{
	"id": "b79e77a4-5d56-41bc-970e-fb8956a0d8d8",
	"created_at": "2026-04-06T00:21:30.161393Z",
	"updated_at": "2026-04-10T13:12:26.458733Z",
	"deleted_at": null,
	"sha1_hash": "f112f37541cb6146fe8e449f9114df5de018d8bb",
	"title": "Microsoft shares threat intelligence at CYBERWARCON 2023 | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 47234,
	"plain_text": "Microsoft shares threat intelligence at CYBERWARCON 2023 |\r\nMicrosoft Security Blog\r\nBy Microsoft Threat Intelligence\r\nPublished: 2023-11-09 · Archived: 2026-04-02 11:03:06 UTC\r\nAt the CYBERWARCON 2023 conference, Microsoft and LinkedIn analysts are presenting several sessions\r\ndetailing analysis across multiple sets of threat actors and related activity. This blog is intended to summarize the\r\ncontent of the research covered in these presentations and demonstrates Microsoft Threat Intelligence’s ongoing\r\nefforts to track threat actors, protect customers, and share information with the wider security community.\r\nReactive and opportunistic: Iran’s role in the Israel-Hamas war\r\nThis presentation compares and contrasts activity attributed to Iranian groups before and after the October 7, 2023\r\nstart of the Israel-Hamas war. It highlights a number of instances where Iranian operators leveraged existing\r\naccess, infrastructure, and tooling, ostensibly to meet new objectives.\r\nWith the physical conflict approximately one month old, this analysis offers early conclusions in a rapidly\r\nevolving space, specific to observed Iranian actors, such as those linked to Iran’s Ministry of Intelligence and\r\nSecurity (MOIS) and Islamic Revolutionary Guard Corps (IRGC). While the presentation details attack techniques\r\nobserved in specific regions, Microsoft is sharing this information to inform and help protect wider organizations\r\naround the world facing attack methods similar to those used by Iranian operators, such as social engineering\r\nmethods for deceiving victims, and exploitation of vulnerable devices and sign-in credentials.\r\nFirst, Microsoft does not see any evidence suggesting Iranian groups (IRGC and MOIS) had coordinated, pre-planned cyberattacks aligned to Hamas’ plans and the start of the Israel-Hamas war on October 7.\r\n
Although media\r\nand other public accounts may suggest that Iran played an active role in planning the October 7 physical attacks\r\non Israel, Microsoft data tells a different part of the story.\r\nObservations from Microsoft telemetry suggest that, at least in the cyber domain, Iranian operators have largely\r\nbeen reactive since the war began, exploiting opportunities to try and take advantage of events on the ground as\r\nthey unfold. It took 11 days from the start of the ground conflict before Microsoft saw Iran enter the war in the\r\ncyber domain. On October 18, 2023 Microsoft observed the first of two separate destructive attacks targeting\r\ninfrastructure in Israel. While online personas controlled by Iran exaggerated the claims of impact from these\r\nattacks, the data suggests that both attacks were likely opportunistic in nature. Specifically, operators leveraged\r\nexisting access or acquired access to the first available target. Further, the data shows that, in the case of a\r\nransomware attack, Iranian actors’ claims of impact and precision targeting were almost certainly fabricated.\r\nSecond, Microsoft observes Iranian operators continuing to employ their tried-and-true tactics, notably\r\nexaggerating the success of their computer network attacks and amplifying those claims and activities via a well-integrated deployment of information operations. This is essentially creating online propaganda seeking to inflate\r\nthe notoriety and impact of opportunistic attacks, in an effort to increase their effects. For example, Microsoft\r\nhttps://www.microsoft.com/en-us/security/blog/2023/11/09/microsoft-shares-threat-intelligence-at-cyberwarcon-2023/\r\nPage 1 of 3\n\nobserved Iranian actors compromising connected webcams and framing the activity as more strategic, claiming\r\nthey targeted and successfully compromised cameras at a specific Israeli military installation. 
In reality, the\r\ncompromised cameras were located at scattered sites outside any one defined region. This suggests that despite\r\nIran actors’ strategic claims, this camera example was ultimately a case of adversaries continuing to\r\nopportunistically discover and compromise vulnerable connected devices and try to reframe this routine work as\r\nmore impactful in the context of the current conflict.\r\nThird, Microsoft recognizes that, as more physical conflicts around the world spur cyber operations of varying\r\nlevels of sophistication, this is a rapidly evolving space requiring close monitoring to assess potential escalations\r\nand impact on wider industries, regions, and customers. Microsoft Threat Intelligence anticipates Iranian operators\r\nwill move from a reactive posture to more proactive activities the longer the current war plays out and continue to\r\nevolve their tactics in pursuit of their objectives.\r\nThe digital reality: A surge on critical infrastructure\r\nIn this presentation, Microsoft Threat Intelligence experts walk the audience through the timeline of Microsoft’s\r\ndiscovery of Volt Typhoon, a threat actor linked to China, and the adversary group’s activity observed against\r\ncritical infrastructure and key resources in the U.S. and its territories, such as Guam. The presentation highlights\r\nsome of the specific techniques, tactics, and procedures (TTPs) Volt Typhoon uses to carry out its operations. The\r\ntalk features insights on how Microsoft tracked the threat actor and assessed that Volt Typhoon’s activity was\r\nconsistent with laying the groundwork for use in potential future conflict situations. 
