{"id":124735,"date":"2022-11-10T09:00:00","date_gmt":"2022-11-10T17:00:00","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?p=124735"},"modified":"2023-09-11T16:37:01","modified_gmt":"2023-09-11T23:37:01","slug":"microsoft-threat-intelligence-presented-at-cyberwarcon-2022","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/11\/10\/microsoft-threat-intelligence-presented-at-cyberwarcon-2022\/","title":{"rendered":"Microsoft threat intelligence presented at CyberWarCon 2022\u00a0"},"content":{"rendered":"\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><strong>April 2023 update<\/strong> \u2013 Microsoft Threat Intelligence has shifted to a new threat actor naming taxonomy aligned around the theme of weather. <\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>BROMINE<\/strong> is now tracked as <strong>Ghost Blizzard<\/strong><\/li>\n\n\n\n<li><strong>DEV-0401<\/strong> is now tracked as <strong>Cinnamon Tempest<\/strong><\/li>\n\n\n\n<li><strong>GALLIUM<\/strong> is now tracked as <strong>Granite Typhoon<\/strong><\/li>\n\n\n\n<li><strong>DEV-0062<\/strong> is now tracked as <strong>Storm-0062<\/strong><\/li>\n\n\n\n<li><strong>ZINC<\/strong> is now tracked as <strong>Diamond Sleet<\/strong> <\/li>\n<\/ul>\n\n\n\n<p>To learn about how the new taxonomy represents the origin, unique traits, and impact of threat actors, and to get a complete mapping of threat actor names, read this blog: <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/04\/18\/microsoft-shifts-to-a-new-threat-actor-naming-taxonomy\/\"><strong>Microsoft shifts to a new threat actor naming taxonomy<\/strong><\/a>.<\/p>\n<\/blockquote>\n\n\n\n<p>At <a href=\"https:\/\/www.cyberwarcon.com\/\">CyberWarCon 2022<\/a>, Microsoft and LinkedIn analysts presented several sessions detailing analysis across multiple sets of actors and related activity. This blog is intended to summarize the content of the research covered in these presentations and demonstrates Microsoft Threat Intelligence Center\u2019s (MSTIC) ongoing efforts to track threat actors, protect customers from the associated threats, and share intelligence with the security community.<\/p>\n\n\n\n<p>The CyberWarCon sessions summarized below include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>\u201cThey are still berserk: Recent activities of BROMINE\u201d<\/strong> \u2013 a lightning talk covering MSTIC\u2019s analysis of BROMINE (aka Berserk Bear), recent observed activities, and potential changes in targeting and tactics.<\/li>\n\n\n\n<li><strong>\u201cThe phantom menace: A tale of Chinese nation-state hackers\u201d<\/strong> &#8211; a deep dive into several of the Chinese nation-state actor sets, their operational security patterns, and case studies on related tactics, techniques, and procedures (TTPs).<\/li>\n\n\n\n<li><strong>\u201cZINC weaponizing open-source software\u201d<\/strong> \u2013 a lighting talk on MSTIC and LinkedIn\u2019s analysis of <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/09\/29\/zinc-weaponizing-open-source-software\/\">ZINC<\/a>, a North Korea-based actor. This will be their first public joint presentation, demonstrating collaboration between MSTIC and LinkedIn\u2019s threat intelligence teams.<\/li>\n<\/ul>\n\n\n\n<p>MSTIC consistently tracks threat actor activity, including the groups discussed in this blog, and works across Microsoft Security products and services to build detections and improve customer protections. As with any observed nation-state actor activity, Microsoft has directly notified customers that have been targeted or compromised, providing them with the information they need to help secure their accounts. Microsoft uses DEV-#### designations as a temporary name given to an unknown, emerging, or a developing cluster of threat activity, allowing MSTIC to track it as a unique set of information until we reach a high confidence about the origin or identity of the actor behind the activity. Once it meets the criteria, a DEV is converted to a named actor.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">They are still berserk: Recent activities of BROMINE<\/h2>\n\n\n\n<p>BROMINE overlaps with the threat group publicly tracked as Berserk Bear. In our talk, MSTIC provided insights into the actor\u2019s recent activities observed by Microsoft. Some of the recent activities presented include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Targeting and compromise of dissidents, political opponents, Russian citizens, and foreign diplomats. These activities have spanned multiple methods and techniques, ranging from the use of a custom malicious capability to credential phishing leveraging consumer mail platforms. In some cases, MSTIC has identified the abuse of Azure free trial subscriptions and worked with the Azure team to quickly take action against the abuse.