From 88025a541fc4f7a78ebb3b8f1d482104c1f17b74 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Mon, 14 Oct 2019 16:07:35 +0200
Subject: [PATCH 1/3] add operation soft cell
---
 clusters/threat-actor.json | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index b6e836ac..bd4f5fee 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -7744,7 +7744,17 @@
 },
 "uuid": "5cd95926-0098-435e-892d-9c9f61763ad7",
 "value": "LookBack"
+ },
+ {
+ "description": "In 2018, the Cybereason Nocturnus team identified an advanced, persistent attack targeting global telecommunications providers carried out by a threat actor using tools and techniques commonly associated with Chinese-affiliated threat actors, such as APT10. This multi-wave attacks focused on obtaining data of specific, high-value targets and resulted in a complete takeover of the network.",
+ "meta": {
+ "refs": [
+ "https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers"
+ ]
+ },
+ "uuid": "8dda51ef-9a30-48f7-b0fd-5b6f0a62262d",
+ "value": "Operation Soft Cell"
 }
 ],
- "version": 135
+ "version": 136
 }
From 0a8f989e1c5a3ebcff0676097de1690122a7b072 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Thu, 31 Oct 2019 10:36:15 +0100
Subject: [PATCH 2/3] add Winnti related tools etc.
---
 clusters/threat-actor.json | 6 +++++-
 clusters/tool.json | 16 +++++++++++++---
 2 files changed, 18 insertions(+), 4 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index bd4f5fee..f57358b0 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -671,8 +671,12 @@
 "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-july-wicked-spider/"
 ],
 "synonyms": [
+ "Winnti Umbrella"
 "Winnti Group",
 "Tailgater Team",
+ "Suckfly"
+ "APT41",
+ "APT 41"
 "Group 72",
 "Group72",
 "Tailgater",
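Review bot: The new Operation Soft Cell entry states the APT10 connection only in prose and carries no `related` element, so anything that pivots on galaxy relationships will never see the attribution the Cybereason source makes; consider adding a `related` entry pointing at the APT10 cluster's uuid from this same file, with the hedged estimative-language tag the galaxy's other `related` entries use (check an existing one for the exact form), since the source itself only says "tools and techniques commonly associated with" APT10. Soft Cell is also a campaign rather than an actor, so it may belong in a campaign-oriented galaxy or at least deserve a sentence saying the actor behind it is unattributed. Minor wording in the description: `This multi-wave attacks focused` should be `These multi-wave attacks focused` or `This multi-wave attack focused`. The enclosing array and top-level object continue outside the hunk.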
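Review bot: Adding `Winnti Umbrella`, `Suckfly`, `APT41` and `APT 41` as plain synonyms of this cluster collapses several vendor tracking names into one actor without any reference saying which source equates them; the entry's `refs` begin outside the hunk and nothing is added to them here. If the intent is the overlap described in the ESET Winnti paper cited in the tool.json part of this patch, add that URL to this entry's `refs`, or express the overlap as `related` links rather than aliases so analysts can tell a confirmed alias from a partial overlap. As committed here the new strings also lack trailing commas, which patch 3/3 repairs; squashing the two would avoid an intermediate revision in which threat-actor.json does not parse. The enclosing cluster object starts and ends outside the hunk.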
@@ -7756,5 +7760,5 @@
 "value": "Operation Soft Cell"
 }
 ],
- "version": 136
+ "version": 137
 }
diff --git a/clusters/tool.json b/clusters/tool.json
index 577e7527..b6a9bb74 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -663,7 +663,9 @@
 "synonyms": [
 "Etso",
 "SUQ",
- "Agent.ALQHI"
+ "Agent.ALQHI",
+ "RbDoor",
+ "RibDoor","HIGHNOON"
 ],
 "type": [
 "Backdoor"
@@ -5352,7 +5354,8 @@
 "meta": {
 "refs": [
 "https://cdn.securelist.com/files/2017/08/ShadowPad_technical_description_PDF.pdf"
- ]
+ ],
+ "synonyms":[ "POISONPLUG", "Barlaiy"]
 },
 "related": [
 {
@@ -7859,7 +7862,14 @@
 "description": "Legitimate tool - tool used to scan IPv4/IPv6 networks and remotely execute PowerShell commands.",
 "uuid": "bbba3a35-5064-4e60-ad4b-0ba16cc81a23",
 "value": "Netscan"
+ },
+ {
+ "value":"ShadowHammer",
+ "description": "Malware embedded in Asus Live Update in 2018. ShadowHammer triggers its malicious behavior only if the computer it is running on has a network adapter with the MAC address whitelisted by the attacker.",
+ "meta": {
+ "refs": ["https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf"]
+ }
 }
 ],
- "version": 126
+ "version": 127
 }
From bee9b80898dd52bd99b07906acbe4daaee52605a Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Thu, 31 Oct 2019 10:37:36 +0100
Subject: [PATCH 3/3] jq
---
 clusters/threat-actor.json | 6 +++---
 clusters/tool.json | 17 ++++++++++++-----
 2 files changed, 15 insertions(+), 8 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index f57358b0..24179d9f 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -671,12 +671,12 @@
 "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-july-wicked-spider/"
 ],
 "synonyms": [
- "Winnti Umbrella"
+ "Winnti Umbrella",
 "Winnti Group",
 "Tailgater Team",
- "Suckfly"
+ "Suckfly",
 "APT41",
- "APT 41"
+ "APT 41",
 "Group 72",
 "Group72",
 "Tailgater",
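Review bot: The aliases `RbDoor`, `RibDoor` and `HIGHNOON` are attached to this backdoor entry with no accompanying source, and the entry's `value` and `refs` lie outside the hunk, so a reader cannot tell which report equates them with the existing `Etso`/`SUQ`/`Agent.ALQHI` names. Presumably they come from the ESET Winnti paper cited in the ShadowHammer entry added later in this same patch; if so, that URL belongs in this entry's `refs` as well, since an upper-case family name like `HIGHNOON` is typically another vendor's tracking name rather than a spelling variant and needs a traceable origin. The enclosing object begins and ends outside the hunk.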
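Review bot: `POISONPLUG` and `Barlaiy` are added as ShadowPad synonyms while the entry's only reference remains the 2017 Kaspersky technical description, which predates these names and, as far as I can tell, does not use them; add the report that draws the equivalence to `refs` so the alias can be verified. Without that, an analyst matching on `POISONPLUG` will pivot to ShadowPad indicators with no way to check the claim. The `related` array that follows begins outside the hunk.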
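Review bot: The ShadowHammer description says only that the malware was "embedded in Asus Live Update", which understates the detail defenders care about — the payload reached victims through the vendor's own update mechanism — and the MAC-address sentence describes targeting but not what the implant did once it fired. If the ESET paper cited here confirms it, I would open the description with `Malware delivered in 2018 through a trojanised build of the ASUS Live Update utility (a software supply-chain compromise); ...` and keep the existing sentence on MAC-address targeting, adding a clause on the payload's purpose if the source states one. The enclosing array's closing `]` and the `version` line are the last lines of the hunk.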
diff --git a/clusters/tool.json b/clusters/tool.json
index b6a9bb74..8c8241bd 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -665,7 +665,8 @@
 "SUQ",
 "Agent.ALQHI",
 "RbDoor",
- "RibDoor","HIGHNOON"
+ "RibDoor",
+ "HIGHNOON"
 ],
 "type": [
 "Backdoor"
@@ -5355,7 +5356,10 @@
 "refs": [
 "https://cdn.securelist.com/files/2017/08/ShadowPad_technical_description_PDF.pdf"
 ],
- "synonyms":[ "POISONPLUG", "Barlaiy"]
+ "synonyms": [
+ "POISONPLUG",
+ "Barlaiy"
+ ]
 },
 "related": [
 {
@@ -7864,11 +7868,14 @@
 "value": "Netscan"
 },
 {
- "value":"ShadowHammer",
 "description": "Malware embedded in Asus Live Update in 2018. ShadowHammer triggers its malicious behavior only if the computer it is running on has a network adapter with the MAC address whitelisted by the attacker.",
 "meta": {
- "refs": ["https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf"]
- }
+ "refs": [
+ "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf"
+ ]
+ },
+ "uuid": "c1815516-aa2a-43d2-9136-78a8feb054b6",
+ "value": "ShadowHammer"
 }
 ],
 "version": 127
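Review bot: Even in its final, jq-normalised form the ShadowHammer entry declares no `type` array, whereas sibling tool entries in this file carry one (`"type": ["Backdoor"]` is visible in the first hunk of this same file section), so consumers filtering tools by type will not find it; add a `type` value drawn from the galaxy's existing vocabulary. The only reference is ESET's Winnti paper, yet the entry has no `related` link to the Winnti actor or ShadowPad clusters, so the connection the reference is presumably cited for is not machine-readable; if the paper supports it, add a `related` entry with the galaxy's usual hedged estimative-language tag. The `version` line is the last line of the hunk, so the file's closing brace is outside it.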