MISP / misp-galaxy

Clusters and elements to attach to MISP events or attributes (like threat actors)
https://misp-galaxy.org/

Are Separate Charming Kitten and APT35 Entries Redundant? #1009

Closed utkonos closed 1 month ago

utkonos commented 1 month ago

Should APT35 and Charming Kitten be differentiated by two separate entries? Should there be a synonym link between the two? Or should they be merged?

Because Malpedia relies on MISP-galaxy data to create the threat actor buckets that data goes in, there are separate entries there as well:

https://malpedia.caad.fkie.fraunhofer.de/actor/apt35

https://malpedia.caad.fkie.fraunhofer.de/actor/charming_kitten

MITRE ATT&CK has both under the same entry: https://attack.mitre.org/groups/#:~:text=G0059,APT35%2C%20Mint%20Sandstorm

Another confusing part is: what is G0058? This looks like maybe a typo for G0059, the entry in Mitre?

utkonos commented 1 month ago

I think I see what happened with G0058. The entry in Mitre was merged with G0059 but the misp-galaxy did not update to follow the merge: https://web.archive.org/web/20201025005359/https://attack.mitre.org/groups/G0058/

cvandeplas commented 1 month ago

Curious, as MITRE still has G0058 in the enterprise attack STIX JSON file.

The MITRE ATT&CK to MISP Galaxy conversion script therefore still keeps this entry, as it's present in the original source.

It looks like MITRE only merged this by doing a creative hack on their website when requesting https://attack.mitre.org/groups/G0058/

<meta http-equiv="refresh" content="0; url=/groups/G0059"/>
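One way a conversion script can notice such a merge from the STIX data itself instead of from the website redirect, as an added example that is not code from this thread or from the misp-galaxy project: it reads a constructed, inline miniature of an ATT&CK bundle, treats an intrusion-set marked `revoked: true` with a `revoked-by` relationship (the convention ATT&CK STIX data uses for merged objects) as absorbed by its successor, and folds the old group's name into the successor's synonyms rather than emitting a separate cluster.

```python
import json

# Constructed miniature of an enterprise-attack STIX bundle (not MITRE's real file);
# STIX ids are placeholders, names and G-numbers are the ones discussed in this issue.
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--example", "objects": [
    {"type": "intrusion-set", "id": "intrusion-set--old", "name": "Charming Kitten",
     "revoked": True,
     "external_references": [{"source_name": "mitre-attack", "external_id": "G0058"}]},
    {"type": "intrusion-set", "id": "intrusion-set--new", "name": "APT35",
     "aliases": ["Mint Sandstorm"],
     "external_references": [{"source_name": "mitre-attack", "external_id": "G0059"}]},
    {"type": "relationship", "id": "relationship--1", "relationship_type": "revoked-by",
     "source_ref": "intrusion-set--old", "target_ref": "intrusion-set--new"},
]})


def attack_id(obj):
    """Return the ATT&CK external id (e.g. G0059) of a STIX object, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def resolve_groups(bundle_json):
    """Map external id -> {name, aliases, merged_into} for every intrusion-set;
    revoked groups carry the external id of their replacement (via revoked-by)."""
    objs = json.loads(bundle_json)["objects"]
    by_stix_id = {o["id"]: o for o in objs if o["type"] == "intrusion-set"}
    successor = {r["source_ref"]: r["target_ref"] for r in objs
                 if r["type"] == "relationship"
                 and r.get("relationship_type") == "revoked-by"}
    groups = {}
    for sid, obj in by_stix_id.items():
        ext = attack_id(obj)
        if ext is None:
            continue
        merged_into = None
        # Only trust the merge when the object is revoked AND points at a known group.
        if obj.get("revoked") and successor.get(sid) in by_stix_id:
            merged_into = attack_id(by_stix_id[successor[sid]])
        groups[ext] = {"name": obj["name"], "aliases": obj.get("aliases", []),
                       "merged_into": merged_into}
    return groups


def synonyms_for(groups, ext_id):
    """All names a galaxy cluster for ext_id should carry, including merged-in groups'."""
    names = {groups[ext_id]["name"], *groups[ext_id]["aliases"]}
    names |= {g["name"] for g in groups.values() if g["merged_into"] == ext_id}
    return sorted(names)
```

A converter would skip clusters whose `merged_into` is set and instead append their names to the successor's synonym list, which is what keeps the G0058 entry from surviving as a duplicate.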