From ff17ac998e213ad205436c0c230959375bb70b09 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Tue, 13 Dec 2016 19:37:30 +0100
Subject: [PATCH] TeleBots group added
---
 clusters/threat-actor.json | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 460c6f8..24842f7 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -797,6 +797,14 @@
 },
 "value": "Sandworm"
 },
+ {
+ "meta": {
+ "country": "RU",
+ "refs": ["http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/"]
+ },
+ "value": "TeleBots",
+ "description": "We will refer to the gang behind the malware as TeleBots. However it’s important to say that these attackers, and the toolset used, share a number of similarities with the BlackEnergy group, which conducted attacks against the energy industry in Ukraine in December 2015 and January 2016. In fact, we think that the BlackEnergy group has evolved into the TeleBots group."
+ },
 {
 "meta": {
 "synonyms": [
@@ -1196,5 +1204,5 @@
 ],
 "description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign.",
 "uuid": "7cdff317-a673-4474-84ec-4f1754947823",
- "version": 3
+ "version": 4
 }
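Review bot: The `description` added for the TeleBots entry is a first-person quote ("We will refer to…", "we think…") with no attribution, so inside the cluster it reads as the maintainers' own assessment rather than that of the article listed in `refs`. Rewording it in the third person keeps the source and its confidence visible to analysts, for example `"description": "Name given by the authors of the referenced article to the group behind the malware it analyses; they assess that the BlackEnergy group has evolved into TeleBots."`. The entry also sets `"country": "RU"`, which the quoted text does not state, so the source for that attribution should be added to `refs` or the field left out until it is sourced. The relation to BlackEnergy is expressed only in free text here; whether it belongs in a `synonyms` list, as the following entry has, is worth deciding explicitly, since "evolved into" is a weaker claim than "same group".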