft threat actor profile. Origin/Threat: Iran.", "meta": { "country": "IR", "microsoft-origin-threat": "Iran", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "sector": "Iran", "synonyms": [ "DEV-0500", "Moses Staff", "DEV-500", "VENGEFUL KITTEN" ] }, "related": [ { "dest-uuid": "d45dd940-b38d-4b2c-9f2f-3e4a0eac841c", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "ef415059-e150-5324-877e-44b65ab022f5", "value": "Marigold Sandstorm" }, { "description": "Microsoft threat actor profile. Origin/Threat: Russia.", "meta": { "country": "RU", "microsoft-origin-threat": "Russia", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "sector": "Russia", "synonyms": [ "NOBELIUM", "APT29", "Cozy Bear", "UNC2452" ] }, "related": [ { "dest-uuid": "b2056ff0-00b9-482e-b11c-c771daa5f28a", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "2ee5ed7a-c4d0-40be-a837-20817474a15b", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "31982812-c8bf-5e85-b0ba-0c64a7d05d20", "value": "Midnight Blizzard" }, { "description": "Microsoft threat actor profile. Origin/Threat: Iran.", "meta": { "country": "IR", "microsoft-origin-threat": "Iran", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "sector": "Iran", "synonyms": [ "PHOSPHORUS", "APT35", "Charming Kitten", "Parastoo", "Newscaster" ] }, "related": [ { "dest-uuid": "f98bac6b-12fd-4cad-be84-c84666932232", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "b8967b3c-3bc9-11e8-8701-8b1ead8c099e", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "400cd1b8-52b7-5a5c-984f-9b4af35ea231", "value": "Mint Sandstorm" }, { "description": "Microsoft threat actor profile. Origin/Threat: North Korea.", "meta": { "country": "KP", "microsoft-origin-threat": "North Korea", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "synonyms": [ "Storm-1789", "LABYRINTH CHOLLIMA" ] }, "uuid": "b1e94607-7211-585d-8197-73e7d9229400", "value": "Moonstone Sleet" }, { "description": "Microsoft threat actor profile. Origin/Threat: China.", "meta": { "country": "CN", "microsoft-origin-threat": "China", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "sector": "China", "synonyms": [ "MANGANESE", "APT5", "Keyhole Panda", "TABCTENG", "Backdoor-DPD", "COVENANT", "CYSERVICE", "Bottle", "Red Horus", "Red Naga", "Auriga", "ATG48", "TG-2754" ] }, "related": [ { "dest-uuid": "a47b79ae-7a0c-4308-9efc-294af19cc795", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "fa562b27-d3ff-5e7c-9079-c957eb01a0e0", "value": "Mulberry Typhoon" }, { "description": "Microsoft threat actor profile. Origin/Threat: Financially motivated.", "meta": { "microsoft-origin-threat": "Financially motivated", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "sector": "Financially motivated", "synonyms": [ "DEV-0206", "Purple Vallhund", "INDRIK SPIDER" ] }, "uuid": "1b1524f4-16b0-5b85-aea4-844babea4ccb", "value": "Mustard Tempest" }, { "description": "NEODYMIUM is an activity group that is known to use a backdoor malware detected by Microsoft as Wingbird. This backdoor’s characteristics closely match FinFisher, a government-grade commercial surveillance package. Data about Wingbird activity indicate that it is typically used to attack individual computers instead of networks.", "meta": { "refs": [ "https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/" ] }, "related": [ { "dest-uuid": "025bdaa9-897d-4bad-afa6-013ba5734653", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "ada08ea8-4517-4eea-aff1-3ad69e5466bb", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "47b5007a-3fb1-466a-9578-629e6e735493", "value": "NEODYMIUM" }, { "description": "Microsoft threat actor profile. Origin/Threat: Russia, Influence operations.", "meta": { "country": "RU", "microsoft-origin-threat": "Russia, Influence operations", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "synonyms": [ "Storm-1516", "CopyCop" ] }, "uuid": "50ad9a39-a0c3-5ade-af96-fb57ea465bd5", "value": "Neva Flood" }, { "description": "Microsoft threat actor profile. Origin/Threat: Israel.", "meta": { "country": "IL", "microsoft-origin-threat": "Israel", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "sector": "Private sector offensive actor", "synonyms": [ "DEV-0336", "NSO Group" ] }, "uuid": "af54315b-3561-5046-8b9b-c3e9e05c0f77", "value": "Night Tsunami" }, { "description": "Threat actor behind the attacks against SolarWinds, the SUNBURST backdoor, TEARDROP malware, GoldMax malware.", "meta": { "refs": [ "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/", "https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html" ] }, "related": [ { "dest-uuid": "2ee5ed7a-c4d0-40be-a837-20817474a15b", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "16902832-0118-40f2-b29e-eaba799b2bf4", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "uses" }, { "dest-uuid": "aba3fd7d-87cc-4266-82a1-d458ae299266", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "uses" }, { "dest-uuid": "1e912590-c879-4a9c-81b9-2d31e82ac718", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "uses" }, { "dest-uuid": "", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "uses" }, { "dest-uuid": "", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "uses" }, { "dest-uuid": "0125ef58-2675-426f-90eb-0b189961199a", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "uses" }, { "dest-uuid": "f169f0b3-fe4d-40e5-a443-2561c98eb67e", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "uses" }, { "dest-uuid": "2d5072db-64e2-4d81-9b3a-3aa76cfa978b", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "uses" } ], "uuid": "d7247cf9-13b6-4781-b789-a5f33521633b", "value": "NOBELIUM" }, { "description": "Microsoft threat actor profile. Origin/Threat: China.", "meta": { "country": "CN", "microsoft-origin-threat": "China", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "sector": "China", "synonyms": [ "NICKEL", "ke3chang", "APT15", "Vixen Panda", "Playful Dragon", "RedRiver", "Mirage" ] }, "related": [ { "dest-uuid": "3501fbf2-098f-47e7-be6a-6b0ff5742ce8", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "66571167-13fe-5817-93e0-54ae8f206fdc", "value": "Nylon Typhoon" }, { "description": "Microsoft threat actor profile. Origin/Threat: Financially motivated.", "meta": { "microsoft-origin-threat": "Financially