From 273c7c9b97665586ebc9fc138088312b0a969737 Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Mon, 12 Sep 2022 17:10:49 -0700
Subject: [PATCH] [threat-actors] Remove Xenotime duplicate
---
 clusters/threat-actor.json | 19 +++----------------
 1 file changed, 3 insertions(+), 16 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 9fd1ae4..5d6d977 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -5708,21 +5708,6 @@
 "uuid": "a0082cfa-32e2-42b8-92d8-5c7a7409dcf1",
 "value": "CHRYSENE"
 },
- {
- "description": "Adversaries abusing ICS (based on Dragos Inc adversary list).",
- "meta": {
- "capabilities": "TRISIS, custom credential harvesting",
- "mode-of-operation": "Focused on physical destruction and long-term persistence",
- "refs": [
- "https://dragos.com/adversaries.html"
- ],
- "since": "2014",
- "synonyms": [],
- "victimology": "Oil and Gas, Middle East"
- },
- "uuid": "3dddc77e-a52a-466a-bf1c-1463e352077f",
- "value": "XENOTIME"
- },
 {
 "description": "ZooPark is a cyberespionage operation that has been focusing on Middle Eastern targets since at least June 2015. The threat actors behind ZooPark infect Android devices using several generations of malware we label from v1-v4, with v4 being the most recent version deployed in 2017.",
 "meta": {
@@ -7127,7 +7112,9 @@
 "refs": [
 "https://dragos.com/resource/trisis-analyzing-safety-system-targeting-malware/",
 "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html",
- "https://attack.mitre.org/groups/G0088/"
+ "https://attack.mitre.org/groups/G0088/",
+ "https://cyberthreat.thalesgroup.com/attackers/ATK91",
+ "https://www.dragos.com/threat/xenotime/"
 ],
 "synonyms": [
 "Xenotime",
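Review bot: The two `refs` added in the second hunk are the only data carried over to the surviving Xenotime entry, so the deleted duplicate's `meta` fields (`"since": "2014"`, `"victimology": "Oil and Gas, Middle East"`, and the `capabilities` and `mode-of-operation` strings) are lost unless that entry already holds equivalents. The surviving entry starts and ends outside this hunk, so that cannot be confirmed from here. The deleted cluster's UUID `3dddc77e-a52a-466a-bf1c-1463e352077f` also disappears, and any `related` entry in a galaxy file or any stored event tag that points at it would presumably stop resolving. It is worth searching the repository for that UUID before merging and repointing any hit at the surviving entry's UUID.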