TA543

Threat Actor updated 4 months ago (2024-05-04T19:11:22.381Z)
TA543, also known as Storm-0324 and Sagrid, is a financially motivated threat actor. The group has been observed exploiting the Microsoft Teams messaging app to conduct phishing operations, which involve sending other attackers' payloads using phishing messages and exploit kits. Using the open-source red-team tool TeamsPhisher, TA543 not only distributed malware through Microsoft's widely used collaboration platform but also established a path for subsequent attacks. Microsoft's Threat Intelligence Team has published reports on TA543's activities, and the group has been found abusing latent vulnerabilities within Teams in the Office 365 environment. Because Teams is so widely used, this exploitation is a significant security concern.

TA543 is an initial access broker. It uses email-based infection vectors, typically breaching targets via phishing emails, and then sells the access to ransomware operations, including FIN7 (also known as Sangria Tempest, ELBRUS, and Carbon Spider). This pattern of activity makes TA543 a facilitator in the broader cybercrime ecosystem and a significant contributor to the propagation of ransomware attacks. The breadth and sophistication of TA543's tactics highlight the need for robust security measures and constant vigilance against such evolving threats.
Description last updated: 2024-05-04T18:07:55.717Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Sagrid | 2 | Sagrid, also known as Storm-0324 and TA543, is a notorious threat actor known for its financially motivated cyberattacks. The group has been recently observed exploiting vulnerabilities in Microsoft Teams, the widely-used collaboration app, to conduct sophisticated phishing operations. Using an open
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Phishing
Source Document References
Information about the TA543 Threat Actor was read from the documents corpus below.
Source | Created At | Title
CERT-EU | a year ago | Microsoft promises to act as Teams continues to get pummeled by phishing attacks
CERT-EU | 10 months ago | Digital Collaboration: A Double-edged Sword
CERT-EU | a year ago | Microsoft Warns of New Phishing Campaign Targeting Corporations via Teams Messages | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU | a year ago | Storm-0324 Abusing Microsoft Teams To Gain Initial Access And Deploy Ransomware
Checkpoint | a year ago | 18th September – Threat Intelligence Report - Check Point Research
CERT-EU | a year ago | Storm-0324 Exploits MS Teams Chats to Facilitate Ransomware Attacks
CERT-EU | a year ago | Cyber Security Week in Review: September 15, 2023
CERT-EU | a year ago | Microsoft Teams Hacks Are Back, As Storm-0324 Embraces TeamsPhisher