motivated", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "synonyms": [ "SCATTERED SPIDER", "0ktapus" ] }, "uuid": "565b1ffa-6aa0-534d-a7bd-82ae942dd813", "value": "Octo Tempest" }, { "description": "Microsoft threat actor profile. Origin/Threat: Russia, Influence operations.", "meta": { "country": "RU", "microsoft-origin-threat": "Russia, Influence operations", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "synonyms": [ "Storm-1679" ] }, "uuid": "3f0694c2-605d-5ac3-bdd2-09c2d4be3d73", "value": "Oka Flood" }, { "description": "Microsoft threat actor profile. Origin/Threat: North Korea.", "meta": { "country": "KP", "microsoft-origin-threat": "North Korea", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "synonyms": [ "PLUTONIUM", "SILENT CHOLLIMA", "StoneFly", "Tdrop2 campaign", "DarkSeoul", "Black Chollima", "Andariel", "APT45" ] }, "uuid": "26a2854b-51e4-5fc9-8c30-2880d1483ed1", "value": "Onyx Sleet" }, { "description": "Microsoft threat actor profile. Origin/Threat: North Korea.", "meta": { "country": "KP", "microsoft-origin-threat": "North Korea", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "sector": "North Korea", "synonyms": [ "OSMIUM", "Konni", "VELVET CHOLLIMA", "Planedown", "APT43" ] }, "uuid": "5163b2d9-7521-5225-a7a8-88d881fbc406", "value": "Opal Sleet" }, { "description": "One actor that has emerged in this trend of human-operated attacks is an active, highly adaptive group that frequently drops Wadhrama as payload.\n PARINACOTA impacts three to four organizations every week and appears quite resourceful: during the 18 months that we have been monitoring it, we have observed the group change tactics to match its needs and use compromised machines for various purposes, including cryptocurrency mining, sending spam emails, or proxying for other attacks. The group’s goals and payloads have shifted over time, influenced by the type of compromised infrastructure, but in recent months, they have mostly deployed the Wadhrama ransomware.\nThe group most often employs a smash-and-grab method, whereby they attempt to infiltrate a machine in a network and proceed with subsequent ransom in less than an hour. There are outlier campaigns in which they attempt reconnaissance and lateral movement, typically when they land on a machine and network that allows them to quickly and easily move throughout the environment.\nPARINACOTA’s attacks typically brute forces their way into servers that have Remote Desktop Protocol (RDP) exposed to the internet, with the goal of moving laterally inside a network or performing further brute-force activities against targets outside the network. This allows the group to expand compromised infrastructure under their control. Frequently, the group targets built-in local administrator accounts or a list of common account names. In other instances, the group targets Active Directory (AD) accounts that they compromised or have prior knowledge of, such as service accounts of known vendors.\nThe group adopted the RDP brute force technique that the older ransomware called Samas (also known as SamSam) infamously used. Other malware families like GandCrab, MegaCortext, LockerGoga, Hermes, and RobbinHood have also used this method in targeted ransomware attacks. PARINACOTA, however, has also been observed to adapt to any path of least resistance they can utilize. For instance, they sometimes discover unpatched systems and use disclosed vulnerabilities to gain initial access or elevate privileges.", "meta": { "refs": [ "https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/" ] }, "related": [ { "dest-uuid": "42148074-196b-4f8c-b149-12163fc385fa", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "uses" }, { "dest-uuid": "4245e4cd-a57a-4e0b-9853-acaa549d495d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "similar" } ], "uuid": "00edb40d-2fed-4d36-98b1-c85fc2bb1168", "value": "PARINACOTA" }, { "description": "Microsoft threat actor profile from the public naming mapping feed.", "meta": { "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "synonyms": [ "Storm-0113" ] }, "uuid": "aac2327b-d330-55a0-8ead-d20df7413a56", "value": "Patched Lightning" }, { "description": "Microsoft threat actor profile. Origin/Threat: Iran.", "meta": { "country": "IR", "microsoft-origin-threat": "Iran", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "sector": "Iran", "synonyms": [ "HOLMIUM", "APT33", "Refined Kitten", "Elfin" ] }, "related": [ { "dest-uuid": "4f69ec6d-cb6b-42af-b8e2-920a2aa4be10", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "4c0f085a-70b1-5ee6-a45a-dc368f03e701", "value": "Peach Sandstorm" }, { "description": "Microsoft threat actor profile. Origin/Threat: North Korea.", "meta": { "country": "KP", "microsoft-origin-threat": "North Korea", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "sector": "North Korea", "synonyms": [ "LAWRENCIUM", "DEV-0215" ] }, "uuid": "1c5c67ad-c241-5103-99d0-daab5a554b0d", "value": "Pearl Sleet" }, { "description": "Microsoft threat actor profile. Origin/Threat: China.", "meta": { "country": "CN", "microsoft-origin-threat": "China", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "synonyms": [ "LIMINAL PANDA", "CL-STA-0969" ] }, "uuid": "dfdd0ccd-9755-5988-8b23-595d0188608f", "value": "Pepper Typhoon" }, { "description": "Microsoft threat actor profile. Origin/Threat: Russia.", "meta": { "country": "RU", "microsoft-origin-threat": "Russia", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "sector": "Financially motivated", "synonyms": [ "DEV-0193", "Wizard Spider", "UNC2053" ] }, "related": [ { "dest-uuid": "bdf4fe4f-af8a-495f-a719-cf175cecda1f", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "120dc1ae-e850-5059-a4fb-520748ca6881", "value": "Periwinkle Tempest" }, { "description": "Microsoft threat actor profile. Origin/Threat: Israel, Financially motivated.", "meta": { "country": "IL", "microsoft-origin-threat": "Israel, Financially motivated", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "sector": "Financially motivated", "synonyms": [ "DEV-0796", "ClickPirate", "Chrome Loader", "Choziosi loader" ] }, "uuid": "3c9a0350-8d17-5624-872c-fe44969a5888", "value": "Phlox Tempest" }, { "description": "Microsoft threat actor profile. Origin/Threat: