diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 13b3926..257473f 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -1891,7 +1891,8 @@
 "meta": {
 "refs": [
 "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf",
- "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf"
+ "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf",
+ "https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf"
 ],
 "synonyms": [
 "Sandworm"
@@ -2551,7 +2552,8 @@
 "description": "Adversaries abusing ICS (based on Dragos Inc adversary list).",
 "meta": {
 "refs": [
- "https://dragos.com/adversaries.html"
+ "https://dragos.com/adversaries.html",
+ "https://dragos.com/blog/20180510Allanite.html"
 ],
 "mode-of-operation": "Watering-hole and phishing leading to ICS recon and screenshot collection",
 "since": "2017",
@@ -2568,7 +2570,8 @@
 "description": "Adversaries abusing ICS (based on Dragos Inc adversary list).",
 "meta": {
 "refs": [
- "https://dragos.com/adversaries.html"
+ "https://dragos.com/adversaries.html",
+ "https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf"
 ],
 "mode-of-operation": "IT compromise, information gathering and recon against industrial orgs",
 "since": "2017",
@@ -2586,7 +2589,8 @@
 "description": "Adversaries abusing ICS (based on Dragos Inc adversary list).",
 "meta": {
 "refs": [
- "https://dragos.com/adversaries.html"
+ "https://dragos.com/adversaries.html",
+ "https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf"
 ],
 "mode-of-operation": "IT compromise with hardened anti-analysis malware against industrial orgs",
 "since": "2017",
@@ -2604,7 +2608,8 @@
 "description": "Adversaries abusing ICS (based on Dragos Inc adversary list).",
 "meta": {
 "refs": [
- "https://dragos.com/adversaries.html"
+ "https://dragos.com/adversaries.html",
+ "https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf"
 ],
 "mode-of-operation": "Deep ICS environment information gathering, operator credentials, industrial process details",
 "since": "2016",
@@ -2622,7 +2627,8 @@
 "description": "Adversaries abusing ICS (based on Dragos Inc adversary list).",
 "meta": {
 "refs": [
- "https://dragos.com/adversaries.html"
+ "https://dragos.com/adversaries.html",
+ "https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf"
 ],
 "mode-of-operation": "Electric grid disruption and long-term persistence",
 "since": "2016",
@@ -2639,7 +2645,8 @@
 "description": "Adversaries abusing ICS (based on Dragos Inc adversary list).",
 "meta": {
 "refs": [
- "https://dragos.com/adversaries.html"
+ "https://dragos.com/adversaries.html",
+ "https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf"
 ],
 "mode-of-operation": "IT network limited, information gathering against industrial orgs",
 "since": "2016",
@@ -2689,5 +2696,5 @@
 ],
 "description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign.",
 "uuid": "7cdff317-a673-4474-84ec-4f1754947823",
- "version": 39
+ "version": 40
 }