MISP / misp-galaxy

Clusters and elements to attach to MISP events or attributes (like threat actors)
https://misp-galaxy.org/

chg [threat-actors] Add RedGolf #844

Closed jloehel closed 1 year ago

jloehel commented 1 year ago

Source: https://go.recordedfuture.com/hubfs/reports/cta-2023-0330.pdf

@adulau How can I cluster unique infrastructure TTP? I would also like to add GhostWolf, because it is not RedGolf that overlaps with APT41. The GhostWolf infra overlaps with the infra of APT41. Furthermore, what would be a good place to add more information about the company Chengdu 404 Network Technology?

p.s. Adds new Microsoft mapping for APT41: https://github.com/microsoft/mstic/blob/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json#L14-L19

adulau commented 1 year ago

Thank you for the contribution.

That's a good question. Maybe we should create a new galaxy/cluster adversary-organisation to map the business relationships between threat actors and some organisations. This could already include a series of meta which are used by other formats like STIX for identity. We can extend it with any additional information like we did for the China Defence Universities Tracker. We could populate it with the existing legal action/sanction regarding some orgs.