Iran.", "meta": { "country": "IR", "microsoft-origin-threat": "Iran", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "sector": "Iran", "synonyms": [ "AMERICIUM", "Agrius", "Deadwood", "BlackShadow", "SharpBoys", "DEV-0227", "SPECTRAL KITTEN", "FireAnt", "Justice Blade" ] }, "uuid": "cca311c0-dc91-5aee-b282-5e412040dac3", "value": "Pink Sandstorm" }, { "description": "Microsoft threat actor profile from the public naming mapping feed.", "meta": { "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "synonyms": [ "NIOBIUM", "RENEGADE JACKAL", "Desert Falcons", "Scimitar", "Arid Viper" ] }, "uuid": "21d4413c-47f5-55c5-8074-aef6212c88ec", "value": "Pinstripe Lightning" }, { "description": "Microsoft threat actor profile. Origin/Threat: Financially motivated.", "meta": { "microsoft-origin-threat": "Financially motivated", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "sector": "Financially motivated", "synonyms": [ "DEV-0237", "FIN12" ] }, "related": [ { "dest-uuid": "bdf4fe4f-af8a-495f-a719-cf175cecda1f", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "567ea386-a78f-5550-ae7c-9c9eacdf45af", "value": "Pistachio Tempest" }, { "description": "Microsoft threat actor profile. Origin/Threat: Lebanon.", "meta": { "country": "LB", "microsoft-origin-threat": "Lebanon", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "sector": "Lebanon", "synonyms": [ "POLONIUM", "INCENDIARY JACKAL" ] }, "related": [ { "dest-uuid": "3c5129ea-8f18-4bcf-a33b-b5aab0720494", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "ce5357da-0e15-5022-bd4f-74aa689d0b2e", "value": "Plaid Rain" }, { "description": "PLATINUM has been targeting its victims since at least as early as 2009, and may have been active for several years prior. Its activities are distinctly different not only from those typically seen in untargeted attacks, but from many targeted attacks as well. A large share of targeted attacks can be characterized as opportunistic: the activity group changes its target profiles and attack geographies based on geopolitical seasons, and may attack institutions all over the world. Like many such groups, PLATINUM seeks to steal sensitive intellectual property related to government interests, but its range of preferred targets is consistently limited to specific governmental organizations, defense institutes, intelligence agencies, diplomatic institutions, and telecommunication providers in South and Southeast Asia. The group’s persistent use of spear phishing tactics (phishing attempts aimed at specific individuals) and access to previously undiscovered zero-day exploits have made it a highly resilient threat.", "meta": { "refs": [ "https://blogs.technet.microsoft.com/mmpc/2016/04/26/digging-deep-for-platinum/", "http://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf" ] }, "related": [ { "dest-uuid": "f9c06633-dcff-48a1-8588-759e7cec5694", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "1fc5671f-5757-43bf-8d6d-a9a93b03713a", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "154e97b5-47ef-415a-99a6-2157f1b50339", "value": "PLATINUM" }, { "description": "PROMETHIUM is an activity group that has been active as early as 2012. The group primarily uses Truvasys, a first-stage malware that has been in circulation for several years. Truvasys has been involved in several attack campaigns, where it has masqueraded as one of server common computer utilities, including WinUtils, TrueCrypt, WinRAR, or SanDisk. In each of the campaigns, Truvasys malware evolved with additional features—this shows a close relationship between the activity groups behind the campaigns and the developers of the malware.", "meta": { "refs": [ "https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/" ] }, "related": [ { "dest-uuid": "efed95ba-d7e8-47ff-8c53-99c42426ee7c", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "43894e2a-174e-4931-94a8-2296afe8f650", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "5744f91a-d2d8-4f92-920f-943dd80c578f", "value": "PROMETHIUM" }, { "description": "Microsoft threat actor profile. Origin/Threat: Iran.", "meta": { "country": "IR", "microsoft-origin-threat": "Iran", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "sector": "Iran", "synonyms": [ "DEV-0146", "ZeroCleare" ] }, "uuid": "562049d7-78f5-5a65-b7db-c509c9f483f7", "value": "Pumpkin Sandstorm" }, { "description": "Microsoft threat actor profile. Origin/Threat: China.", "meta": { "country": "CN", "microsoft-origin-threat": "China", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "synonyms": [ "POTASSIUM", "STONE PANDA", "GOLEM", "Evilgrab", "AEON", "LIVESAFE", "ChChes", "APT10", "Haymaker", "Webmonder", "Foxtrot", "Foxmail", "MenuPass", "Red Apollo" ] }, "uuid": "2a3bd953-67fc-5966-a333-2c954522dec4", "value": "Purple Typhoon" }, { "description": "Microsoft threat actor profile. Origin/Threat: China.", "meta": { "country": "CN", "microsoft-origin-threat": "China", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "sector": "China", "synonyms": [ "RADIUM", "APT30", "LotusBlossom", "LOTUS PANDA" ] }, "related": [ { "dest-uuid": "d3881afe-f781-4c53-9f68-33487a119a59", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "b3c378fc-1ce3-5a46-a32e-f55a584c6536", "value": "Raspberry Typhoon" }, { "description": "Microsoft threat actor profile. Origin/Threat: Iran.", "meta": { "country": "IR", "microsoft-origin-threat": "Iran", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "synonyms": [ "Storm-0842", "BANISHED KITTEN", "Void Manticore" ] }, "uuid": "46db3943-9a37-5f2b-8238-5b768934785e", "value": "Red Sandstorm" }, { "description": "Microsoft threat actor profile. Origin/Threat: North Korea.", "meta": { "country": "KP", "microsoft-origin-threat": "North Korea", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "sector": "North Korea", "synonyms": [ "CERIUM", "VELVET CHOLLIMA" ] }, "uuid": "c29e7262-6a6f-501d-8c00-57f75f2172a3", "value": "Ruby Sleet" }, { "description": "Microsoft threat actor profile. Origin/Threat: Russia, Influence operations.", "meta": { "country": "RU", "microsoft-origin-threat": "Russia, Influence operations", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ] }, "uuid": "bf33d93e-070c-5e0f-87b6-7bd25c881155", "value": "Ruza