{ | |
"type": "bundle", | |
"id": "bundle--d29d6bf6-25d9-47d3-bf5c-80e8648e3881", | |
"spec_version": "2.0", | |
"objects": [ | |
{ | |
"modified": "2023-03-22T05:08:20.780Z", | |
"name": "Patchwork", | |
"description": "[Patchwork](https://attack.mitre.org/groups/G0040) is a cyber espionage group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be a pro-Indian or Indian entity. [Patchwork](https://attack.mitre.org/groups/G0040) has been seen targeting industries related to diplomatic and government agencies. Much of the code used by this group was copied and pasted from online forums. [Patchwork](https://attack.mitre.org/groups/G0040) was also seen operating spearphishing campaigns targeting U.S. think tank groups in March and April of 2018.(Citation: Cymmetria Patchwork) (Citation: Symantec Patchwork)(Citation: TrendMicro Patchwork Dec 2017)(Citation: Volexity Patchwork June 2018)", | |
"aliases": [ | |
"Patchwork", | |
"Hangover Group", | |
"Dropping Elephant", | |
"Chinastrats", | |
"MONSOON", | |
"Operation Hangover" | |
], | |
"x_mitre_deprecated": false, | |
"x_mitre_version": "1.5", | |
"type": "intrusion-set", | |
"id": "intrusion-set--17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", | |
"created": "2017-05-31T21:32:07.145Z", | |
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", | |
"revoked": false, | |
"external_references": [ | |
{ | |
"source_name": "mitre-attack", | |
"url": "https://attack.mitre.org/groups/G0040", | |
"external_id": "G0040" | |
}, | |
{ | |
"source_name": "Patchwork", | |
"description": "(Citation: Cymmetria Patchwork) (Citation: Symantec Patchwork) (Citation: Securelist Dropping Elephant) (Citation: PaloAlto Patchwork Mar 2018) (Citation: Volexity Patchwork June 2018)" | |
}, | |
{ | |
"source_name": "Chinastrats", | |
"description": "(Citation: Securelist Dropping Elephant)" | |
}, | |
{ | |
"source_name": "Dropping Elephant", | |
"description": "(Citation: Symantec Patchwork) (Citation: Securelist Dropping Elephant) (Citation: PaloAlto Patchwork Mar 2018) (Citation: Volexity Patchwork June 2018)" | |
}, | |
{ | |
"source_name": "Hangover Group", | |
"description": "[Patchwork](https://attack.mitre.org/groups/G0040) and the Hangover Group have both been referenced as aliases for the threat group associated with Operation Monsoon.(Citation: PaloAlto Patchwork Mar 2018)(Citation: Unit 42 BackConfig May 2020)(Citation: Forcepoint Monsoon)" | |
}, | |
{ | |
"source_name": "Cymmetria Patchwork", | |
"description": "Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved August 3, 2016.", | |
"url": "https://web.archive.org/web/20180825085952/https://s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling_Patchwork.pdf" | |
}, | |
{ | |
"source_name": "Operation Hangover May 2013", | |
"description": "Fagerland, S., et al. (2013, May). Operation Hangover: Unveiling an Indian Cyberattack Infrastructure. Retrieved September 26, 2016.", | |
"url": "http://enterprise-manage.norman.c.bitbit.net/resources/files/Unveiling_an_Indian_Cyberattack_Infrastructure.pdf" | |
}, | |
{ | |
"source_name": "Symantec Patchwork", | |
"description": "Hamada, J.. (2016, July 25). Patchwork cyberespionage group expands targets from governments to wide range of industries. Retrieved August 17, 2016.", | |
"url": "http://www.symantec.com/connect/blogs/patchwork-cyberespionage-group-expands-targets-governments-wide-range-industries" | |
}, | |
{ | |
"source_name": "Unit 42 BackConfig May 2020", | |
"description": "Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020.", | |
"url": "https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/" | |
}, | |
{ | |
"source_name": "Operation Hangover", | |
"description": "It is believed that the actors behind [Patchwork](https://attack.mitre.org/groups/G0040) are the same actors behind Operation Hangover. (Citation: Forcepoint Monsoon) (Citation: Operation Hangover May 2013)" | |
}, | |
{ | |
"source_name": "Securelist Dropping Elephant", | |
"description": "Kaspersky Lab's Global Research & Analysis Team. (2016, July 8). The Dropping Elephant \u2013 aggressive cyber-espionage in the Asian region. Retrieved August 3, 2016.", | |
"url": "https://securelist.com/the-dropping-elephant-actor/75328/" | |
}, | |
{ | |
"source_name": "PaloAlto Patchwork Mar 2018", | |
"description": "Levene, B. et al.. (2018, March 7). Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent. Retrieved March 31, 2018.", | |
"url": "https://researchcenter.paloaltonetworks.com/2018/03/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/" | |
}, | |
{ | |
"source_name": "TrendMicro Patchwork Dec 2017", | |
"description": "Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.", | |
"url": "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf" | |
}, | |
{ | |
"source_name": "Volexity Patchwork June 2018", | |
"description": "Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018.", | |
"url": "https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/" | |
}, | |
{ | |
"source_name": "MONSOON", | |
"description": "MONSOON is the name of an espionage campaign; we use it here to refer to the actor group behind the campaign. (Citation: Forcepoint Monsoon) (Citation: PaloAlto Patchwork Mar 2018)" | |
}, | |
{ | |
"source_name": "Forcepoint Monsoon", | |
"description": "Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.", | |
"url": "https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf" | |
} | |
], | |
"object_marking_refs": [ | |
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" | |
], | |
"x_mitre_domains": [ | |
"enterprise-attack" | |
], | |
"x_mitre_attack_spec_version": "3.1.0", | |
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" | |
} | |
] | |
} |