{
"type": "bundle",
"id": "bundle--34b0598f-e515-4c04-adfa-9e6f6fabbf00",
"spec_version": "2.0",
"objects": [
{
"modified": "2023-04-14T00:41:06.231Z",
"name": "SolarWinds Compromise",
"description": "The [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024) was a sophisticated supply chain cyber operation conducted by [APT29](https://attack.mitre.org/groups/G0016) that was discovered in mid-December 2020. [APT29](https://attack.mitre.org/groups/G0016) used customized malware to inject malicious code into the SolarWinds Orion software build process that was later distributed through a normal software update; they also used password spraying, token theft, API abuse, spear phishing, and other supply chain attacks to compromise user accounts and leverage their associated access. Victims of this campaign included government, consulting, technology, telecom, and other organizations in North America, Europe, Asia, and the Middle East. Industry reporting initially referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.(Citation: SolarWinds Advisory Dec 2020)(Citation: SolarWinds Sunburst Sunspot Update January 2021)(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: Volexity SolarWinds)(Citation: CrowdStrike StellarParticle January 2022)(Citation: Unit 42 SolarStorm December 2020)(Citation: Microsoft Analyzing Solorigate Dec 2020)(Citation: Microsoft Internal Solorigate Investigation Blog) \n\nIn April 2021, the US and UK governments attributed the [SolarWinds Compromise](https://attack.mitre.org/campaigns/C0024) to Russia's Foreign Intelligence Service (SVR); public statements included citations to [APT29](https://attack.mitre.org/groups/G0016), Cozy Bear, and The Dukes.(Citation: NSA Joint Advisory SVR SolarWinds April 2021)(Citation: UK NSCS Russia SolarWinds April 2021)(Citation: Mandiant UNC2452 APT29 April 2022) The US government assessed that of the approximately 18,000 affected public and private sector customers of Solar Winds\u2019 Orion product, a much smaller number were compromised by follow-on [APT29](https://attack.mitre.org/groups/G0016) activity on their 
systems.(Citation: USG Joint Statement SolarWinds January 2021) ",
"aliases": [
"SolarWinds Compromise"
],
"first_seen": "2019-08-01T05:00:00.000Z",
"last_seen": "2021-01-01T06:00:00.000Z",
"x_mitre_first_seen_citation": "(Citation: Unit 42 SolarStorm December 2020)",
"x_mitre_last_seen_citation": "(Citation: MSTIC NOBELIUM May 2021)",
"x_mitre_deprecated": false,
"x_mitre_version": "1.0",
"type": "campaign",
"id": "campaign--808d6b30-df4e-4341-8248-724da4bac650",
"created": "2023-03-24T14:59:26.744Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"revoked": false,
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/campaigns/C0024",
"external_id": "C0024"
},
{
"source_name": "Volexity SolarWinds",
"description": "Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020.",
"url": "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/"
},
{
"source_name": "CrowdStrike StellarParticle January 2022",
"description": "CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022.",
"url": "https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/"
},
{
"source_name": "USG Joint Statement SolarWinds January 2021",
"description": "FBI, CISA, ODNI, NSA. (2022, January 5). Joint Statement by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA). Retrieved March 26, 2023.",
"url": "https://www.cisa.gov/news-events/news/joint-statement-federal-bureau-investigation-fbi-cybersecurity-and-infrastructure"
},
{
"source_name": "FireEye SUNBURST Backdoor December 2020",
"description": "FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.",
"url": "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html"
},
{
"source_name": "Mandiant UNC2452 APT29 April 2022",
"description": "Mandiant. (2020, April 27). Assembling the Russian Nesting Doll: UNC2452 Merged into APT29. Retrieved March 26, 2023.",
"url": "https://www.mandiant.com/resources/blog/unc2452-merged-into-apt29"
},
{
"source_name": "MSTIC NOBELIUM May 2021",
"description": "Microsoft Threat Intelligence Center (MSTIC). (2021, May 27). New sophisticated email-based attack from NOBELIUM. Retrieved May 28, 2021.",
"url": "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/"
},
{
"source_name": "Microsoft Internal Solorigate Investigation Blog",
"description": "MSRC Team. (2021, February 18). Microsoft Internal Solorigate Investigation \u2013 Final Update. Retrieved May 14, 2021.",
"url": "https://msrc-blog.microsoft.com/2021/02/18/microsoft-internal-solorigate-investigation-final-update/"
},
{
"source_name": "Microsoft Analyzing Solorigate Dec 2020",
"description": "MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers . Retrieved January 5, 2021.",
"url": "https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/"
},
{
"source_name": "NSA Joint Advisory SVR SolarWinds April 2021",
"description": "NSA, FBI, DHS. (2021, April 15). Russian SVR Targets U.S. and Allied Networks. Retrieved April 16, 2021.",
"url": "https://media.defense.gov/2021/Apr/15/2002621240/-1/-1/0/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF"
},
{
"source_name": "SolarWinds Advisory Dec 2020",
"description": "SolarWinds. (2020, December 24). SolarWinds Security Advisory. Retrieved February 22, 2021.",
"url": "https://www.solarwinds.com/sa-overview/securityadvisory"
},
{
"source_name": "SolarWinds Sunburst Sunspot Update January 2021",
"description": "Sudhakar Ramakrishna . (2021, January 11). New Findings From Our Investigation of SUNBURST. Retrieved January 13, 2021.",
"url": "https://orangematter.solarwinds.com/2021/01/11/new-findings-from-our-investigation-of-sunburst/"
},
{
"source_name": "UK NSCS Russia SolarWinds April 2021",
"description": "UK NCSC. (2021, April 15). UK and US call out Russia for SolarWinds compromise. Retrieved April 16, 2021.",
"url": "https://www.ncsc.gov.uk/news/uk-and-us-call-out-russia-for-solarwinds-compromise"
},
{
"source_name": "Unit 42 SolarStorm December 2020",
"description": "Unit 42. (2020, December 23). SolarStorm Supply Chain Attack Timeline. Retrieved March 24, 2023.",
"url": "https://unit42.paloaltonetworks.com/solarstorm-supply-chain-attack-timeline/"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"x_mitre_attack_spec_version": "3.1.0",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_domains": [
"enterprise-attack"
]
}
]
}