diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 5b57f9f..55faeab 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -9547,10 +9547,7 @@
       "description": "Microsoft successfully detected and disabled attack activity abusing OneDrive by a previously undocumented Lebanon-based activity group Microsoft Threat Intelligence Center (MSTIC) tracks as POLONIUM.",
       "meta": {
         "attribution-confidence": "75",
-        "cfr-suspected-state-sponsor": [
-          "Lebanon",
-          "Iran"
-        ],
+        "cfr-suspected-state-sponsor": "Iran",
         "cfr-suspected-victims": [
           "Israel"
         ],
@@ -9565,10 +9562,7 @@
           "Transportation systems"
         ],
         "cfr-type-of-incident": "Espionage",
-        "country": [
-          "LB",
-          "IR"
-        ],
+        "country": "IR",
         "refs": [
           "https://www.microsoft.com/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/"
         ]