Flood" }, { "description": "Microsoft threat actor profile. Origin/Threat: China.", "meta": { "country": "CN", "microsoft-origin-threat": "China", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "synonyms": [ "SODIUM", "MAVERICK PANDA", "APT4" ] }, "uuid": "6da413e3-a027-5616-af21-0702f67ae972", "value": "Salmon Typhoon" }, { "description": "Microsoft threat actor profile. Origin/Threat: China.", "meta": { "country": "CN", "microsoft-origin-threat": "China", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "synonyms": [ "OPERATOR PANDA", "GhostEmperor", "FamousSparrow" ] }, "uuid": "3b357ed0-c50c-5793-b0e9-e60ada7a50e5", "value": "Salt Typhoon" }, { "description": "Microsoft threat actor profile. Origin/Threat: Ukraine, Financially motivated.", "meta": { "country": "UA", "microsoft-origin-threat": "Ukraine, Financially motivated", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "sector": "Financially motivated", "synonyms": [ "ELBRUS", "Carbon Spider", "FIN7" ] }, "related": [ { "dest-uuid": "00220228-a5a4-4032-a30d-826bb55aa3fb", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "9471ad21-0553-5483-bf7c-e6ad9c062c79", "value": "Sangria Tempest" }, { "description": "Microsoft threat actor profile. Origin/Threat: North Korea.", "meta": { "country": "KP", "microsoft-origin-threat": "North Korea", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "sector": "North Korea", "synonyms": [ "COPERNICIUM", "Genie Spider", "BlueNoroff", "UNC1069", "STARDUST CHOLLIMA", "Alluring Pisces", "CageyChameleon", "CryptoCore" ] }, "related": [ { "dest-uuid": "68391641-859f-4a9a-9a1e-3e5cf71ec376", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "3a32c54d-d86a-55de-b16a-d9a08a5cf49b", "value": "Sapphire Sleet" }, { "description": "Microsoft threat actor profile. Origin/Threat: China.", "meta": { "country": "CN", "microsoft-origin-threat": "China", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "synonyms": [ "SCANDIUM", "DYNAMITE PANDA", "COMBINE", "TG-0416", "SILVERVIPER", "Red Wraith", "APT18", "Elderwood Group", "Wekby" ] }, "uuid": "073df49d-f3c8-5459-b8d8-89e7beb348ef", "value": "Satin Typhoon" }, { "description": "Microsoft threat actor profile. Origin/Threat: Russia.", "meta": { "country": "RU", "microsoft-origin-threat": "Russia", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "sector": "Russia", "synonyms": [ "IRIDIUM", "Sandworm", "VOODOO BEAR", "BE2", "UAC-0113", "Blue Echidna", "PHANTOM", "BlackEnergy Lite", "APT44" ] }, "related": [ { "dest-uuid": "f512de42-f76b-40d2-9923-59e7dbdfec35", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "29cfe970-5446-4cfc-a2da-00e9f49e02ba", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "0fdab65b-3e2b-5fd8-be36-cc18c7bcc1d7", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "473eb51c-36cb-5e3a-8347-2f57df809be9", "value": "Seashell Blizzard" }, { "description": "Microsoft threat actor profile. Origin/Threat: Russia.", "meta": { "country": "RU", "microsoft-origin-threat": "Russia", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "sector": "Russia", "synonyms": [ "KRYPTON", "Venomous Bear", "Turla", "Snake", "Uroburos", "Blue Python", "WRAITH", "ATG26" ] }, "related": [ { "dest-uuid": "fa80877c-f509-4daf-8b62-20aba1635f68", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "8d19da8a-d0fa-5194-ad6f-315cc4f36c8b", "value": "Secret Blizzard" }, { "description": "Microsoft threat actor profile. Origin/Threat: Iran, Influence operations.", "meta": { "country": "IR", "microsoft-origin-threat": "Iran, Influence operations", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ] }, "uuid": "61f350a3-6507-5045-a3ef-0a5f773c9fe0", "value": "Sefid Flood" }, { "description": "Microsoft threat actor profile. Origin/Threat: China.", "meta": { "country": "CN", "microsoft-origin-threat": "China", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "synonyms": [ "Storm-0062", "DarkShadow", "Oro0lxy" ] }, "uuid": "4349a6d9-7838-57dc-9873-ddd5835ae428", "value": "Shadow Typhoon" }, { "description": "Microsoft threat actor profile. Origin/Threat: China.", "meta": { "country": "CN", "microsoft-origin-threat": "China", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "sector": "China", "synonyms": [ "HAFNIUM", "MURKY PANDA", "timmy" ] }, "related": [ { "dest-uuid": "4f05d6c1-3fc1-4567-91cd-dd4637cc38b5", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "9728610a-17cb-5cac-9322-ef19ae296a29", "value": "Silk Typhoon" }, { "description": "Microsoft threat actor profile. Origin/Threat: Iran.", "meta": { "country": "IR", "microsoft-origin-threat": "Iran", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "sector": "Iran", "synonyms": [ "BOHRIUM", "IMPERIAL KITTEN", "UNC1549" ] }, "uuid": "4426d375-1435-5ccc-8c1f-f8688bd11f80", "value": "Smoke Sandstorm" }, { "description": "Microsoft threat actor profile. Origin/Threat: Financially motivated.", "meta": { "microsoft-origin-threat": "Financially motivated", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "sector": "Financially motivated", "synonyms": [ "CHIMBORAZO", "TA505", "MONTY SPIDER" ] }, "related": [ { "dest-uuid": "03c80674-35f8-4fe0-be2b-226ed0fcd69f", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "c85120d0-c397-5d30-9d57-3b019090acd5", "value": "Spandex Tempest" }, { "description": "Microsoft threat actor profile. Origin/Threat: Russia.", "meta": { "country": "RU", "microsoft-origin-threat": "Russia", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "sector": "Russia", "synonyms": [ "SEABORGIUM", "Callisto", "Reuse Team", "COLDRIVER", "Callisto Group", "BlueCharlie", "TA446" ] }, "related": [ { "dest-uuid": "fbd279ab-c095-48dc-ba48-4bece3dd5b0f", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "06630ccd-98ed-5aec-8083-e04c894bd2d6", "value": "Star Blizzard" }, { "description": "Microsoft threat actor profile. Origin/Threat: Iran.", "meta": { "country": "IR", "microsoft-origin-threat": "Iran", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "synonyms": [ "HEXANE", "Lyceum", "Siamesekitten", "Spirlin" ] }, "uuid": "dd5654f6-4ea2-53d9-bdd7-4e4e1d07dd86", "value": "Storm-0133" }, { "description": "Microsoft threat actor profile. Origin/Threat: Pakistan.", "meta": { "country": "PK", "microsoft-origin-threat": "Pakistan", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "synonyms": [ "MYTHIC LEOPARD", "SideCopy", "APT36", "Transparent Tribe" ] }, "uuid": "5df61c0b-9a22-5125-a9a6-048acca641a4", "value": "Storm-0156" }, { "description": "Microsoft threat actor profile. Origin/Threat: Financially motivated.", "meta": { "microsoft-origin-threat": "Financially motivated", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "synonyms": [ "TUNNEL SPIDER", "UNC2198" ] }, "uuid": "4435483b-a130-5d25-96f2-3625ed1d02b5", "value": "Storm-0216" }, { "description": "Microsoft threat actor profile. Origin/Threat: Group in development.", "meta": { "microsoft-origin-threat": "Group in development", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "synonyms": [ "WIZARD SPIDER", "Conti Team 1" ] }, "uuid": "7d9a8d61-6863-5c80-941d-840a1de3a944", "value": "Storm-0230" }, { "description": "Microsoft threat actor profile. Origin/Threat: China.", "meta": { "country": "CN", "microsoft-origin-threat": "China", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "synonyms": [ "ToddyCat", "Websiic" ] }, "uuid": "7a81f6b8-1e7f-5f28-8f69-8267bec40406", "value": "Storm-0247" }, { "description": "Microsoft threat actor profile. Origin/Threat: Group in development.", "meta": { "microsoft-origin-threat": "Group in development", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ] }, "uuid": "fc30a605-a6af-5f02-b93d-e2c352370cb3", "value": "Storm-0249" }, { "description": "Microsoft threat actor profile. Origin/Threat: Group in development.", "meta": { "microsoft-origin-threat": "Group in development", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "synonyms": [ "CHATTY SPIDER" ] }, "uuid": "303e4e4f-4ae5-52aa-9f17-0dd0f7f99223", "value": "Storm-0252" }, { "meta": { "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" ], "sector": "Group in development", "synonyms": [ "DEV-0257", "UNC1151" ] }, "related": [ { "dest-uuid": "749aaa11-f0fd-416b-bf6c-112f9b5930a5", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "60ac9e2c-b3b2-5c6b-913e-935952e14c28", "value": "Storm-0257" }, { "description": "Microsoft threat actor profile. Origin/Threat: Group in development.", "meta": { "microsoft-origin-threat": "Group in development", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ] }, "uuid": "2c858cc8-fb74-5e4e-a92d-e57471bba3a1", "value": "Storm-0259" }, { "description": "Microsoft threat actor profile. Origin/Threat: Group in development.", "meta": { "microsoft-origin-threat": "Group in development", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "synonyms": [ "FIN8" ] }, "uuid": "6671d8ae-7856-595e-8b84-680c02131493", "value": "Storm-0288" }, { "description": "Microsoft threat actor profile. Origin/Threat: Group in development.", "meta": { "microsoft-origin-threat": "Group in development", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "synonyms": [ "NARWHAL SPIDER", "TA544" ] }, "uuid": "71761cb6-1046-574b-a438-2dbc32733503", "value": "Storm-0302" }, { "description": "Microsoft threat actor profile. Origin/Threat: Group in development.", "meta": { "microsoft-origin-threat": "Group in development", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ] }, "uuid": "24435633-bfd9-58e8-8199-ad37d46d6b59", "value": "Storm-0408" }, { "description": "Microsoft threat actor profile. Origin/Threat: Group in development.", "meta": { "microsoft-origin-threat": "Group in development", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ] }, "uuid": "6541e7b1-c2bb-575e-90f1-49305625c17b", "value": "Storm-0485" }, { "description": "Microsoft threat actor profile. Origin/Threat: Financially motivated.", "meta": { "microsoft-origin-threat": "Financially motivated", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ] }, "uuid": "559c8dc4-1022-50ed-9f1c-d7715737fd87", "value": "Storm-0501" }, { "meta": { "country": "KP", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" ], "sector": "North Korea", "synonyms": [ "DEV-0530", "H0lyGh0st" ] }, "uuid": "ab314f1c-8d07-5edb-bb32-64d1105f74ff", "value": "Storm-0530" }, { "description": "Microsoft threat actor profile. Origin/Threat: Group in development.", "meta": { "microsoft-origin-threat": "Group in development", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "synonyms": [ "SKELETON SPIDER", "FIN6" ] }, "uuid": "8ad930d9-fcdb-531b-827f-c4a05c36e152", "value": "Storm-0538" }, { "description": "Microsoft threat actor profile. Origin/Threat: Financially motivated.", "meta": { "microsoft-origin-threat": "Financially motivated", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ] }, "uuid": "b5678bd7-4ec0-51c0-8371-0846cc558e98", "value": "Storm-0539" }, { "description": "Microsoft threat actor profile. Origin/Threat: Financially motivated.", "meta": { "microsoft-origin-threat": "Financially motivated", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ] }, "uuid": "d7bd75a2-15e3-5293-a53a-5a467326f5de", "value": "Storm-0569" }, { "description": "Microsoft threat actor profile. Origin/Threat: Russia.", "meta": { "country": "RU", "microsoft-origin-threat": "Russia", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "synonyms": [ "InvisiMole" ] }, "uuid": "44bd7d68-2522-55b2-86ee-d1f74fe95281", "value": "Storm-0593" }, { "description": "Microsoft threat actor profile. Origin/Threat: Group in development.", "meta": { "microsoft-origin-threat": "Group in development", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "synonyms": [ "UNC2596", "Tropicalscorpius" ] }, "uuid": "d4c3823c-1535-597b-8e7d-784612ade7aa", "value": "Storm-0671" }, { "description": "Microsoft threat actor profile. Origin/Threat: China.", "meta": { "country": "CN", "microsoft-origin-threat": "China", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ] }, "uuid": "c83eb0f5-eaff-5b3b-b938-4f9068255bf7", "value": "Storm-0940" }, { "description": "Microsoft threat actor profile. Origin/Threat: Russia.", "meta": { "country": "RU", "microsoft-origin-threat": "Russia", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "synonyms": [ "RomCom", "Underground Team" ] }, "uuid": "b2e3b39d-3988-530d-be21-ccc4f31f0caa", "value": "Storm-0978" }, { "description": "Microsoft threat actor profile. Origin/Threat: Group in development.", "meta": { "microsoft-origin-threat": "Group in development", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ] }, "uuid": "69b69079-ccb0-5d6a-a69c-86b5c4fae168", "value": "Storm-1101" }, { "description": "Microsoft threat actor profile. Origin/Threat: Financially motivated.", "meta": { "microsoft-origin-threat": "Financially motivated", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "synonyms": [ "APOTHECARY SPIDER" ] }, "uuid": "669b24db-d543-560a-851a-5ba81a586350", "value": "Storm-1113" }, { "description": "Microsoft threat actor profile. Origin/Threat: Belarus.", "meta": { "country": "BY", "microsoft-origin-threat": "Belarus", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "synonyms": [ "MoustachedBouncer" ] }, "uuid": "c373a2a3-f80d-515f-b1d8-13595c47de11", "value": "Storm-1125" }, { "description": "Microsoft threat actor profile. Origin/Threat: Financially motivated.", "meta": { "microsoft-origin-threat": "Financially motivated", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ] }, "uuid": "d9d23fe2-8efb-51cf-8913-91ed75f9379e", "value": "Storm-1152" }, { "description": "Microsoft threat actor profile. Origin/Threat: China, Financially motivated.", "meta": { "country": "CN", "microsoft-origin-threat": "China, Financially motivated", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ] }, "uuid": "fdb4a217-6ea3-58bd-b0af-35c01ebb5cad", "value": "Storm-1175" }, { "description": "Microsoft threat actor profile. Origin/Threat: Group in development.", "meta": { "microsoft-origin-threat": "Group in development", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "synonyms": [ "MONTI" ] }, "uuid": "45b05a13-80ac-5f99-82a0-7c0bc41bc38a", "value": "Storm-1194" }, { "description": "Microsoft threat actor profile. Origin/Threat: Group in development.", "meta": { "microsoft-origin-threat": "Group in development", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ] }, "uuid": "3fc0b642-a037-5165-9e4b-c64e8f9593e2", "value": "Storm-1249" }, { "description": "Microsoft threat actor profile. Origin/Threat: Russia, Influence operations.", "meta": { "country": "RU", "microsoft-origin-threat": "Russia, Influence operations", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ] }, "uuid": "8b3ef1b4-c68d-56b8-8767-a2c293f4a65e", "value": "Storm-1516" }, { "description": "Microsoft threat actor profile. Origin/Threat: Financially motivated.", "meta": { "microsoft-origin-threat": "Financially motivated", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "synonyms": [ "PUNK SPIDER" ] }, "uuid": "ba96d568-f803-50c9-907b-d11947123257", "value": "Storm-1567" }, { "description": "Microsoft threat actor profile. Origin/Threat: Group in development.", "meta": { "microsoft-origin-threat": "Group in development", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ] }, "uuid": "567d3da5-d486-5f6c-a5f6-ed5cb4990ee2", "value": "Storm-1575" }, { "description": "Microsoft threat actor profile. Origin/Threat: Group in development.", "meta": { "microsoft-origin-threat": "Group in development", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ] }, "uuid": "a90661e5-8b7a-5206-807f-aef8517aaf23", "value": "Storm-1607" }, { "description": "Microsoft threat actor profile. Origin/Threat: Financially motivated.", "meta": { "microsoft-origin-threat": "Financially motivated", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ] }, "uuid": "30ed08d3-db95-5d08-9504-9e9781a253d4", "value": "Storm-1674" }, { "description": "Microsoft threat actor profile. Origin/Threat: Group in development.", "meta": { "microsoft-origin-threat": "Group in development", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ] }, "uuid": "317f8679-6add-5f53-9d60-a233bc860519", "value": "Storm-1747" }, { "description": "Microsoft threat actor profile. Origin/Threat: Financially motivated.", "meta": { "microsoft-origin-threat": "Financially motivated", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "synonyms": [ "CURLY SPIDER" ] }, "uuid": "6784f384-a942-5d7a-b693-4f8e383d54e0", "value": "Storm-1811" }, { "description": "Microsoft threat actor profile. Origin/Threat: Group in development.", "meta": { "microsoft-origin-threat": "Group in development", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ] }, "uuid": "f0f9425a-f3ba-59ad-b1a7-41ec0bed10e3", "value": "Storm-1865" }, { "description": "Microsoft threat actor profile. Origin/Threat: China.", "meta": { "country": "CN", "microsoft-origin-threat": "China", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "synonyms": [ "SneakyCheff", "UNK_SweetSpecter" ] }, "uuid": "2df0d679-4402-54c9-8a04-af98861312a7", "value": "Storm-1982" }, { "description": "Microsoft threat actor profile. Origin/Threat: Iran, Influence operations.", "meta": { "country": "IR", "microsoft-origin-threat": "Iran, Influence operations", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ] }, "uuid": "67b75e8c-2a19-523f-ae3c-0e56fde9875b", "value": "Storm-2035" }, { "description": "Microsoft threat actor profile. Origin/Threat: China.", "meta": { "country": "CN", "microsoft-origin-threat": "China", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "synonyms": [ "TAG-100" ] }, "uuid": "bb60789d-b159-53a7-b852-6f076380cf4e", "value": "Storm-2077" }, { "description": "Microsoft threat actor profile. Origin/Threat: Group in development.", "meta": { "microsoft-origin-threat": "Group in development", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ] }, "uuid": "919c0184-9b73-55f5-9f70-f931155ac58c", "value": "Storm-2227" }, { "description": "Microsoft threat actor profile. Origin/Threat: Group in development.", "meta": { "microsoft-origin-threat": "Group in development", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ] }, "uuid": "35f8662a-f8a2-57b4-9ae2-df4d05e93b80", "value": "Storm-2372" }, { "description": "Microsoft threat actor profile. Origin/Threat: Group in development.", "meta": { "microsoft-origin-threat": "Group in development", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "synonyms": [ "Lumma Stealer" ] }, "uuid": "d43caa08-f997-582f-ae95-c522dbc486a6", "value": "Storm-2460" }, { "description": "Microsoft threat actor profile. Origin/Threat: China.", "meta": { "country": "CN", "microsoft-origin-threat": "China", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ] }, "uuid": "20935d1b-dafd-5373-bfd1-df8519507641", "value": "Storm-2470" }, { "description": "Microsoft