Dark Halo

Threat Actor updated 3 months ago (2024-06-21T14:17:38.864Z)
Dark Halo is the name under which the security company Volexity tracks the threat actor behind a series of intrusions at a single US think tank. Volexity first observed the actor in late 2019. After the organization ousted it, Dark Halo regained access by exploiting a vulnerability in the organization's Microsoft Exchange Control Panel (ECP). Near the end of that second intrusion it bypassed Duo multi-factor authentication (MFA) to read a user's mailbox through the organization's Outlook Web App (OWA) service: it had stolen the Duo integration secret key (akey) from the OWA server and used it to forge a valid duo-sid session cookie, so the logons succeeded on the OWA side while Duo's logs showed no second-factor challenge for them. In June and July 2020 the actor returned a third time, now through the trojanized SolarWinds Orion update at the centre of the SolarWinds supply-chain compromise. The objective throughout was to obtain the emails of specific individuals at the think tank. Dark Halo did use malware and red-team tooling, but largely for specific one-off tasks and as a fallback when other avenues of access were closed off. Some government agencies attribute Dark Halo's activity to Nobelium (also known as APT29, the SVR group, Cozy Bear, Midnight Blizzard, BlueBravo, and The Dukes), but the French cybersecurity agency ANSSI treats Dark Halo as a separate threat cluster, specifically the one responsible for the 2020 SolarWinds attack. The disagreement is a reminder that cluster names from different vendors and agencies do not map one-to-one and should not be merged without checking the underlying evidence.
Description last updated: 2024-06-21T14:16:34.816Z
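The Duo bypass described above leaves an asymmetry in the logs: OWA records a successful logon, while Duo records no second-factor request for it. That asymmetry is the detection hook a defender can use. The following is an added example, not code from this page, from Volexity or from Duo. It correlates two constructed log sets whose field names (user, time, src, result, factor) are assumptions for illustration, and flags every OWA logon that no successful Duo authentication for the same user precedes within a short window.

```python
"""Added example: flag OWA logons with no matching Duo second-factor event.

Not Volexity's or Duo's code. Both log sets below are constructed, and their
field names are assumed shapes, not the real Exchange or Duo schemas.
"""
from datetime import datetime, timedelta

# Constructed OWA logon successes (assumed fields: user, time, src).
OWA_LOGONS = [
    {"user": "jdoe",   "time": "2020-06-20T09:02:11", "src": "203.0.113.10"},
    {"user": "asmith", "time": "2020-06-20T09:15:40", "src": "198.51.100.7"},
    {"user": "jdoe",   "time": "2020-06-21T02:47:03", "src": "192.0.2.44"},
    {"user": "jdoe",   "time": "2020-06-21T02:49:30", "src": "192.0.2.44"},
]

# Constructed Duo authentication log (assumed fields: user, time, result, factor).
# The "denied" push at 02:46:58 is deliberate: a denied or absent second factor
# followed by an OWA success is exactly the pattern a forged duo-sid produces.
DUO_AUTHS = [
    {"user": "jdoe",   "time": "2020-06-20T09:02:05", "result": "success", "factor": "push"},
    {"user": "asmith", "time": "2020-06-20T09:15:31", "result": "success", "factor": "push"},
    {"user": "jdoe",   "time": "2020-06-21T02:46:58", "result": "denied",  "factor": "push"},
]


def _ts(s):
    return datetime.fromisoformat(s)


def find_logons_without_mfa(owa_logons, duo_auths, window=timedelta(minutes=5)):
    """Return the OWA logons for which no successful Duo auth for the same user
    occurred in the `window` immediately before the logon.

    A forged duo-sid cookie satisfies the Duo step without Duo ever seeing a
    request, so OWA records a success while Duo stays silent; only successes
    count as coverage, so a denied push does not clear a logon.
    """
    successes = [(a["user"], _ts(a["time"])) for a in duo_auths if a["result"] == "success"]
    flagged = []
    for logon in owa_logons:
        t = _ts(logon["time"])
        covered = any(u == logon["user"] and t - window <= at <= t for u, at in successes)
        if not covered:
            flagged.append(logon)
    return flagged


def summarize(flagged):
    """Group flagged logons by (user, source IP) so a burst from one client is one lead."""
    leads = {}
    for logon in flagged:
        leads.setdefault((logon["user"], logon["src"]), []).append(logon["time"])
    return leads


if __name__ == "__main__":
    for (user, src), times in summarize(find_logons_without_mfa(OWA_LOGONS, DUO_AUTHS)).items():
        print(f"{user} from {src}: {len(times)} OWA logon(s) with no Duo success: {', '.join(times)}")
```

Treat hits as leads rather than proof: Duo's remembered-device feature and sessions that resume an existing cookie can also yield logons without a fresh push, so tune the window to the deployment and weigh each hit against the source IP, the hour and the user's history. Once a bypass of this kind is suspected, the decisive response is to rotate the Duo integration secret, since the forged cookies stay valid as long as the stolen key does.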
Aliases: none currently tracked
Source Document References
Information about the Dark Halo threat actor was read from the documents below (display limited to 20 results).
Source | Created | Title
Securityaffairs | 3 months ago | Russia-linked APT Nobelium targets French diplomatic entities
MITRE | 9 months ago | SolarStorm Supply Chain Attack Timeline
MITRE | 2 years ago | Dark Halo Leverages SolarWinds Compromise to Breach Organizations