Skip to content

WIP: add :targeted_{countries,industries} to Actor #447

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
frenchy64 wants to merge 1 commit into
base: master
Choose a base branch
from
Draft

WIP: add :targeted_{countries,industries} to Actor #447

frenchy64 wants to merge 1 commit into from

Conversation

@frenchy64
Copy link
Contributor

@frenchy64 frenchy64 commented Jun 3, 2024
edited
Loading

XDR-2098

michaels-den
michaels-den reviewed Jun 17, 2024
View reviewed changes
src/ctim/examples/actors.cljc
:tlp "green"
:aliases ["alias 1" "alias 2"]})
:aliases ["alias 1" "alias 2"]
:targeted_countries ["840"]
Copy link
Contributor

@michaels-den michaels-den Jun 17, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's us 3166-1 A2 codes, ie 2-letter country codes, see the following example:

  "[APT38](https://attack.mitre.org/groups/G0082) is a North Korean state-sponsored     
threat group that specializes in financial cyber operations; it has been attributed to  
the Reconnaissance General Bureau.(Citation: CISA AA20-239A BeagleBoyz August 2020)     
Active since at least 2014, [APT38](https://attack.mitre.org/groups/G0082) has targeted 
banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system          
endpoints, and ATMs in at least 38 countries worldwide. Significant operations include  
the 2016 Bank of Bangladesh heist, during which                                         
[APT38](https://attack.mitre.org/groups/G0082) stole $81 million, as well as attacks    
against Bancomext (2018) and Banco de Chile (2018); some of their attacks have been     
destructive.(Citation: CISA AA20-239A BeagleBoyz August 2020)(Citation: FireEye APT38   
Oct 2018)(Citation: DOJ North Korea Indictment Feb 2021)(Citation: Kaspersky Lazarus    
Under The Hood Blog 2017)\n\nNorth Korean group definitions are known to have           
significant overlap, and some security researchers report all North Korean              
state-sponsored cyber activity under the name [Lazarus                                  
Group](https://attack.mitre.org/groups/G0032) instead of tracking clusters or           
subgroups.",                                                                            
  :aliases                                                                              
  ["APT38"                                                                              
   "NICKEL GLADSTONE"                                                                   
   "BeagleBoyz"                                                                         
   "Bluenoroff"                                                                         
   "Stardust Chollima"],                                                                
  :external_references                                                                  
  {:external_id "G0082",                                                                
   :source_name "mitre-attack",                                                         
   :url "https://attack.mitre.org/groups/G0082"},                                       
  :mitre_group_id "G0082",                                                              
  :targeted_industries ["financial-services", "government"]                             
  :targeted_countries ["BD", "MX", "CL"]}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@gbuisson gbuisson Awaiting requested review from gbuisson gbuisson will be requested when the pull request is marked ready for review gbuisson is a code owner

@yogsototh yogsototh Awaiting requested review from yogsototh yogsototh will be requested when the pull request is marked ready for review yogsototh is a code owner

@msprunck msprunck Awaiting requested review from msprunck msprunck will be requested when the pull request is marked ready for review msprunck is a code owner

@ereteog ereteog Awaiting requested review from ereteog ereteog will be requested when the pull request is marked ready for review ereteog is a code owner

@turbodog99 turbodog99 Awaiting requested review from turbodog99 turbodog99 will be requested when the pull request is marked ready for review turbodog99 is a code owner

@wandersoncferreira wandersoncferreira Awaiting requested review from wandersoncferreira wandersoncferreira will be requested when the pull request is marked ready for review wandersoncferreira is a code owner

@safi safi Awaiting requested review from safi safi will be requested when the pull request is marked ready for review safi is a code owner

@samwagg samwagg Awaiting requested review from samwagg samwagg will be requested when the pull request is marked ready for review samwagg is a code owner

@marioaquino marioaquino Awaiting requested review from marioaquino marioaquino will be requested when the pull request is marked ready for review marioaquino is a code owner

@brookeswanson brookeswanson Awaiting requested review from brookeswanson brookeswanson will be requested when the pull request is marked ready for review brookeswanson is a code owner

1 more reviewer

@michaels-den michaels-den michaels-den left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@frenchy64 @michaels-den