From 050a864be04d1e60257e9033fef4757b33cb831a Mon Sep 17 00:00:00 2001
From: Deborah Servili <deborah.servili@gmail.com>
Date: Wed, 8 Aug 2018 14:20:38 +0200
Subject: [PATCH] update some clusters and try to add a relationship system

---
 clusters/ransomware.json   |  4 ++-
 clusters/threat-actor.json | 61 ++++++++++++++++++++++++++++++++++----
 2 files changed, 59 insertions(+), 6 deletions(-)

diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index e64aa02c..ed79dad6 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -8016,7 +8016,9 @@
           "https://download.bleepingcomputer.com/demonslay335/SamSamStringDecrypter.zip",
           "http://blog.talosintel.com/2016/03/samsam-ransomware.html",
           "http://www.intelsecurity.com/advanced-threat-research/content/Analysis_SamSa_Ransomware.pdf",
-          "https://www.bleepingcomputer.com/news/security/new-samsam-variant-requires-special-password-before-infection/"
+          "https://www.bleepingcomputer.com/news/security/new-samsam-variant-requires-special-password-before-infection/",
+          "https://www.bleepingcomputer.com/news/security/samsam-ransomware-crew-made-nearly-6-million-from-ransom-payments/",
+          "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-The-Almost-Six-Million-Dollar-Ransomware.pdf"
         ]
       },
       "uuid": "731e4a5e-35f2-47b1-80ba-150b95fdc14d"
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 2b4c7671..db68cd88 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -774,10 +774,22 @@
         "refs": [
           "https://www.fireeye.com/blog/threat-research/2014/09/forced-to-adapt-xslcmd-backdoor-now-on-os-x.html",
           "http://arstechnica.com/security/2015/04/elite-cyber-crime-group-strikes-back-after-attack-by-rival-apt-gang/",
-          "https://github.com/nccgroup/Royal_APT"
+          "https://github.com/nccgroup/Royal_APT",
+          "https://www.cfr.org/interactive/cyber-operations/mirage"
+        ],
+        "cfr-suspected-victims": [
+          "European Union",
+          "India",
+          "United Kingdom"
+        ],
+        "cfr-suspected-state-sponsor": "China",
+        "cfr-type-of-incident": "Espionage",
+        "cfr-target-category": [
+          "Government"
         ]
       },
       "value": "Mirage",
+      "description": "This threat actor uses phishing techniques to compromise the networks of foreign ministries of European countries for espionage purposes.",
       "uuid": "3501fbf2-098f-47e7-be6a-6b0ff5742ce8"
     },
     {
@@ -967,7 +979,19 @@
         ],
         "country": "CN",
         "refs": [
-          "http://www.crowdstrike.com/blog/whois-samurai-panda/"
+          "http://www.crowdstrike.com/blog/whois-samurai-panda/",
+          "https://www.cfr.org/interactive/cyber-operations/sykipot"
+        ],
+        "cfr-suspected-victims": [
+          "United States",
+          "United Kingdom",
+          "Hong Kong"
+        ],
+        "cfr-suspected-state-sponsor": "China",
+        "cfr-type-of-incident": "Espionage",
+        "cfr-target-category": [
+          "Private sector",
+          "Military"
         ]
       },
       "value": "Samurai Panda",
@@ -1082,7 +1106,14 @@
       },
       "value": "Flying Kitten",
       "description": "Activity: defense and aerospace sectors, also interested in targeting entities in the oil/gas industry.",
-      "uuid": "ba724df5-9aa0-45ca-8e0e-7101c208ae48"
+      "uuid": "ba724df5-9aa0-45ca-8e0e-7101c208ae48",
+      "related": [
+        {
+          "dest-uuid": "f873db71-3d53-41d5-b141-530675ade27a",
+          "type": "similar",
+          "likelihood-probability": "very-likely"
+        }
+      ]
     },
     {
       "meta": {
@@ -1189,6 +1220,7 @@
         "synonyms": [
           "TEMP.Beanie",
           "Operation Woolen Goldfish",
+          "Operation Woolen-Goldfish",
           "Thamar Reservoir",
           "Timberworm"
         ],
@@ -1230,7 +1262,14 @@
       },
       "description": "Targets Saudi Arabia, Israel, US, Iran, high ranking defense officials, embassies of various target countries, notable Iran researchers, human rights activists, media and journalists, academic institutions and various scholars, including scientists in the fields of physics and nuclear sciences.",
       "value": "Rocket Kitten",
-      "uuid": "f873db71-3d53-41d5-b141-530675ade27a"
+      "uuid": "f873db71-3d53-41d5-b141-530675ade27a",
+      "related": [
+        {
+          "dest-uuid": "ba724df5-9aa0-45ca-8e0e-7101c208ae48",
+          "type": "similar",
+          "likelihood-probability": "very-likely"
+        }
+      ]
     },
     {
       "meta": {
@@ -3056,7 +3095,19 @@
         "refs": [
           "https://www.alienvault.com/open-threat-exchange/blog/new-sykipot-developments",
           "http://blog.trendmicro.com/trendlabs-security-intelligence/sykipot-now-targeting-us-civil-aviation-sector-information/",
-          "https://www.sans.org/reading-room/whitepapers/malicious/detailed-analysis-sykipot-smartcard-proxy-variant-33919"
+          "https://www.sans.org/reading-room/whitepapers/malicious/detailed-analysis-sykipot-smartcard-proxy-variant-33919",
+          "https://www.cfr.org/interactive/cyber-operations/sykipot"
+        ],
+        "cfr-suspected-victims": [
+          "United States",
+          "United Kingdom",
+          "Hong Kong"
+        ],
+        "cfr-suspected-state-sponsor": "China",
+        "cfr-type-of-incident": "Espionage",
+        "cfr-target-category": [
+          "Private sector",
+          "Military"
         ]
       },
       "value": "Maverick Panda",