Merge branch 'jstnk9-main' into main

MISP · Oct 20, 2023 · c585caa · c585caa
2 parents 800928a + 416cd67
commit c585caa
Showing 1 changed file with 47 additions and 2 deletions.
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
@@ -209,6 +209,30 @@
       "uuid": "8a8f39df-74b3-4946-ab64-f84968bababe",
       "value": "DIZZY PANDA"
     },
+    {
+      "description": "Grayling activity was first observed in early 2023, when a number of victims were identified with distinctive malicious DLL side-loading activity. Grayling appears to target organisations in Asia, however one unknown organisation in the United States was also targeted. Industries targeted include Biomedical, Government and Information Technology. Grayling use a variety of tools during their attacks, including well known tools such as Cobalt Strike and Havoc and also some others.",
+      "meta": {
+        "attribution-confidence": "50",
+        "cfr-suspected-state-sponsor": "China",
+        "cfr-suspected-victims": [
+          "Taiwan",
+          "United States",
+          "Vietnam",
+          "Solomon Islands"
+        ],
+        "cfr-target-category": [
+          "Biomedical",
+          "Government",
+          "Information technology"
+        ],
+        "country": "CN",
+        "refs": [
+          "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/grayling-taiwan-cyber-attacks"
+        ]
+      },
+      "uuid": "6714de29-4dd8-463c-99a3-77c9e80fa47d",
+      "value": "Grayling"
+    },
     {
       "description": "Putter Panda were the subject of an extensive report by CrowdStrike, which stated: 'The CrowdStrike Intelligence team has been tracking this particular unit since2012, under the codename PUTTER PANDA, and has documented activity dating back to 2007. The report identifies Chen Ping, aka cpyy, and the primary location of Unit 61486.'",
       "meta": {
@@ -7530,8 +7554,29 @@
     {
       "description": "Since April 2018, an APT group (Blind Eagle, APT-C-36) suspected coming from South America carried out continuous targeted attacks against Colombian government institutions as well as important corporations in financial sector, petroleum industry, professional manufacturing, etc.",
       "meta": {
+        "cfr-suspected-victims": [
+          "Ecuador",
+          "Colombia",
+          "Spain",
+          "Panama",
+          "Chile"
+        ],
+        "cfr-target-category": [
+          "Petroleum",
+          "Manufacturing",
+          "Financial",
+          "Private sector",
+          "Government"
+        ],
+        "cfr-type-of-incident": "Espionage",
         "refs": [
-          "https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/"
+          "https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/",
+          "https://www.ecucert.gob.ec/wp-content/uploads/2022/03/alerta-APTs-2022-03-23.pdf",
+          "https://blogs.blackberry.com/en/2023/02/blind-eagle-apt-c-36-targets-colombia",
+          "https://lab52.io/blog/apt-c-36-recent-activity-analysis/",
+          "https://www.trendmicro.com/en_ph/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html",
+          "https://research.checkpoint.com/2023/blindeagle-targeting-ecuador-with-sharpened-tools/",
+          "https://attack.mitre.org/groups/G0099/"
         ],
         "synonyms": [
           "Blind Eagle"
@@ -12004,5 +12049,5 @@
       "value": "Void Rabisu"
     }
   ],
-  "version": 286
+  "version": 287
 }