From 90da0d798f88d6c383c5773840bc73abfccc2917 Mon Sep 17 00:00:00 2001
From: Thomas Dupuy
Date: Tue, 12 Jul 2022 16:21:41 +0000
Subject: [PATCH] Set country to LB instead of IR based on operational activity.
---
 clusters/threat-actor.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 55faeab..5dd0a53 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -9547,7 +9547,7 @@
 "description": "Microsoft successfully detected and disabled attack activity abusing OneDrive by a previously undocumented Lebanon-based activity group Microsoft Threat Intelligence Center (MSTIC) tracks as POLONIUM.",
 "meta": {
 "attribution-confidence": "75",
- "cfr-suspected-state-sponsor": "Iran",
+ "cfr-suspected-state-sponsor": "Lebanon",
 "cfr-suspected-victims": [
 "Israel"
 ],
@@ -9562,7 +9562,7 @@
 "Transportation systems"
 ],
 "cfr-type-of-incident": "Espionage",
- "country": "IR",
+ "country": "LB",
 "refs": [
 "https://www.microsoft.com/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/"
 ]
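Review bot: `cfr-suspected-state-sponsor` in the first hunk should probably not follow the `country` change. The commit subject gives operational activity as the basis, which supports `"country": "LB",` in the second hunk (and matches the "Lebanon-based" wording in `description`) but says nothing about who is suspected of backing the group. Where an actor operates and which state sponsors it are separate attribution claims, and consumers that correlate or filter on the sponsor field will silently lose the earlier Iran link. If the Microsoft post in `refs` still assesses coordination with Iran-affiliated actors (worth confirming against the ref), keep `"cfr-suspected-state-sponsor": "Iran",` and change only the country. `attribution-confidence` stays at `"75"` even though the attribution itself changed, so it should be re-evaluated in the same commit.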