From 7a2cfa4f42a2cb175e78a663f7f4179a0122536d Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Thu, 1 Feb 2024 11:02:00 -0800
Subject: [PATCH] [threat-actors] Add Silent Chollima aliases

---
 clusters/threat-actor.json | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 4280c88..088da3b 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -3087,11 +3087,13 @@
 "value": "UNION SPIDER"
 },
 {
+ "description": "Andariel is a threat actor that primarily targets South Korean corporations and institutions. They are believed to collaborate with or operate as a subsidiary organization of the Lazarus threat group. WHOIS utilizes spear phishing attacks, watering hole attacks, and supply chain attacks for initial access. They have been known to exploit vulnerabilities and use malware such as Infostealer and TigerRAT.",
 "meta": {
 "attribution-confidence": "50",
 "country": "KP",
 "refs": [
- "https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf"
+ "https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf",
+ "https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/"
 ],
 "synonyms": [
 "OperationTroy",
@@ -3099,7 +3101,9 @@
 "GOP",
 "WHOis Team",
 "Andariel",
- "Subgroup: Andariel"
+ "Subgroup: Andariel",
+ "Onyx Sleet",
+ "PLUTONIUM"
 ]
 },
 "uuid": "245c8dde-ed42-4c49-b48b-634e3e21bdd7",
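Review bot: The new "description" string in the first hunk switches subject from "Andariel" to "WHOIS" mid-paragraph ("WHOIS utilizes spear phishing attacks…"), so a reader who has not scanned the synonyms list cannot tell it is the same group; rewording that sentence as `They utilize spear phishing attacks, watering hole attacks, and supply chain attacks for initial access.` keeps the paragraph about one subject. In the same sentence "Infostealer" reads as a generic malware category rather than a named family, so it is worth naming the specific tool the source meant or dropping it. The only reference added by this commit is the Microsoft TeamCity post; if the TigerRAT and supply-chain claims in the description come from a different write-up, that URL should be added to "refs" as well so the text stays verifiable. The cluster object's "value" key, which the commit title calls Silent Chollima, lies outside both hunks.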
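Review bot: The synonyms "Onyx Sleet" and "PLUTONIUM" added in the second hunk should be checked against every other cluster in the file before merging, since the same name appearing on two clusters makes synonym lookups ambiguous; I cannot see the rest of the file from this hunk, so this is a check rather than a confirmed duplicate. The existing "Andariel" and "Subgroup: Andariel" entries a few lines above already overlap in meaning, and the added pair follows the same vendor-naming pattern, so a short note in the commit description stating which source maps these names to this cluster would make the attribution reviewable later.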