From 184f193342f04ec32b1905bcd1c044ca218bb722 Mon Sep 17 00:00:00 2001
From: "Daniel Plohmann (jupiter)"
Date: Wed, 4 Mar 2020 19:39:14 +0100
Subject: [PATCH] IMPERIAL KITTEN as alias for Tortoiseshell
---
 clusters/threat-actor.json | 17 +++++------------
 1 file changed, 5 insertions(+), 12 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 5c7ad12..79b13cc 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -4768,7 +4768,6 @@
 "uuid": "4d9f68ba-cb2b-40bf-ba4b-6a5a9f2e1cf8",
 "value": "Cyber Berkut"
 },
-
 {
 "meta": {
 "attribution-confidence": "50",
@@ -7761,7 +7760,11 @@
 "description": "A previously undocumented attack group is using both custom and off-the-shelf malware to target IT providers in Saudi Arabia in what appear to be supply chain attacks with the end goal of compromising the IT providers’ customers.\nThe group, which we are calling Tortoiseshell, has been active since at least July 2018. Symantec has identified a total of 11 organizations hit by the group, the majority of which are based in Saudi Arabia. In at least two organizations, evidence suggests that the attackers gained domain admin-level access.",
 "meta": {
 "refs": [
- "https://www.symantec.com/blogs/threat-intelligence/tortoiseshell-apt-supply-chain"
+ "https://www.symantec.com/blogs/threat-intelligence/tortoiseshell-apt-supply-chain",
+ "https://www.darkreading.com/threat-intelligence/iranian-government-hackers-target-us-veterans/d/d-id/1335897"
+ ],
+ "synonyms": [
+ "IMPERIAL KITTEN"
 ]
 },
 "uuid": "5f108484-db7f-11e9-aaa4-fb0176425734",
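Review bot: The `synonyms` entry added to the Tortoiseshell cluster is left without a visible source for the name IMPERIAL KITTEN, because the only reference shown to carry that name, the CrowdStrike report URL, is deleted together with the standalone entry in the last hunk. Whether the added Dark Reading article links the two names cannot be confirmed from the diff, so I would carry `"https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"` into this `refs` array to keep the alias auditable. The last hunk also retires uuid `937e1bc2-e1ab-4e5b-a697-0415c6070f46` and drops the removed entry's description; anything already tagged or related by that uuid would presumably stop resolving, so it is worth checking other clusters and downstream consumers for references to it before merging. The Tortoiseshell object starts and ends outside this hunk.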
@@ -8029,16 +8032,6 @@
 "uuid": "2154b183-c5c5-418f-8e47-f6e999b64e30",
 "value": "DOPPEL SPIDER"
 },
- {
- "description": "IMPERIAL KITTEN has maintained a consistent operational tempo since Q2 2019. Its operations primarily utilize recruitment- and job-themed infrastructure to deliver custom tooling.",
- "meta": {
- "refs": [
- "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"
- ]
- },
- "uuid": "937e1bc2-e1ab-4e5b-a697-0415c6070f46",
- "value": "IMPERIAL KITTEN"
- },
 {
 "description": "Spambots continued to decline in 2019, with MONTY SPIDER’s CraP2P spambot falling silent in April.",
 "meta": {