{ "Event": { "analysis": "1", "date": "2021-10-07", "extends_uuid": "", "info": "[Threat Intel] THE BAFFLING BERSERK BEAR: A DECADE\u2019S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE", "protected": false, "publish_timestamp": "1772407634", "published": true, "threat_level_id": "2", "timestamp": "1772407632", "uuid": "fa87cc42-3528-470d-bd88-e5ba65484a78", "Orgc": { "name": "Rectifyq", "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4" }, "Tag": [ { "colour": "#ffffff", "local": false, "name": "tlp:clear", "relationship_type": "" }, { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:threat-actor=\"ENERGETIC BEAR\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-ics-groups=\"Dragonfly\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-ics-groups=\"Dragonfly 2.0\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-ics-software=\"Backdoor.Oldrea, Havex\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:malpedia=\"Havex RAT\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-ics-assets=\"Human-Machine Interface\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-ics-techniques=\"Screen Capture\"", "relationship_type": "" }, { "colour": "#49a260", "local": false, "name": "rectifyq:category=\"threat\"", "relationship_type": "" }, { "colour": "#10003d", "local": false, "name": "rectifyq:sub-category=\"TA-profile\"", "relationship_type": "" }, { "colour": "#190061", "local": false, "name": "rectifyq:topic=\"ics-ot\"", "relationship_type": "" }, { "colour": "#1c006d", "local": false, "name": "rectifyq:topic=\"geopolitical\"", "relationship_type": "" }, { "colour": "#f1dfed", "local": false, "name": "rectifyq:TA-category=\"APT\"", "relationship_type": "" }, { "colour": "#ffd12e", "local": false, "name": "rectifyq:target=\"broad-based\"", "relationship_type": "" }, { "colour": "#55acee", "local": false, "name": "rectifyq:MY-relevancy=\"potentially-relevant\"", "relationship_type": "" }, { "colour": "#f6810a", "local": false, "name": "ICS-capable", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#3800d9", "local": false, "name": "rectifyq:action-taken=\"VT-comment\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:sector=\"Industrial\"", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"none-from-src\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1772329463", "to_ids": false, "type": "link", "uuid": "553fc8b7-499c-4c9d-8235-4522bf56129d", "value": "https://vblocalhost.com/uploads/VB2021-Slowik.pdf" }, { "category": "Network activity", "comment": "compromised sites noted in public reporting", "deleted": false, "disable_correlation": false, "timestamp": "1772349643", "to_ids": true, "type": "domain", "uuid": "b5cd664a-ca86-4933-913d-4bc6ab695ad2", "value": "39essex.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "compromised sites noted in public reporting", "deleted": false, "disable_correlation": false, "timestamp": "1772349665", "to_ids": true, "type": "domain", "uuid": "3be52b1a-bee9-4300-a3b9-4d2374175ce9", "value": "bsicomputer.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "compromised sites noted in public reporting", "deleted": false, "disable_correlation": false, "timestamp": "1772349686", "to_ids": true, "type": "domain", "uuid": "40b37c58-7b99-4246-b73c-59c24fa925c3", "value": "chariotoilandgas.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "compromised sites noted in public reporting", "deleted": false, "disable_correlation": false, "timestamp": "1772349708", "to_ids": true, "type": "domain", "uuid": "dd26e9ea-d4b9-4b22-8471-35938b47e61f", "value": "energo-pro.ge", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "compromised sites noted in public reporting", "deleted": false, "disable_correlation": false, "timestamp": "1772349729", "to_ids": true, "type": "domain", "uuid": "fe4c970a-c2fc-44cb-9a46-abe5ecc57da4", "value": "energyplatform.eu", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "compromised sites noted in public reporting", "deleted": false, "disable_correlation": false, "timestamp": "1772349750", "to_ids": true, "type": "domain", "uuid": "4b50e680-490a-4b72-b7d3-c16f402ab655", "value": "firstenergy.