<\/li>\n\n\n\n<li>Continued targeting of organizations in the manufacturing and industrial technology space. These sectors have been continuous targets of the group for years and represent one of the most durable interests.<\/li>\n\n\n\n<li>An opportunistic campaign focused on exploiting datacenter infrastructure management interfaces, likely for the purpose of access to technical information of value.<\/li>\n\n\n\n<li>Targeting and compromise of diplomatic sector organizations focused on personnel assigned to Eastern Europe.<\/li>\n\n\n\n<li>Compromise of a Ukrainian nuclear safety organization previously referenced in our June 2022 Special Report on Defending Ukraine (https:\/\/aka.ms\/ukrainespecialreport).<\/li>\n<\/ul>\n\n\n\n<p>Overall, our findings continue to demonstrate that BROMINE is an elusive threat actor with a variety of potential objectives, yet sporadic insights from various organizations, including Microsoft, demonstrate there is almost certainly more to find. Additionally, our observations show that as a technology platform provider, threat intelligence enables Microsoft\u2019s ability to protect both enterprises and consumers and disrupt threat activity affecting our customers.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">The phantom menace: A tale of China-based nation state hackers<\/h2>\n\n\n\n<p>Over the past few years, MSTIC has observed a gradual evolution of the TTPs employed by China-based threat actors. At CyberWarCon 2022, Microsoft analysts presented their analysis of these trends in Chinese nation-state actor activity, covering:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Information about new tactics that these threat actors have adopted to improve their operational security, as well as a deeper look into their techniques, such as leveraging vulnerable SOHO devices for obfuscating their operations.<\/li>\n\n\n\n<li>Three different case studies, including China-based DEV-0401 and nation-state threat actors GALLIUM and DEV-0062, walking through (a) the initial vector (compromise of public-facing application servers, with the actors showing rapid adoption of proofs of concept for vulnerabilities in an array of products), (b) how these threat actors maintained persistence on the victims (some groups dropping web shells, backdoors, or custom malware), and (c) the objectives of their operations: intelligence collection for espionage.<\/li>\n\n\n\n<li>A threat landscape overview of the top five industries that these actors have targeted\u2014governments worldwide, non-government organizations (NGO)s and think tanks, communication infrastructure, information technology (IT), and financial services \u2013 displaying the global nature of China\u2019s cyber operations in the span of one year.<\/li>\n<\/ul>\n\n\n\n<p>As demonstrated in the presentation, China-based threat actors have targeted entities nearly globally, employing techniques and using different methodologies to make attribution increasingly harder. Microsoft analysts assess that China\u2019s cyber operations will continue to move along their geopolitical agenda, likely continuing to use some of the techniques mentioned in the presentation to conduct their intelligence collection. The graphic below illustrates how quickly we observe China-based threat actors and others exploiting zero-day vulnerabilities and then those exploits becoming broadly available in the wild.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"601\" height=\"298\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Fig1-Microsoft-threat-intelligence-CyberWarCon.png\" alt=\"Chart showing that after a vulnerability is publicly disclosed, it takes only 14 days on average for an exploit to be available in wild, 60 days for POC code to be released on GitHub, and 120 days for the exploit to be available in scanning tools.\" class=\"wp-image-124737\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Fig1-Microsoft-threat-intelligence-CyberWarCon.png 601w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Fig1-Microsoft-threat-intelligence-CyberWarCon-300x149.png 300w\" sizes=\"(max-width: 601px) 100vw, 601px\" \/><figcaption class=\"wp-element-caption\">Figure 1. The speed and scale of vulnerability exploitation. Image source: <a href=\"https:\/\/go.microsoft.com\/fwlink\/?linkid=2213817\">Microsoft Digital Defense Report 2022<\/a><\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">ZINC weaponizing open-source software<\/h2>\n\n\n\n<p>In this talk, Microsoft and LinkedIn analysts detail recent activity of a North-Korea based nation-state threat actor we track as ZINC. Analysts detailed the findings of their investigation (previously covered in <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/09\/29\/zinc-weaponizing-open-source-software\/\">this blog<\/a>) and walked through the series of observed ZINC attacks that targeted 125 different victims spanning 34 countries, noting the attacks appear to be motivated by traditional cyber-espionage and theft of personal and corporate data. A few highlights include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>In September 2022, Microsoft disclosed detection of a wide range of social engineering campaigns using weaponized legitimate open-source software. MSTIC observed activity targeting employees in organizations across multiple industries including media, defense and aerospace, and IT services in the US, UK, India, and Russia.