Merge pull request #228 from Delta-Sierra/master

add Thrip as threat actor
MISP · Jun 20, 2018 · d398508 · d398508
2 parents 7a51f55 + dcda058
commit d398508
Showing 1 changed file with 11 additions and 1 deletion.
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
@@ -2701,6 +2701,16 @@
         ]
       },
       "uuid": "4af45fea-72d3-11e8-846c-d37699506c8d"
+    },
+    {
+      "value": "Thrip",
+      "description": "Symntec have been monitoring Thrip since 2013 when they uncovered a spying campaign being orchestrated from systems based in China. Since their initial discovery, the group has changed its tactics and broadened the range of tools it used. Initially, it relied heavily on custom malware, but in this most recent wave of attacks, which began in 2017, the group has switched to a mixture of custom malware and living off the land tools. All of these tools, with the exception of Mimikatz (which is almost always used maliciously), have legitimate uses.",
+      "meta": {
+        "refs": [
+          "https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets"
+        ]
+      },
+      "uuid": "1533bc1a-745a-11e8-90e3-efa3e975fef3s"
     }
   ],
   "name": "Threat actor",
@@ -2715,5 +2725,5 @@
   ],
   "description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign.",
   "uuid": "7cdff317-a673-4474-84ec-4f1754947823",
-  "version": 42
+  "version": 43
 }