Closed utkonos closed 1 month ago
I think I see what happened with G0058. The entry in MITRE was merged with G0059, but the misp-galaxy did not update to follow the merge: https://web.archive.org/web/20201025005359/https://attack.mitre.org/groups/G0058/
Curious, as MITRE still has G0058 in the enterprise attack STIX JSON file:
The MITRE ATT&CK to MISP Galaxy conversion script therefore still keeps this entry, as it's present in the original source.
It looks like MITRE only merged this by doing a creative hack on their website when requesting https://attack.mitre.org/groups/G0058/
```html
<meta http-equiv="refresh" content="0; url=/groups/G0059"/>
```
Should APT35 and Charming Kitten be differentiated by two separate entries? Should there be a synonym link between the two? Or should they be merged?
Because Malpedia relies on MISP-galaxy data to create the threat actor buckets that data goes in, there are separate entries there as well:
https://malpedia.caad.fkie.fraunhofer.de/actor/apt35
https://malpedia.caad.fkie.fraunhofer.de/actor/charming_kitten
MITRE ATT&CK has both under the same entry: https://attack.mitre.org/groups/#:~:text=G0059,APT35%2C%20Mint%20Sandstorm
Another confusing part is: what is G0058? This looks like maybe a typo for G0059, the entry in MITRE?
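The mismatch discussed in this thread (a group still present and not revoked in the STIX bundle while its website page meta-refreshes to another group) can be checked mechanically. The sketch below is an added example, not part of the thread and not the misp-galaxy conversion script; the function names, the `pages` dict of previously saved HTML keyed by group ID, and the sample data (including the placeholder ID G9999) are constructed assumptions.

```python
import re
from html.parser import HTMLParser

class MetaRefresh(HTMLParser):
    """Record the URL of the first <meta http-equiv="refresh"> tag, if any."""
    target = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\";\s]+)", a.get("content") or "", re.I)
            if m and self.target is None:
                self.target = m.group(1)

def redirect_target(html):
    parser = MetaRefresh()
    parser.feed(html)
    return parser.target

def attack_groups(bundle):
    """Map ATT&CK group ID -> STIX intrusion-set object."""
    groups = {}
    for obj in bundle.get("objects", []):
        if obj.get("type") == "intrusion-set":
            for ref in obj.get("external_references", []):
                if ref.get("source_name") == "mitre-attack" and ref.get("external_id"):
                    groups[ref["external_id"]] = obj
    return groups

def stale_groups(bundle, pages):
    """Return {old_id: new_id} for groups live in STIX whose page redirects elsewhere."""
    stale = {}
    for gid, obj in attack_groups(bundle).items():
        if obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue  # STIX already signals the change; a converter can follow it
        m = re.search(r"/groups/(G\d{4})", redirect_target(pages.get(gid, "")) or "")
        if m and m.group(1) != gid:
            stale[gid] = m.group(1)
    return stale

def _group(gid, **extra):  # helper for the constructed sample bundle below
    ref = {"source_name": "mitre-attack", "external_id": gid}
    return {"type": "intrusion-set", "external_references": [ref], **extra}

# Constructed sample data; only the G0058 meta tag is taken from the thread.
SAMPLE_BUNDLE = {"objects": [_group("G0058"), _group("G0059"), _group("G9999", revoked=True)]}
SAMPLE_PAGES = {"G0058": '<meta http-equiv="refresh" content="0; url=/groups/G0059"/>',
                "G0059": "<html><head><title>group page</title></head></html>",
                "G9999": '<meta http-equiv="refresh" content="0; url=/groups/G0059"/>'}
```

Calling `stale_groups(SAMPLE_BUNDLE, SAMPLE_PAGES)` lists the IDs a galaxy maintainer would need to review by hand, since nothing in the bundle itself marks them as merged.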