From e1f5d3b5d81d317583c2513fd9142f95b11a4b07 Mon Sep 17 00:00:00 2001
From: Mathieu Beligon
Date: Tue, 13 Sep 2022 11:40:17 -0700
Subject: [PATCH] [threat-actors] Keep meta from old Xenotime
---
 clusters/threat-actor.json | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 5d6d977..a4ff9d4 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -7109,6 +7109,8 @@
 {
 "description": "TEMP.Veles is a Russia-based threat group that has targeted critical infrastructure. The group has been observed utilizing TRITON, a malware framework designed to manipulate industrial safety systems.",
 "meta": {
+ "capabilities": "TRISIS, custom credential harvesting",
+ "mode-of-operation": "Focused on physical destruction and long-term persistence",
 "refs": [
 "https://dragos.com/resource/trisis-analyzing-safety-system-targeting-malware/",
 "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html",
@@ -7116,11 +7118,13 @@
 "https://cyberthreat.thalesgroup.com/attackers/ATK91",
 "https://www.dragos.com/threat/xenotime/"
 ],
+ "since": "2014",
 "synonyms": [
 "Xenotime",
 "G0088",
 "ATK91"
- ]
+ ],
+ "victimology": "Oil and Gas, Middle East"
 },
 "uuid": "90abfc42-91c6-11e9-89b1-af58de8f7ec2",
 "value": "TEMP.Veles"
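Review bot: The added `capabilities` value in the first hunk names the malware TRISIS, while the `description` two lines above it calls the same framework TRITON, so a search or correlation rule keyed on one name matches only one of the two fields. Because the entry now carries two vendors' naming side by side, the new line could hold both and stay a plain string, e.g. `"capabilities": "TRISIS (TRITON), custom credential harvesting",`. The `since` value here and the `victimology` value in the second hunk appear to come from the Xenotime profile already listed in `refs`, whereas the description is written from the TEMP.Veles reporting. If that is the case, stating in the commit description which source the merged fields were taken from would let later reviewers weigh them against the rest of the entry.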