Threat actors/ghost emperor alias #1052
Conversation
|
Hi, thanks for the PR. However, the references you've added to support your assertion are primarily news media articles. I've already included them as overlapping activities, so I'd like to maintain the current version, as there aren't enough legitimate public references available on this topic. |
|
Thank you for the prompt review @r0ny123. I have added another article to support my PR. It is written by threat analyst so should be more credible. Here is the article: https://www.trendmicro.com/en_us/research/24/k/earth-estries.html. Does this count as valid resource to support my PR? I have also added this article in the list of references for Ghost Emperor. Thanks! |
|
They are not sure that both are the same actor, they just mentioned TTP overlap. This fact is already captured in MISP. So, I would like to close this as for now. If you still want to use it, you can fork the branch and use it by yourself. |
|
Thank you for the review @r0ny123. There is another research article which mentions the alias quite clearly: https://www.cyfirma.com/research/apt-profile-earth-estries/. Adding this alias is quite important for our downstream work. If you think it might not be convincing enough for Earth Estries to be an alias of Ghost Emperor, feel free to close this PR. |
|
Cyfirma compiles original research and just provides a summary of findings. Yeah, I will lean toward closing the PR. But thanks for your research. @adulau, we can close this. |
|
Thanks! |
This PR adds Earth Estries as an alias of Ghost Emperor and removes it as an independent TA. Also adds reference articles where Earth Estries is mentioned as an alias of Ghost Emperor.