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "compromised sites noted in public reporting", "deleted": false, "disable_correlation": false, "timestamp": "1772349772", "to_ids": true, "type": "hostname", "uuid": "f6d368e9-93b2-479a-abac-7ab1030b5104", "value": "gamyba.le.lt", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "compromised sites noted in public reporting", "deleted": false, "disable_correlation": false, "timestamp": "1772349794", "to_ids": true, "type": "domain", "uuid": "8cb04d21-79cd-4609-96b8-fc3236c9a5f3", "value": "gritech.fr", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "compromised sites noted in public reporting", "deleted": false, "disable_correlation": false, "timestamp": "1772349815", "to_ids": true, "type": "hostname", "uuid": "8a95ceac-311c-44b1-a07d-3600bdf2de31", "value": "gse.com.ge", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "compromised sites noted in public reporting", "deleted": false, "disable_correlation": false, "timestamp": "1772349836", "to_ids": true, "type": "domain", "uuid": "c6f3d64b-1ee6-485a-9723-3a0ea92ca3cb", "value": "jfaerospace.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "compromised sites noted in public reporting", "deleted": false, "disable_correlation": false, "timestamp": "1772349858", "to_ids": true, "type": "domain", "uuid": "b812bfe0-eb49-4e09-b695-1c8e093d2bc3", "value": "longreachoilandgas.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "compromised sites noted in public reporting", "deleted": false, "disable_correlation": false, "timestamp": "1772349879", "to_ids": true, "type": "domain", "uuid": "0539c611-0125-4b8f-82c5-852025bb8289", "value": "nahoonservices.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "compromised sites noted in public reporting", "deleted": false, "disable_correlation": false, "timestamp": "1772349900", "to_ids": true, "type": "domain", "uuid": "dd36113f-6a73-4590-862b-54d2850f70bd", "value": "rare.fr", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "compromised sites noted in public reporting", "deleted": false, "disable_correlation": false, "timestamp": "1772349921", "to_ids": true, "type": "domain", "uuid": "46036773-2401-4b31-98c5-7966987f4e15", "value": "samashmusic.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "compromised sites noted in public reporting", "deleted": false, "disable_correlation": false, "timestamp": "1772349943", "to_ids": true, "type": "domain", "uuid": "f406cb72-ca06-4715-a761-b1f2cc786db3", "value": "sbmania.net", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "compromised sites noted in public reporting", "deleted": false, "disable_correlation": false, "timestamp": "1772349964", "to_ids": true, "type": "domain", "uuid": "3450f7fa-7466-42ee-996a-b4b93103be9e", "value": "strainstall.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "compromised sites noted in public reporting", "deleted": false, "disable_correlation": false, "timestamp": "1772349986", "to_ids": true, "type": "hostname", "uuid": "669a4971-a286-4f6a-8cf3-62f49fc7c555", "value": "utilico.co.uk", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "compromised sites noted in public reporting", "deleted": false, "disable_correlation": false, "timestamp": "1772350007", "to_ids": true, "type": "domain", "uuid": "6251b44d-5e58-4f00-976b-4f280e610995", "value": "vitogaz.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "compromised sites noted in public reporting", "deleted": false, "disable_correlation": false, "timestamp": "1772350029", "to_ids": true, "type": "domain", "uuid": "2a6f59d0-1719-44fa-861d-4aa5e64ed86a", "value": "vitoreseau.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "compromised sites noted in public reporting", "deleted": false, "disable_correlation": false, "timestamp": "1772350050", "to_ids": true, "type": "domain", "uuid": "4e0eb4aa-cdd2-4858-a348-196eebd7e4c6", "value": "yell.ge", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "compromised sites involved in the incident", "deleted": false, "disable_correlation": false, "timestamp": "1772350072", "to_ids": true, "type": "domain", "uuid": "11e61577-9291-4e8f-947b-b9cceb5310e2", "value": "ameresco.