Update threat-actor.json

[validhorizon]

Removed link reference to UNC4841 activity from GhostEmperor value. After research and speaking with authors of the report, these two clusters of activity are unrelated.

[r0ny123]

Ah, that’s on me—thanks for catching it. I initially added that link based on the following observations from Mandiant and to reflect the fact that UNC2286 has overlappings with GhostEmperor / FamousSparrow.

Early in our investigation, we identified overlaps in infrastructure used by UNC4841 with that which we have associated with UNC2286, another China-nexus actor that we have observed active since at least 2019 and which has heavily targeted organizations in the Southeast Asia region. Activity Mandiant has attributed to UNC2286 overlaps with public reporting on GhostEmperor (Kaspersky) and FamousSparrow (ESET). While this finding does indicate a connection in the infrastructure used by both groups, it is likely an artifact of a shared infrastructure anonymization service or an infrastructure provider that is common between them.

However, I overlooked that the blog focuses solely on UNC4841 activities, and I didn’t intend to suggest a direct/indirect link between UNC4841 and GhostEmperor.

[r0ny123]

But, I really thik we should capture the reference of linking UNC2286 to GhostEmperor somehow. What do you think @validhorizon?

[adulau]

A relationship (overlaps) could be created to catch the overlap between the two.

[validhorizon]

But, I really thik we should capture the reference of linking UNC2286 to GhostEmperor somehow. What do you think @validhorizon?

A relationship (overlaps) could be created to catch the overlap between the two.

I'm okay with this though I wouldn't normally describe use of the same anonymization services or service provider as an overlap.

[r0ny123]

I'm okay with this though I wouldn't normally describe use of the same anonymization services or service provider as an overlap.

@validhorizon, I think you misinterpreted. Mandiant said UNC4841 and UNC2286 use the same anonymization service. I'm not talking about linking these two.

A relationship (overlaps) could be created to catch the overlap between the two.

@adulau, I added UNC2286 as an alias under GhostEmperor,

misp-galaxy/clusters/threat-actor.json

Lines 15282 to 15296 in ebb6261

	"UNC2286",
	"Salt Typhoon"
	]
	},
	"related": [
	{
	"dest-uuid": "1f7f4a51-c4a8-4365-ade3-83b222e7cb67",
	"tags": [
	"estimative-language:likelihood-probability=\"likely\""
	],
	"type": "similar"
	}
	],
	"uuid": "3c3ca8f3-c6ab-4c5d-9bd0-be6677d6cdeb",
	"value": "GhostEmperor"

now what I wanted to show is how I made this connection should be referenced in the galaxy.

[adulau]

If it's only similar techniques, then I would go for a new relationship shares-techniques-with or something like that between the two TA.

https://misp-project.org/objects.html#_relationships (for your reference existing relationships but we can easily extend it).

We could also add relationship uses toward the MITRE ATT&ACK cluster describing T1090.003 (a782ebe2-daba-42c7-bc82-e8e9d923162d) or something similar.

[r0ny123]

If it's only similar techniques, then I would go for a new relationship shares-techniques-with or something like that between the two TA.

https://misp-project.org/objects.html#_relationships (for your reference existing relationships but we can easily extend it).

We could also add relationship uses toward the MITRE ATT&ACK cluster describing T1090.003 (a782ebe2-daba-42c7-bc82-e8e9d923162d) or something similar.

Yes but as I said, I already added UNC2286 as an alias under GhostEmperor. In that case, I would like to retain the link @validhorizon removed from GhostEmperor references, as the blog mentioned the overlaps between UNC2286 and GhostEmperor.

[adulau]

Sure. Will you make an updated PR?

[r0ny123]

No need to update, we can close this PR once if @validhorizon is ok with this as we discussed.

[validhorizon]

After discussion with Rony, this commit is closed

[r0ny123]

If it's only similar techniques, then I would go for a new relationship shares-techniques-with or something like that between the two TA.

https://misp-project.org/objects.html#_relationships (for your reference existing relationships but we can easily extend it).

We could also add relationship uses toward the MITRE ATT&ACK cluster describing T1090.003 (a782ebe2-daba-42c7-bc82-e8e9d923162d) or something similar.

Hi @adulau, is there any official documentation outlining the properties (both required and optional) that can be assigned to a threat actor? Currently, we use fields like refs, country, synonyms, etc. under meta for our threat actor entities in the MISP galaxy JSON file.