From 4f47e6e2d3749aec72a3a0be5bbbf314013fbbff Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Thu, 29 Sep 2022 11:28:54 -0700
Subject: [PATCH] [threat-actors] Equation group: separate from Lamberts and add tools
---
 clusters/threat-actor.json | 54 +++++++++++++++++++++++++++++++++-----
 1 file changed, 47 insertions(+), 7 deletions(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 37727b0..6ce8215 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -3875,15 +3875,11 @@
 "https://www.dropbox.com/s/buxkfotx1kei0ce/Whitepaper%20Shadow%20Broker%20-%20Equation%20Group%20Hack.pdf?dl=0",
 "https://en.wikipedia.org/wiki/Stuxnet",
 "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064459/Equation_group_questions_and_answers.pdf",
- "https://attack.mitre.org/groups/G0020/",
- "https://www.secureworks.com/research/threat-profiles/platinum-terminal"
+ "https://attack.mitre.org/groups/G0020/"
 ],
 "synonyms": [
 "Tilded Team",
- "Lamberts",
 "EQGRP",
- "Longhorn",
- "PLATINUM TERMINAL",
 "G0020"
 ]
 },
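Review bot: The alias and reference removals in this first hunk are not accompanied by an increment of the file's top-level `version` value; the diffstat (one file, 47 insertions, 7 deletions) is fully accounted for by the three hunks shown. If this repository follows the usual MISP galaxy convention, consumers that compare `version` before re-importing would likely keep resolving "Lamberts" and "PLATINUM TERMINAL" to Equation Group. I would bump `version` in the same commit, or state in the description that the maintainer does it at merge time. The entry this hunk edits begins and ends outside the hunk.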
@@ -3894,6 +3890,48 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "3e0c2d35-87cb-40f9-b341-a6c8dbec697e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"very-likely\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "fb8828a4-76de-467d-9f52-528984aa9b8d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"very-likely\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "a4cebcc4-9e9b-415f-aa05-dd71c4e288fe",
+ "tags": [
+ "estimative-language:likelihood-probability=\"very-likely\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "2407bd9a-a3a4-40c4-86de-be6965243c67",
+ "tags": [
+ "estimative-language:likelihood-probability=\"very-likely\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "1e25d254-3f03-4752-b8d6-023a23e7d4ae",
+ "tags": [
+ "estimative-language:likelihood-probability=\"very-likely\""
+ ],
+ "type": "uses"
+ },
+ {
+ "dest-uuid": "21f7a57b-7778-4b3e-9b50-5289ae3b445d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"very-likely\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "7036fb3d-86b7-4d9c-bc66-1e1ead8b7840",
@@ -4105,12 +4143,14 @@
 "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7ca2e331-2209-46a8-9e60-4cb83f9602de&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments",
 "https://www.bleepingcomputer.com/news/security/longhorn-cyber-espionage-group-is-actually-the-cia/",
 "https://www.cfr.org/interactive/cyber-operations/longhorn",
- "http://blogs.360.cn/post/APT-C-39_CIA_EN.html"
+ "http://blogs.360.cn/post/APT-C-39_CIA_EN.html",
+ "https://www.secureworks.com/research/threat-profiles/platinum-terminal"
 ],
 "synonyms": [
 "Lamberts",
 "the Lamberts",
 "APT-C-39",
+ "PLATINUM TERMINAL"
 ]
 },
 "related": [
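Review bot: The six `uses` relations added after the existing `similar` entry (hunk at -3894) identify their targets only by `dest-uuid`, and the commit subject says "add tools" without naming them, so a reader cannot tell which tool each "very-likely" rating refers to. Because the file format has no comments, I would list the tool name next to each UUID in the commit description. It is also worth confirming that each UUID resolves to an existing cluster, since a mistyped value would most likely produce a dangling relation rather than a parse error. The enclosing entry begins outside the hunk.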
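Review bot: The receiving entry's `synonyms` list (hunk at -4105) gains only `"PLATINUM TERMINAL"`, while the first hunk also removes `"Longhorn"` from Equation Group. That alias is then listed on neither entry unless it is this cluster's `value`, which sits outside the hunk. The bleepingcomputer.com and cfr.org references in the context lines suggest the name belongs here. If `value` is something else, add `"Longhorn",` to this list so lookups by that name still resolve.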