From 3a657ace363250ca2f35fad4aa2a1aa2f93a6788 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy <a@foo.be>
Date: Tue, 13 Dec 2016 09:11:16 +0100
Subject: [PATCH] TERBIUM added

---
 clusters/threat-actor.json | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 2d757a3..460c6f8 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -1175,6 +1175,13 @@
       },
       "description": "Threat Group conducting cyber espionage while re-using tools from other teams; like those of Hacking Team, and vmprotect to obfuscate.",
       "value": "Callisto"
+    },
+    {
+      "value": "TERBIUM",
+      "description": "Microsoft Threat Intelligence identified similarities between this recent attack and previous 2012 attacks against tens of thousands of computers belonging to organizations in the energy sector. Microsoft Threat Intelligence refers to the activity group behind these attacks as TERBIUM, following our internal practice of assigning rogue actors chemical element names.",
+      "meta" : {
+        "refs": ["https://blogs.technet.microsoft.com/mmpc/2016/12/09/windows-10-protection-detection-and-response-against-recent-attacks/"]
+      }
     }
   ],
   "name": "Threat actor",
@@ -1189,5 +1196,5 @@
   ],
   "description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign.",
   "uuid": "7cdff317-a673-4474-84ec-4f1754947823",
-  "version": 2
+  "version": 3
 }