From 1cee9d71e0e9925dd439d2b4ca53163a06e7f2a6 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Thu, 20 Sep 2018 15:38:32 +0200
Subject: [PATCH 1/3] update Lazarus group cluster

---
 clusters/threat-actor.json | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 9f02bd5b..e59b4fa9 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -2568,13 +2568,17 @@
 "Germany",
 "Brazil",
 "Thailand",
- "Australia"
+ "Australia",
+ "Cryptocurrency exchanges in South Korea"
 ],
 "cfr-target-category": [
 "Government",
 "Private sector"
 ],
- "cfr-type-of-incident": "Espionage",
+ "cfr-type-of-incident": [
+ "Espionage",
+ "Sabotage"
+ ],
 "country": "KP",
 "refs": [
 "https://threatpost.com/operation-blockbuster-coalition-ties-destructive-attacks-to-lazarus-group/116422/",
@@ -2587,7 +2591,8 @@
 "https://www.bleepingcomputer.com/news/security/north-korean-hackers-are-up-to-no-good-again/",
 "https://www.cfr.org/interactive/cyber-operations/lazarus-group",
 "https://www.cfr.org/interactive/cyber-operations/operation-ghostsecret",
- "https://securelist.com/operation-applejeus/87553/"
+ "https://securelist.com/operation-applejeus/87553/",
+ "https://www.cfr.org/interactive/cyber-operations/compromise-cryptocurrency-exchanges-south-korea"
 ],
 "synonyms": [
 "Operation DarkSeoul",

From 3c7e367cbf0ad2918000b4fbb9bcc23de309075f Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Fri, 21 Sep 2018 11:14:19 +0200
Subject: [PATCH 2/3] fix field mistake

---
 clusters/threat-actor.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index e59b4fa9..268d6f52 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
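Review bot: The `cfr-type-of-incident` value in the first hunk of PATCH 1/3 changes from a string to a list (`["Espionage", "Sabotage"]`), while the entry corrected in PATCH 2/3 keeps the scalar form `"cfr-type-of-incident": "Espionage",`, so the same key now carries two types within one cluster file. Tooling that filters or correlates threat actors on this field with a plain string comparison may skip or mis-handle the Lazarus entry; I would either write every entry as a list, e.g. `"cfr-type-of-incident": ["Espionage"],`, or state in the galaxy's field documentation that consumers must accept both forms. Separately, `"Cryptocurrency exchanges in South Korea"` is appended to a list whose other visible members are country names (its key is outside the hunk, presumably the suspected-victims list), which makes that list non-homogeneous for country-based matching. The enclosing cluster entry starts and ends outside both hunks, so this is judged from the visible lines only.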
@@ -381,7 +381,7 @@
 "Private sector",
 "Government"
 ],
- "cfr-type-of-incident": "China",
+ "cfr-type-of-incident": "Espionage",
 "country": "CN",
 "refs": [
 "http://www.crowdstrike.com/blog/whois-numbered-panda/",

From 5a1734f170b9a2c3e0f423ce7840af14b3ea7629 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Fri, 21 Sep 2018 11:16:36 +0200
Subject: [PATCH 3/3] update version

---
 clusters/threat-actor.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 268d6f52..b0006a78 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -5861,5 +5861,5 @@
 "uuid": "bea5e256-bcc0-11e8-a478-bbf7e7585a1e"
 }
 ],
- "version": 63
+ "version": 64
 }