Dark Halo

Threat Actor Profile
Dark Halo is a threat actor identified by the cybersecurity firm Volexity and known for its malicious activity against organizations. The group gained notoriety for its involvement in the SolarWinds compromise, a significant cybersecurity incident that took place in June and July 2020. Leveraging vulnerabilities in the SolarWinds Orion software, Dark Halo breached an organization's network, demonstrating advanced capabilities and a strategic approach to its intrusions.

After being detected and removed from the compromised network, Dark Halo showed persistence by returning for a second attack, this time exploiting a vulnerability in the organization's Microsoft Exchange Control Panel. Towards the end of this incident, Volexity observed Dark Halo using a novel technique to bypass Duo multi-factor authentication (MFA) and gain access to a user's mailbox through the organization's Outlook Web App (OWA) service. This highlighted the group's resilience and adaptability in the face of security measures.

The primary objective of Dark Halo's operations, as evidenced by these incidents, was to access and obtain the emails of specific individuals at the targeted organization. While the group did use malware and red-teaming tools, these were largely reserved for specific one-time tasks and served as fallback mechanisms when other access avenues were blocked. This suggests that Dark Halo operates with a high degree of precision, focusing on its objectives while minimizing unnecessary exposure.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so the following are possible overlapping names and profiles you may also want to look at.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Associated Malware
No associations to display
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Dark Halo threat actor was read from the document corpus below. This display is limited to 20 results.

Source: MITRE, created 5 months ago, title: SolarStorm Supply Chain Attack Timeline
Source: MITRE, created a year ago, title: Dark Halo Leverages SolarWinds Compromise to Breach Organizations