Unique identification of threat actors despite being referenced in different galaxies
Hello,
As of today, MISP proposes three different galaxies to identify threat actors:

- Threat Actor galaxy, UUID 698774c7-8022-42c4-917f-8d6e4f06ada3: the historic MISP galaxy, with 303 entries and the majority of linked events
- Intrusion Set galaxy, UUID 1023f364-7831-11e7-8318-43b5531983ab: the names of ATT&CK Groups, with 93 entries and few events
- Microsoft Activity Group actor galaxy, UUID 74c869e8-0b8e-4e5f-96e6-cd992e07a505: activity groups as described by Microsoft, with 10 entries and few events
Some threat actors are present in all of the mentioned galaxies but have a different UUID in each, leading to dispersion of events and fragmentation. For example, APT28 has:

- UUID 213cdde9-c11a-4ea9-8ce0-c868e9826fec in the "Microsoft Activity Group actor" galaxy
- UUID 5b4ee3ea-eee3-4c8e-8323-85ae32658754 in the "Threat Actor" galaxy
- UUID bef4c620-0787-42a8-a96d-b7eb6e85917c in the "Intrusion Set" galaxy
Historically, the "Threat Actor" galaxy has been used by the majority of organizations, so the other galaxies, such as the ATT&CK "Intrusion Set" galaxy, go largely unused.

Threat actors shall be uniquely identified even when they are referenced in different galaxies.
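To show how the fragmentation described above can be measured and collapsed onto one canonical identifier per actor, here is an added example (not code from the MISP project) that links clusters across galaxies by normalised value/synonym overlap with a union-find, preferring the historic Threat Actor galaxy's UUID as the canonical one. The galaxy UUIDs and the three APT28 cluster UUIDs are the ones quoted in this issue; the cluster values, synonyms and the extra APT29 entry are constructed for illustration.

```python
import re
from collections import defaultdict

# Galaxy UUIDs and names as listed in this issue
GALAXIES = {
    "698774c7-8022-42c4-917f-8d6e4f06ada3": "Threat Actor",
    "1023f364-7831-11e7-8318-43b5531983ab": "Intrusion Set",
    "74c869e8-0b8e-4e5f-96e6-cd992e07a505": "Microsoft Activity Group actor",
}
PREFERRED_GALAXY = "698774c7-8022-42c4-917f-8d6e4f06ada3"  # historic galaxy wins

# Constructed sample clusters: (galaxy_uuid, cluster_uuid, value, synonyms).
# Cluster UUIDs for APT28 come from the issue; values/synonyms are assumed.
CLUSTERS = [
    ("698774c7-8022-42c4-917f-8d6e4f06ada3", "5b4ee3ea-eee3-4c8e-8323-85ae32658754", "APT28", ["Fancy Bear", "Sofacy"]),
    ("1023f364-7831-11e7-8318-43b5531983ab", "bef4c620-0787-42a8-a96d-b7eb6e85917c", "APT 28", ["Sednit"]),
    ("74c869e8-0b8e-4e5f-96e6-cd992e07a505", "213cdde9-c11a-4ea9-8ce0-c868e9826fec", "STRONTIUM", ["APT28"]),
    ("1023f364-7831-11e7-8318-43b5531983ab", "00000000-0000-4000-8000-000000000029", "APT29", ["Cozy Bear"]),
]

def _norm(name: str) -> str:
    """Fold 'APT 28', 'apt-28' and 'APT28' onto one lookup key."""
    return re.sub(r"[^a-z0-9]", "", name.lower())

def resolve(clusters):
    """Map every cluster UUID to one canonical UUID per real-world actor."""
    parent = {c[1]: c[1] for c in clusters}           # union-find forest
    def find(u):
        while parent[u] != u:
            parent[u] = parent[parent[u]]             # path halving
            u = parent[u]
        return u
    seen = {}                                          # normalised name -> cluster uuid
    for _, uuid, value, synonyms in clusters:
        for name in [value, *synonyms]:
            key = _norm(name)
            if key in seen:
                parent[find(uuid)] = find(seen[key])  # same name seen: merge
            else:
                seen[key] = uuid
    groups = defaultdict(list)
    for galaxy, uuid, _, _ in clusters:
        groups[find(uuid)].append((galaxy, uuid))
    canonical = {}
    for members in groups.values():
        preferred = [u for g, u in members if g == PREFERRED_GALAXY]
        canon = preferred[0] if preferred else min(u for _, u in members)
        canonical.update({u: canon for _, u in members})
    return canonical

def fragmented_actors(clusters):
    """Return {canonical_uuid: [galaxy names]} for actors split across galaxies."""
    canonical, by_canon = resolve(clusters), defaultdict(set)
    for galaxy, uuid, _, _ in clusters:
        by_canon[canonical[uuid]].add(GALAXIES.get(galaxy, galaxy))
    return {c: sorted(g) for c, g in by_canon.items() if len(g) > 1}
```

The same resolver can be run over the real galaxy JSON files (value plus `meta.synonyms` per cluster) to list every actor that is currently referenced under several UUIDs.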