T1195.002 · initial-access · 10 actors · 5 correlated reports

Compromise Software Supply Chain

Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version. Targeting may be specific to a desired victim set or may be distributed to a broad set of consumers but only move on to additional tactics on specific victims.

Open detection, hunting, mitigation, and evidence workspace

Detection logic

Use verification of distributed binaries through hash checking or other integrity checking mechanisms. Scan downloads for malicious signatures and attempt to test software and updates prior to deployment while taking note of potential suspicious activity.

Observed actors

APT41
G0096 Dragonfly
G0035 FIN7
G0046 Sandworm Team
G0034 APT29
G0016 GOLD SOUTHFIELD
G0115 Cobalt Group
G0080 Moonstone Sleet
G1036 Daggerfly
G1034 Threat Group-3390
G0027

Correlated CTI and IR reports

CTI Research: Sandworm / APT44
1200km CTI repository · explicit report mention CTI Research: Sandworm / APT44
1200km CTI repository · explicit report mention From Threat Intelligence to Detection: A Practitioner's Guide
1200km CTI repository · explicit report mention CTI Research Sandworm APT44
1200km Medium · authored report mention From Threat Intelligence to Detection A Practitioner s Guide
1200km Medium · authored report mention

Continue the investigation

Interactive ThreatMapper ThreatMapper documentation CTI Analyst Field Manual Israel Threat Actors CTI Anomaly Detection Atlas ITDR Handbook 1200km Medium research