From 1e5292d9995499b697af57ccb1ca47d7d9fda5ad Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Fri, 14 Jun 2019 16:21:33 +0200
Subject: [PATCH] fix duplicate
---
 clusters/threat-actor.json | 77 +++++++++++++++++++-------------------
 1 file changed, 38 insertions(+), 39 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 93d13ed..5dff709 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -2315,53 +2315,52 @@
 "cfr-type-of-incident": "Espionage",
 "country": "RU",
 "refs": [
+ "https://attack.mitre.org/groups/G0007/"
+ "https://en.wikipedia.org/wiki/Fancy_Bear",
 "https://en.wikipedia.org/wiki/Sofacy_Group",
- "https://aptnotes.malwareconfig.com/web/viewer.html?file=../APTnotes/2014/apt28.pdf",
- "http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-pawn-storm.pdf",
- "https://www2.fireeye.com/rs/848-DID-242/images/wp-mandiant-matryoshka-mining.pdf",
- "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/",
- "http://researchcenter.paloaltonetworks.com/2016/06/unit42-new-sofacy-attacks-against-us-government-agency/",
- "https://www.cfr.org/interactive/cyber-operations/apt-28",
- "https://blogs.microsoft.com/on-the-issues/2018/08/20/we-are-taking-new-steps-against-broadening-threats-to-democracy/",
- "https://www.bleepingcomputer.com/news/security/microsoft-disrupts-apt28-hacking-campaign-aimed-at-us-midterm-elections/",
- "https://www.bleepingcomputer.com/news/security/apt28-uses-lojax-first-uefi-rootkit-seen-in-the-wild/",
- "https://www.accenture.com/us-en/blogs/blogs-snakemackerel-delivers-zekapab-malware",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-flash-zero-day-used-in-pawn-storm-campaign/",
- "http://www.lse.co.uk/AllNews.asp?code=kwdwehme&headline=Russian_Hackers_Suspected_In_Cyberattack_On_German_Parliament",
- "https://www.apnews.com/4d174e45ef5843a0ba82e804f080988f",
 "https://www.bbc.com/news/technology-37590375",
- "https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html",
- "https://www.eff.org/deeplinks/2015/08/new-spear-phishing-campaign-pretends-be-eff",
- "https://labsblog.f-secure.com/2015/09/08/sofacy-recycles-carberp-and-metasploit-code/",
- "https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-targets-mh17-investigation-team/",
- "https://www.msn.com/en-au/news/world/russia-tried-to-hack-mh17-inquiry-system/ar-BBmmuuT",
- "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/",
- "https://unit42.paloaltonetworks.com/unit42-new-sofacy-attacks-against-us-government-agency/",
- "https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/",
+ "https://www.bbc.co.uk/news/technology-45257081",
+ "https://www.cfr.org/interactive/cyber-operations/apt-28",
+ "https://www.apnews.com/4d174e45ef5843a0ba82e804f080988f",
+ "https://www.voanews.com/a/iaaf-hack-fancy-bears/3793874.html",
+ "https://securelist.com/a-slice-of-2017-sofacy-activity/83930/",
 "http://www.dw.com/en/hackers-lurking-parliamentarians-told/a-19564630",
- "http://www.ibtimes.co.uk/russian-hackers-fancy-bear-likely-breached-olympic-drug-testing-agency-dnc-experts-say-1577508",
 "https://unit42.paloaltonetworks.com/unit42-sofacys-komplex-os-x-trojan/",
- "file:///D:/Work/ThaiCERT/Cases/researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platform/",
+ "https://unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/",
+ "https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html",
+ "https://www2.fireeye.com/rs/848-DID-242/images/wp-mandiant-matryoshka-mining.pdf",
+ "https://www.eff.org/deeplinks/2015/08/new-spear-phishing-campaign-pretends-be-eff",
+ "https://aptnotes.malwareconfig.com/web/viewer.html?file=../APTnotes/2014/apt28.pdf",
+ "https://www.accenture.com/us-en/blogs/blogs-snakemackerel-delivers-zekapab-malware",
+ "https://www.wired.com/story/russian-fancy-bears-hackers-release-apparent-ioc-emails/",
+ "https://www.symantec.com/blogs/election-security/apt28-espionage-military-government",
+ "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/",
+ "https://labsblog.f-secure.com/2015/09/08/sofacy-recycles-carberp-and-metasploit-code/",
+ "https://unit42.paloaltonetworks.com/unit42-sofacy-attacks-multiple-government-entities/",
+ "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/",
+ "https://www.msn.com/en-au/news/world/russia-tried-to-hack-mh17-inquiry-system/ar-BBmmuuT",
+ "https://unit42.paloaltonetworks.com/unit42-new-sofacy-attacks-against-us-government-agency/",
 "https://unit42.paloaltonetworks.com/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/",
 "https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/",
- "https://www.volkskrant.nl/cultuur-media/russen-faalden-bij-hackpogingen-ambtenaren-op-nederlandse-ministeries~b77ff391/",
- "https://www.voanews.com/a/iaaf-hack-fancy-bears/3793874.html",
- "https://www.handelsblatt.com/today/politics/election-risks-russia-linked-hackers-target-german-political-foundations/23569188.html?ticket=ST-2696734-GRHgtQukDIEXeSOwksXO-ap1",
- "https://www.wired.com/story/russian-fancy-bears-hackers-release-apparent-ioc-emails/",
- "https://unit42.paloaltonetworks.com/unit42-sofacy-attacks-multiple-government-entities/",
- "https://www.reuters.com/article/us-sweden-doping/swedish-sports-body-says-anti-doping-unit-hit-by-hacking-attack-idUSKCN1IG2GN",
- "https://www.bbc.co.uk/news/technology-45257081",
- "https://unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/",
 "https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/",
- "https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf",
- "https://www.washingtonpost.com/technology/2019/02/20/microsoft-says-it-has-found-another-russian-operation-targeting-prominent-think-tanks/?utm_term=.870ff11468ae",
- "https://www.accenture.com/t20190213T141124Z__w__/us-en/_acnmedia/PDF-94/Accenture-SNAKEMACKEREL-Threat-Campaign-Likely-Targeting-NATO-Members-Defense-and-Military-Outlets.pdf",
+ "https://www.bleepingcomputer.com/news/security/apt28-uses-lojax-first-uefi-rootkit-seen-in-the-wild/",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-targets-mh17-investigation-team/",
+ "http://researchcenter.paloaltonetworks.com/2016/06/unit42-new-sofacy-attacks-against-us-government-agency/",
+ "http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-pawn-storm.pdf",
+ "https://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-flash-zero-day-used-in-pawn-storm-campaign/",
+ "https://blogs.microsoft.com/on-the-issues/2018/08/20/we-are-taking-new-steps-against-broadening-threats-to-democracy/",
+ "http://www.lse.co.uk/AllNews.asp?code=kwdwehme&headline=Russian_Hackers_Suspected_In_Cyberattack_On_German_Parliament",
+ "https://www.volkskrant.nl/cultuur-media/russen-faalden-bij-hackpogingen-ambtenaren-op-nederlandse-ministeries~b77ff391/",
+ "http://www.ibtimes.co.uk/russian-hackers-fancy-bear-likely-breached-olympic-drug-testing-agency-dnc-experts-say-1577508",
+ "https://www.bleepingcomputer.com/news/security/microsoft-disrupts-apt28-hacking-campaign-aimed-at-us-midterm-elections/",
 "https://www.justice.gov/opa/pr/justice-department-announces-actions-disrupt-advanced-persistent-threat-28-botnet-infected",
- "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/",
- "https://securelist.com/a-slice-of-2017-sofacy-activity/83930/",
- "https://www.symantec.com/blogs/election-security/apt28-espionage-military-government",
- "https://en.wikipedia.org/wiki/Fancy_Bear",
- "https://attack.mitre.org/groups/G0007/"
+ "https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf",
+ "https://www.reuters.com/article/us-sweden-doping/swedish-sports-body-says-anti-doping-unit-hit-by-hacking-attack-idUSKCN1IG2GN",
+ "file:///D:/Work/ThaiCERT/Cases/researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platform/",
+ "https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/",
+ "https://www.washingtonpost.com/technology/2019/02/20/microsoft-says-it-has-found-another-russian-operation-targeting-prominent-think-tanks/?utm_term=.870ff11468ae",
+ "https://www.handelsblatt.com/today/politics/election-risks-russia-linked-hackers-target-german-political-foundations/23569188.html?ticket=ST-2696734-GRHgtQukDIEXeSOwksXO-ap1",
+ "https://www.accenture.com/t20190213T141124Z__w__/us-en/_acnmedia/PDF-94/Accenture-SNAKEMACKEREL-Threat-Campaign-Likely-Targeting-NATO-Members-Defense-and-Military-Outlets.pdf",
 ],
 "synonyms": [
 "APT 28",
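Review bot: The reordered `refs` array is not valid JSON on the new side: the first added entry, `"https://attack.mitre.org/groups/G0007/"`, has no trailing comma, and the last added entry (the Accenture `PDF-94` link) keeps its comma directly before `],`. A strict parser would reject the whole file, so consumers of this threat-actor cluster would presumably lose every entry rather than just this one; add the comma after the G0007 line, drop it from the final line, and run the file through a strict parser such as `jq .` before merging. The reorder also carries over the `file:///D:/Work/ThaiCERT/Cases/...` entry, a local workstation path that no reader can resolve and that discloses an analyst's directory layout; it should be replaced by the public URL it appears to mirror. The `http://researchcenter.paloaltonetworks.com/...` and `https://unit42.paloaltonetworks.com/...` links for `unit42-new-sofacy-attacks-against-us-government-agency` both remain and look like the same article, so exact-string deduplication seems to have missed that pair. The enclosing cluster object starts and ends outside the hunk.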