test_scratch
/
cti-ATT-CK-v13.1
/ics-attack
/intrusion-set
/intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d.json
| { | |
| "type": "bundle", | |
| "id": "bundle--e6a6e0b9-6b67-4ccc-8556-517018ace9e8", | |
| "spec_version": "2.0", | |
| "objects": [ | |
| { | |
| "modified": "2023-02-06T20:58:52.317Z", | |
| "name": "OilRig", | |
| "description": "[OilRig](https://attack.mitre.org/groups/G0049) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. FireEye assesses that the group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.(Citation: Palo Alto OilRig April 2017)(Citation: ClearSky OilRig Jan 2017)(Citation: Palo Alto OilRig May 2016)(Citation: Palo Alto OilRig Oct 2016)(Citation: Unit42 OilRig Playbook 2023)(Citation: FireEye APT34 Dec 2017)(Citation: Unit 42 QUADAGENT July 2018)", | |
| "aliases": [ | |
| "OilRig", | |
| "COBALT GYPSY", | |
| "IRN2", | |
| "APT34", | |
| "Helix Kitten", | |
| "Evasive Serpens" | |
| ], | |
| "x_mitre_deprecated": false, | |
| "x_mitre_version": "3.1", | |
| "x_mitre_contributors": [ | |
| "Robert Falcone", | |
| "Bryan Lee", | |
| "Dragos Threat Intelligence" | |
| ], | |
| "type": "intrusion-set", | |
| "id": "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", | |
| "created": "2017-12-14T16:46:06.044Z", | |
| "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", | |
| "revoked": false, | |
| "external_references": [ | |
| { | |
| "source_name": "mitre-attack", | |
| "url": "https://attack.mitre.org/groups/G0049", | |
| "external_id": "G0049" | |
| }, | |
| { | |
| "source_name": "IRN2", | |
| "description": "(Citation: Crowdstrike Helix Kitten Nov 2018)" | |
| }, | |
| { | |
| "source_name": "OilRig", | |
| "description": "(Citation: Palo Alto OilRig April 2017) (Citation: ClearSky OilRig Jan 2017) (Citation: Palo Alto OilRig May 2016) (Citation: Palo Alto OilRig Oct 2016) (Citation: Unit 42 Playbook Dec 2017) (Citation: Unit 42 QUADAGENT July 2018)" | |
| }, | |
| { | |
| "source_name": "COBALT GYPSY", | |
| "description": "(Citation: Secureworks COBALT GYPSY Threat Profile)" | |
| }, | |
| { | |
| "source_name": "Helix Kitten", | |
| "description": "(Citation: Unit 42 QUADAGENT July 2018)(Citation: Crowdstrike Helix Kitten Nov 2018)" | |
| }, | |
| { | |
| "source_name": "Evasive Serpens", | |
| "description": "(Citation: Unit42 OilRig Playbook 2023)" | |
| }, | |
| { | |
| "source_name": "Check Point APT34 April 2021", | |
| "description": "Check Point. (2021, April 8). Iran\u2019s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021.", | |
| "url": "https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/" | |
| }, | |
| { | |
| "source_name": "ClearSky OilRig Jan 2017", | |
| "description": "ClearSky Cybersecurity. (2017, January 5). Iranian Threat Agent OilRig Delivers Digitally Signed Malware, Impersonates University of Oxford. Retrieved May 3, 2017.", | |
| "url": "http://www.clearskysec.com/oilrig/" | |
| }, | |
| { | |
| "source_name": "Palo Alto OilRig May 2016", | |
| "description": "Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.", | |
| "url": "http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/" | |
| }, | |
| { | |
| "source_name": "Palo Alto OilRig April 2017", | |
| "description": "Falcone, R.. (2017, April 27). OilRig Actors Provide a Glimpse into Development and Testing Efforts. Retrieved May 3, 2017.", | |
| "url": "http://researchcenter.paloaltonetworks.com/2017/04/unit42-oilrig-actors-provide-glimpse-development-testing-efforts/" | |
| }, | |
| { | |
| "source_name": "Palo Alto OilRig Oct 2016", | |
| "description": "Grunzweig, J. and Falcone, R.. (2016, October 4). OilRig Malware Campaign Updates Toolset and Expands Targets. Retrieved May 3, 2017.", | |
| "url": "http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/" | |
| }, | |
| { | |
| "source_name": "Unit 42 QUADAGENT July 2018", | |
| "description": "Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018.", | |
| "url": "https://researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/" | |
| }, | |
| { | |
| "source_name": "Crowdstrike Helix Kitten Nov 2018", | |
| "description": "Meyers, A. (2018, November 27). Meet CrowdStrike\u2019s Adversary of the Month for November: HELIX KITTEN. Retrieved December 18, 2018.", | |
| "url": "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-november-helix-kitten/" | |
| }, | |
| { | |
| "source_name": "FireEye APT34 Dec 2017", | |
| "description": "Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.", | |
| "url": "https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html" | |
| }, | |
| { | |
| "source_name": "Secureworks COBALT GYPSY Threat Profile", | |
| "description": "Secureworks. (n.d.). COBALT GYPSY Threat Profile. Retrieved April 14, 2021.", | |
| "url": "https://www.secureworks.com/research/threat-profiles/cobalt-gypsy" | |
| }, | |
| { | |
| "source_name": "APT34", | |
| "description": "This group was previously tracked under two distinct groups, APT34 and OilRig, but was combined due to additional reporting giving higher confidence about the overlap of the activity.(Citation: Unit 42 QUADAGENT July 2018)(Citation: FireEye APT34 Dec 2017)(Citation: Check Point APT34 April 2021)" | |
| }, | |
| { | |
| "source_name": "Unit 42 Playbook Dec 2017", | |
| "description": "Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.", | |
| "url": "https://pan-unit42.github.io/playbook_viewer/" | |
| }, | |
| { | |
| "source_name": "Unit42 OilRig Playbook 2023", | |
| "description": "Unit42. (2016, May 1). Evasive Serpens Unit 42 Playbook Viewer. Retrieved February 6, 2023.", | |
| "url": "https://pan-unit42.github.io/playbook_viewer/?pb=evasive-serpens" | |
| } | |
| ], | |
| "object_marking_refs": [ | |
| "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" | |
| ], | |
| "x_mitre_domains": [ | |
| "enterprise-attack", | |
| "ics-attack" | |
| ], | |
| "x_mitre_attack_spec_version": "3.1.0", | |
| "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" | |
| } | |
| ] | |
| } |