
Also Known As
Solorigate | StellarParticle | Dark Halo
Origin
Russia
Target Countries
Argentina | Australia | Austria | Belgium | Bolivia | Bulgaria | Canada | Colombia | Côte d'Ivoire | Denmark | Dominican Republic | France | Germany | Hong Kong | India | Indonesia | Iran | Israel | Italy | Japan | Kenya | Kuwait | Luxembourg | Mexico | Namibia | Netherlands | New Zealand | Pakistan | Peru | Philippines | Qatar | Saudi Arabia | Singapore | South Africa | Spain | Sweden | Switzerland | Thailand | Turkey | Ukraine | United Arab Emirates | United Kingdom | United States | Vietnam
Targeted Verticals
Education
Critical Infrastructure
Financial Services
Government | Military
Telecommunications
Healthcare
MITRE TTPs
Account Manipulation: Exchange Email Delegate Permissions
Account Manipulation: Additional Cloud Credentials
Application Layer Protocol: Web Protocols
Archive Collected Data: Archive via Utility
Command and Scripting Interpreter: PowerShell
Command and Scripting Interpreter: Windows Command Shell
Credentials from Password Stores
Data Staged: Remote Data Staging
Deobfuscate/Decode Files or Information
Domain Policy Modification: Domain Trust Modification
Email Collection: Remote Email Collection
Event Triggered Execution: Windows Management Instrumentation Event Subscription
Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Exploit Public-Facing Application
Forge Web Credentials: Web Cookies
Forge Web Credentials: SAML Tokens
Impair Defenses: Disable or Modify System Firewall
Impair Defenses: Disable Windows Event Logging
Impair Defenses: Disable or Modify Tools
Match Legitimate Name or Location
Obfuscated Files or Information
Remote Services: Windows Remote Management
Scheduled Task/Job: Scheduled Task
Signed Binary Proxy Execution: Rundll32
Steal or Forge Kerberos Tickets: Kerberoasting
Subvert Trust Controls: Code Signing
Supply Chain Compromise: Compromise Software Supply Chain
Unsecured Credentials: Private Keys