From 3735fd37d5ccc51e0f1430e97b7701755da20ec1 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Tue, 24 Dec 2024 04:59:34 -0800 Subject: [PATCH 1/2] [threat-actors] Add Wassonite --- clusters/threat-actor.json | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 1f54a53e..65a8ebd0 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -17612,6 +17612,18 @@ }, "uuid": "d44be76b-07ad-47b3-a296-3899f27f0702", "value": "UAC-0185" + }, + { + "description": "WASSONITE is a North Korea-linked APT that has targeted industrial sectors, including electric generation, nuclear energy, manufacturing, and research entities in India, South Korea, and Japan since at least 2018. The group employs DTrack RAT for remote access, Mimikatz for credential capture, and various system tools for lateral movement and file transfers. WASSONITE has been observed using nuclear energy-themed spear phishing lures to deploy the AppleSeed backdoor, which can take screenshots, log keystrokes, and execute commands from a C2 server. Their operations focus on initial access, reconnaissance, and data collection without demonstrating disruptive capabilities.", + "meta": { + "country": "KP", + "refs": [ + "https://www.dragos.com/blog/2022-ics-ot-threat-landscape-recap-what-to-watch-for-this-year/", + "https://www.dragos.com/threat/wassonite/" + ] + }, + "uuid": "fba00660-d18c-4af7-831c-25757e495907", + "value": "Wassonite" } ], "version": 322 From fb5665eb028fc0182f0a98921a188835821fde07 Mon Sep 17 00:00:00 2001 From: Mathieu4141 Date: Tue, 24 Dec 2024 04:59:34 -0800 Subject: [PATCH 2/2] [threat actors] Update README --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 8cf14873..88bc1120 100644 --- a/README.md +++ b/README.md @@ -599,7 +599,7 @@ Category: *tea-matrix* - source: ** - total: *7* elements [Threat Actor](https://www.misp-galaxy.org/threat-actor) - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. threat-actor-classification meta can be used to clarify the understanding of the threat-actor if also considered as operation, campaign or activity group. -Category: *actor* - source: *MISP Project* - total: *792* elements +Category: *actor* - source: *MISP Project* - total: *793* elements [[HTML](https://www.misp-galaxy.org/threat-actor)] - [[JSON](https://github.com/MISP/misp-galaxy/blob/main/clusters/threat-actor.json)]