From c78416eee14b57903c96d13f077cce096e338cff Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Thu, 4 Oct 2018 10:09:34 +0200
Subject: [PATCH 1/3] update synonyms & attributions
---
 clusters/threat-actor.json | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 2958d02..4973a9d 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -2069,9 +2069,11 @@
 "APT 28",
 "APT28",
 "Pawn Storm",
+ "PawnStorm",
 "Fancy Bear",
 "Sednit",
 "TsarTeam",
+ "Tsar Team",
 "TG-4127",
 "Group-4127",
 "STRONTIUM",
@@ -4620,8 +4622,10 @@
 "Islamic State Hacking Division",
 "CCA",
 "United Cyber Caliphate",
- "UUC"
- ]
+ "UUC",
+ "CyberCaliphate"
+ ],
+ "country": "RU"
 },
 "uuid": "76f6ad4e-2ff3-4ccb-b81d-18162f290af0",
 "value": "Cyber Caliphate Army"
@@ -5917,5 +5921,5 @@
 ]
 }
 ],
- "version": 68
+ "version": 69
 }
From 5bcf34a9531d62a1c39a1e339295fe7e2b50dc5d Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Thu, 4 Oct 2018 10:28:22 +0200
Subject: [PATCH 2/3] update regarding https://twitter.com/adulau/status/1047764090410737664
---
 clusters/threat-actor.json | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 4973a9d..fb81e28 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -4624,8 +4624,7 @@
 "United Cyber Caliphate",
 "UUC",
 "CyberCaliphate"
- ],
- "country": "RU"
+ ]
 },
 "uuid": "76f6ad4e-2ff3-4ccb-b81d-18162f290af0",
 "value": "Cyber Caliphate Army"
From 2893d715d6c421e05700c340dfdfe50a3942f5ea Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Thu, 4 Oct 2018 10:52:40 +0200
Subject: [PATCH 3/3] Add ZEBROCY tool
---
 clusters/tool.json | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index 90386e7..794c7fd 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
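Review bot: The `"country": "RU"` added to the Cyber Caliphate Army entry in the second hunk of the first patch is a state attribution with no supporting entry in the cluster's `meta.refs`, and nothing in the hunk records the basis for it; MISP consumers tag and correlate on this field, so an unsourced value propagates downstream as fact. Either add the reporting behind the attribution to `refs` in the same change as the `country` line, or leave `country` out — the second patch in this series drops it again, which is the safer outcome absent a citation. The synonym `"UUC"` carried over from the old side reads like a transposition of `UCC` for United Cyber Caliphate; worth checking against the sources before it is preserved as a lookup key. The enclosing cluster object starts before the hunk.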
@@ -5853,7 +5853,17 @@
 "type": "similar"
 }
 ]
+ },
+ {
+ "value": "ZEBROCY",
+ "description": "ZEBROCY is a tool used by APT28, which has been observed since late 2015. The communications module used by ZEBROCY transmits using HTTP. The implant has key logging and file exfiltration functionality and utilises a file collection capability that identifies files with particular extensions.",
+ "meta": {
+ "refs": [
+ "https://www.ncsc.gov.uk/alerts/indicators-compromise-malware-used-apt28"
+ ]
+ },
+ "uuid": "8a2ae47a-c7b2-11e8-b223-ab4d8f78f3ef"
 }
 ],
- "version": 90
+ "version": 91
 }
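Review bot: The new ZEBROCY entry states its APT28 link only in free text inside `description`, so MISP cannot correlate the tool with the threat-actor cluster; the preceding entry in the context lines carries a `related` block (only `"type": "similar"` is visible here), and this entry should get a `related` item pointing at the APT28 threat-actor cluster's uuid with an appropriate relation type — that uuid is not visible in this hunk and needs to be taken from threat-actor.json. `meta.refs` cites only the NCSC alert, so the description's specific claims (HTTP transport, key logging, extension-based file collection) should be traceable to that page or backed by a second reference. If other tool entries in this file carry `synonyms`, a `"synonyms": ["Zebrocy"]` entry under `meta` would make case-variant lookups resolve. The enclosing `values` array starts before the hunk.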