From 1cee9d71e0e9925dd439d2b4ca53163a06e7f2a6 Mon Sep 17 00:00:00 2001
From: Deborah Servili <deborah.servili@gmail.com>
Date: Thu, 20 Sep 2018 15:38:32 +0200
Subject: [PATCH] update Lazarus group cluster

---
 clusters/threat-actor.json | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 9f02bd5..e59b4fa 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -2568,13 +2568,17 @@
           "Germany",
           "Brazil",
           "Thailand",
-          "Australia"
+          "Australia",
+          "Cryptocurrency exchanges in South Korea"
         ],
         "cfr-target-category": [
           "Government",
           "Private sector"
         ],
-        "cfr-type-of-incident": "Espionage",
+        "cfr-type-of-incident": [
+          "Espionage",
+          "Sabotage"
+        ],
         "country": "KP",
         "refs": [
           "https://threatpost.com/operation-blockbuster-coalition-ties-destructive-attacks-to-lazarus-group/116422/",
@@ -2587,7 +2591,8 @@
           "https://www.bleepingcomputer.com/news/security/north-korean-hackers-are-up-to-no-good-again/",
           "https://www.cfr.org/interactive/cyber-operations/lazarus-group",
           "https://www.cfr.org/interactive/cyber-operations/operation-ghostsecret",
-          "https://securelist.com/operation-applejeus/87553/"
+          "https://securelist.com/operation-applejeus/87553/",
+          "https://www.cfr.org/interactive/cyber-operations/compromise-cryptocurrency-exchanges-south-korea"
         ],
         "synonyms": [
           "Operation DarkSeoul",