misp / misp-galaxy
Clusters and elements to attach to MISP events or attributes (like threat actors)
Home Page: https://misp-galaxy.org/
License: Other
For the threat actor cluster, I suggest the following additional fields that we use in our CTI db.
In our day to day activities, they are quite useful for filtering, statistics/trends, etc.
Field = Motive
Values = Cybercrime, Cyberwar, Espionage, Hacktivism, Hacktivism-Nationalists, Jihadism, Other, Unknown
Field = Type
Values = Independent group, State or State-sponsored group, Individual, Other, Unknown
Field = First Seen
Value = Date
Field = Last Seen
Value = Date
That's the output of my new test case:
{
"4038c3bc-b559-45bb-bac1-9665a54dedf9": [
"Malpedia|Bahamut (Android)",
"Malpedia|Bahamut (Windows)"
],
"8a42a699-1746-498b-a558-e7113bb916c0": [
"Malpedia|Cpuminer (Android)",
"Malpedia|Cpuminer (ELF)"
],
"8269e779-db23-4c94-aafb-36ee94879417": [
"Malpedia|DualToy (Android)",
"Malpedia|DualToy (iOS)",
"Malpedia|DualToy (Windows)"
],
"4305d59a-0d07-4021-a902-e7996378898b": [
"Malpedia|FlexiSpy (Android)",
"Malpedia|FlexiSpy (symbian)",
"Malpedia|FlexiSpy (Windows)"
],
"0caf0292-b01a-4439-b56f-c75b71900bc0": [
"Malpedia|Lazarus (Android)",
"Malpedia|Lazarus (Windows)"
],
"0a7d9d22-a26d-4a2b-ab9b-b296176c3ecf": [
"Malpedia|X-Agent (Android)",
"Malpedia|X-Agent (ELF)",
"Malpedia|X-Agent (OS X)",
"Malpedia|X-Agent (Windows)"
],
"22ef1e56-7778-41d1-9b2b-737aa5bf9777": [
"Malpedia|Retefe (Android)",
"Malpedia|Retefe (Windows)"
],
"479353aa-c6d7-47a7-b5f0-3f97fd904864": [
"Malpedia|Erebus (ELF)",
"Malpedia|Erebus (Windows)"
],
"17e12216-a303-4a00-8283-d3fe92d0934c": [
"Malpedia|Mirai (ELF)",
"Malpedia|Mirai (Windows)"
],
"6d5a5357-4126-4950-b8c3-ee78b1172217": [
"Malpedia|Mokes (ELF)",
"Malpedia|Mokes (OS X)",
"Malpedia|Mokes (Windows)"
],
"47a8fedb-fd60-493a-9b7d-082bdb85621e": [
"Malpedia|Wirenet (ELF)",
"Malpedia|Wirenet (OS X)"
],
"bc32df24-8e80-44bc-80b0-6a4d55661aa5": [
"Malpedia|WireLurker (iOS)",
"Malpedia|WireLurker (OS X)"
],
"4b2ab902-811e-4b50-8510-43454d77d027": [
"Malpedia|Crisis (OS X)",
"Malpedia|Crisis (Windows)"
],
"d674ffd2-1f27-403b-8fe9-b4af6e303e5c": [
"Malpedia|Uroburos (OS X)",
"Malpedia|Uroburos (Windows)"
],
"7f8166e2-c7f4-4b48-a07b-681b61a8f2c1": [
"Malpedia|Winnti (OS X)",
"Malpedia|Winnti (Windows)"
]
}
There are a few entries of different malwares with the same UUID, and this should be fixed asap (cc @koike). I can easily do it myself, but I don't know how the file is generated (not with the script in the repo, for sure).
Is it a problem if I manually give different UUIDs to the entries?
The validator kills the file if the JSON is incorrect :)
$ls clusters/tool.json -lh
-rw-r--r-- 1 thanat0s thanat0s 0 Feb 25 09:31 clusters/tool.json
@iglocska Do you have any info on this one? In tools.json. I can't find any "serious" report on it.
Currently, there is a value "HiddenLynx" in the threat-actor.json but "Hidden Lynx" is also already listed under "Aurora Panda".
Therefore, the "HiddenLynx" key could be deleted and its symantec reference could be merged into "Aurora Panda".
actor "HummingBad" has synonym "Operation C-Major", but "Operation C-Major" is also a key of its own (without "HummingBad" as synonyms, so there is an asymmetry in naming).
I was also not able to find any documentation that indicates a connection between "HummingBad" and "Operation C-Major", so I would propose to delete that synonym for "HummingBad" and treat them individually.
I think these might be duplicates?
Lotus Blossom and Lotus Panda
Tailgater Team is defined twice in the threat-actors:
{
"value": "Aurora Panda",
"refs": [
"http://www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html"
],
"country": "CN",
"synonyms": [
"APT 17",
"Deputy Dog",
"Group 8",
"APT17",
"Hidden Lynx",
"Tailgater Team"
]
},
{
"value": "Axiom",
"refs": [
"http://securelist.com/blog/research/57585/winnti-faq-more-than-just-a-game/",
"http://williamshowalter.com/a-universal-windows-bootkit/"
],
"country": "CN",
"synonyms": [
"Winnti Group",
"Tailgater Team",
"Group 72",
"Group72",
"Tailgater",
"Ragebeast",
"Blackfly"
]
},
Hello,
I am looking to see if you could further explain how this is integrated into MISP? I've not seen the concept of clusters till this repo, so not sure where to begin. Interested to start looking at this, looks very promising.
Pre Attack - Relationship - Identify job postings and needs/gaps related-to Identify job postings and needs/gaps
Pre Attack - Relationship - Identify business relationships related-to Identify business relationships
Pre Attack - Relationship - Dynamic DNS related-to Dynamic DNS
Pre Attack - Relationship - Analyze organizational skillsets and deficiencies related-to Analyze organizational skillsets and deficiencies
Pre Attack - Relationship - Acquire OSINT data sets and information related-to Acquire OSINT data sets and information
Pre Attack - Relationship - Acquire OSINT data sets and information related-to Acquire OSINT data sets and information
Pre Attack - Relationship - Identify supply chains related-to Identify supply chains
Pre Attack - Relationship - Acquire OSINT data sets and information related-to Acquire OSINT data sets and information
Pre Attack - Relationship - Identify supply chains related-to Identify supply chains
Pre Attack - Relationship - APT1 uses Compromise 3rd party infrastructure to support delivery
Pre Attack - Relationship - Analyze organizational skillsets and deficiencies related-to Analyze organizational skillsets and deficiencies
Pre Attack - Relationship - Compromise 3rd party infrastructure to support delivery related-to Compromise 3rd party infrastructure to support delivery
Pre Attack - Relationship - Identify job postings and needs/gaps related-to Identify job postings and needs/gaps
Pre Attack - Relationship - Conduct social engineering related-to Conduct social engineering
Pre Attack - Relationship - Conduct social engineering related-to Conduct social engineering
Pre Attack - Relationship - Identify supply chains related-to Identify supply chains
Pre Attack - Relationship - Identify job postings and needs/gaps related-to Identify job postings and needs/gaps
Pre Attack - Relationship - Identify job postings and needs/gaps related-to Identify job postings and needs/gaps
Pre Attack - Relationship - Analyze organizational skillsets and deficiencies related-to Analyze organizational skillsets and deficiencies
Pre Attack - Relationship - Acquire and/or use 3rd party infrastructure services related-to Acquire and/or use 3rd party infrastructure services
Pre Attack - Relationship - Analyze organizational skillsets and deficiencies related-to Analyze organizational skillsets and deficiencies
Pre Attack - Relationship - Identify job postings and needs/gaps related-to Identify job postings and needs/gaps
Pre Attack - Relationship - Acquire OSINT data sets and information related-to Acquire OSINT data sets and information
Pre Attack - Relationship - Acquire or compromise 3rd party signing certificates related-to Acquire or compromise 3rd party signing certificates
Pre Attack - Relationship - Conduct social engineering related-to Conduct social engineering
Pre Attack - Relationship - Identify supply chains related-to Identify supply chains
Pre Attack - Relationship - Determine 3rd party infrastructure services related-to Determine 3rd party infrastructure services
Pre Attack - Relationship - Conduct social engineering related-to Conduct social engineering
Pre Attack - Relationship - Obfuscate infrastructure related-to Obfuscate infrastructure
Pre Attack - Relationship - Acquire OSINT data sets and information related-to Acquire OSINT data sets and information
Pre Attack - Relationship - Friend/Follow/Connect to targets of interest related-to Friend/Follow/Connect to targets of interest
Pre Attack - Relationship - Analyze organizational skillsets and deficiencies related-to Analyze organizational skillsets and deficiencies
Pre Attack - Relationship - Identify supply chains related-to Identify supply chains
Pre Attack - Relationship - Acquire and/or use 3rd party software services related-to Acquire and/or use 3rd party software services
Pre Attack - Relationship - Conduct social engineering related-to Conduct social engineering
I am currently working on a new version of the MITRE ATT&CK to MISP-galaxy converter.
(which should be in one script and should also support the relationships natively)
The issue I'm encountering is with the enterprise-attack, pre-attack and mobile-attack common entities. They are included in each "domain/phase", but are referred to by the same uuid. (as they are the same object)
For example uuid bef4c620-0787-42a8-a96d-b7eb6e85917c. In the MITRE ATT&CK they are used in different bundles. (see below where count > 2)
~/Documents/Projects/MITRE-ATTACK$ fgrep -r -h '"id"' . | fgrep -v bundle | sed -E 's/\s+//' | sort | uniq -c | sort -n | tail -n 14
2 "id": "x-mitre-tactic--d90bd741-2edb-4e74-8a6f-435143ad7bbb",
2 "id": "x-mitre-tactic--e78d7d60-41b5-49b7-b0a9-5c5d4cbabe17",
2 "id": "x-mitre-tactic--f30c2753-e6b2-4186-818d-99b8b1a0322b",
2 "id": "x-mitre-tactic--f72804c5-f15a-449e-a5da-2eecd181f813",
3 "id": "tool--9de2308e-7bed-43a3-8e58-f194b3586700",
3 "id": "x-mitre-tactic--0a93fd8e-4a83-4c15-8203-db290e5f2ac6",
4 "id": "intrusion-set--090242d7-73fc-4738-af68-20162f7a5aae",
4 "id": "intrusion-set--23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8",
4 "id": "intrusion-set--6a2e693f-24e5-451a-9f88-b36a108e5662",
4 "id": "intrusion-set--8f5e8dc7-739d-4f5e-a8a1-a66e004d7063",
4 "id": "intrusion-set--d6e88e18-81e8-4709-82d8-973095da1e70",
6 "id": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
6 "id": "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c",
9 "id": "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168",
However MISP seems to have included this same object, split over different 'clusters':
~/Documents/Projects/misp-galaxy/clusters$ fgrep -R bef4c620-0787-42a8-a96d-b7eb6e85917c .
./mitre-enterprise-attack-intrusion-set.json: "uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
./mitre-intrusion-set.json: "uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c"
./microsoft-activity-group.json: "dest-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
./mitre-mobile-attack-intrusion-set.json: "uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
./mitre-enterprise-attack-intrusion-set.new.json: "uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c"
./threat-actor.json: "dest-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
./mitre-pre-attack-intrusion-set.json: "uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
This gives the impression that these objects are not identical, and will also break automagic correlations (and data-validation of unique uuids)
This was caused by the switch of the mitre-intrusion-set to separate clusters for enterprise-attack, mobile-attack.
My question is therefore: why exactly was everything moved to those 3 sub-clusters?
Shouldn't some "common" things be kept together? (like: malware, tool, intrusion-set)
While we could still split some others?
I know such a change would require implementation changes in MISP. But right now this seems wrong as we are breaking the UUID concept. Now you can't rely on a UUID to be unique.
Adding ISO reference to Preventive Measures galaxy and grouping by meta
CSV to misp galaxy converter to easily convert an existing CSV file into a cluster.
The idea is the following: a simple Python script to generate a cluster (JSON) from a CSV file. The parameters of the Python script might be the following:
-f 1:description -f 2:value -f 3:abcd
where the number is the field number in the CSV and the name is the field name in the galaxy. Fields other than "description" and "value" are considered as meta.
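One way the converter proposed above could look, as an added example that is not code from the misp-galaxy repository: each `-f N:name` maps 1-based CSV column N to a galaxy field, `description` and `value` stay at the top level of the entry, and every other name goes under `meta`. The `--name` and `--type` options, the per-entry random UUIDs, the rejection of duplicate values and the sample rows are assumptions of this example.

```python
import argparse
import csv
import io
import json
import sys
import uuid

TOP_LEVEL = ("value", "description")  # any other mapped name goes under "meta"
PAGE_SPEC = ["1:description", "2:value", "3:abcd"]  # the -f arguments quoted above

# Constructed sample rows for the three columns mapped by PAGE_SPEC.
SAMPLE_CSV = ("First example group,Example Actor A,XX\n"
              "Second example group,Example Actor B,\n")


def parse_field_specs(specs):
    """Turn ['1:description', '2:value'] into {0: 'description', 1: 'value'}."""
    mapping = {}
    for spec in specs:
        number, sep, name = spec.partition(":")
        if not sep or not number.isdigit() or int(number) < 1 or not name:
            raise ValueError(f"bad field spec {spec!r}, expected N:name")
        mapping[int(number) - 1] = name
    if "value" not in mapping.values():
        raise ValueError("one column must be mapped to 'value'")
    return mapping


def csv_to_cluster(stream, mapping, name, cluster_type):
    """Read CSV rows from stream and return a cluster dict ready for json.dump."""
    values, seen = [], set()
    for line_no, row in enumerate(csv.reader(stream), start=1):
        if not row:
            continue  # blank line
        entry, meta = {}, {}
        for index, field in sorted(mapping.items()):
            cell = row[index].strip() if index < len(row) else ""
            if cell:  # empty cells are left out rather than stored as ""
                (entry if field in TOP_LEVEL else meta)[field] = cell
        if "value" not in entry:
            raise ValueError(f"line {line_no}: empty value")
        if entry["value"].lower() in seen:
            raise ValueError(f"line {line_no}: duplicate value {entry['value']!r}")
        seen.add(entry["value"].lower())
        if meta:
            entry["meta"] = meta
        entry["uuid"] = str(uuid.uuid4())  # fresh UUID per entry, never shared
        values.append(entry)
    return {"name": name, "type": cluster_type, "version": 1,
            "uuid": str(uuid.uuid4()), "values": values}


def main(argv=None):
    parser = argparse.ArgumentParser(description="CSV to galaxy cluster JSON")
    parser.add_argument("csv_file", nargs="?", help="omit to use SAMPLE_CSV")
    parser.add_argument("-f", dest="fields", action="append", metavar="N:name")
    parser.add_argument("--name", default="example-cluster")  # assumed option
    parser.add_argument("--type", default="example-cluster")  # assumed option
    args = parser.parse_args(argv)
    mapping = parse_field_specs(args.fields or PAGE_SPEC)
    if args.csv_file:
        with open(args.csv_file, newline="", encoding="utf-8") as handle:
            cluster = csv_to_cluster(handle, mapping, args.name, args.type)
    else:
        sample = io.StringIO(SAMPLE_CSV)
        cluster = csv_to_cluster(sample, mapping, args.name, args.type)
    json.dump(cluster, sys.stdout, indent=2, ensure_ascii=False)
    return cluster


if __name__ == "__main__":
    main()
```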
Add CFR.org metadata into the galaxy such as:
https://www.cfr.org/interactive/cyber-operations/pla-unit-61398
Malpedia data is licensed under CC BY-NC-SA 3.0, see https://malpedia.caad.fkie.fraunhofer.de/usage/tos
But the malpedia data here is redistributed under CC0: https://github.com/MISP/misp-galaxy/blob/master/LICENSE.md
There are 3 entries with the same value: "Analyze organizational skillsets and deficiencies"
2 with this one: "Identify business relationships"
2 with "Acquire and/or use 3rd party infrastructure services"
3 with "Identify job postings and needs/gaps"
3 "Conduct social engineering"
3 "Identify supply chains"
2 "Obfuscate infrastructure"
2 "Connect to targets of interest"
2 "Determine 3rd party infrastructure services"
2 "Compromise 3rd party infrastructure to support delivery"
2 "Acquire or compromise 3rd party signing certificates"
3 "Acquire OSINT data sets and information"
2 "Acquire and/or use 3rd party software services"
2 "Dynamic DNS"
In at least one instance the name of the technique does not match that used in the MITRE API.
The galaxy lists "Registry Run Keys / Start Folder - T1060", whereas the API uses "Registry Run Keys / Startup Folder".
atomic threat coverage - https://github.com/krakow2600/atomic-threat-coverage
https://en.wikipedia.org/wiki/Botnet 'Historical list of botnets'
Questions | Answers |
---|---|
Type of issue | Question |
OS version (server) | centOS |
OS version (client) | Ubuntu |
PHP version | 5.6 |
MISP version / git hash | 2.4.101 |
Browser | If applicable |
We have detected that some threat actors from Mitre Attack are missing and we would like to add them to our current galaxies. Is there any way to do that?
Thanks in advance.
Because of 6210f27 all galaxy definitions now need a kill_chain_order, otherwise they will not load. See MISP/MISP#4198
There are two "Fund Transfer":
There are two "Account-Checking Services":
Related
--> Mirai
--> Mirai Sora
--> Mirai Owari
dropped/dropped-by
--> Fallout (exploit-kit) - dropped
--> SmokeLoader (tool) - dropped-by
dropped/dropped-by
--> Fallout (exploit-kit) - dropped
--> Kraken Cryptor Ransomware (ransomware -should be added-) - dropped-by
dropped/dropped-by
--> Fallout (exploit-kit) - dropped
--> Smoke Loader (mitre-entreprise-malware) - dropped-by
dropped/dropped-by
--> Fallout (exploit-kit) - dropped
--> GandCrab Ransomware (ransomware) - dropped-by
dropped/dropped-by
--> Fallout (exploit-kit) - dropped
--> SAVEfiles (ransomware) - dropped-by
uses/used-by
--> APT28 (threat-actor) - uses
--> LoJax (tool) - used-by
variant-of
--> BankBot (android)
--> Razdel (android or banking - galaxy to choose)
find -name "*.json" -exec iconv -f UTF-8 {} -o /dev/null \;
iconv: illegal input sequence at position 499
iconv: illegal input sequence at position 2178
iconv: illegal input sequence at position 479
iconv: illegal input sequence at position 500
iconv: illegal input sequence at position 6374
$./chk_dup.py
Json load error in threat-actor.json
Json load error in tool.json
Json load error in preventive-measure.json
Json load error in microsoft-activity-group.json
Json load error in ransomware.json
Example in ransom
"description": "my-Little-Ransomware; AES(128); .已加密 .encrypted; ",
"description": "my-Little-Ransomware; AES(128); .已[mJ.[mF .encrypted; ",
2e e5 b7 b2 e5 8a a0 e5 af 86
Any correction recommendation ... ?? What is the file encoding supposed to be ??
How should we approach the situation where 2 entries in the threat-actors.json file should be merged to one single entry?
Both already have a uuid.
Example:
I would like to propose the following update to the tool.json cluster specifically regarding xbash:
update description to:
"description": "Xbash is a malware family that is targeting Linux and Microsoft Windows servers. We can tie this malware, which we have named Xbash, to the Iron Group, a threat actor group known for previous ransomware attacks. Xbash was developed using Python and converted into self-contained Linux ELF executables by abusing the legitimate tool PyInstaller for distribution. Xbash aimed on discovering unprotected services, deleting victim’s MySQL, PostgreSQL and MongoDB databases, and ransom for Bitcoins. Linux based systems are targeted for ransomware and botnet capabilities. The ransomware targets and deletes linux databases and there is no evidence of any functionality that makes recovery even possible by payment the ransom. Where as, windows based systems are targeted for coinmining & self-propagating capabilities. Xbash spreads by attacking weak passwords and unpatched vulnerabilities.",
add the following refs:
https://unit42.paloaltonetworks.com/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/
From https://github.com/MISP/MISP
* branch 2.4 -> FETCH_HEAD
git submodule update --init --force
Submodule path 'Plugin/DebugKit': checked out '8649a612001fa1caee82d9c432b8223cef221104'
Submodule path 'PyMISP': checked out '748a3100528cd91cc49779110884afe0bc80ddb0'
Submodule path 'app/Lib/cakephp': checked out 'ab5578dbc9f88e661d2b017489cd156fca961429'
Submodule path 'app/Lib/random_compat': checked out '088c04e2f261c33bed6ca5245491cfca69195ccf'
Submodule path 'app/files/misp-galaxy': checked out 'de66295539a94b95b7d3be8e3410665502906f46'
Submodule path 'app/files/misp-objects': checked out '39bd2641aa33ce733151bbf74fdbd3da6118a20e'
Submodule path 'app/files/noticelists': checked out '028f569e26b5b47286167b7d39f81cd1791eb04e'
Submodule path 'app/files/taxonomies': checked out '60f62aa527f1b817930cc8aa1c2fdf4a41f9451b'
Submodule path 'app/files/warninglists': checked out '2b6b07b28a2937f658accc2f7eeb825396b8120c'
error: no such remote ref f0ac7aeb3cb857bb2242e69ee2d3471a2e812d22
Fetched in submodule path 'cti-python-stix2', but it did not contain f0ac7aeb3cb857bb2242e69ee2d3471a2e812d22. Direct fetching of that commit failed.
Yo yo yo!
Jimbo from the "D" again -
So the taxonomies are coming out just fine.
Moving on to galaxies.
I was told that I need to place the galaxy data into two separate spots.
I used this reference to make an educated guess as to where:
https://www.misp-project.org/misp-training/3.2-misp-galaxy.pdf
My galaxy file was named test-galaxy.json
I placed this file into both the ./galaxy folder and the ./cluster folder
My ./galaxy folder .json looked like this:
{
"name": "TEST GALAXY",
"type": "test-galaxy",
"description": "This galaxy is to confirm that you can make test galaxies",
"version": 1,
"uuid": "5855933e-45e6-11e9-b210-d663bd873d93"
}
My ./clusters folder .json looked like this:
{
"description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.",
"type": "tool",
"version": 1,
"name": "test-cluster",
"uuid": "623555c8-45ec-11e9-b210-d663bd873d93",
"authors": "James Palazzolo - LabyrINTh CIS",
"source": "MISP Project",
"values": [{
"description": "Test Value",
"meta": {
"refs": [
"https://thehackernews.com/search/label/Zusy%20Malware",
"http://blog.trendmicro.com/trendlabs-security-intelligence/the-tinbatinybanker-malware/"
],
"synonyms": [
"Test Value",
"Testaroo",
"TinyTester"
],
"uuid": "9cccfede-45ec-11e9-b210-d663bd873d93",
"value": "Test Galaxy Value"
}
}]
}
Both files passed through jsonlint and I could have sworn I was following the schema correctly...
MISP did recognize the galaxy:
However, I now have two issues.
First issue: I removed the .json file from both ./galaxy folder and the ./clusters folder. When I hit update galaxies it's still there lol...
How do I purge this from the list?
Second issue: it recognized the galaxy but none of the cluster information was attributed over and so the galaxy values were empty. What am I doing wrong here?
I'm sure it's something simple -
Jimbo
Source: https://malpedia.caad.fkie.fraunhofer.de/
Waiting for authorization 👼
https://twitter.com/adulau/status/1048142123726454784
With more and more galaxies appearing, more and more duplicate entries appear in the different galaxies.
This leads to inconsistency in the labeling of the data and confusion of the user.
Examples:
I believe these issues should be tackled before merging pull-requests.
This issue is also for talking about:
Based from https://github.com/Concinnity-Risks/LogisticalBudget/blob/master/scorecards.py#L75
Need to define a prefix.
#
score_descriptions = {
"team_size": "Estimated Organisation Size",
"resource_cost": "Estimated Infrastructure Spend",
"time_cost": "Estimated Time Investment",
"logistical_budget": "Logistical Budget"
};
For example: uses should be also made used-by automagically. A thing that is missing in the relationship definitions is such a reverse-mapping that could be used automagically.
...to avoid confusion when adding a galaxy to an event...
I presume this is a spelling mistake in place of the "Retail" sector?
misp-galaxy/clusters/sector.json
Line 306 in e56cb33
Where should this one go?
Galaxy of security vendors
StrongPity threat actor versus PROMETHIUM and NEODYMIUM?
What is the ISO followed by the threat_actors file in clusters? ISO3166?
Sometimes, there are names like "Russia" or like "Russian Federation".
Shouldn't it be using the same name or convert everything to ISO 3166-1 alpha 2?
{
"value": "ELECTRUM",
"description": "Adversaries abusing ICS (based on Dragos Inc adversary list).",
"meta": {
"refs": [
"https://dragos.com/adversaries.html",
"https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf"
],
"mode-of-operation": "Electric grid disruption and long-term persistence",
"since": "2016",
"capabilities": "CRASHOVERRIDE",
"victimology": "Ukraine, Electric Utilities",
"synonyms": [
"Sandworm"
]
},
"uuid": "a2d44915-6cff-43cf-8a53-f4850058ad05"
},
and
{
"value": "ELECTRUM",
"description": "Dragos, Inc. tracks the adversary group behind CRASHOVERRIDE as ELECTRUM and assesses with high confidence through confidential sources that ELECTRUM has direct ties to the Sandworm team. Our intelligence ICS WorldView customers have received a comp
"meta": {
"refs": [
"https://dragos.com/blog/crashoverride/CrashOverride-01.pdf",
"https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf",
"https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf"
],
"synonyms": [
"Sandworm"
]
},
"uuid": "feac86e4-6bb2-4ba0-ac99-806aeb0a776c"
},
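The collisions reported in the issues above can be checked mechanically. They are: one UUID shared by different entries or repeated across cluster files, a value such as ELECTRUM defined twice, and a synonym such as "Tailgater Team" claimed by two actors. The audit below is an added example, not the repository's own validator or `chk_dup.py`; the sample entries are trimmed from the snippets on this page and the two sample file names are placeholders.

```python
import json
import sys
from collections import defaultdict
from pathlib import Path

# Constructed sample: entries trimmed from the snippets quoted on this page;
# the two file names are placeholders.
SAMPLE_CLUSTERS = {
    "sample-actors.json": {"values": [
        {"value": "Aurora Panda",
         "synonyms": ["APT 17", "Hidden Lynx", "Tailgater Team"]},
        {"value": "Axiom",
         "synonyms": ["Winnti Group", "Tailgater Team", "Tailgater"]},
        {"value": "ELECTRUM", "uuid": "a2d44915-6cff-43cf-8a53-f4850058ad05",
         "meta": {"synonyms": ["Sandworm"]}},
        {"value": "ELECTRUM", "uuid": "feac86e4-6bb2-4ba0-ac99-806aeb0a776c",
         "meta": {"synonyms": ["Sandworm"]}},
    ]},
    "sample-malpedia.json": {"values": [
        {"value": "Bahamut (Android)",
         "uuid": "4038c3bc-b559-45bb-bac1-9665a54dedf9"},
        {"value": "Bahamut (Windows)",
         "uuid": "4038c3bc-b559-45bb-bac1-9665a54dedf9"},
    ]},
}


def load_clusters(directory):
    """Parse every *.json in directory; unreadable files are reported, not fatal."""
    clusters, broken = {}, []
    for path in sorted(Path(directory).glob("*.json")):
        try:
            clusters[path.name] = json.loads(path.read_text(encoding="utf-8"))
        except ValueError as exc:  # covers bad UTF-8, bad JSON and empty files
            broken.append(f"{path.name}: {exc}")
    return clusters, broken


def synonyms_of(entry):
    """Synonyms sit under meta in newer entries and at top level in older ones."""
    meta = entry.get("meta") or {}
    return meta.get("synonyms") or entry.get("synonyms") or []


def audit(clusters):
    """Return UUID, value and synonym collisions found in the loaded clusters."""
    by_uuid = defaultdict(set)    # uuid -> {(file, value)}
    by_value = defaultdict(list)  # (file, value) -> uuid of each definition
    by_name = defaultdict(set)    # (file, value-or-synonym) -> owning values
    for fname, cluster in clusters.items():
        for entry in cluster.get("values", []):
            value = entry["value"]
            if entry.get("uuid"):
                by_uuid[entry["uuid"].lower()].add((fname, value))
            by_value[(fname, value.lower())].append(entry.get("uuid"))
            for name in [value, *synonyms_of(entry)]:
                by_name[(fname, name.lower())].add(value)
    return {
        "uuid": {k: sorted(v) for k, v in by_uuid.items() if len(v) > 1},
        "value": {k: v for k, v in by_value.items() if len(v) > 1},
        "synonym": {k: sorted(v) for k, v in by_name.items() if len(v) > 1},
    }


if __name__ == "__main__":
    clusters, broken = (load_clusters(sys.argv[1]) if len(sys.argv) > 1
                        else (SAMPLE_CLUSTERS, []))
    for problem in broken:
        print("unreadable:", problem)
    for kind, hits in audit(clusters).items():
        for key, owners in hits.items():
            print(kind, key, owners)
```

A UUID is reported when it has more than one (file, value) owner, so the same object repeated across several cluster files is flagged as well as two different entries sharing one UUID.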