This is a very challenging problem, especially if you don’t want to be over-concentrated on specific threat actors (as we suspect has happened here).