cti-ATT-CK-v13.1/enterprise-attack/intrusion-set/intrusion-set--17862c7d-9e60-48a0-b48e-da4dc4c3f6b0.json

{
    "type": "bundle",
    "id": "bundle--d29d6bf6-25d9-47d3-bf5c-80e8648e3881",
    "spec_version": "2.0",
    "objects": [
        {
            "modified": "2023-03-22T05:08:20.780Z",
            "name": "Patchwork",
            "description": "[Patchwork](https://attack.mitre.org/groups/G0040) is a cyber espionage group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be a pro-Indian or Indian entity. [Patchwork](https://attack.mitre.org/groups/G0040) has been seen targeting industries related to diplomatic and government agencies. Much of the code used by this group was copied and pasted from online forums. [Patchwork](https://attack.mitre.org/groups/G0040) was also seen operating spearphishing campaigns targeting U.S. think tank groups in March and April of 2018.(Citation: Cymmetria Patchwork) (Citation: Symantec Patchwork)(Citation: TrendMicro Patchwork Dec 2017)(Citation: Volexity Patchwork June 2018)",
            "aliases": [
                "Patchwork",
                "Hangover Group",
                "Dropping Elephant",
                "Chinastrats",
                "MONSOON",
                "Operation Hangover"
            ],
            "x_mitre_deprecated": false,
            "x_mitre_version": "1.5",
            "type": "intrusion-set",
            "id": "intrusion-set--17862c7d-9e60-48a0-b48e-da4dc4c3f6b0",
            "created": "2017-05-31T21:32:07.145Z",
            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "revoked": false,
            "external_references": [
                {
                    "source_name": "mitre-attack",
                    "url": "https://attack.mitre.org/groups/G0040",
                    "external_id": "G0040"
                },
                {
                    "source_name": "Patchwork",
                    "description": "(Citation: Cymmetria Patchwork) (Citation: Symantec Patchwork) (Citation: Securelist Dropping Elephant) (Citation: PaloAlto Patchwork Mar 2018) (Citation: Volexity Patchwork June 2018)"
                },
                {
                    "source_name": "Chinastrats",
                    "description": "(Citation: Securelist Dropping Elephant)"
                },
                {
                    "source_name": "Dropping Elephant",
                    "description": "(Citation: Symantec Patchwork) (Citation: Securelist Dropping Elephant) (Citation: PaloAlto Patchwork Mar 2018) (Citation: Volexity Patchwork June 2018)"
                },
                {
                    "source_name": "Hangover Group",
                    "description": "[Patchwork](https://attack.mitre.org/groups/G0040) and the Hangover Group have both been referenced as aliases for the threat group associated with Operation Monsoon.(Citation: PaloAlto Patchwork Mar 2018)(Citation: Unit 42 BackConfig May 2020)(Citation: Forcepoint Monsoon)"
                },
                {
                    "source_name": "Cymmetria Patchwork",
                    "description": "Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved August 3, 2016.",
                    "url": "https://web.archive.org/web/20180825085952/https://s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling_Patchwork.pdf"
                },
                {
                    "source_name": "Operation Hangover May 2013",
                    "description": "Fagerland, S., et al. (2013, May). Operation Hangover: Unveiling an Indian Cyberattack Infrastructure. Retrieved September 26, 2016.",
                    "url": "http://enterprise-manage.norman.c.bitbit.net/resources/files/Unveiling_an_Indian_Cyberattack_Infrastructure.pdf"
                },
                {
                    "source_name": "Symantec Patchwork",
                    "description": "Hamada, J.. (2016, July 25). Patchwork cyberespionage group expands targets from governments to wide range of industries. Retrieved August 17, 2016.",
                    "url": "http://www.symantec.com/connect/blogs/patchwork-cyberespionage-group-expands-targets-governments-wide-range-industries"
                },
                {
                    "source_name": "Unit 42 BackConfig May 2020",
                    "description": "Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020.",
                    "url": "https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/"
                },
                {
                    "source_name": "Operation Hangover",
                    "description": "It is believed that the actors behind [Patchwork](https://attack.mitre.org/groups/G0040) are the same actors behind Operation Hangover. (Citation: Forcepoint Monsoon) (Citation: Operation Hangover May 2013)"
                },
                {
                    "source_name": "Securelist Dropping Elephant",
                    "description": "Kaspersky Lab's Global Research & Analysis Team. (2016, July 8). The Dropping Elephant \u2013 aggressive cyber-espionage in the Asian region. Retrieved August 3, 2016.",
                    "url": "https://securelist.com/the-dropping-elephant-actor/75328/"
                },
                {
                    "source_name": "PaloAlto Patchwork Mar 2018",
                    "description": "Levene, B. et al.. (2018, March 7). Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent. Retrieved March 31, 2018.",
                    "url": "https://researchcenter.paloaltonetworks.com/2018/03/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/"
                },
                {
                    "source_name": "TrendMicro Patchwork Dec 2017",
                    "description": "Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.",
                    "url": "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf"
                },
                {
                    "source_name": "Volexity Patchwork June 2018",
                    "description": "Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018.",
                    "url": "https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/"
                },
                {
                    "source_name": "MONSOON",
                    "description": "MONSOON is the name of an espionage campaign; we use it here to refer to the actor group behind the campaign. (Citation: Forcepoint Monsoon) (Citation: PaloAlto Patchwork Mar 2018)"
                },
                {
                    "source_name": "Forcepoint Monsoon",
                    "description": "Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.",
                    "url": "https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf"
                }
            ],
            "object_marking_refs": [
                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
            ],
            "x_mitre_domains": [
                "enterprise-attack"
            ],
            "x_mitre_attack_spec_version": "3.1.0",
            "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
        }
    ]
}