These insights show the\r\nbackstory of threat intelligence collection and analysis, leading to Microsoft’s May 2023 blog on Volt Typhoon,\r\nsharing the actor’s reach and capabilities with the community.\r\nAt CYBERWARCON, Microsoft provides an update on Volt Typhoon activity, highlighting shifts in TTPs and\r\ntargeting since Microsoft released the May blog post. Specifically, Microsoft sees Volt Typhoon trying to improve\r\nits operational security and stealthily attempting to return to previously compromised victims. The threat actor is\r\nalso targeting university environments, for example, in addition to previously targeted industries. In this\r\npresentation, Microsoft experts compare their Volt Typhoon analysis with third-party research and studies of\r\nChina’s military doctrine and the current geopolitical climate. This adds additional context for the security\r\ncommunity on possible motivations behind the threat actor’s current and future operations.\r\nMicrosoft also describes gaps and limitations in tracking Volt Typhoon’s activity and how the security community\r\ncan work together to develop strategies to mitigate future threats from this threat actor.\r\nFor many years, the security community has watched various Russian state-aligned actors intersect with\r\ncybercrime ecosystems to varying degrees and with different purposes. At CYBERWARCON 2022, Microsoft\r\ndiscussed the development of a never-before-seen “ransomware” strain known as Prestige by Seashell Blizzard\r\n(IRIDIUM), a group reported to be comprised of Russian military intelligence officers. 
The cyberattack, disguised\r\nas a new “ransomware” strain, was meant to cause disruption while providing a thin veneer of plausible\r\ndeniability for the sponsoring organization.\r\nThis year at CYBERWARCON, Microsoft experts profile a different threat actor, Storm-0978, which emerged in\r\nearly 2022 as credibly conducting both cybercrime operations and espionage/enablement operations\r\nbenefiting Russia’s military and other geopolitical interests, with possible ties to Russian security services. The\r\nduality of this Storm-0978 adversary’s activity intersecting with both crime and espionage leads to questions\r\nMicrosoft is engaging conference attendees in exploring. Is Storm-0978 a cybercrime group conducting\r\nespionage, or a government-sponsored espionage group conducting cybercrime? Why are we seeing the\r\nconfluence of what historically have been separate crime and geopolitical objectives? Is this duality in some way a\r\nreflection of Russia becoming limited in its ability to scale wartime cyber operations? Is Russia activating\r\ncybercriminal elements for operations in order to provide a level of plausible deniability for future destructive\r\nattacks?\r\n
The Ukraine war has illustrated that Russia has likely had to activate other capabilities on the periphery.\r\nStorm-0978 is one probable example where other elements have been co-opted to achieve both wartime and\r\nstrategic objectives, whether through effects-led operations or prepositioning.\r\nMicrosoft’s extensive insight on the ransomware economy and other cybercrime trends, coupled with experience\r\ntracking Russian nation-state adversaries, allows Microsoft to present this profile of the Storm-0978 actor at\r\nCYBERWARCON, which Microsoft hopes will be further enriched and analyzed by the wider security\r\ncommunity’s experiences, data sets and conclusions.\r\nA LinkedIn update on combating fake accounts\r\nThis presentation focuses on what LinkedIn’s Threat Prevention and Defense team has learned from its\r\ninvestigations of cyber mercenaries, also referred to as private-sector offensive actors (PSOAs), on the platform.\r\nThe focus of this presentation is on Black Cube (Microsoft tracks this actor as Blue Tsunami), a well-known\r\nmercenary actor, and what we’ve learned about how they attempt to operate on LinkedIn.\r\n
The discussion includes\r\ninsights on how Black Cube has previously leveraged honeypot profiles, fake jobs, and fake companies to engage\r\nin reconnaissance or human intelligence (HUMINT) operations against targets with access to organizations of\r\ninterest and/or concern to Black Cube’s clients.\r\nFurther reading\r\nFor the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat\r\nIntelligence Blog: https://aka.ms/threatintelblog.\r\nTo get notified about new publications and to join discussions on social media, follow us on X\r\nat https://twitter.com/MsftSecIntel.\r\nSource: https://www.microsoft.com/en-us/security/blog/2023/11/09/microsoft-shares-threat-intelligence-at-cyberwarcon-2023/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.microsoft.com/en-us/security/blog/2023/11/09/microsoft-shares-threat-intelligence-at-cyberwarcon-2023/"
