diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index bdcd282e..2fd6f6f5 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -170,7 +170,7 @@
 "https://blogs.technet.microsoft.com/mmpc/2016/06/09/reverse-engineering-dubnium-2"
 ]
 },
- "value": "darkhotel"
+ "value": "DarkHotel"
 },
 {
 "meta": {
@@ -470,7 +470,10 @@
 "PittyTiger",
 "MANGANESE"
 ],
- "country": "CN"
+ "country": "CN",
+ "refs": [
+ "http://blog.airbuscybersecurity.com/post/2014/07/The-Eye-of-the-Tiger2"
+ ]
 },
 "value": "Pitty Panda",
 "description": "The Pitty Tiger group has been active since at least 2011. They have been seen using HeartBleed vulnerability in order to directly get valid credentials"
@@ -545,6 +548,9 @@
 {
 "meta": {
 "country": "CN",
+ "refs": [
+ "http://researchcenter.paloaltonetworks.com/2014/09/recent-watering-hole-attacks-attributed-apt-group-th3bug-using-poison-ivy/"
+ ],
 "synonyms": [
 "APT20",
 "APT 20",
@@ -583,6 +589,9 @@
 {
 "meta": {
 "country": "CN",
+ "refs": [
+ "https://community.rapid7.com/community/infosec/blog/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india"
+ ],
 "synonyms": [
 "APT23",
 "KeyBoy"
@@ -599,6 +608,9 @@
 "AjaxSecurityTeam",
 "Ajax Security Team",
 "Group 26"
+ ],
+ "refs": [
+ "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-operation-saffron-rose.pdf"
 ]
 },
 "value": "Flying Kitten",
@@ -628,6 +640,9 @@
 "Parastoo",
 "Group 83",
 "Newsbeef"
+ ],
+ "refs": [
+ "https://en.wikipedia.org/wiki/Operation_Newscaster"
 ]
 },
 "value": "Charming Kitten",
@@ -831,6 +846,9 @@
 "Carbon Spider"
 ],
 "country": "RU",
+ "refs": [
+ "https://en.wikipedia.org/wiki/Carbanak"
+ ],
 "motive": "Cybercrime"
 },
 "description": "Groups targeting financial organizations or people with significant financial assets.",
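Review bot: The `value` change from `darkhotel` to `DarkHotel` in the -170 hunk alters the string that identifies this cluster, and the hunk does not show whether the old spelling is kept among the entry's `synonyms` (its `meta` object starts above the hunk). Any consumer that matches on `value` case-sensitively, such as stored tags, correlation rules or detection content, would stop matching data recorded under the old name. The -1135 hunk renames `APT30` to `APT 30` but moves the old form into `synonyms`; doing the same here with `"darkhotel"` would keep lookups working across the version bump.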
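Review bot: The `refs` entries added in the -470 and -545 hunks, and in the -931 hunk further down, are plain `http://` URLs, so an analyst or tool that follows them retrieves the report over a channel that can be altered in transit. Where the publisher serves the same document over TLS, record the `https://` form instead. The -931 reference points at a PDF on `enterprise-manage.norman.c.bitbit.net`, which does not look like a vendor's primary domain, so it is worth confirming that this is the canonical location of the report. The position of `refs` relative to `synonyms` and `country` also differs between hunks; a fixed key order would keep later diffs smaller.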
@@ -931,7 +949,10 @@
 "Appin",
 "OperationHangover"
 ],
- "country": "IN"
+ "country": "IN",
+ "refs": [
+ "http://enterprise-manage.norman.c.bitbit.net/resources/files/Unveiling_an_Indian_Cyberattack_Infrastructure.pdf"
+ ]
 },
 "value": "Viceroy Tiger"
 },
@@ -958,6 +979,9 @@
 "value": "SNOWGLOBE",
 "meta": {
 "country": "FR",
+ "refs": [
+ "https://securelist.com/blog/research/69114/animals-in-the-apt-farm/"
+ ],
 "synonyms": [
 "Animal Farm"
 ]
@@ -1135,12 +1159,12 @@
 "https://attack.mitre.org/wiki/Group/G0013"
 ],
 "synonyms": [
- "APT 30"
+ "APT30"
 ],
 "country": "CN"
 },
- "value": "APT30",
- "description": "APT30 is a threat group suspected to be associated with the Chinese government. While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches."
+ "value": "APT 30",
+ "description": "APT 30 is a threat group suspected to be associated with the Chinese government. While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches."
 },
 {
 "meta": {
@@ -1398,5 +1422,5 @@
 ],
 "description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign.",
 "uuid": "7cdff317-a673-4474-84ec-4f1754947823",
- "version": 16
-}
+ "version": 17
+}
\ No newline at end of file
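Review bot: The rewritten `description` in the -1135 hunk mixes both spellings of the group name: it opens with `APT 30` but its second sentence still reads `shares some characteristics with APT30`. A reader could take these for two different actors, which matters in an entry whose purpose is to separate this group from Naikon. Use one spelling throughout, for example `While Naikon shares some characteristics with APT 30, the two groups do not appear to be exact matches.`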