From a6cb478a3bd69963a757aa4add6eb6f90440b6ea Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 6 Jan 2017 22:26:53 +0100
Subject: [PATCH] Separate APT30 from Naikon group
---
 clusters/threat-actor.json | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index b9bebd36..285d0409 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -289,7 +289,6 @@
 "meta": {
 "synonyms": [
 "PLA Unit 78020",
- "APT 30",
 "Override Panda",
 "Camerashy",
 "APT.Naikon"
@@ -1089,10 +1088,13 @@
 {
 "meta": {
 "refs": [
- "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf"
- ]
+ "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf", "https://attack.mitre.org/wiki/Group/G0013"
+ ],
+ "synonyms": ["APT 30"],
+ "country": "CN"
 },
- "value": "APT30"
+ "value": "APT30",
+ "description": "APT30 is a threat group suspected to be associated with the Chinese government. While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches."
 },
 {
 "meta": {
@@ -1256,5 +1258,5 @@
 ],
 "description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign.",
 "uuid": "7cdff317-a673-4474-84ec-4f1754947823",
- "version": 9
+ "version": 10
 }
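Review bot: In the APT30 entry (hunk at -1089) the second reference is appended to the same line as the FireEye URL and the synonyms array is written inline as `"synonyms": ["APT 30"],`, whereas the Naikon synonyms list in the first hunk keeps one element per line. Putting `"https://attack.mitre.org/wiki/Group/G0013"` on its own line and expanding the synonyms array the same way keeps later changes to these lists one entry per diff line, which makes attribution edits easier to audit. The split from Naikon is explained only in the new APT30 description; whether the Naikon entry carries a matching sentence cannot be seen from these hunks, so a consumer that previously resolved "APT 30" through the Naikon synonym list may get no pointer to the new cluster from that side. A short cross-reference in Naikon's description would cover that case.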