<\/li>\n\n\n\n<li>Based on the observed tradecraft, infrastructure, tooling, and account affiliations, MSTIC attributes this campaign with high confidence to ZINC, a state-sponsored group based out of North Korea with objectives focused on espionage, data theft, financial gain, and network destruction.<\/li>\n\n\n\n<li>When analyzing the data from an industry sector perspective, we observed that ZINC chose to deliver malware most likely to succeed in a specific environment, for example, targeting IT service providers with terminal tools and targeting media and defense companies with fake job offers to be loaded into weaponized PDF readers.<\/li>\n\n\n\n<li>ZINC has successfully compromised numerous organizations since June 2022, when the actor began employing traditional social engineering tactics by initially connecting with individuals on LinkedIn to establish a level of trust with their targets.<\/li>\n\n\n\n<li>Upon successful connection, ZINC encouraged continued communication over WhatsApp, which acted as the means of delivery for their malicious payloads. MSTIC observed ZINC weaponizing a wide range of open-source software including PuTTY, KiTTY, TightVNC, Sumatra PDF Reader, and muPDF\/Subliminal Recording software installer for these attacks. ZINC was observed attempting to move laterally across victim networks and exfiltrate collected information from.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"556\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/09\/Figure-5b.-Attack-flow-diagram-for-recent-ZINC-campaign-1024x556.png\" alt=\"Diagram showing end-to-end attack chain of a ZINC attack, from initial compromise and execution, to persistence, command and control, discovery, and collection\" class=\"wp-image-122725\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/09\/Figure-5b.-Attack-flow-diagram-for-recent-ZINC-campaign-1024x556.png 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/09\/Figure-5b.-Attack-flow-diagram-for-recent-ZINC-campaign-300x163.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/09\/Figure-5b.-Attack-flow-diagram-for-recent-ZINC-campaign-768x417.png 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/09\/Figure-5b.-Attack-flow-diagram-for-recent-ZINC-campaign-1536x834.png 1536w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/09\/Figure-5b.-Attack-flow-diagram-for-recent-ZINC-campaign.png 1603w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Figure 2. ZINC attack chain. &nbsp;Read more in our detailed blog: <\/em><a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/09\/29\/zinc-weaponizing-open-source-software\/\"><em>ZINC weaponizing open-source software<\/em><\/a><em>.<\/em><\/figcaption><\/figure>\n\n\n\n<p>As the threat landscape continues to evolve, Microsoft strives to continuously improve security for all, through collaboration with customers and partners and by sharing our research with the larger security community. We would like to extend our thanks to CyberWarCon and LinkedIn for their community partnership.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>At CyberWarCon 2022, Microsoft and LinkedIn analysts presented several sessions detailing analysis across multiple sets of actors and related activity.<\/p>\n","protected":false},"author":68,"featured_media":124789,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"ep_exclude_from_search":false,"_classifai_error":"","footnotes":""},"content-type":[3660],"topic":[3688],"products":[],"threat-intelligence":[],"tags":[3834,3822,3923,3925],"coauthors":[3380],"class_list":["post-124735","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","content-type-events","topic-threat-trends","tag-diamond-sleet-zinc","tag-microsoft-security-insights","tag-sleet","tag-tempest"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v23.7 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Microsoft threat intelligence presented at CyberWarCon 2022\u00a0 | Microsoft Security Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/11\/10\/microsoft-threat-intelligence-presented-at-cyberwarcon-2022\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Microsoft threat intelligence presented at CyberWarCon 2022\u00a0 | Microsoft Security Blog\" \/>\n<meta property=\"og:description\" content=\"At CyberWarCon 2022, Microsoft and LinkedIn analysts presented several sessions detailing analysis across multiple sets of actors and related activity.