From 8d01e775745acec7c92cb32610218ad2603f0201 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy <a@foo.be>
Date: Sun, 3 Nov 2019 08:51:37 +0100
Subject: [PATCH] chg: [threat-actor] Operation WizardOpium added

ref: https://securelist.com/chrome-0-day-exploit-cve-2019-13720-used-in-operation-wizardopium/94866/
---
 clusters/threat-actor.json | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 75993f4..cf45808 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -7761,7 +7761,20 @@
       },
       "uuid": "8dda51ef-9a30-48f7-b0fd-5b6f0a62262d",
       "value": "Operation Soft Cell"
+    },
+    {
+      "value": "Operation WizardOpium",
+      "uuid": "75db4269-924b-4771-8f62-0de600a43634",
+      "description": "We are calling these attacks Operation WizardOpium. So far, we have been unable to establish a definitive link with any known threat actors. There are certain very weak code similarities with Lazarus attacks, although these could very well be a false flag. The profile of the targeted website is more in line with earlier DarkHotel attacks that have recently deployed similar false flag attacks.",
+      "meta": {
+        "refs": [
+          "https://securelist.com/chrome-0-day-exploit-cve-2019-13720-used-in-operation-wizardopium/94866/"
+        ],
+        "threat-actor-classification": [
+          "campaign"
+        ]
+      }
     }
   ],
-  "version": 137
+  "version": 138
 }