threat actor profile. Origin/Threat: Group in development.", "meta": { "microsoft-origin-threat": "Group in development", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ] }, "uuid": "1476ebb5-2336-53b0-a1c6-d23bab1497a8", "value": "Storm-2477" }, { "description": "Microsoft threat actor profile. Origin/Threat: Group in development.", "meta": { "microsoft-origin-threat": "Group in development", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ] }, "uuid": "fdaa6bfe-3b2a-5947-a6eb-71a12002719f", "value": "Storm-2561" }, { "description": "Microsoft threat actor profile. Origin/Threat: China.", "meta": { "country": "CN", "microsoft-origin-threat": "China", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ] }, "uuid": "afe95d2e-227c-59d3-918f-007163912e8f", "value": "Storm-2603" }, { "description": "Microsoft threat actor profile. Origin/Threat: United States, Financially motivated.", "meta": { "microsoft-origin-threat": "United States, Financially motivated", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "synonyms": [ "Payroll Pirates" ] }, "uuid": "e7d96acd-a70c-5589-847f-1d6a8c6788ba", "value": "Storm-2657" }, { "description": "Microsoft threat actor profile. Origin/Threat: Financially motivated.", "meta": { "microsoft-origin-threat": "Financially motivated", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ] }, "uuid": "5f98bdf4-a39c-5e99-ba2d-fc36c10c2b0c", "value": "Storm-2755" }, { "description": "Microsoft threat actor profile. Origin/Threat: Group in development.", "meta": { "microsoft-origin-threat": "Group in development", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "synonyms": [ "Coinbase Cartel" ] }, "uuid": "2dcf0edc-5cc9-5100-8e7b-11b5fa93b659", "value": "Storm-2981" }, { "description": "Microsoft threat actor profile. Origin/Threat: Financially motivated.", "meta": { "microsoft-origin-threat": "Financially motivated", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "sector": "Financially motivated", "synonyms": [ "DEV-0537", "LAPSUS$", "SLIPPY SPIDER" ] }, "related": [ { "dest-uuid": "d9e5be22-1a04-4956-af6c-37af02330980", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "d4dfb329-822c-5db3-a078-a8c0f77924da", "value": "Strawberry Tempest" }, { "description": "STRONTIUM has been active since at least 2007. Whereas most modern untargeted malware is ultimately profit-oriented, STRONTIUM mainly seeks sensitive information. Its primary institutional targets have included government bodies, diplomatic institutions, and military forces and installations in NATO member states and certain Eastern European countries. Additional targets have included journalists, political advisors, and organizations associated with political activism in central Asia. STRONTIUM is an activity group that usually targets government agencies, diplomatic institutions, and military organizations, as well as affiliated private sector organizations such as defense contractors and public policy research institutes. Microsoft has attributed more 0-day exploits to STRONTIUM than any other tracked group in 2016. STRONTIUM frequently uses compromised e-mail accounts from one victim to send malicious e-mails to a second victim and will persistently pursue specific targets for months until they are successful in compromising the victims’ computer. ", "meta": { "country": "RU", "refs": [ "https://blogs.technet.microsoft.com/mmpc/2016/11/01/our-commitment-to-our-customers-security/", "http://download.microsoft.com/download/4/4/C/44CDEF0E-7924-4787-A56A-16261691ACE3/Microsoft_Security_Intelligence_Report_Volume_19_A_Profile_Of_A_Persistent_Adversary_English.pdf", "https://blogs.technet.microsoft.com/mmpc/2015/11/16/microsoft-security-intelligence-report-strontium/", "https://blogs.microsoft.com/on-the-issues/2018/08/20/we-are-taking-new-steps-against-broadening-threats-to-democracy/", "https://www.bleepingcomputer.com/news/security/microsoft-disrupts-apt28-hacking-campaign-aimed-at-us-midterm-elections/" ], "synonyms": [ "APT 28", "APT28", "Pawn Storm", "Fancy Bear", "Sednit", "TsarTeam", "TG-4127", "Group-4127", "Sofacy", "Grey-Cloud" ] }, "related": [ { "dest-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "5b4ee3ea-eee3-4c8e-8323-85ae32658754", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "3d9f700c-5eb5-5d36-a6e7-47b55f2844cd", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "213cdde9-c11a-4ea9-8ce0-c868e9826fec", "value": "STRONTIUM" }, { "description": "Microsoft threat actor profile from the public naming mapping feed.", "meta": { "country": "RU", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "sector": "Russia", "synonyms": [ "DEV-0665" ] }, "uuid": "79f8646f-d127-51b7-b502-b096b445c322", "value": "Sunglow Blizzard" }, { "description": "Microsoft threat actor profile. Origin/Threat: China.", "meta": { "country": "CN", "microsoft-origin-threat": "China", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "synonyms": [ "TELLURIUM", "STALKER PANDA", "Tick", "Bronze Butler", "REDBALDKNIGHT" ] }, "uuid": "655dd99e-fc7d-5f7b-88f0-796d6beb4857", "value": "Swirl Typhoon" }, { "description": "Microsoft threat actor profile. Origin/Threat: China.", "meta": { "country": "CN", "microsoft-origin-threat": "China", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "synonyms": [ "TECHNETIUM", "TURBINE PANDA", "TG-0055", "Red Kobold", "JerseyMikes", "APT26", "BEARCLAW" ] }, "uuid": "31da9f81-56d4-5c95-87c3-ec4568cdfc2a", "value": "Taffeta Typhoon" }, { "description": "Microsoft threat actor profile. Origin/Threat: China, Influence operations.", "meta": { "country": "CN", "microsoft-origin-threat": "China, Influence operations", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "synonyms": [ "Dragonbridge", "Spamouflage" ] }, "uuid": "f69bbe03-a0c5-5f59-ada9-e1b9f1beea0c", "value": "Taizi Flood" }, { "description": "Microsoft Threat Intelligence identified similarities between this recent attack and previous 2012 attacks against tens of thousands of computers belonging to organizations in the energy sector. Microsoft Threat Intelligence refers to the activity group behind these attacks as TERBIUM, following our internal