APT Database
Major threat actor profiles
Notable Campaigns & Operations
Significant cyber operations and their analysis
Major Campaign Timeline
Dec 2020 - Discovered
SolarWinds / SUNBURST (APT29 / Cozy Bear)
Supply chain compromise of SolarWinds Orion. Trojanized update (SUNBURST) deployed to ~18,000 orgs. TEARDROP & RAINDROP secondary payloads. Targeted US government agencies and major technology/security vendors. Demonstrated advanced OPSEC: DGA C2, steganography, SAML token forging (GoldenSAML).
2021 - Ongoing
Hafnium / ProxyLogon & ProxyShell (HAFNIUM)
Multiple Exchange Server zero-day chains. ProxyLogon (CVE-2021-26855 + CVE-2021-27065): SSRF → arbitrary file write → webshell. ProxyShell: Pre-auth RCE chain. Exploited by multiple Chinese APTs, then rapidly adopted by ransomware operators. Mass exploitation event.
2022
Ukraine Wiper Campaigns (Sandworm / Voodoo Bear)
Series of destructive wiper malware: WhisperGate, HermeticWiper, IsaacWiper, CaddyWiper, Industroyer2. Timed with kinetic military operations. Industroyer2 targeted Ukrainian power grid (ICS/SCADA). Combination of wipers, ransomware decoys, and supply chain compromise.
2023
Volt Typhoon - Living off the Land (China)
Chinese state actor targeting US critical infrastructure. Minimal malware; extensive use of LOLBins (ntdsutil, netsh, PowerShell). Long-term access to telecom, energy, water sectors. Focus on pre-positioning for potential conflict scenarios. Heavy use of compromised SOHO routers as ORBs (operational relay boxes).
2023
Storm-0558 - Cloud Token Compromise
Chinese threat actor obtained a consumer signing key from a major cloud provider. Forged identity tokens to access email of ~25 organizations including US government. Exploited validation flaw accepting consumer keys for enterprise tenants. Led to a major provider security overhaul.
2023-2024
Midnight Blizzard - Corporate Cloud Compromise (APT29)
Password spray against legacy non-MFA test tenant. Pivoted via OAuth app to access executive email. Exfiltrated source code repositories. Attempted to use stolen secrets for further access. Demonstrated risk of legacy configurations and OAuth app abuse.
2024
Salt Typhoon - Telecom Infiltration (China)
Massive compromise of US telecom providers (AT&T, Verizon, others). Accessed lawful intercept systems and call metadata. Targeted specific government officials' communications. Long-duration access measured in months. One of the largest telecom espionage operations ever disclosed.
2024-2025
Scattered Spider / Octo Tempest - Social Engineering
English-speaking threat actors using advanced social engineering. SIM swapping, helpdesk manipulation, MFA fatigue. Targeted major enterprises (MGM, Caesars, others). Combined social engineering with technical sophistication. Affiliate model with ALPHV/BlackCat ransomware.
Campaign Analysis Template
Structured Campaign Report Format
```
Campaign Analysis Report
════════════════════════
Campaign Name:    [Name / Operation codename]
Attribution:      [APT group / Confidence level (low/medium/high)]
Timeframe:        [First observed - Last observed]
Motivation:       [Espionage / Destruction / Financial / Hacktivism]
Target Profile:   [Sectors, geographies, specific orgs]

Kill Chain Mapping:
  Recon:          [Methods: OSINT, scanning, social media]
  Weaponization:  [Malware used, exploits leveraged]
  Delivery:       [Spearphish, watering hole, supply chain]
  Exploitation:   [CVEs, zero-days, social engineering]
  Installation:   [Persistence mechanisms]
  C2:             [Infrastructure, protocols, evasion]
  Actions:        [Data exfil, destruction, lateral movement]

Diamond Model:
  Adversary:      [Group, sub-group, operators]
  Capability:     [Tools, malware, exploits]
  Infrastructure: [Domains, IPs, certificates]
  Victim:         [Target characterization]

IOCs:             [Hashes, domains, IPs, YARA rules]
MITRE Mapping:    [Technique IDs with context]
Detection:        [Sigma rules, KQL queries, behavioral indicators]
Recommendations:  [Defensive actions, hunting queries]
```
Diamond Model Analysis
Structured intrusion analysis using the Diamond Model
The Diamond Model
```
                    ┌─────────────┐
                    │  ADVERSARY  │
                    │  Who is the │
                    │ threat actor│
                    └──────┬──────┘
                           │
   Social-Political ───────│ (motivation, targeting)
                           │
  ┌─────────────┐          │          ┌─────────────┐
  │ CAPABILITY  │──────────┼──────────│ INFRASTRUC- │
  │ Tools, TTPs,│ Technical│          │    TURE     │
  │ malware,    │   Axis   │          │ Domains,IPs,│
  │ exploits    │          │          │ certs, C2   │
  └─────────────┘          │          └─────────────┘
                           │
                    ┌──────┴──────┐
                    │   VICTIM    │
                    │ Target org, │
                    │  persona,   │
                    │  vulnerab.  │
                    └─────────────┘
```
Axes:
• Technical Axis: Capability ↔ Infrastructure (tools connect to infra)
• Social-Political Axis: Adversary ↔ Victim (motivation drives targeting)
Meta-Features:
• Timestamp: When did each event occur?
• Phase: Kill chain phase
• Result: Success / failure / unknown
• Direction: Adversary→Victim, Victim→Adversary, Bidirectional
• Methodology: General class of activity
• Resources: What was required (cost, skill, time)
Diamond Model - Pivot Analysis
| Starting Point | Pivot To | Method | Example |
|---|---|---|---|
| Infrastructure (IP) | Other victims | Passive DNS, scan data | Same C2 IP seen targeting multiple orgs |
| Infrastructure (domain) | Adversary infra | WHOIS, registrar patterns | Same registrant email across domains |
| Capability (malware hash) | Infrastructure | Sandbox C2 extraction | Malware config reveals C2 domains |
| Capability (malware family) | Adversary | Code similarity, TTPs | Shared codebase links campaigns |
| Victim (sector) | Adversary intent | Targeting analysis | Defense sector → nation-state espionage |
| Adversary (known group) | Future targets | Historical targeting | APT28 historically targets NATO |
| Infrastructure (cert) | Related infra | Certificate transparency | Same self-signed cert across IPs |
| Capability (exploit) | Adversary tier | Capability assessment | Zero-day use → well-resourced actor |
Activity Grouping & Clustering
```
Activity Thread: A sequence of events linked by at least one shared Diamond vertex.
  Thread = Event₁ → Event₂ → Event₃ ... (shared adversary, infra, or capability)

Activity Group: Cluster of activity threads with shared features.
  Used for campaign-level analysis and actor tracking.

Clustering Approaches:

  Adversary-Centric Grouping: Group all activities attributed to the same actor
    Risk: Attribution errors cascade across the entire group
    Use:  When attribution confidence is high

  Capability-Centric Grouping: Group by shared tools/malware/techniques
    Risk: Tools can be shared, sold, or false-flagged
    Use:  When unique custom tooling is observed

  Infrastructure-Centric Grouping: Group by shared C2, hosting, domains
    Risk: Shared hosting, bulletproof hosts used by multiple actors
    Use:  When infrastructure is unique/custom

  Victim-Centric Grouping: Group by common targeting patterns
    Risk: Multiple actors target the same sectors
    Use:  When defending a specific sector/org
```
TTP Mapping & Trends
MITRE ATT&CK mapping patterns across APT groups
Most Common APT Techniques (2023-2025)
| Technique | ATT&CK ID | Used By | Trend |
|---|---|---|---|
| Phishing: Spearphishing Attachment | T1566.001 | Nearly all APTs | Evolving (QR codes, OneNote, HTML smuggling) |
| Exploitation of Public-Facing App | T1190 | Volt Typhoon, HAFNIUM, multiple | ↑ Increasing (VPN/firewall zero-days) |
| Valid Accounts | T1078 | APT29, Storm-0558, Scattered Spider | ↑ Major trend (credential theft, token forging) |
| Command & Scripting Interpreter | T1059 | Most APTs | → Stable (PowerShell, cmd, Python) |
| OS Credential Dumping | T1003 | APT28, APT29, Lazarus | ↗ Evolving (LSASS alternatives) |
| Proxy: External Proxy / ORBs | T1090.002 | Chinese APTs (Volt/Salt Typhoon) | ↑ Major trend (compromised routers) |
| Ingress Tool Transfer | T1105 | Most APTs | → Stable |
| Remote Services (RDP, SSH, SMB) | T1021 | Most APTs | → Stable |
| Impair Defenses: Disable Tools | T1562.001 | Sandworm, ransomware actors | ↑ BYOVD trend (bring your own vulnerable driver) |
| Data from Cloud Storage | T1530 | APT29, Storm-0558 | ↑ Cloud focus |
Emerging TTP Trends
Living-off-the-Land (LOTL)
Nation-state actors increasingly avoid custom malware in favor of built-in OS tools.
| LOLBin | Abuse |
|---|---|
| ntdsutil.exe | AD database (NTDS.dit) extraction |
| netsh.exe | Port forwarding, firewall changes |
| certutil.exe | Download files, encode/decode |
| wmic.exe | Recon, lateral movement |
| PowerShell | Everything (encoded commands) |
| reg.exe | SAM/SECURITY hive export |
Edge Device Exploitation
VPN appliances, firewalls, and routers are prime initial access targets.
| Target | Example CVEs |
|---|---|
| Ivanti/Pulse Secure VPN | CVE-2023-46805, CVE-2024-21887 |
| Fortinet FortiGate | CVE-2022-42475, CVE-2023-27997 |
| Citrix NetScaler | CVE-2023-3519 (CitrixBleed) |
| Palo Alto PAN-OS | CVE-2024-3400 |
| SOHO Routers | Used as ORB infrastructure |
TTP Comparison: Russia vs China vs DPRK vs Iran
| Aspect | Russia (SVR/GRU) | China (MSS/PLA) | DPRK (RGB) | Iran (MOIS/IRGC) |
|---|---|---|---|---|
| Primary Goal | Espionage + Disruption | Espionage + IP Theft + Pre-positioning | Financial Theft + Espionage | Espionage + Retaliation |
| Initial Access | Spearphish, supply chain, cred theft | N-day exploits, edge devices, LOTL | Social engineering, supply chain, crypto | Spearphish, web exploits, VPN exploits |
| Stealth | Very high (APT29), moderate (APT28) | Very high (Volt Typhoon LOTL) | Moderate (improving) | Moderate |
| Custom Tooling | Extensive (SUNBURST, custom implants) | Mix (some custom, heavy LOTL) | Custom (BLINDINGCAN, AppleJeus) | Moderate (MuddyC2Go, custom) |
| Destructive | Yes (Sandworm wipers) | Rare (pre-positioning focus) | Occasionally (DarkSeoul) | Yes (Shamoon, wipers) |
| Cloud Focus | High (token forging, OAuth) | Growing (Storm-0558) | Moderate | Growing |
IOC Analysis Framework
Indicator processing, enrichment, and correlation
Pyramid of Pain
```
                          /\
                         /  \
                        /    \      TTPs (Tactics, Techniques, Procedures)
                       / TOUGH\     ← Hardest for adversary to change
                      /--------\    Detection = behavioral, highest value
                     /          \
                    / Challenging\  Tools (malware families, custom tools)
                   /--------------\ ← Requires retooling
                  /                \
                 /     Annoying     \  Network/Host Artifacts
                /--------------------\ (URI patterns, C2 protocols, mutexes)
               /                      \
              /         Simple         \  Domain Names
             /--------------------------\ ← Easy to register new ones
            /                            \
           /            Easy              \  IP Addresses
          /--------------------------------\ ← Trivial to change
         /                                  \
        /             Trivial                \  Hash Values (file hashes)
       /--------------------------------------\ ← One-bit change = new hash
      /________________________________________\
```
Investment strategy: Focus detection at TOP of pyramid
IOC feeds give you the bottom; behavioral detection gives you the top.
IOC Types & Analysis
| IOC Type | Sources | Enrichment | Shelf Life |
|---|---|---|---|
| File Hashes (MD5/SHA256) | Sandbox, AV, IR | VT, MalwareBazaar, YARA match | Hours-Days (recompile) |
| IP Addresses | Network logs, sandbox | Whois, ASN, geolocation, reputation | Hours-Weeks |
| Domains | DNS logs, sandbox, CT logs | WHOIS, pDNS, registration patterns | Days-Months |
| URLs | Proxy logs, email headers | URL reputation, content analysis | Hours-Days |
| Email Addresses | Phishing analysis | Breach databases, OSINT | Weeks-Months |
| SSL Certificates | CT logs, scanning | Subject, issuer, serial patterns | Months (until revoked) |
| YARA Rules | Malware analysis | Retrohunt, file scanning | Months-Years (behavioral) |
| Behavioral (TTPs) | IR, threat research | ATT&CK mapping, detection rules | Months-Years |
IOC Enrichment Workflow
```
# Automated IOC enrichment pipeline

1. Ingest:    Receive IOC (hash, IP, domain, URL)
   │
2. Validate:  Format check, defang/refang, dedup
   │  └── Strip [.] → ., hxxp → http, etc.
   │
3. Classify:  Determine IOC type
   │  └── Hash (MD5/SHA1/SHA256), IPv4/v6, FQDN, URL, Email
   │
4. Enrich:    Query multiple sources
   │  ├── VirusTotal (detections, relationships, behavior)
   │  ├── Passive DNS (domain ↔ IP history)
   │  ├── WHOIS (registration, registrant)
   │  ├── Shodan/Censys (open ports, services, certs)
   │  ├── Threat intel feeds (known bad, campaigns)
   │  ├── GeoIP (location, ASN, ISP)
   │  └── Internal telemetry (seen in our environment?)
   │
5. Correlate: Link related IOCs
   │  ├── Same infrastructure cluster?
   │  ├── Same malware family?
   │  ├── Same campaign / threat actor?
   │  └── Diamond Model vertex alignment
   │
6. Score:     Confidence + Severity
   │  ├── How many sources confirm?
   │  ├── How fresh is the IOC?
   │  ├── Context (targeted vs commodity)?
   │  └── Relevance to our environment?
   │
7. Action:    Block, Alert, Hunt, or Monitor
      └── Deploy to detection systems (SIEM, EDR, firewall)
```
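As an added example (not code from the original page), steps 2, 3 and 6 of the workflow above in Python: refang and classify raw indicators, drop duplicates and unrecognized input, then score a classified IOC from the number of confirming sources, its age relative to the shelf life in the IOC table below, and its context. The scoring weights, action policy and sample values are assumptions.

```python
"""IOC intake: refang, classify, dedup and score (added example).

Implements steps 2, 3 and 6 of the enrichment workflow with the standard
library only; step 4 results are passed to score() as plain arguments.
"""
import ipaddress
import re
from datetime import datetime, timedelta, timezone

_HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
_FQDN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
_SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)


def refang(ioc: str) -> str:
    """Undo common defanging: hxxp -> http, [.] (.) [dot] -> ., [@] -> @, [:] -> :."""
    s = ioc.strip()
    s = re.sub(r"^hxxp(s?)\[?:\]?//", r"http\1://", s, flags=re.I)
    s = re.sub(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]", ".", s, flags=re.I)
    return s.replace("[@]", "@").replace("[:]", ":")


def classify(ioc: str):
    """Return (ioc_type, normalized_value); ioc_type is None if unrecognized."""
    v = refang(ioc)
    if len(v) in _HASH_TYPES and re.fullmatch(r"[0-9a-fA-F]+", v):
        return _HASH_TYPES[len(v)], v.lower()
    try:                                       # covers IPv4 and IPv6
        ip = ipaddress.ip_address(v)
        return f"ipv{ip.version}", str(ip)
    except ValueError:
        pass
    if _SCHEME_RE.match(v):
        return "url", v
    if _EMAIL_RE.match(v):
        return "email", v.lower()
    host = v.rstrip(".")
    if _FQDN_RE.match(host):
        return "fqdn", host.lower()
    return None, v


def intake(raw_iocs):
    """Steps 2-3: refang, classify and dedup; unrecognized input is dropped."""
    out, seen = [], set()
    for raw in raw_iocs:
        ioc_type, value = classify(raw)
        if ioc_type is None or (ioc_type, value) in seen:
            continue
        seen.add((ioc_type, value))
        out.append((ioc_type, value))
    return out


# Rough shelf life in days per type, following the IOC Types table on this page.
_SHELF_LIFE_DAYS = {"md5": 2, "sha1": 2, "sha256": 2, "url": 2,
                    "ipv4": 7, "ipv6": 7, "fqdn": 60, "email": 60}


def score(ioc_type, sources_confirming, first_seen, now, targeted, seen_internally):
    """Step 6: (confidence 0-100, severity 0-100, action). Weights are an assumed policy."""
    confidence = min(100, 25 * sources_confirming)             # corroboration
    if (now - first_seen).days > 2 * _SHELF_LIFE_DAYS.get(ioc_type, 30):
        confidence //= 2                                       # past shelf life
    severity = 40 + (30 if targeted else 0) + (30 if seen_internally else 0)
    if seen_internally and confidence >= 50:
        action = "alert"      # already in our environment: investigate now
    elif confidence >= 50:
        action = "block"      # confident, not yet seen: preventive control
    elif targeted:
        action = "hunt"       # weak evidence but targeted: go look for it
    else:
        action = "monitor"
    return confidence, severity, action


def sample_scores():
    """Constructed cases: fresh corroborated hash vs. stale single-source domain."""
    now = datetime(2025, 1, 10, tzinfo=timezone.utc)
    fresh = score("sha256", 3, now - timedelta(days=1), now, True, False)
    stale = score("fqdn", 1, now - timedelta(days=200), now, False, False)
    return fresh, stale
```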
STIX/TAXII Intelligence Sharing
STIX 2.1 Domain Objects
| Object | Purpose | Key Fields |
|---|---|---|
| Attack Pattern | TTP description | ATT&CK technique mapping |
| Campaign | Named operation | First/last seen, objectives |
| Indicator | Observable IOC | Pattern (STIX patterning), valid_from/until |
| Intrusion Set | Threat actor grouping | Aliases, goals, resource_level |
| Malware | Malware instance | Malware types, capabilities, architecture |
| Threat Actor | Individual/group | Roles, sophistication, motivation |
| Tool | Legitimate/dual-use | Tool types (info-gathering, credential-exploitation) |
| Vulnerability | CVE reference | CVE ID, description |
| Relationship | Links objects | Uses, targets, attributed-to, indicates |
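An added example, not from the original page, that builds the Indicator, Intrusion Set and Relationship objects from the table above as plain STIX 2.1 JSON (standard library only, no stix2 package) and rejects a bundle whose relationship refs do not resolve. The actor name, alias and C2 domain are constructed placeholders.

```python
"""STIX 2.1 bundle: Indicator --indicates--> Intrusion Set (added example).

Written against the STIX 2.1 JSON layout directly (no stix2 package) so it
runs with the standard library.  Actor, alias and C2 domain are placeholders.
"""
import uuid
from datetime import datetime, timedelta, timezone

# STIX patterning templates per IOC type, used in the Indicator `pattern` field
_PATTERNS = {
    "sha256": "[file:hashes.'SHA-256' = '{v}']",
    "md5": "[file:hashes.MD5 = '{v}']",
    "ipv4": "[ipv4-addr:value = '{v}']",
    "fqdn": "[domain-name:value = '{v}']",
    "url": "[url:value = '{v}']",
    "email": "[email-addr:value = '{v}']",
}


def _ts(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%S.000Z")   # STIX timestamp format


def _new_id(stix_type):
    return f"{stix_type}--{uuid.uuid4()}"


def _common(stix_type, created):
    """Properties every STIX 2.1 object carries."""
    return {"type": stix_type, "spec_version": "2.1", "id": _new_id(stix_type),
            "created": _ts(created), "modified": _ts(created)}


def make_indicator(ioc_type, value, created, valid_days=30, name=None):
    """Indicator SDO: pattern plus the valid_from/valid_until window."""
    escaped = value.replace("\\", "\\\\").replace("'", "\\'")  # STIX string escaping
    obj = _common("indicator", created)
    obj.update({
        "name": name or f"{ioc_type}:{value}",
        "indicator_types": ["malicious-activity"],
        "pattern_type": "stix",
        "pattern": _PATTERNS[ioc_type].format(v=escaped),
        "valid_from": _ts(created),
        "valid_until": _ts(created + timedelta(days=valid_days)),
    })
    return obj


def make_intrusion_set(name, aliases, created, resource_level="government"):
    obj = _common("intrusion-set", created)
    obj.update({"name": name, "aliases": aliases, "resource_level": resource_level})
    return obj


def relate(source, target, rel_type, created):
    """Relationship SRO, e.g. indicator --indicates--> intrusion-set."""
    obj = _common("relationship", created)
    obj.update({"relationship_type": rel_type,
                "source_ref": source["id"], "target_ref": target["id"]})
    return obj


def dangling_refs(objects):
    """Relationship refs that point at objects missing from the set."""
    ids = {o["id"] for o in objects}
    return [o[ref] for o in objects if o["type"] == "relationship"
            for ref in ("source_ref", "target_ref") if o[ref] not in ids]


def bundle(objects):
    """Wrap objects in a STIX bundle, refusing unresolved relationship refs."""
    missing = dangling_refs(objects)
    if missing:
        raise ValueError(f"dangling refs: {missing}")
    return {"type": "bundle", "id": _new_id("bundle"), "objects": objects}


def build_sample_bundle():
    """Constructed sample: one C2 domain indicating a placeholder intrusion set."""
    now = datetime(2025, 1, 15, tzinfo=timezone.utc)
    actor = make_intrusion_set("EXAMPLE-ACTOR", ["PLACEHOLDER-ALIAS"], now)
    ind = make_indicator("fqdn", "c2-update.example", now, name="C2 domain")
    return bundle([actor, ind, relate(ind, actor, "indicates", now)])
```

`json.dumps(build_sample_bundle(), indent=2)` gives a bundle that a TAXII server or MISP's STIX importer will accept as-is.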
Attribution Methodology
Linking cyber operations to threat actors with appropriate confidence
Attribution Evidence Layers
```
Layer 5: Geopolitical Context                      [Lowest confidence alone]
  └── Motivation alignment, timing with events, targeting patterns
      "Who benefits? Does timing align with geopolitical events?"

Layer 4: Organizational Behavior
  └── Working hours (timezone), language artifacts, operational tempo
      "9-5 Beijing time? Mandarin compiler? Holiday patterns?"

Layer 3: Campaign & Infrastructure Patterns
  └── Domain registration, hosting providers, C2 patterns, reuse
      "Same registrant? Same bulletproof host? Same C2 protocol?"

Layer 2: Malware & Tool Analysis
  └── Code similarity, shared libraries, unique artifacts, PDB paths
      "Same codebase? Same build environment? Unique encryption?"

Layer 1: Forensic Evidence                         [Highest confidence alone]
  └── OPSEC failures, metadata, direct evidence
      "Left debug symbols? Logged into personal account? VPN leaked?"

┌────────────────────────────────────────────────────────────────┐
│  STRONG attribution requires MULTIPLE layers of evidence.      │
│  Single-layer attribution is EASILY manipulated (false flag).  │
└────────────────────────────────────────────────────────────────┘
```
False Flag Indicators
| False Flag Technique | Example | How to Detect |
|---|---|---|
| Planted language artifacts | Olympic Destroyer (Russian ops planted DPRK code) | Inconsistency with other evidence layers |
| Reused known APT tools | Using leaked Equation Group tools | Tool alone ≠ attribution (tools get shared/leaked) |
| Fake WHOIS data | Registration mimicking known actor patterns | Cross-reference with passive DNS history |
| Timezone manipulation | Setting compile times to wrong timezone | Look for inconsistencies across artifacts |
| Metadata planting | Inserting specific usernames or paths | Compare with behavioral and infrastructure evidence |
Confidence Assessment Framework
| Level | Meaning | Evidence Required | Language |
|---|---|---|---|
| High | Attribution is well-established | Multiple independent layers, corroborated by multiple sources | "We assess with high confidence that..." |
| Moderate | Attribution is credibly supported | Multiple evidence types, some gaps | "We assess with moderate confidence that..." |
| Low | Attribution is plausible but uncertain | Limited evidence, single source or layer | "We assess with low confidence that..." |
| Unattributed | Insufficient evidence | Insufficient evidence for any attribution | "The activity remains unattributed..." |
Malware Family Tracker
Major malware families used by APT groups
APT Malware Arsenal
| Malware | Type | APT Group | Key Capabilities |
|---|---|---|---|
| SUNBURST | Backdoor | APT29 (Cozy Bear) | Supply chain trojan, DGA C2, steganography, anti-analysis |
| Cobalt Strike Beacon | RAT/C2 | Multiple (also eCrime) | HTTP/HTTPS/DNS C2, BOFs, malleable profiles, memory-only |
| CHOPSTICK / X-Agent | Modular backdoor | APT28 (Fancy Bear) | Keylogging, file theft, screenshot, modular plugins |
| PlugX / ShadowPad | RAT | Multiple Chinese APTs | DLL sideloading, modular, shared across Chinese groups |
| Industroyer / CrashOverride | ICS malware | Sandworm | ICS protocol manipulation (IEC 104, OPC DA), grid disruption |
| BLINDINGCAN / DRATzarus | RAT | Lazarus Group | Full RAT capabilities, defense/aerospace targeting |
| AppleJeus | Trojan | Lazarus Group | Fake crypto trading apps, macOS + Windows |
| Shamoon / Disttrack | Wiper | APT33 (Iran) | MBR wipe, file destruction, used against Saudi Aramco |
| BlackCat/ALPHV | Ransomware | eCrime (affiliates) | Rust-based, cross-platform, triple extortion |
| BPFDoor | Backdoor | Red Menshen (China) | BPF-based passive backdoor, evades firewalls |
| MuddyC2Go | C2 Framework | MuddyWater (Iran) | Golang C2, PowerShell payloads |
| PIPEDREAM / INCONTROLLER | ICS framework | Likely state-sponsored | Multi-ICS protocol, Schneider/Omron targeting |
Malware Analysis Indicators for Attribution
Code-Level Indicators:
• PDB paths: developer environment, username, project names
• Compiler: MSVC version, GCC, Clang, Delphi, Go, Rust
• Build timestamps: timezone inference (if not zeroed/faked)
• String artifacts: language, debug messages, error handling
• Code reuse: shared libraries, copy-paste between families
• Crypto constants: custom vs standard implementations
• Mutex names: campaign identifiers, versioning
Behavioral Indicators:
• C2 protocol: custom vs standard, beacon patterns
• Sleep patterns: jitter, business-hours awareness
• Anti-analysis: specific VM/sandbox checks
• Persistence: registry keys, services, scheduled tasks
• Collection: what data is targeted, staging methods
• Exfil methods: encrypted, steganography, legitimate services
Infrastructure Patterns
C2 infrastructure analysis and tracking
Operational Relay Box (ORB) Networks
```
       Adversary Operator
                │
                ▼
       ┌─────────────────┐
       │   VPN / Tor     │  Layer 1: Anonymization
       │  Entry Point    │
       └────────┬────────┘
                │
                ▼
       ┌─────────────────┐
       │  Compromised    │  Layer 2: ORB Network
       │  SOHO Routers   │  (residential IPs, hard to block)
       │ (TP-Link,ASUS)  │  Hundreds of nodes, rotating
       └────────┬────────┘
                │
                ▼
       ┌─────────────────┐
       │  Relay / Proxy  │  Layer 3: Relay Infrastructure
       │  (Cloud VPS)    │  Leased servers, bulletproof hosting
       └────────┬────────┘
                │
                ▼
       ┌─────────────────┐
       │   C2 Server     │  Layer 4: Command & Control
       │ (Domain fronted │  Legitimate-looking domains
       │  or legitimate  │  CDN abuse, cloud service abuse
       │   service)      │
       └────────┬────────┘
                │
                ▼
         Victim Network
```
Volt Typhoon model: SOHO router botnets as ORBs.
Traffic appears to come from residential IPs, which makes it very hard to detect or block.
Infrastructure Tracking Techniques
| Technique | Tool/Source | What You Find |
|---|---|---|
| Passive DNS | Farsight DNSDB, RiskIQ, SecurityTrails | Historical domain→IP mappings, DNS changes |
| Certificate Transparency | crt.sh, Censys, CT logs | SSL certs issued, domain associations |
| WHOIS Analysis | DomainTools, WHOIS | Registrant patterns, registration dates, privacy services |
| Port Scanning | Shodan, Censys, ZoomEye | Open ports, services, banners, TLS configs |
| JARM/JA3 Fingerprinting | Shodan, custom scanning | TLS implementation fingerprints for C2 identification |
| HTTP Response Hashing | Shodan favicon hash, HTML body hash | Unique server configurations across IPs |
| ASN Analysis | BGP data, ASN lookups | Hosting patterns, bulletproof providers |
| Domain Generation Algorithm | DGA detection tools | Predicted future C2 domains |
C2 Framework Fingerprinting
| Framework | Default Indicators | JARM Hash (Default) |
|---|---|---|
| Cobalt Strike | checksum8 URI, x86/x64 stager, default cert | 07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1 |
| Metasploit | Default URI patterns, Meterpreter beacon | 07d14d16d21d21d00042d41d00041de5fb3038104f457d92ba02e9311512c2 |
| Sliver | mTLS, HTTP(S), DNS, WireGuard | Varies (Go TLS implementation) |
| Brute Ratel | DOH C2, sleep obfuscation | Varies (customizable) |
| Havoc | HTTPS, SMB named pipes | Newer, less signature coverage |
Collection & Sources
Intelligence sources for threat research
Open Source Intelligence (OSINT) Sources
| Category | Source | What You Get |
|---|---|---|
| Malware Analysis | VirusTotal, MalwareBazaar, Hybrid Analysis, ANY.RUN | Samples, detections, behavior, relationships |
| Threat Reports | Vendor blogs (MS, Mandiant, CrowdStrike, ESET, Recorded Future) | Campaign analysis, IOCs, TTPs |
| IOC Feeds | AlienVault OTX, Abuse.ch, OpenCTI, MISP | Community IOC sharing |
| Vulnerability Intel | NVD, CVE, CISA KEV, Exploit-DB | CVE details, exploit availability, EPSS |
| Infrastructure | Shodan, Censys, Farsight DNSDB, crt.sh | Internet scanning, passive DNS, certificates |
| Code/Leaks | GitHub, Pastebin monitoring | Leaked tools, credentials, configs |
| Dark Web | Dark web monitoring services | Actor communications, sales, leaks |
| Government | CISA Advisories, FBI Flash, NSA CSAs, Five Eyes | Official attribution, defensive guidance |
Intelligence Cycle for APT Tracking
```
1. Direction / Requirements
   └── What APT groups target our sector? What TTPs are trending?
       What's our coverage gap?

2. Collection
   └── Monitor feeds, vendor reports, OSINT sources
       Track infrastructure changes, new malware samples
       Internal telemetry (EDR, SIEM, network sensors)

3. Processing
   └── Normalize IOCs, extract metadata
       Map to MITRE ATT&CK, enrich indicators
       Dedup, validate, timestamp

4. Analysis
   └── Cluster activities → campaigns → actors
       Diamond Model analysis for each intrusion set
       Identify trends, predict future operations

5. Dissemination
   └── Strategic intel → leadership (threat landscape)
       Operational intel → security teams (campaigns)
       Tactical intel → SOC/IR (IOCs, detection rules)

6. Feedback
   └── Were detections effective? Did hunting queries find anything?
       Adjust collection priorities
```
Threat Actor Naming Crosswalk
Weather-themed actor names and common cross-references
Weather-Themed Naming Convention
Some vendor taxonomies use weather-themed names based on nation-state affiliation or activity clusters. "Storm-XXXX" style names often designate developing clusters not yet attributed to a known group.
| Weather Theme | Nation/Motivation | Examples |
|---|---|---|
| Blizzard | Russia | Midnight Blizzard (APT29), Forest Blizzard (APT28), Seashell Blizzard (Sandworm) |
| Typhoon | China | Volt Typhoon, Salt Typhoon, Silk Typhoon (HAFNIUM), Flax Typhoon |
| Sandstorm | Iran | Mango Sandstorm (APT35), Mint Sandstorm (APT35), Peach Sandstorm (APT33) |
| Sleet | North Korea | Diamond Sleet (Lazarus), Jade Sleet, Citrine Sleet, Ruby Sleet |
| Tempest | eCrime / Financial | Octo Tempest (Scattered Spider), Manatee Tempest, Pistachio Tempest |
| Tsunami | Private Sector Offensive | Commercial surveillance vendors |
| Storm-XXXX | Developing / Unattributed | Storm-0558, Storm-0501, Storm-1567 |
| Flood | Influence Operations | Information operations, disinformation |
Key Tracked Actors - Cross-Reference
| Weather-Themed Name | Other Names | Nation | Notable Activity |
|---|---|---|---|
| Midnight Blizzard | APT29, Cozy Bear, The Dukes, NOBELIUM | Russia (SVR) | SolarWinds, major cloud provider breach, diplomatic espionage |
| Forest Blizzard | APT28, Fancy Bear, Strontium, Sofacy | Russia (GRU 26165) | Election interference, NATO targeting, Olympic Destroyer |
| Seashell Blizzard | Sandworm, Voodoo Bear, IRIDIUM | Russia (GRU 74455) | NotPetya, Ukraine wipers, Industroyer, power grid attacks |
| Volt Typhoon | BRONZE SILHOUETTE, Insidious Taurus | China | US critical infrastructure LOTL, pre-positioning |
| Salt Typhoon | GhostEmperor, FamousSparrow | China | Telecom infiltration, lawful intercept access |
| Silk Typhoon | HAFNIUM | China | Exchange Server exploitation (ProxyLogon) |
| Diamond Sleet | Lazarus Group, ZINC, Hidden Cobra | DPRK (RGB) | Crypto theft, defense industry, supply chain |
| Citrine Sleet | AppleJeus operator | DPRK | Cryptocurrency targeting, fake trading platforms |
| Mint Sandstorm | APT35, Charming Kitten, Phosphorus | Iran (IRGC) | Academic/research targeting, credential theft |
| Peach Sandstorm | APT33, Elfin, Refined Kitten | Iran | Defense/energy targeting, Shamoon association |
| Octo Tempest | Scattered Spider, 0ktapus, UNC3944 | eCrime | Social engineering, SIM swap, MFA fatigue, ALPHV affiliate |
Threat Intelligence API Reference
Threat intelligence enrichment patterns for R&D workflows
Threat Intelligence Capabilities
| Feature | Description | R&D Application |
|---|---|---|
| Threat Articles | Vendor-authored threat intel reports | Stay current on campaigns, validate findings |
| Intel Profiles | Detailed actor/tool/vulnerability profiles | Reference during campaign analysis |
| Indicator Search | Enrich IOCs with vendor telemetry and open-source data | Validate IOCs, find related infrastructure |
| Data Sets | Passive DNS, WHOIS, certificates, trackers, components | Infrastructure mapping, pivot analysis |
| Reputation Scoring | IP/domain reputation based on telemetry and intelligence sources | Prioritize investigation targets |
| Attack Surface | External-facing asset discovery | Identify exposure, validate vulnerabilities |
Threat Intel API Example
```http
# Query a threat intelligence API for indicator enrichment
# Example: Microsoft Graph Security threat intelligence endpoints (beta)

# Get threat intelligence article
GET https://graph.microsoft.com/beta/security/threatIntelligence/articles/{articleId}

# Search indicators (host summary)
GET https://graph.microsoft.com/beta/security/threatIntelligence/hosts/{hostName}

# Passive DNS for a host
GET https://graph.microsoft.com/beta/security/threatIntelligence/hosts/{hostName}/passiveDns

# WHOIS record
GET https://graph.microsoft.com/beta/security/threatIntelligence/hosts/{hostName}/whois

# Reputation
GET https://graph.microsoft.com/beta/security/threatIntelligence/hosts/{hostName}/reputation

# Components (web technologies)
GET https://graph.microsoft.com/beta/security/threatIntelligence/hosts/{hostName}/components

# SSL Certificates
GET https://graph.microsoft.com/beta/security/threatIntelligence/hosts/{hostName}/sslCertificates
```
KQL Hunting Queries for APT Activity
SIEM / EDR Advanced Hunting
```kql
// Detect Volt Typhoon LOTL techniques
// "ifm" = ntdsutil "install from media", used to dump NTDS.dit without touching LSASS
DeviceProcessEvents
| where FileName in~ ("ntdsutil.exe", "netsh.exe", "certutil.exe")
| where ProcessCommandLine has_any ("ifm", "portproxy", "urlcache", "activate instance ntds")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine

// Detect token forging / Golden SAML patterns
// Successful sign-ins whose token issuer is neither the cloud IdP nor the expected STS
AADSignInEventsBeta
| where ErrorCode == 0
| where isnotempty(TokenIssuerName) and TokenIssuerType != "AzureAD"
| where TokenIssuerName !startswith "https://sts.windows.net"
| project Timestamp, AccountUpn, IPAddress, TokenIssuerName

// Detect suspicious OAuth app consent / permission grants
// (Midnight Blizzard-style OAuth app abuse, see the campaign timeline above)
CloudAppEvents
| where ActionType == "Add OAuth2PermissionGrant" or ActionType == "Consent to application"
| where RawEventData has "ReadWrite.All" or RawEventData has "full_access_as_app"
| project Timestamp, AccountDisplayName, ActionType, Application

// Detect SOHO router C2 beaconing (ORB detection)
// Many connections per hour to one public IP on a single port = regular beaconing pattern
DeviceNetworkEvents
| where RemoteIPType == "Public"
// Belt and braces: also exclude RFC 1918 ranges explicitly
| where not(RemoteIP matches regex @"^(10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.)")
| summarize ConnectionCount=count(), DistinctPorts=dcount(RemotePort) by RemoteIP, bin(Timestamp, 1h)
| where ConnectionCount > 20 and DistinctPorts == 1
```