From 07f388fe5b63c0a7e710fe3f09320f68d1ed38c6 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 7 Mar 2016 21:24:24 +0100
Subject: [PATCH] More IR
---
 elements/adversary-groups.json | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/elements/adversary-groups.json b/elements/adversary-groups.json
index 23a371f5..cca888a3 100644
--- a/elements/adversary-groups.json
+++ b/elements/adversary-groups.json
@@ -449,6 +449,17 @@
 "country": "IR",
 "group": "Sands Casino"
 },
+ {
+ "country": "IR",
+ "synonyms": [
+ "TG-2889"
+ ],
+ "refs": [
+ "http://www.secureworks.com/cyber-threat-intelligence/threats/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles/"
+ ],
+ "description": "While tracking a suspected Iran-based threat group known as Threat Group-2889[1] (TG-2889), Dell SecureWorks Counter Threat Unitâ„¢ (CTU) researchers uncovered a network of fake LinkedIn profiles. These convincing profiles form a self-referenced network of seemingly established LinkedIn users. CTU researchers assess with high confidence the purpose of this network is to target potential victims through social engineering. Most of the legitimate LinkedIn accounts associated with the fake accounts belong to individuals in the Middle East, and CTU researchers assess with medium confidence that these individuals are likely targets of TG-2889.",
+ "group": "Threat Group-2889"
+ },
 {
 "country": "TN",
 "synonyms": [
@@ -710,7 +721,8 @@
 "Foxy Panda",
 "SNOWGLOBE",
 "Sands Casino",
- "Cleaver"
+ "Cleaver",
+ "Threat Group-2889"
 ],
 "type": "Adversary Groups",
 "authors": [
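Review bot: The added `description` string in the first hunk is pasted from the vendor article with its page artefacts intact: a dangling footnote marker in `Threat Group-2889[1]` and what appears to be a mis-encoded trademark sign in `Unitâ„¢`. The latter may be an artefact of how this page was rendered rather than of the file itself. Both would surface verbatim in any tool that shows this text to an analyst, so the opening is better written as `known as Threat Group-2889 (TG-2889), Dell SecureWorks Counter Threat Unit (CTU) researchers uncovered`. The text also describes one campaign and repeats the vendor's confidence levels, so it would help to keep that attribution explicit instead of presenting it as a profile of the group. The single `refs` entry is a plain `http://` link, and an HTTPS form is preferable if the site serves one.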