From 940762e0c5c3fff21eaf039e8d97dd1db3fcff7e Mon Sep 17 00:00:00 2001
From: Deborah Servili <deborah.servili@gmail.com>
Date: Tue, 28 May 2019 09:22:26 +0200
Subject: [PATCH] update threat actor

---
 clusters/rat.json          | 28 ++++++++++++++++++++++++++++
 clusters/threat-actor.json | 13 +++++++++++--
 2 files changed, 39 insertions(+), 2 deletions(-)

diff --git a/clusters/rat.json b/clusters/rat.json
index c22ebfe3..687961cd 100644
--- a/clusters/rat.json
+++ b/clusters/rat.json
@@ -92,6 +92,34 @@
         ]
       },
       "related": [
+        {
+          "dest-uuid": "b42378e0-f147-496f-992a-26a49705395b",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "similar"
+        },
+        {
+          "dest-uuid": "2abe89de-46dd-4dae-ae22-b49a593aff54",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "similar"
+        },
+        {
+          "dest-uuid": "e336aeba-b61a-44e0-a0df-cd52a5839db5",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "similar"
+        },
+        {
+          "dest-uuid": "7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7",
+          "tags": [
+            "estimative-language:likelihood-probability=\"likely\""
+          ],
+          "type": "similar"
+        },
         {
           "dest-uuid": "c82c904f-b3b4-40a2-bf0d-008912953104",
           "tags": [
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index a5fd331d..a928bcbd 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -1471,6 +1471,7 @@
       "value": "Impersonating Panda"
     },
     {
+      "description": "We’ve uncovered some new data and likely attribution regarding a series of APT watering hole attacks this past summer. Watering hole attacks are an increasingly popular component of APT campaigns, as many people are more aware of spear phishing and are less likely to open documents or click on links in unsolicited emails. Watering hole attacks offer a much better chance of success because they involve compromising legitimate websites and installing malware intended to compromise website visitors. These are often popular websites frequented by people who work in specific industries or have political sympathies to which the actors want to gain access.\nIn contrast to many other APT campaigns, which tend to rely heavily on spear phishing to gain victims, “th3bug” is known for compromising legitimate websites their intended visitors are likely to frequent. Over the summer they compromised several sites, including a well-known Uyghur website written in that native language.",
       "meta": {
         "attribution-confidence": "50",
         "country": "CN",
@@ -1852,7 +1853,11 @@
         "refs": [
           "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html"
         ],
-        "synonyms": []
+        "synonyms": [
+          "APT 33",
+          "Elfin",
+          "MAGNALLIUM"
+        ]
       },
       "related": [
         {
@@ -2301,7 +2306,9 @@
           "Minidionis",
           "SeaDuke",
           "Hammer Toss",
-          "YTTRIUM"
+          "YTTRIUM",
+          "Iron Hemlock",
+          "Grizzly Steppe"
         ]
       },
       "related": [
@@ -4080,9 +4087,11 @@
         "synonyms": [
           "OceanLotus Group",
           "Ocean Lotus",
+          "OceanLotus",
           "Cobalt Kitty",
           "APT-C-00",
           "SeaLotus",
+          "Sea Lotus",
           "APT-32",
           "APT 32",
           "Ocean Buffalo"