From 4127ce9694ab8122ea2b34fb3a3f967a077e7c7f Mon Sep 17 00:00:00 2001
From: "Daniel Plohmann (Saturn)"
Date: Tue, 15 Aug 2023 12:32:51 +0200
Subject: [PATCH 1/2] replaced various broken links with reachable equivalents

---
 clusters/threat-actor.json | 30 +++++++++++++++---------------
 1 file changed, 15 insertions(+), 15 deletions(-)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 77b9db75..540f01d7 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -165,7 +165,7 @@
 "attribution-confidence": "50",
 "country": "CN",
 "refs": [
- "http://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf"
+ "https://dokumen.tips/documents/detecting-and-responding-pandas-and-bears.html"
 ]
 },
 "uuid": "7195b51f-500e-4034-a851-bf34a2728dc8",
@@ -187,7 +187,7 @@
 "attribution-confidence": "50",
 "country": "CN",
 "refs": [
- "http://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Detecting-and-Responding-to-Pandas-and-Bears-Christopher-Scott-CrowdStrike-and-Wendi-Whitmore-IBM.pdf"
+ "https://dokumen.tips/documents/detecting-and-responding-pandas-and-bears.html"
 ]
 },
 "uuid": "432b0304-768f-4fb9-9762-e745ef524ec7",
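Review bot: The replacement refs in hunks -165 and -187 point at dokumen.tips, a third-party document-sharing mirror, rather than at an archived copy of the original SANS PDF; for a threat-intel reference set that is a weaker provenance link, because a mirror can disappear or serve a re-uploaded copy that no longer matches what the original author published. The same concern applies to hunk -3108 (a personal GitHub repository, jack8daniels2/threat-INTel) and hunk -5024 (docs.huihoo.com). Elsewhere in this patch the fix uses web.archive.org snapshots of the original URL (hunks -1871, -2548, -4472, -7236), which keeps the original host and path visible and verifiable; preferring that form here, i.e. `https://web.archive.org/web/<snapshot-timestamp>/<original files.sans.org URL>`, or keeping the original URL alongside the mirror, would be more consistent and easier to audit later.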
@@ -606,7 +606,7 @@
 "https://www.bleepingcomputer.com/news/security/us-arrests-chinese-man-involved-with-sakula-malware-used-in-opm-and-anthem-hacks/",
 "https://gizmodo.com/u-s-indicts-chinese-hacker-spies-in-conspiracy-to-stea-1830111695",
 "https://www.cyberscoop.com/anthem-breach-indictment-chinese-national/",
- "https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/black-vine-cyberespionage-group-15-en.pdf",
+ "https://docs.broadcom.com/doc/the-black-vine-cyberespionage-group",
 "https://attack.mitre.org/groups/G0009/",
 "https://www.secureworks.com/research/threat-profiles/bronze-firestone",
 "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks",
@@ -873,7 +873,7 @@
 "https://i.blackhat.com/Asia-22/Friday-Materials/AS-22-Li-To-Loot-Or-Not-To-Loot-That-Is-Not-a-Question.pdf",
 "https://web.archive.org/web/20140129192702/https://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/",
 "https://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/",
- "https://labs.bitdefender.com/wp-content/uploads/downloads/operation-pzchao-inside-a-highly-specialized-espionage-infrastructure/",
+ "https://www.bitdefender.com/files/News/CaseStudies/study/185/Bitdefender-Business-2017-WhitePaper-PZCHAO-crea2452-en-EN-GenericUse.pdf",
 "https://www.cfr.org/interactive/cyber-operations/iron-tiger",
 "https://www.bleepingcomputer.com/news/security/chinese-cyber-espionage-group-hacked-government-data-center/",
 "https://www.secureworks.com/research/bronze-union",
@@ -1328,7 +1328,7 @@
 "country": "CN",
 "refs": [
 "https://www.cfr.org/interactive/cyber-operations/sneaky-panda",
- "https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/elderwood-project-12-en.pdf",
+ "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=3b0d679a-3707-4075-a2a9-37d1af16d411&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
 "https://attack.mitre.org/groups/G0066/"
 ],
 "synonyms": [
@@ -1871,7 +1871,7 @@
 "attribution-confidence": "50",
 "country": "IR",
 "refs": [
- "http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/",
+ "https://web.archive.org/web/20161020180305/http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/",
 "https://carnegieendowment.org/2018/01/04/iran-s-cyber-ecosystem-who-are-threat-actors-pub-75140"
 ],
 "synonyms": [
@@ -2455,7 +2455,7 @@
 "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/",
 "https://securelist.com/blog/research/72081/satellite-turla-apt-command-and-control-in-the-sky/",
 "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/",
- "https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/waterbug-attack-group-16-en.pdf",
+ "https://docs.broadcom.com/doc/waterbug-attack-group",
 "https://www.theguardian.com/technology/2014/aug/07/turla-hackers-spying-governments-researcher-kaspersky-symantec",
 "https://www.bleepingcomputer.com/news/security/turla-outlook-backdoor-uses-clever-tactics-for-stealth-and-persistence/",
 "https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf",
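Review bot: The new ref in hunk -1328 is a community.broadcom.com library deep link whose identity lives entirely in the `DocumentKey` and `CommunityKey` query parameters, a portal-specific form that is likely to break on the next site migration, exactly as the www-west.symantec.com path it replaces already did. The other two Symantec replacements in this patch (hunks -606 and -2455) use the simpler `https://docs.broadcom.com/doc/<slug>` form; if an equivalent docs.broadcom.com entry exists for the Elderwood paper it would be the more durable choice, and otherwise pairing this link with a web.archive.org snapshot of the original `elderwood-project-12-en.pdf` URL would keep the reference recoverable if the portal link rots again.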
@@ -2548,7 +2548,7 @@
 "country": "RU",
 "refs": [
 "https://www.gov.uk/government/publications/russias-fsb-malign-cyber-activity-factsheet/russias-fsb-malign-activity-factsheet",
- "http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/",
+ "https://web.archive.org/web/20161020180305/http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/",
 "https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf",
 "http://www.netresec.com/?page=Blog&month=2014-10&post=Full-Disclosure-of-Havex-Trojans",
 "https://threatpost.com/energy-watering-hole-attack-used-lightsout-exploit-kit/104772/",
@@ -2634,7 +2634,7 @@
 "https://ics.sans.org/blog/2016/01/09/confirmation-of-a-coordinated-attack-on-the-ukrainian-power-grid",
 "https://web.archive.org/web/20141016132823/https://www.symantec.com/connect/blogs/sandworm-windows-zero-day-vulnerability-being-actively-exploited-targeted-attacks",
 "https://ics.sans.org/blog/2015/12/30/current-reporting-on-the-cyber-attack-in-ukraine-resulting-in-power-outage",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/timeline-of-sandworm-attacks",
+ "https://web.archive.org/web/20141224060545/http://blog.trendmicro.com/trendlabs-security-intelligence/timeline-of-sandworm-attacks/",
 "https://attack.mitre.org/groups/G0034",
 "https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag",
 "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf",
@@ -3108,7 +3108,7 @@
 "attribution-confidence": "50",
 "country": "IN",
 "refs": [
- "https://kung_foo.keybase.pub/papers_and_presentations/Unveiling_an_Indian_Cyberattack_Infrastructure.pdf",
+ "https://github.com/jack8daniels2/threat-INTel/blob/master/2013/Unveiling-an-Indian-Cyberattack-Infrastructure-appendixes.pdf",
 "https://ti.360.net/blog/articles/latest-activity-of-apt-c-35/",
 "https://www.netscout.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia",
 "https://ti.360.net/blog/articles/donot-group-is-targeting-pakistani-businessman-working-in-china-en/",
@@ -4472,7 +4472,7 @@
 "meta": {
 "country": "RU",
 "refs": [
- "https://www.f-secure.com/documents/996508/1030745/callisto-group",
+ "https://web.archive.org/web/20170417102235/https://www.f-secure.com/documents/996508/1030745/callisto-group",
 "https://blog.google/threat-analysis-group/tracking-cyber-activity-eastern-europe",
 "https://blog.google/threat-analysis-group/update-on-cyber-activity-in-eastern-europe",
 "https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag",
@@ -5024,7 +5024,7 @@
 {
 "meta": {
 "refs": [
- "https://www.rsaconference.com/writable/presentations/file_upload/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries_final.pdf"
+ "https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf"
 ]
 },
 "uuid": "7ad01582-d6a7-4a40-a0ee-7727e268cd15",
@@ -7236,7 +7236,7 @@
 "refs": [
 "https://ti.360.net/blog/articles/apt-c-27-(goldmouse):-suspected-target-attack-against-the-middle-east-with-winrar-exploit-en/",
 "https://ti.360.net/blog/articles/analysis-of-apt-c-27/",
- "https://www.pbwcz.cz/Reporty/20180723_CSE_APT27_Syria_v1.pdf"
+ "https://web.archive.org/web/20180827024318/http://csecybsec.com/download/zlab/20180723_CSE_APT27_Syria_v1.pdf"
 ],
 "since": "2014",
 "suspected-victims": [
@@ -9462,7 +9462,7 @@
 "refs": [
 "https://www.computerweekly.com/news/252471769/New-threat-group-behind-Airbus-cyber-attacks-claim-researchers",
 "https://www.contextis.com/en/news/context-identifies-new-avivore-threat-group",
- "https://www.contextis.com/en/blog/avivore"
+ "https://web.archive.org/web/20191208223958/https://www.contextis.com/en/blog/avivore"
 ]
 },
 "uuid": "8045fc09-13d6-4f90-b239-ed5060b9297b",
@@ -10167,7 +10167,7 @@
 "https://www.secureworks.com/blog/supernova-web-shell-deployment-linked-to-spiral-threat-group",
 "https://www.sentinelone.com/labs/solarwinds-understanding-detecting-the-supernova-webshell-trojan",
 "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-027a",
- "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112"
+ "https://www.cisa.gov/news-events/analysis-reports/ar21-112a"
 ]
 },
 "uuid": "3f04dbbc-69bc-409b-82a1-6135f0b6a41c",

From e207218534e12ef42c4b6c6d1ac926cb69d769d2 Mon Sep 17 00:00:00 2001
From: "Daniel Plohmann (Saturn)"
Date: Tue, 15 Aug 2023 12:34:06 +0200
Subject: [PATCH 2/2] version bump

---
 clusters/threat-actor.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 540f01d7..e6ee977b 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -11487,5 +11487,5 @@
 "value": "MoustachedBouncer"
 }
 ],
- "version": 277
+ "version": 278
 }
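Review bot: The replacement in hunk -10167 changes the report identifier itself, from `ar21-112` to `ar21-112a`, not only the host and path, so it is worth confirming that the new page is the analysis report the original ref intended rather than a neighbouring one. The surrounding refs (the secureworks and sentinelone SUPERNOVA posts and `ar21-027a`) suggest the SUPERNOVA-related report was meant, which would make the missing `a` in the old slug a typo that the new URL quietly corrects; if so, a one-line mention of that in the commit message would spare the next maintainer the same check.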