From 1a8835bcae516bc0de0c1f65269fa94de9cba96e Mon Sep 17 00:00:00 2001
From: Thomas Dupuy <thom4s.d@gmail.com>
Date: Tue, 12 Jul 2022 13:11:11 +0000
Subject: [PATCH] Remove list from POLONIUM TA.

---
 clusters/threat-actor.json | 10 ++--------
 1 file changed, 2 insertions(+), 8 deletions(-)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 5b57f9f..55faeab 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -9547,10 +9547,7 @@
       "description": "Microsoft successfully detected and disabled attack activity abusing OneDrive by a previously undocumented Lebanon-based activity group Microsoft Threat Intelligence Center (MSTIC) tracks as POLONIUM.",
       "meta": {
         "attribution-confidence": "75",
-        "cfr-suspected-state-sponsor": [
-          "Lebanon",
-          "Iran"
-        ],
+        "cfr-suspected-state-sponsor": "Iran",
         "cfr-suspected-victims": [
           "Israel"
         ],
@@ -9565,10 +9562,7 @@
           "Transportation systems"
         ],
         "cfr-type-of-incident": "Espionage",
-        "country": [
-          "LB",
-          "IR"
-        ],
+        "country": "IR",
         "refs": [
           "https://www.microsoft.com/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/"
         ]