	],
	"report_names": [
		"microsoft-shares-threat-intelligence-at-cyberwarcon-2023"
	],
	"threat_actors": [
		{
			"id": "846522d7-29cb-4a0c-8ebe-ffba7429e2d7",
			"created_at": "2023-06-23T02:04:34.793629Z",
			"updated_at": "2026-04-10T02:00:04.971054Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"Bronze Silhouette",
				"Dev-0391",
				"Insidious Taurus",
				"Redfly",
				"Storm-0391",
				"UAT-5918",
				"UAT-7237",
				"UNC3236",
				"VOLTZITE",
				"Vanguard Panda"
			],
			"source_name": "ETDA:Volt Typhoon",
			"tools": [
				"FRP",
				"Fast Reverse Proxy",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"Living off the Land"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "0661a292-80f3-420b-9951-a50e03c831c0",
			"created_at": "2023-01-06T13:46:38.928796Z",
			"updated_at": "2026-04-10T02:00:03.148052Z",
			"deleted_at": null,
			"main_name": "IRIDIUM",
			"aliases": [],
			"source_name": "MISPGALAXY:IRIDIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "555e2cac-931d-4ad4-8eaa-64df6451059d",
			"created_at": "2023-01-06T13:46:39.48103Z",
			"updated_at": "2026-04-10T02:00:03.342729Z",
			"deleted_at": null,
			"main_name": "RomCom",
			"aliases": [
				"UAT-5647",
				"Storm-0978"
			],
			"source_name": "MISPGALAXY:RomCom",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d58052ba-978b-4775-985a-26ed8e64f98c",
			"created_at": "2023-09-07T02:02:48.069895Z",
			"updated_at": "2026-04-10T02:00:04.946879Z",
			"deleted_at": null,
			"main_name": "Tropical Scorpius",
			"aliases": [
				"DEV-0978",
				"RomCom",
				"Storm-0671",
				"Storm-0978",
				"TA829",
				"Tropical Scorpius",
				"UAC-0180",
				"UNC2596",
				"Void Rabisu"
			],
			"source_name": "ETDA:Tropical Scorpius",
			"tools": [
				"COLDDRAW",
				"Cuba",
				"Industrial Spy",
				"PEAPOD",
				"ROMCOM",
				"ROMCOM RAT",
				"SingleCamper",
				"SnipBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "cf02412a-041a-4c8d-8ffa-3bff7dd812b5",
			"created_at": "2024-02-02T02:00:04.018717Z",
			"updated_at": "2026-04-10T02:00:03.524693Z",
			"deleted_at": null,
			"main_name": "Blue Tsunami",
			"aliases": [
				"Black Cube"
			],
			"source_name": "MISPGALAXY:Blue Tsunami",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a88747e2-ffed-45d8-b847-8464361b2254",
			"created_at": "2023-11-01T02:01:06.605663Z",
			"updated_at": "2026-04-10T02:00:05.289908Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"Volt Typhoon",
				"BRONZE SILHOUETTE",
				"Vanguard Panda",
				"DEV-0391",
				"UNC3236",
				"Voltzite",
				"Insidious Taurus"
			],
			"source_name": "MITRE:Volt Typhoon",
			"tools": [
				"netsh",
				"PsExec",
				"ipconfig",
				"Wevtutil",
				"VersaMem",
				"Tasklist",
				"Mimikatz",
				"Impacket",
				"Systeminfo",
				"netstat",
				"Nltest",
				"certutil",
				"FRP",
				"cmd"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75455540-2f6e-467c-9225-8fe670e50c47",
			"created_at": "2022-10-25T16:07:23.740266Z",
			"updated_at": "2026-04-10T02:00:04.732992Z",
			"deleted_at": null,
			"main_name": "Iridium",
			"aliases": [],
			"source_name": "ETDA:Iridium",
			"tools": [
				"CHINACHOPPER",
				"China Chopper",
				"LazyCat",
				"Powerkatz",
				"SinoChopper",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "49b3063e-a96c-4a43-b28b-1c380ae6a64b",
			"created_at": "2025-08-07T02:03:24.661509Z",
			"updated_at": "2026-04-10T02:00:03.644548Z",
			"deleted_at": null,
			"main_name": "BRONZE SILHOUETTE",
			"aliases": [
				"Dev-0391 ",
				"Insidious Taurus ",
				"UNC3236 ",
				"Vanguard Panda ",
				"Volt Typhoon ",
				"Voltzite "
			],
			"source_name": "Secureworks:BRONZE SILHOUETTE",
			"tools": [
				"Living-off-the-land binaries",
				"Web shells"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4ed2b20c-7523-4852-833b-cebee8029f55",
			"created_at": "2023-05-26T02:02:03.524749Z",
			"updated_at": "2026-04-10T02:00:03.366175Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"BRONZE SILHOUETTE",
				"VANGUARD PANDA",
				"UNC3236",
				"Insidious Taurus",
				"VOLTZITE",
				"Dev-0391",
				"Storm-0391"
			],
			"source_name": "MISPGALAXY:Volt Typhoon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434890,
	"ts_updated_at": 1775826746,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f112f37541cb6146fe8e449f9114df5de018d8bb.pdf",
		"text": "https://archive.orkl.eu/f112f37541cb6146fe8e449f9114df5de018d8bb.txt",
		"img": "https://archive.orkl.eu/f112f37541cb6146fe8e449f9114df5de018d8bb.jpg"
	}
}