Dark Halo

Threat Actor Profile (updated a month ago)
Dark Halo is the name cybersecurity company Volexity uses for a threat actor it tracked across three intrusions into the same US-based think tank. After the actor was removed from the network following the first intrusion, it regained access by exploiting a vulnerability in the organization's Microsoft Exchange Control Panel (the CVE-2020-0688 entry under Associated Vulnerabilities below). Near the end of that second intrusion, Dark Halo bypassed Duo multi-factor authentication (MFA) with a novel technique in order to read a user's mailbox through the organization's Outlook Web App (OWA) service. In the third intrusion, in June and July 2020, the actor got back in through the compromised SolarWinds Orion software; this is the activity that brought the group to public attention when Volexity published its findings in December 2020. Across all three intrusions the primary objective was to obtain emails from specific individuals within the organization. Malware and red-teaming tools were used, but largely for specific one-time tasks and as a fallback when other avenues of access were closed off. Several agencies link Dark Halo's activity to Nobelium (also tracked as APT29, SVR group, Cozy Bear, Midnight Blizzard, BlueBravo and The Dukes), but the French cybersecurity agency ANSSI treats them as separate threat clusters and attributes the 2020 SolarWinds attack specifically to Dark Halo.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Each entry below gives the profile name, the number of votes for the overlap, and the opening of that profile's description.

APT29 (1 vote)
APT29, also known as Cozy Bear, SVR group, BlueBravo, Nobelium, Midnight Blizzard, and The Dukes, is a threat actor linked to Russia and generally attributed to Russia's Foreign Intelligence Service (SVR). It has been associated with several high-profi

Cozy Bear (1 vote)
Cozy Bear, also known as APT29, is a threat actor linked to the Russian government that has been implicated in numerous cyber-espionage activities. The group's activities have been traced back to at least 2015, when they were identified as infiltrating the Democratic National Committee (DNC) network

Bluebravo (1 vote)
BlueBravo, also known as APT29 or Nobelium, is a threat actor group linked to Russia that has been implicated in several high-profile cyberattacks. Recently, TeamViewer discovered a breach in its corporate network, with some reports attributing the intrusion to this group. BlueBravo, along with oth

The Dukes (1 vote)
The Dukes, also known as APT29, Cozy Bear, Midnight Blizzard, and several other aliases, is a highly active threat actor group widely believed to be associated with the Russian Foreign Intelligence Service (SVR). The group has been operational since at least 2008, targeting various governments, thin

NOBELIUM (1 vote)
Nobelium, a threat actor linked to Russia's SVR, has been actively targeting French diplomatic entities as part of its cyber-espionage activities. The Advanced Persistent Threat (APT) group has utilized sophisticated techniques such as phishing and attempts to install Cobalt Strike, an advanced malw

Midnight Blizzard (1 vote)
Midnight Blizzard, a Russia-linked Advanced Persistent Threat (APT) group, is Microsoft's current name for the actor also tracked as APT29 and has been linked to several high-profile cyber attacks on global organizations. Notably, it breached the sy

SolarStorm (1 vote)
SolarStorm is the name Palo Alto Networks Unit 42 uses for the actor behind the 2020 attack on SolarWinds Orion software, a sophisticated supply-chain attack that compromised the company's software updates, resulting in malware being served to i

SolarWinds Compromise (1 vote)
The SolarWinds compromise, a highly sophisticated cyber attack campaign, was first brought to light by FireEye in December 2020. Rather than exploiting a bug in the product, the attackers compromised SolarWinds' build process and shipped a trojanized Orion update carrying a backdoor known as SUNBURST. This allowed them to gain access
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Volexity
Vulnerability
Outlook
Malware
France
Solarwinds
SolarWinds C...
Associated Malware
No associations to display
Associated Threat Actors
No associations to display
Associated Vulnerabilities
CVE-2020-0688 (type: Unspecified, 1 vote)
CVE-2020-0688 is a remote code execution vulnerability in Microsoft Exchange Server. Microsoft's advisory titles it a memory corruption bug, but the root cause is not memory-unsafe code: every Exchange installation shipped with the same static validationKey and decryptionKey (collectively known as the machineKey) in the Exchange Control Panel (ECP) web.config by default. Anyone holding valid credentials for any mailbox can therefore forge a ViewState with a valid MAC and have the ECP application deserialize it, executing arbitrary code with the ECP application pool's privileges. Exploitation requires authentication, so it pairs naturally with stolen or unchallenged credentials.
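Two of the behaviours on this page leave traces in ordinary Exchange-server logs: an OWA logon that Duo was never asked about (the MFA bypass in the profile above) and a forged ViewState arriving as a GET parameter to ECP (the CVE-2020-0688 entry here). The script below runs both checks over the same parsed IIS log. It is an added example, not Volexity's code or anything from the page; every log line and Duo record in it is constructed, IIS W3C field names are real, the Duo record layout (username, result, timestamp) is a simplified assumption rather than a real Duo export, and the `B97B4E27` generator value and `500` status in the sample row are illustrative only, since the check keys on `__VIEWSTATE` appearing in the query string rather than on either value. It assumes both logs use the same clock and time zone (IIS logs in UTC by default; convert Duo timestamps before comparing in practice).

```python
"""Two IIS-log checks for the tradecraft on this page: an OWA logon that
Duo never challenged, and a CVE-2020-0688-style ViewState in an ECP query
string. Added example (not Volexity's or the page's code); all sample log
data below is constructed. IIS W3C field names are real; the Duo record
layout is a simplified assumption, not a real Duo export."""
from collections import OrderedDict
from datetime import datetime, timedelta
from urllib.parse import parse_qs

IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2020-06-15 13:02:11 GET /owa/ - CORP\\jsmith 10.0.0.25 200
2020-06-15 13:02:12 POST /owa/service.svc action=GetFolder CORP\\jsmith 10.0.0.25 200
2020-06-15 13:40:03 GET /owa/ - CORP\\alee 203.0.113.17 200
2020-06-15 13:40:05 POST /owa/service.svc action=FindItem CORP\\alee 203.0.113.17 200
2020-06-15 14:05:44 GET /owa/auth/logon.aspx url=%2fowa%2f - 198.51.100.9 200
2020-06-15 14:20:30 GET /ecp/default.aspx __VIEWSTATEGENERATOR=B97B4E27&__VIEWSTATE=%2FwEyAAAA CORP\\alee 203.0.113.17 500
2020-06-15 14:21:00 GET /ecp/default.aspx - CORP\\admin1 10.0.0.40 200
"""

# Constructed Duo-style records (assumed layout): user, outcome, local time of approval.
DUO_AUTH_LOG = [
    {"username": "jsmith", "result": "success", "timestamp": "2020-06-15 13:02:09"},
    {"username": "alee", "result": "success", "timestamp": "2020-06-14 09:11:40"},
]

TS = "%Y-%m-%d %H:%M:%S"


def norm_user(name):
    """CORP\\alee -> alee, case-folded, so IIS and Duo user names compare equal."""
    return name.split("\\")[-1].lower()


def parse_iis_w3c(text):
    """Rows as dicts keyed by the #Fields: directive; malformed rows are skipped."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if fields and len(values) == len(fields):
                rows.append(dict(zip(fields, values)))
    return rows


def owa_sessions(rows):
    """Earliest authenticated /owa/ request per (user, client IP)."""
    sessions = OrderedDict()
    for r in rows:
        if r["cs-username"] == "-" or not r["cs-uri-stem"].lower().startswith("/owa/"):
            continue  # pre-auth hits such as /owa/auth/logon.aspx carry no user name
        key = (norm_user(r["cs-username"]), r["c-ip"])
        when = datetime.strptime(r["date"] + " " + r["time"], TS)
        if key not in sessions or when < sessions[key]:
            sessions[key] = when
    return sessions


def unchallenged_logons(sessions, duo_events, window=timedelta(minutes=5)):
    """Sessions with no successful Duo authentication for that user near session start.
    A forged second-factor cookie never reaches Duo, so the missing event is the signal."""
    flagged = []
    for (user, ip), start in sessions.items():
        ok = any(e["result"] == "success" and e["username"].lower() == user
                 and abs(datetime.strptime(e["timestamp"], TS) - start) <= window
                 for e in duo_events)
        if not ok:
            flagged.append((user, ip, start.strftime(TS)))
    return flagged


def ecp_viewstate_in_query(rows):
    """ECP requests carrying __VIEWSTATE in the query string. Legitimate ECP pages post
    ViewState in the request body; the public CVE-2020-0688 technique sends a forged,
    validly MAC-signed ViewState as a GET parameter to /ecp/default.aspx instead."""
    hits = []
    for r in rows:
        if not r["cs-uri-stem"].lower().startswith("/ecp/"):
            continue
        q = parse_qs(r["cs-uri-query"], keep_blank_values=True)
        if "__VIEWSTATE" in q:
            hits.append((norm_user(r["cs-username"]), r["c-ip"],
                         r["date"] + " " + r["time"], r["sc-status"]))
    return hits


def run(iis_text=IIS_LOG, duo_events=DUO_AUTH_LOG):
    rows = parse_iis_w3c(iis_text)
    return {"unchallenged_owa": unchallenged_logons(owa_sessions(rows), duo_events),
            "ecp_viewstate": ecp_viewstate_in_query(rows)}


if __name__ == "__main__":
    for check, hits in run().items():
        for hit in hits:
            print(check, *hit)
```

On the constructed data the same account shows up in both checks: `alee` logs into OWA from an external address with no Duo event within the window, then sends a ViewState to `/ecp/default.aspx` in the query string. That pairing is exactly what the profile describes, an authenticated foothold obtained without a second factor followed by ECP exploitation, and is worth correlating rather than alerting on either check alone.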
Source Document References
Information about the Dark Halo Threat Actor was read from the documents corpus below. This display is limited to 20 results.

Securityaffairs, a month ago: Russia-linked APT Nobelium targets French diplomatic entities
MITRE, 7 months ago: SolarStorm Supply Chain Attack Timeline
MITRE, a year ago: Dark Halo Leverages SolarWinds Compromise to Breach Organizations