practice of assigning rogue actors chemical element names.", "meta": { "refs": [ "https://blogs.technet.microsoft.com/mmpc/2016/12/09/windows-10-protection-detection-and-response-against-recent-attacks/" ] }, "related": [ { "dest-uuid": "46670c51-fea4-45d6-bdd4-62e85a5c7404", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "99784b80-6298-45ba-885c-0ed37bfd8324", "value": "TERBIUM" }, { "meta": { "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" ], "sector": "Financially motivated", "synonyms": [ "SPURR", "Vatet" ] }, "uuid": "028b667a-1102-5b1e-9726-edbf145d9d8f", "value": "Tomato Tempest" }, { "description": "Microsoft threat actor profile. Origin/Threat: China.", "meta": { "country": "CN", "microsoft-origin-threat": "China", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "synonyms": [ "THORIUM", "Karst" ] }, "uuid": "c58445b5-0c8c-5844-83ef-5c3a7176f0e1", "value": "Tumbleweed Typhoon" }, { "description": "Microsoft threat actor profile. Origin/Threat: China.", "meta": { "country": "CN", "microsoft-origin-threat": "China", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "synonyms": [ "TANTALUM", "MUSTANG PANDA", "BRONZE PRESIDENT", "LuminousMoth" ] }, "uuid": "4020ad2a-fa0e-56f2-a33a-bffb3b1717f6", "value": "Twill Typhoon" }, { "description": "Microsoft threat actor profile. Origin/Threat: Financially motivated.", "meta": { "microsoft-origin-threat": "Financially motivated", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "sector": "Financially motivated", "synonyms": [ "DEV-0832", "VICE SPIDER", "Vice Society" ] }, "uuid": "a01da064-988c-5ad3-92c6-9537adb6a5f0", "value": "Vanilla Tempest" }, { "description": "Microsoft threat actor profile. Origin/Threat: Financially motivated.", "meta": { "microsoft-origin-threat": "Financially motivated", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "sector": "Financially motivated", "synonyms": [ "DEV-0504", "ALPHA SPIDER" ] }, "uuid": "0662a721-a92e-50b3-a5ac-0c4142ac9aeb", "value": "Velvet Tempest" }, { "description": "Microsoft threat actor profile. Origin/Threat: China.", "meta": { "country": "CN", "microsoft-origin-threat": "China", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "sector": "China", "synonyms": [ "ZIRCONIUM", "APT31", "JUDGMENT PANDA", "Chameleon", "WebFans" ] }, "related": [ { "dest-uuid": "6bf7e6b6-5917-45a6-9567-f0baba79768c", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "27eb4928-b3e6-5ae1-bbb6-f73bce8d7c69", "value": "Violet Typhoon" }, { "description": "Microsoft threat actor profile. Origin/Threat: Russia.", "meta": { "country": "RU", "microsoft-origin-threat": "Russia", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "synonyms": [ "Laundry Bear" ] }, "uuid": "0bd1fd55-daef-51ad-82c5-4d79859f87d1", "value": "Void Blizzard" }, { "description": "Microsoft threat actor profile. Origin/Threat: Russia, Influence operations.", "meta": { "country": "RU", "microsoft-origin-threat": "Russia, Influence operations", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "synonyms": [ "Storm-1841", "Rybar" ] }, "uuid": "5efac1a3-ede6-53d5-88d5-6c650df36cab", "value": "Volga Flood" }, { "description": "Microsoft threat actor profile. Origin/Threat: China.", "meta": { "country": "CN", "microsoft-origin-threat": "China", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "synonyms": [ "VANGUARD PANDA", "BRONZE SILHOUETTE" ] }, "uuid": "7c4a32dc-24d5-5d69-96a2-9d0a2ae0f31b", "value": "Volt Typhoon" }, { "description": "Microsoft threat actor profile. Origin/Threat: Financially motivated.", "meta": { "microsoft-origin-threat": "Financially motivated", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "synonyms": [ "GOLD", "Gatak" ] }, "uuid": "9288268f-8511-5932-8a0c-f240c0799603", "value": "Wheat Tempest" }, { "meta": { "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" ], "sector": "Financially motivated", "synonyms": [ "PARINACOTA", "Wadhrama" ] }, "related": [ { "dest-uuid": "4245e4cd-a57a-4e0b-9853-acaa549d495d", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "5939e42e-06d0-5719-8072-62f0fc0821e8", "value": "Wine Tempest" }, { "description": "Microsoft threat actor profile. Origin/Threat: India, Private sector offensive actor.", "meta": { "microsoft-origin-threat": "India, Private sector offensive actor", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "sector": "Private sector offensive actor", "synonyms": [ "DEV-0605", "CyberRoot", "MintedSoil" ] }, "uuid": "2263b6c9-861a-5971-b882-9ea4a84fcf74", "value": "Wisteria Tsunami" }, { "description": "Microsoft threat actor profile. Origin/Threat: China, Influence operations.", "meta": { "country": "CN", "microsoft-origin-threat": "China, Influence operations", "refs": [ "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "synonyms": [ "Storm-1852" ] }, "uuid": "18e08038-d73d-5f35-9851-b226e499c438", "value": "Yulong Flood" }, { "description": "Microsoft threat actor profile. Origin/Threat: Korea.", "meta": { "country": "KR", "microsoft-origin-threat": "Korea", "refs": [ "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide", "https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json" ], "sector": "South Korea", "synonyms": [ "DUBNIUM", "Dark Hotel", "Tapaoux", "SHADOW CRANE", "Nemim", "TEMPLAR", "TieOnJoe", "Fallout Team", "Purple Pygmy", "Egobot", "PALADIN", "APT-C-60" ] }, "related": [ { "dest-uuid": "f52ab8b8-71f2-5a88-946f-853dc3441efe", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { "dest-uuid": "b8c8b96d-61e6-47b1-8e38-fd8ad5d9854d", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "0a4ddab3-a1a6-5372-b11f-5edc25c0e548", "value": "Zigzag Hail" }, { "description": "In addition to strengthening generic detection of EoP exploits, Microsoft security researchers are actively gathering threat intelligence and indicators attributable to ZIRCONIUM, the activity group using the CVE-2017-0005 exploit. ", "meta": { "refs": [ "https://blogs.technet.microsoft.com/mmpc/2017/03/27/detecting-and-mitigating-elevation-of-privilege-exploit-for-cve-2017-0005/" ] }, "related": [ { "dest-uuid": "6bf7e6b6-5917-45a6-9567-f0baba79768c", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" } ], "uuid": "2d19c573-252b-49d8-8c2e-3b529b91e72d", "value": "ZIRCONIUM" } ], "version": 22 }