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "compromised sites involved in the incident", "deleted": false, "disable_correlation": false, "timestamp": "1772350093", "to_ids": true, "type": "domain", "uuid": "b52092be-1ef8-4209-ba09-9db02387396d", "value": "cfemedia.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "compromised sites involved in the incident", "deleted": false, "disable_correlation": false, "timestamp": "1772350114", "to_ids": true, "type": "hostname", "uuid": "1c80ad32-cf30-4b02-a0b1-4834d11c79f6", "value": "cfemedia.gcnpublishing.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "compromised sites involved in the incident", "deleted": false, "disable_correlation": false, "timestamp": "1772350135", "to_ids": true, "type": "domain", "uuid": "179635d3-be22-444f-9b90-5aa681b42ce1", "value": "controleng.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "compromised sites involved in the incident", "deleted": false, "disable_correlation": false, "timestamp": "1772350157", "to_ids": true, "type": "domain", "uuid": "79ee8cf1-2157-4b34-a69d-f67142fe7852", "value": "csemag.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "compromised sites involved in the incident", "deleted": false, "disable_correlation": false, "timestamp": "1772350178", "to_ids": true, "type": "hostname", "uuid": "b4c7977a-ff3a-4c8a-918d-69321baed6c2", "value": "gama.com.tr", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "compromised sites involved in the incident", "deleted": false, "disable_correlation": false, "timestamp": "1772350199", "to_ids": true, "type": "domain", "uuid": "0af10090-af33-4c1b-a666-4d03e90cf5c7", "value": "grand-central.net", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "compromised sites involved in the incident", "deleted": false, "disable_correlation": false, "timestamp": "1772350221", "to_ids": true, "type": "domain", "uuid": "b08128f5-b736-49fb-b33d-631922572c31", "value": "oilandgaseng.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "compromised sites involved in the incident", "deleted": false, "disable_correlation": false, "timestamp": "1772350243", "to_ids": true, "type": "domain", "uuid": "bdccb852-dcb9-4fc0-b033-d2e31ddb951d", "value": "plantengineering.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "compromised sites involved in the incident", "deleted": false, "disable_correlation": false, "timestamp": "1772350264", "to_ids": true, "type": "domain", "uuid": "69fb0671-370e-405f-848d-ea1c9e15be43", "value": "reenergyholding.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "compromised sites involved in the incident", "deleted": false, "disable_correlation": false, "timestamp": "1772329672", "to_ids": true, "type": "filename", "uuid": "83970249-57ee-4ced-bfa1-991ce00d33b7", "value": "turcas.com.tr" }, { "category": "Network activity", "comment": "Ukrainian websites featuring compromises", "deleted": false, "disable_correlation": false, "timestamp": "1772350285", "to_ids": true, "type": "domain", "uuid": "f5ae403c-021a-4c86-87b7-edbc09cb18c6", "value": "dtek.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "Ukrainian websites featuring compromises", "deleted": false, "disable_correlation": false, "timestamp": "1772350308", "to_ids": true, "type": "hostname", "uuid": "4549eafd-f03b-4bbf-a1b9-f7c80be7df0d", "value": "unn.com.ua", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "Ukrainian websites featuring compromises", "deleted": false, "disable_correlation": false, "timestamp": "1772350329", "to_ids": true, "type": "domain", "uuid": "aeede120-0084-41d2-9c30-98c4a0bc5567", "value": "ntn.ua", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "Ukrainian websites featuring compromises", "deleted": false, "disable_correlation": false, "timestamp": "1772350350", "to_ids": true, "type": "domain", "uuid": "5039789c-ae61-490d-84c3-d2a981d8cba1", "value": "zomua.tv", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "Ukrainian websites featuring compromises", "deleted": false, "disable_correlation": false, "timestamp": "1772350372", "to_ids": true, "type": "hostname", "uuid": "e8ef9f36-2b65-4fb8-bf9f-f890b66e772e", "value": "fcdynamo.kiev.ua", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] } ] } }