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/11\/10\/microsoft-threat-intelligence-presented-at-cyberwarcon-2022\/\" \/>\n<meta property=\"og:site_name\" content=\"Microsoft Security Blog\" \/>\n<meta property=\"article:published_time\" content=\"2022-11-10T17:00:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-09-11T23:37:01+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Microsoft-threat-intelligence-CyberWarCon-social.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1200\" \/>\n\t<meta property=\"og:image:height\" content=\"800\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Microsoft Threat Intelligence\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Microsoft Threat Intelligence\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/11\/10\/microsoft-threat-intelligence-presented-at-cyberwarcon-2022\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/11\/10\/microsoft-threat-intelligence-presented-at-cyberwarcon-2022\/\"},\"author\":[{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/microsoft-security-threat-intelligence\/\",\"@type\":\"Person\",\"@name\":\"Microsoft Threat Intelligence\"}],\"headline\":\"Microsoft threat intelligence presented at CyberWarCon 2022\u00a0\",\"datePublished\":\"2022-11-10T17:00:00+00:00\",\"dateModified\":\"2023-09-11T23:37:01+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/11\/10\/microsoft-threat-intelligence-presented-at-cyberwarcon-2022\/\"},\"wordCount\":1295,\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/11\/10\/microsoft-threat-intelligence-presented-at-cyberwarcon-2022\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Microsoft-threat-intelligence-CyberWarCon-social.png\",\"keywords\":[\"Diamond Sleet (ZINC)\",\"Microsoft Security Insights\",\"Sleet\",\"Tempest\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/11\/10\/microsoft-threat-intelligence-presented-at-cyberwarcon-2022\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/11\/10\/microsoft-threat-intelligence-presented-at-cyberwarcon-2022\/\",\"name\":\"Microsoft threat intelligence presented at CyberWarCon 2022\u00a0 | Microsoft Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/11\/10\/microsoft-threat-intelligence-presented-at-cyberwarcon-2022\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/11\/10\/microsoft-threat-intelligence-presented-at-cyberwarcon-2022\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Microsoft-threat-intelligence-CyberWarCon-social.png\",\"datePublished\":\"2022-11-10T17:00:00+00:00\",\"dateModified\":\"2023-09-11T23:37:01+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/11\/10\/microsoft-threat-intelligence-presented-at-cyberwarcon-2022\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/11\/10\/microsoft-threat-intelligence-presented-at-cyberwarcon-2022\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/11\/10\/microsoft-threat-intelligence-presented-at-cyberwarcon-2022\/#primaryimage\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Microsoft-threat-intelligence-CyberWarCon-social.png\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Microsoft-threat-intelligence-CyberWarCon-social.png\",\"width\":1200,\"height\":800,\"caption\":\"a man standing in front of a computer screen\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/11\/10\/microsoft-threat-intelligence-presented-at-cyberwarcon-2022\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Microsoft threat intelligence presented at CyberWarCon 2022\u00a0\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"name\":\"Microsoft Security Blog\",\"description\":\"Expert coverage of cybersecurity topics\",\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\",\"name\":\"Microsoft Security Blog\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"width\":512,\"height\":512,\"caption\":\"Microsoft Security Blog\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Microsoft threat intelligence presented at CyberWarCon 2022\u00a0 | Microsoft Security Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/11\/10\/microsoft-threat-intelligence-presented-at-cyberwarcon-2022\/","og_locale":"en_US","og_type":"article","og_title":"Microsoft threat intelligence presented at CyberWarCon 2022\u00a0 | Microsoft Security Blog","og_description":"At CyberWarCon 2022, Microsoft and LinkedIn analysts presented several sessions detailing analysis across multiple sets of actors and related activity.","og_url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/11\/10\/microsoft-threat-intelligence-presented-at-cyberwarcon-2022\/","og_site_name":"Microsoft Security Blog","article_published_time":"2022-11-10T17:00:00+00:00","article_modified_time":"2023-09-11T23:37:01+00:00","og_image":[{"width":1200,"height":800,"url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Microsoft-threat-intelligence-CyberWarCon-social.png","type":"image\/png"}],"author":"Microsoft Threat Intelligence","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Microsoft