ICTAM classifications define adversary groups by their specific identity-layer attack patterns. These models focus on state-aligned and APT-class actors who systematically target authentication infrastructure, federation trust boundaries, credential material, and cloud identity systems.
ICTAM-001: APT29 (Cozy Bear / Nobelium)
Federation Exploitation
Targets federation trust paths and token-signing material. Conducts SAML token forging (Golden SAML) operations, exemplified in the SolarWinds breach. Exploits misconfigured federation endpoints for silent identity takeover.
Token-Based Persistence
Abuses refresh tokens and OAuth app registrations for resilient, covert access. Leverages long-lived service principal credentials. Establishes persistence by adding its own secrets and certificates to existing app registrations, activity that is easily mistaken for routine administration.
Stealth Operations
Engages in long-term cloud resource infiltration with low-noise reconnaissance. Performs stealthy lateral movement using cloud tokens. Focuses heavily on Azure AD/Entra ID identity surfaces while avoiding password brute force.
Primary Target: Azure AD / Entra ID federation infrastructure and token signing certificates
Known for aggressive password spraying campaigns and large-scale authentication probing. Targets identity admin accounts with high-frequency attempts using geo-distributed infrastructure.
Exploits MFA enforcement gaps
Brute-forces federated endpoints
Performs username pattern reconnaissance
Attacks hybrid identity links between AD and Azure AD
Leverages legacy authentication paths
ICTAM-003: Volt Typhoon
Living-Off-the-Land Identity Attacks
Specializes in stealthy operations using legitimate credentials and built-in tools. Minimizes use of malware, relying instead on identity material and normal cloud traffic patterns for concealment.
Low-noise reconnaissance across cloud endpoints
Abuses long-lived tokens for persistence
Exploits conditional access gaps to bypass MFA
Conducts federated identity impersonation
Prefers valid accounts over brute force
ICTAM-004 & ICTAM-005: Multi-Vector Threats
APT41 (Double Dragon)
Espionage + Financial Motivation
Hijacks machine identities and automation accounts for dual-purpose operations. Targets CI/CD pipelines for credential theft and performs identity-based supply-chain compromise.
Abuses OAuth apps for privilege escalation
Token replay via cloud automation
Cross-cloud lateral movement through identity tokens
Manipulates SCIM provisioning paths
APT10 (Stone Panda)
Supply Chain Focus
Conducts supply-chain-oriented identity attacks, stealing cloud tokens from managed service providers to pivot into their customers' environments. Performs bulk credential harvesting from hybrid identity systems.
Targets SSO and federation infrastructure
High-volume authentication testing
Leverages cloud-native admin roles for expansion
Targets API keys and machine identities
ICTAM-006: DarkHalo / UNC2452
The SolarWinds Federation Breach
1. Initial Reconnaissance
Extremely stealthy reconnaissance of identity endpoints and federation infrastructure to map trust relationships and locate the token-signing certificate.
2. Trust Fabric Infiltration
Obtained the token-signing certificate and its private key from the federation server without detection, placing persistence directly inside the identity trust fabric at the core of federation authentication.
3. Golden SAML Execution
Conducted Golden SAML attacks at global scale. Forged SAML tokens to impersonate high-privilege identities across multiple organizations simultaneously.
4. Silent Persistence
Pivoted through cloud admin roles silently. Added credentials to OAuth app registrations for long-term persistence without triggering authentication alerts or anomaly detection.
"DarkHalo's techniques represented a paradigm shift in identity-layer attacks, demonstrating how federation trust itself could become the attack vector."
ICTAM-007 & ICTAM-008: Post-Breach Operations
1. Hafnium
Focuses on credential harvesting from cloud and hybrid systems. Performs extensive reconnaissance of user identity structures, then leverages token replay for post-breach persistence.
Exploits weak MFA configurations
Uses RDP and webshell footholds to steal tokens
Lateral movement using stolen cloud session tokens
2. Lazarus Group
Performs financially motivated identity attacks. Harvests credentials at scale using malware and phishing, then abuses cloud access tokens for high-impact operations.
Privilege escalation via OAuth applications
Leverages long-lived machine identity credentials
Identity pivoting across cloud tenants
ICTAM-009: Turla
Stealth-First Identity Operations
95% stealth rate: operations conducted below detection thresholds.
180 days average dwell time before detection.
Operational Characteristics
Turla conducts stealth-first identity and credential collection with exceptional operational security. Prefers silent, long-term identity compromise over rapid exploitation.
Abuses SSO and federation trust chains systematically
Uses covert methods to obtain tokens and session cookies
Performs slow, high-quality reconnaissance on identity endpoints
Focuses heavily on persistence through tokens and certificates
Maintains access through multiple redundant identity pathways
ICTAM-010: Gamaredon
High-Volume, Low-Sophistication Attacks
Noisy Credential Collection
Performs high-volume, easily detectable credential collection campaigns. Engages in repeated authentication attempts across multiple targets without sophisticated evasion techniques.
MFA and CA Policy Exploitation
Targets MFA gaps and weak conditional access policies using simple but effective identity takeover techniques. Focuses on organizations with immature security postures.
Brute Force Campaigns
Uses brute-force and password spraying campaigns at scale. Attempts token replay for persistence once initial access is achieved through credential compromise.
Detection Opportunity: Gamaredon's noisy operations make them a useful benchmark for validating detection coverage and maturity.
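Detection logic for the spray pattern described here and in the earlier password-spraying profile (high-frequency attempts against many accounts, legacy authentication paths, MFA gaps), as an added example that is not part of the original page. It runs over constructed sign-in records whose field names follow the Entra ID sign-in log schema (createdDateTime, userPrincipalName, ipAddress, clientAppUsed, status.errorCode; 50126 is Entra's invalid-credentials error code), flags a source that fails against many distinct accounts with at most two attempts each inside an hour, reports whether the spray rode a legacy protocol that cannot carry an MFA challenge, and lists accounts that later succeeded from that source. Thresholds and the sample log are constructed for the example.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Assumed schema: Entra ID sign-in log fields. 50126 is Entra's
# "invalid username or password" error code; 0 is success.
INVALID_CREDENTIALS = 50126
LEGACY_CLIENT_APPS = {"Exchange ActiveSync", "Exchange Web Services", "IMAP4",
                      "POP3", "SMTP", "Authenticated SMTP", "Other clients"}
WINDOW_MINUTES = 60
SPRAY_MIN_USERS = 8      # distinct accounts one source must fail against...
SPRAY_MAX_PER_USER = 2   # ...while staying under the lockout threshold per account


def _rec(ts, upn, ip, code, app):
    return json.dumps({"createdDateTime": ts, "userPrincipalName": upn,
                       "ipAddress": ip, "clientAppUsed": app,
                       "status": {"errorCode": code}})


# Constructed sample: one source walks 12 accounts over IMAP4, one failure
# each, then logs in as the account whose password matched. A separate user
# mistypes a password twice from the office and then succeeds (benign).
SAMPLE_LOG = "\n".join(
    [_rec(f"2024-05-01T02:{m:02d}:00Z", f"user{m:02d}@example.test",
          "203.0.113.10", INVALID_CREDENTIALS, "IMAP4") for m in range(12)]
    + [_rec("2024-05-01T02:12:00Z", "user07@example.test", "203.0.113.10", 0, "IMAP4"),
       _rec("2024-05-01T09:00:00Z", "alice@example.test", "198.51.100.5", INVALID_CREDENTIALS, "Browser"),
       _rec("2024-05-01T09:00:30Z", "alice@example.test", "198.51.100.5", INVALID_CREDENTIALS, "Browser"),
       _rec("2024-05-01T09:01:00Z", "alice@example.test", "198.51.100.5", 0, "Browser")]
)


def parse_log(text):
    """Parse JSON-lines sign-in records into flat events sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        r = json.loads(line)
        events.append({
            "time": datetime.strptime(r["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "user": r["userPrincipalName"].lower(),
            "ip": r["ipAddress"],
            "app": r["clientAppUsed"],
            "code": r["status"]["errorCode"],
        })
    return sorted(events, key=lambda e: e["time"])


def detect_password_spray(events, window_minutes=WINDOW_MINUTES,
                          min_users=SPRAY_MIN_USERS, max_per_user=SPRAY_MAX_PER_USER):
    """Spray signature: one source, many distinct accounts, one or two failures
    each, inside a short window. A single account hammered many times is
    brute force, not spraying, and is left to a separate rule.
    Returns {source_ip: finding} with the widest qualifying window per source."""
    by_ip = defaultdict(list)
    for e in events:
        if e["code"] == INVALID_CREDENTIALS:
            by_ip[e["ip"]].append(e)
    findings = {}
    for ip, fails in by_ip.items():
        start = 0
        for end in range(len(fails)):  # sliding window over time-ordered failures
            while (fails[end]["time"] - fails[start]["time"]).total_seconds() > window_minutes * 60:
                start += 1
            window = fails[start:end + 1]
            per_user = Counter(f["user"] for f in window)
            if len(per_user) < min_users or max(per_user.values()) > max_per_user:
                continue
            if ip not in findings or len(per_user) > findings[ip]["distinct_users"]:
                findings[ip] = {
                    "distinct_users": len(per_user),
                    "first": window[0]["time"], "last": window[-1]["time"],
                    # legacy protocols cannot carry an MFA challenge, so a spray
                    # over them turns one guessed password into a full login
                    "legacy_auth": sorted({f["app"] for f in window} & LEGACY_CLIENT_APPS),
                }
    return findings


def compromised_accounts(events, findings):
    """Any success from a spraying source is the account that fell."""
    return sorted({e["user"] for e in events if e["code"] == 0 and e["ip"] in findings})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hits = detect_password_spray(evs)
    for ip, f in hits.items():
        print(f"spray from {ip}: {f['distinct_users']} accounts, legacy auth: {f['legacy_auth']}")
    print("accounts to reset:", compromised_accounts(evs, hits))
```

The per-user cap is what separates a spray from a lockout storm: a spraying source stays at one or two tries per account precisely to avoid the lockout counter, so a rule keyed only on failure volume per account never fires. Keying on distinct accounts per source, and then escalating any success from that source, catches the pattern regardless of how slowly it is run within the window.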
Attack Pattern Comparison Matrix
Analysis of threat actor characteristics across key identity attack dimensions. Stealth level inversely correlates with attack volume, while federation focus strongly predicts token abuse sophistication.
Defensive Implications
Federation Hardening
APT29, DarkHalo, and Turla demonstrate the critical need to protect federation infrastructure. Implement token-signing certificate monitoring (alert on export, replacement, or rotation of the certificate), SAML response validation (issuer, audience, validity window, and signing certificate), and trust relationship auditing.
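Added example, not code from the page or from any product: the relying-party checks a federation consumer should apply to a SAML response (pinned issuer, audience, validity window, token-signing certificate thumbprint), followed by the correlation that catches the Golden SAML token described in the APT29 and DarkHalo profiles even though it passes every one of those checks. A token forged with the stolen signing key is cryptographically valid, so the detection is that the IdP never logged issuing it, and, typically, that the attacker chose a validity window no real IdP would grant. The issuer, audience, certificate bytes, XML and issuance log are all constructed; the XML-DSig signature verification is omitted and assumed to pass, and a real SP must perform it with a library such as signxml.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
FMT = "%Y-%m-%dT%H:%M:%SZ"
NOW = datetime(2024, 5, 1, 10, 30, tzinfo=timezone.utc)

# Hypothetical trust anchors pinned by the relying party (all constructed).
TRUSTED_ISSUER = "http://sts.example.test/adfs/services/trust"
EXPECTED_AUDIENCE = "urn:federation:MicrosoftOnline"
SIGNING_CERT_DER = b"constructed-token-signing-certificate-DER-bytes"
TRUSTED_THUMBPRINTS = {hashlib.sha1(SIGNING_CERT_DER).hexdigest().upper()}
MAX_ASSERTION_LIFETIME = timedelta(hours=1)


def make_response(assertion_id, subject, not_before, not_on_or_after,
                  cert_der=SIGNING_CERT_DER, issuer=TRUSTED_ISSUER):
    """Build a minimal constructed SAML Response. The Signature element only
    carries the certificate; no real XML-DSig is produced."""
    cert_b64 = base64.b64encode(cert_der).decode()
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" ID="_resp{assertion_id}" Version="2.0">
  <saml:Assertion ID="{assertion_id}" Version="2.0">
    <saml:Issuer>{issuer}</saml:Issuer>
    <ds:Signature><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{cert_b64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="{not_before.strftime(FMT)}"
                     NotOnOrAfter="{not_on_or_after.strftime(FMT)}">
      <saml:AudienceRestriction><saml:Audience>{EXPECTED_AUDIENCE}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def _ts(value):
    return datetime.strptime(value, FMT).replace(tzinfo=timezone.utc)


def parse_response(xml_text):
    """Extract the fields a relying party must check from a SAML Response."""
    a = ET.fromstring(xml_text).find("saml:Assertion", NS)
    conds = a.find("saml:Conditions", NS)
    der = base64.b64decode(a.find(".//ds:X509Certificate", NS).text.strip())
    return {"id": a.get("ID"),
            "issuer": a.find("saml:Issuer", NS).text.strip(),
            "subject": a.find("saml:Subject/saml:NameID", NS).text.strip(),
            "audience": a.find(".//saml:Audience", NS).text.strip(),
            "not_before": _ts(conds.get("NotBefore")),
            "not_on_or_after": _ts(conds.get("NotOnOrAfter")),
            "thumbprint": hashlib.sha1(der).hexdigest().upper()}


def validate(assertion, now=NOW):
    """Relying-party checks; an empty list means the token is accepted.
    The XML-DSig signature verification a real SP performs is omitted here."""
    failures = []
    if assertion["issuer"] != TRUSTED_ISSUER:
        failures.append("untrusted issuer")
    if assertion["audience"] != EXPECTED_AUDIENCE:
        failures.append("audience mismatch")
    if assertion["thumbprint"] not in TRUSTED_THUMBPRINTS:
        failures.append("signing cert not pinned")
    if not assertion["not_before"] <= now < assertion["not_on_or_after"]:
        failures.append("outside validity window")
    return failures


def golden_saml_indicators(assertion, idp_issuance_log):
    """Catch a token that is cryptographically valid but was never issued: a
    Golden SAML token is minted off the IdP, so the IdP has no record of it,
    and attackers pick validity windows no real IdP would grant."""
    indicators = []
    if assertion["id"] not in {e["assertion_id"] for e in idp_issuance_log}:
        indicators.append("no matching IdP issuance event")
    hours = (assertion["not_on_or_after"] - assertion["not_before"]).total_seconds() / 3600
    if hours > MAX_ASSERTION_LIFETIME.total_seconds() / 3600:
        indicators.append(f"validity window of {hours:.0f} hours exceeds policy")
    return indicators


# Constructed IdP issuance log: one record per token the IdP actually issued.
IDP_ISSUANCE_LOG = [{"assertion_id": "_a1", "user": "alice@example.test",
                     "issued": "2024-05-01T10:25:00Z"}]
LEGIT_XML = make_response("_a1", "alice@example.test",
                          NOW - timedelta(minutes=5), NOW + timedelta(minutes=55))
# Forged with the stolen signing key: same pinned certificate, privileged
# subject, week-long validity, and no issuance record anywhere.
GOLDEN_XML = make_response("_a9", "globaladmin@example.test",
                           NOW - timedelta(days=1), NOW + timedelta(days=6))
# Signed with a certificate the relying party never pinned: rejected up front.
ROGUE_XML = make_response("_a2", "bob@example.test", NOW - timedelta(minutes=5),
                          NOW + timedelta(minutes=55), cert_der=b"attacker-controlled-cert")

if __name__ == "__main__":
    for name, xml_text in (("legit", LEGIT_XML), ("golden", GOLDEN_XML), ("rogue", ROGUE_XML)):
        a = parse_response(xml_text)
        print(name, validate(a) or "accepted", golden_saml_indicators(a, IDP_ISSUANCE_LOG))
```

The point of the two sample tokens is that validate() accepts both: pinning the signing certificate stops a rogue IdP, not a stolen key. The issuance-log join is the control that actually distinguishes them, which is why the federation server's token-issuance audit log has to be shipped to the same place as the cloud tenant's sign-in log and kept for the dwell times described on this page.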
Detection Engineering
High-stealth actors like Volt Typhoon require behavioral analytics that baseline normal credential use and flag departures from it. Token lifetime anomalies, session tokens reused from new locations, and conditional access bypass attempts signal advanced compromise.
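Two of the signals named here written out over constructed records, as an added example that is not from the page: the same session presented from two autonomous systems within minutes, which is what a lifted session cookie or refresh token looks like and what the Hafnium, Turla and Volt Typhoon profiles describe, and a privileged account completing a single-factor sign-in while no Conditional Access policy was evaluated at all (conditionalAccessStatus "notApplied"), the scoping gap that lets valid credentials through without MFA. Field names follow the Entra ID sign-in log schema (sessionId, autonomousSystemNumber, conditionalAccessStatus, authenticationRequirement); the privileged-user set is a constructed stand-in for a role-assignment lookup, and the IPs, ASNs and session ids are invented.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed schema: Entra ID sign-in log fields. All values below are constructed.
REPLAY_WINDOW = timedelta(minutes=30)
# Stand-in for a directory-role lookup; in practice derive from role assignments.
PRIVILEGED_USERS = {"globaladmin@example.test"}


def _rec(ts, upn, ip, asn, session, ca_status, auth_req):
    return json.dumps({"createdDateTime": ts, "userPrincipalName": upn, "ipAddress": ip,
                       "autonomousSystemNumber": asn, "sessionId": session,
                       "conditionalAccessStatus": ca_status,
                       "authenticationRequirement": auth_req})


SAMPLE_LOG = "\n".join([
    # bob completes MFA at the office (AS64500); four minutes later the same
    # session is presented from AS64501. The replayed token still carries the
    # MFA claim, so CA reports success: only the session/ASN pairing gives it away.
    _rec("2024-05-01T08:00:00Z", "bob@example.test", "198.51.100.5", 64500, "sess-bob-1", "success", "multiFactorAuthentication"),
    _rec("2024-05-01T08:04:00Z", "bob@example.test", "203.0.113.77", 64501, "sess-bob-1", "success", "multiFactorAuthentication"),
    _rec("2024-05-01T08:30:00Z", "bob@example.test", "198.51.100.5", 64500, "sess-bob-1", "success", "multiFactorAuthentication"),
    # carol's session moves between two ISPs hours apart: ordinary roaming.
    _rec("2024-05-01T07:00:00Z", "carol@example.test", "198.51.100.9", 64500, "sess-carol-1", "success", "multiFactorAuthentication"),
    _rec("2024-05-01T12:00:00Z", "carol@example.test", "192.0.2.40", 64502, "sess-carol-1", "success", "multiFactorAuthentication"),
    # a Global Administrator reaches the tenant with one factor and no CA policy
    # in scope, from the same address that replayed bob's session.
    _rec("2024-05-01T09:00:00Z", "globaladmin@example.test", "203.0.113.77", 64501, "sess-ga-1", "notApplied", "singleFactorAuthentication"),
    _rec("2024-05-01T09:05:00Z", "dave@example.test", "198.51.100.12", 64500, "sess-dave-1", "notApplied", "singleFactorAuthentication"),
])


def parse_signins(text):
    """Parse JSON-lines sign-in records into flat events sorted by time."""
    events = []
    for line in text.splitlines():
        r = json.loads(line)
        events.append({
            "time": datetime.strptime(r["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "user": r["userPrincipalName"].lower(), "ip": r["ipAddress"],
            "asn": r["autonomousSystemNumber"], "session": r["sessionId"],
            "ca": r["conditionalAccessStatus"], "auth": r["authenticationRequirement"],
        })
    return sorted(events, key=lambda e: e["time"])


def detect_session_replay(events, window=REPLAY_WINDOW):
    """Same session id seen from two autonomous systems within `window`: a
    session cookie or refresh token used somewhere it was not issued."""
    by_session = defaultdict(list)
    for e in events:  # events are time-ordered, so each list is too
        by_session[(e["user"], e["session"])].append(e)
    findings = {}
    for (user, sid), evs in by_session.items():
        for prev, cur in zip(evs, evs[1:]):
            if prev["asn"] != cur["asn"] and cur["time"] - prev["time"] <= window:
                findings[sid] = {"user": user,
                                 "asns": sorted({x["asn"] for x in evs}),
                                 "ips": sorted({x["ip"] for x in evs})}
                break
    return findings


def detect_ca_scoping_gaps(events, privileged=PRIVILEGED_USERS):
    """Privileged sign-ins that no Conditional Access policy evaluated and that
    completed with a single factor: a gap in policy scope, not a policy failure."""
    return [{"user": e["user"], "ip": e["ip"], "time": e["time"]}
            for e in events
            if e["user"] in privileged and e["ca"] == "notApplied"
            and e["auth"] == "singleFactorAuthentication"]


def shared_replay_sources(events, replay_findings):
    """IPs involved in a replay that also authenticated other accounts: the
    pivot list to triage next, since token theft is followed by lateral movement."""
    replay_ips = {ip for f in replay_findings.values() for ip in f["ips"]}
    users_by_ip = defaultdict(set)
    for e in events:
        if e["ip"] in replay_ips:
            users_by_ip[e["ip"]].add(e["user"])
    return {ip: sorted(u) for ip, u in users_by_ip.items() if len(u) > 1}


if __name__ == "__main__":
    evs = parse_signins(SAMPLE_LOG)
    replay = detect_session_replay(evs)
    print("replayed sessions:", replay)
    print("privileged sign-ins with no CA policy evaluated:", detect_ca_scoping_gaps(evs))
    print("pivot sources:", shared_replay_sources(evs, replay))
```

Note what the replay rule does not key on: the MFA claim and the Conditional Access result are both clean on the replayed sign-in, because the token was obtained after the legitimate user satisfied them. Rules that trust those fields are exactly what a valid-account actor hides behind; the session id tied to a change of network is the residue the token cannot shed.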
Access Control
APT41 and Lazarus Group target machine identities and automation accounts. Implement least privilege for service principals, periodic review of OAuth app permissions and credentials, and CI/CD secret hygiene controls.
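An app registration audit in the spirit of the review process recommended here, as an added example that is not taken from the page. It reads a constructed export shaped like Microsoft Graph application objects (passwordCredentials and keyCredentials with startDateTime and endDateTime), with a grantedAppRoles list that stands in for appRoleAssignments already resolved to permission names, and flags the three things the APT29, APT41 and Lazarus profiles describe: credentials whose lifetime exceeds policy, apps holding tenant-takeover or mailbox-read application permissions, and a credential added within the last few days to an app that already holds such a permission, the pattern Nobelium used for persistence. App names, GUIDs, dates and the permission sets are constructed for the example.

```python
import json
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 5, 1, tzinfo=timezone.utc)
MAX_CREDENTIAL_LIFETIME = timedelta(days=365)
RECENTLY_ADDED = timedelta(days=7)
# Graph application permissions that let a service principal take over the
# tenant (assumed set for this example); any app holding one gets strict review.
TENANT_TAKEOVER_ROLES = {"Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All",
                         "Directory.ReadWrite.All", "RoleManagement.ReadWrite.Directory"}
SENSITIVE_DATA_ROLES = {"Mail.Read", "Mail.ReadWrite", "Files.Read.All", "Files.ReadWrite.All"}

# Constructed export shaped like Graph /applications objects. grantedAppRoles is
# an assumed, pre-resolved list; against Graph you would resolve each service
# principal's appRoleAssignments through the resource's appRoles to get names.
APPS_JSON = json.dumps([
    {"displayName": "Payroll Connector", "appId": "00000000-0000-4000-8000-000000000001",
     "passwordCredentials": [{"keyId": "k1", "startDateTime": "2023-06-01T00:00:00Z",
                              "endDateTime": "2025-06-01T00:00:00Z"}],
     "keyCredentials": [], "grantedAppRoles": ["User.Read.All"]},
    {"displayName": "Backup Automation", "appId": "00000000-0000-4000-8000-000000000002",
     "passwordCredentials": [{"keyId": "k2", "startDateTime": "2024-04-28T00:00:00Z",
                              "endDateTime": "2026-04-28T00:00:00Z"}],
     "keyCredentials": [{"keyId": "c1", "type": "AsymmetricX509Cert",
                         "startDateTime": "2024-04-29T00:00:00Z",
                         "endDateTime": "2034-04-29T00:00:00Z"}],
     "grantedAppRoles": ["Directory.ReadWrite.All", "Mail.Read"]},
    {"displayName": "HR Sync", "appId": "00000000-0000-4000-8000-000000000003",
     "passwordCredentials": [{"keyId": "k3", "startDateTime": "2024-03-01T00:00:00Z",
                              "endDateTime": "2024-08-01T00:00:00Z"}],
     "keyCredentials": [], "grantedAppRoles": ["User.ReadWrite.All"]},
])


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_app(app, now=NOW):
    """Return a list of {app, severity, reason} findings for one registration."""
    name = app["displayName"]
    findings = []
    roles = set(app.get("grantedAppRoles", []))
    takeover = roles & TENANT_TAKEOVER_ROLES
    for role in sorted(takeover):
        findings.append({"app": name, "severity": "high",
                         "reason": f"holds tenant-takeover permission {role}"})
    for role in sorted(roles & SENSITIVE_DATA_ROLES):
        findings.append({"app": name, "severity": "medium",
                         "reason": f"holds sensitive-data permission {role}"})
    creds = ([("secret", c) for c in app.get("passwordCredentials", [])]
             + [("certificate", c) for c in app.get("keyCredentials", [])])
    for kind, c in creds:
        start, end = _ts(c["startDateTime"]), _ts(c["endDateTime"])
        if end <= now:
            continue  # an expired credential cannot be used for persistence
        if end - start > MAX_CREDENTIAL_LIFETIME:
            findings.append({"app": name, "severity": "medium",
                             "reason": f"long-lived {kind} {c['keyId']} ({(end - start).days} days)"})
        # The Nobelium pattern: a fresh credential quietly added to an app that
        # already holds powerful permissions hands the attacker their own key.
        if takeover and now - start <= RECENTLY_ADDED:
            findings.append({"app": name, "severity": "high",
                             "reason": f"{kind} {c['keyId']} added {(now - start).days} days ago "
                                       "on an app with tenant-takeover permissions"})
    return findings


def audit_tenant(apps_json, now=NOW):
    """Audit every app in a Graph-style export, highest severity first."""
    rank = {"high": 0, "medium": 1}
    findings = [f for app in json.loads(apps_json) for f in audit_app(app, now)]
    return sorted(findings, key=lambda f: (rank[f["severity"]], f["app"]))


if __name__ == "__main__":
    for f in audit_tenant(APPS_JSON):
        print(f"[{f['severity']:6}] {f['app']}: {f['reason']}")
```

Run against a real tenant, the "added N days ago" finding is the one to page on: it is cheap to compute from the credential's startDateTime, and an attacker who already holds Directory.ReadWrite.All through an app does not need to touch a single user account again. Pair it with an allow-list of who is permitted to add credentials to privileged apps, and alert on the directory audit event for the change rather than waiting for the next scheduled audit.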