TA543

Threat Actor Profile Updated 3 months ago
TA543, also known as Storm-0324 and Sagrid, is a financially motivated threat actor. The group has been observed abusing the Microsoft Teams messaging app to conduct phishing operations, which involve sending other attackers' payloads using phishing messages and exploit kits. Using the open-source red-team tool TeamsPhisher, TA543 distributed malware through Teams and, in doing so, established a path for subsequent attacks. Microsoft's Threat Intelligence Team has published reports on TA543's activities, and the group has been found abusing latent vulnerabilities within Teams in the Office 365 environment. Because Teams is so widely used, this abuse is a significant security concern.

TA543 is an initial access broker. It uses email-based infection vectors, typically breaching targets via phishing emails, and then sells or passes on that access to ransomware operations, including FIN7 (also known as Sangria Tempest, ELBRUS, and Carbon Spider). This pattern of activity makes TA543 a facilitator in the broader cybercrime ecosystem and a significant contributor to the spread of ransomware attacks. The breadth of TA543's tactics highlights the need for robust security measures and continued vigilance.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Sagrid | 2 | Sagrid, also known as Storm-0324 and TA543, is a notorious threat actor known for its financially motivated cyberattacks. The group has been recently observed exploiting vulnerabilities in Microsoft Teams, the widely-used collaboration app, to conduct sophisticated phishing operations. Using an open
Sangria Tempest | 1 | Sangria Tempest, also known as FIN7, Carbon Spider, and ELBRUS, is a threat actor that has been active since 2014. This Russian advanced persistent threat (APT) group is known for its malicious activities, including spear-phishing campaigns, malware distribution, and theft of payment card data. In m
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Phishing
Exploit
Malware
Microsoft
Associated Malware
ID | Type | Votes | Profile Description
No associations to display
Associated Threat Actors
ID | Type | Votes | Profile Description
FIN7 | Unspecified | 1 | FIN7, a notorious threat actor group known for its malicious activities, has recently been identified as targeting a large U.S. carmaker with phishing attacks. This group, which has previously operated behind fake cybersecurity companies such as Combi Security and Bastion Secure to recruit security
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the TA543 threat actor was read from the documents listed below.
Source | Created At | Title
CERT-EU | 10 months ago | Microsoft promises to act as Teams continues to get pummeled by phishing attacks
CERT-EU | 8 months ago | Digital Collaboration: A Double-edged Sword
CERT-EU | 10 months ago | Microsoft Warns of New Phishing Campaign Targeting Corporations via Teams Messages | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU | 10 months ago | Storm-0324 Abusing Microsoft Teams To Gain Initial Access And Deploy Ransomware
Checkpoint | 10 months ago | 18th September – Threat Intelligence Report - Check Point Research
CERT-EU | 10 months ago | Storm-0324 Exploits MS Teams Chats to Facilitate Ransomware Attacks
CERT-EU | 10 months ago | Cyber Security Week in Review: September 15, 2023
CERT-EU | 10 months ago | Microsoft Teams Hacks Are Back, As Storm-0324 Embraces TeamsPhisher