Threat Intelligence","Est. reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/11\/10\/microsoft-threat-intelligence-presented-at-cyberwarcon-2022\/#article","isPartOf":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/11\/10\/microsoft-threat-intelligence-presented-at-cyberwarcon-2022\/"},"author":[{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/microsoft-security-threat-intelligence\/","@type":"Person","@name":"Microsoft Threat Intelligence"}],"headline":"Microsoft threat intelligence presented at CyberWarCon 2022\u00a0","datePublished":"2022-11-10T17:00:00+00:00","dateModified":"2023-09-11T23:37:01+00:00","mainEntityOfPage":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/11\/10\/microsoft-threat-intelligence-presented-at-cyberwarcon-2022\/"},"wordCount":1295,"publisher":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/11\/10\/microsoft-threat-intelligence-presented-at-cyberwarcon-2022\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Microsoft-threat-intelligence-CyberWarCon-social.png","keywords":["Diamond Sleet (ZINC)","Microsoft Security Insights","Sleet","Tempest"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/11\/10\/microsoft-threat-intelligence-presented-at-cyberwarcon-2022\/","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/11\/10\/microsoft-threat-intelligence-presented-at-cyberwarcon-2022\/","name":"Microsoft threat intelligence presented at CyberWarCon 2022\u00a0 | Microsoft Security Blog","isPartOf":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/11\/10\/microsoft-threat-intelligence-presented-at-cyberwarcon-2022\/#primaryimage"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/11\/10\/microsoft-threat-intelligence-presented-at-cyberwarcon-2022\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Microsoft-threat-intelligence-CyberWarCon-social.png","datePublished":"2022-11-10T17:00:00+00:00","dateModified":"2023-09-11T23:37:01+00:00","breadcrumb":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/11\/10\/microsoft-threat-intelligence-presented-at-cyberwarcon-2022\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/11\/10\/microsoft-threat-intelligence-presented-at-cyberwarcon-2022\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/11\/10\/microsoft-threat-intelligence-presented-at-cyberwarcon-2022\/#primaryimage","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Microsoft-threat-intelligence-CyberWarCon-social.png","contentUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/11\/Microsoft-threat-intelligence-CyberWarCon-social.png","width":1200,"height":800,"caption":"a man standing in front of a computer screen"},{"@type":"BreadcrumbList","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/11\/10\/microsoft-threat-intelligence-presented-at-cyberwarcon-2022\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/"},{"@type":"ListItem","position":2,"name":"Microsoft threat intelligence presented at CyberWarCon 2022\u00a0"}]},{"@type":"WebSite","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/","name":"Microsoft Security Blog","description":"Expert coverage of cybersecurity topics","publisher":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization","name":"Microsoft Security Blog","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png","contentUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png","width":512,"height":512,"caption":"Microsoft Security Blog"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/"}}]}},"msxcm_display_generated_audio":false,"distributor_meta":false,"distributor_terms":false,"distributor_media":false,"distributor_original_site_name":"Microsoft Security Blog","distributor_original_site_url":"https:\/\/www.microsoft.com\/en-us\/security\/blog","push-errors":false,"_links":{"self":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/124735"}],"collection":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/users\/68"}],"replies":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/comments?post=124735"}],"version-history":[{"count":0,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/124735\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/media\/124789"}],"wp:attachment":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/media?parent=124735"}],"wp:term":[{"taxonomy":"content-type","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/content-type?post=124735"},{"taxonomy":"topic","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/topic?post=124735"},{"taxonomy":"products","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/products?post=124735"},{"taxonomy":"threat-intelligence","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/threat-intelligence?post=124735"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/tags?post=124735"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/coauthors?post=124735"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}