Novel Technique to Detect Cloud Threat Actor Operations
Summary:
Unit 42 researchers have developed a novel detection methodology that leverages cloud-based logging to "fingerprint" and identify specific threat actor groups based on their unique operational techniques. By analyzing cloud alert data from June 2024 to June 2025 across 22 industries, the study successfully differentiated between the operations of Muddled Libra and Silk Typhoon. The research asserts that while general cloud alerting noise can be overwhelming, mapping specific alerts to MITRE ATT&CK tactics and techniques reveals distinct patterns, or "fingerprints", unique to each adversary. For instance, while both groups heavily target the High Technology sector, their secondary targets and specific technical approaches differ significantly. Muddled Libra operations correlated with a 25% increase in unique alerts in the Aviation industry, whereas Silk Typhoon showed higher-than-average daily alert volumes in the Federal and State Government sectors. This fingerprinting approach would allow security teams to move beyond generic anomaly detection to predictive, actor-specific defense strategies.
Security Officer Comments:
- Muddled Libra:
  - Active since 2021, this group is known for aggressive social engineering and partnering with RaaS programs like DragonForce (tracked as Slippery Scorpius).
  - TTPs & Social Engineering: They extensively use smishing (SMS phishing), vishing (voice phishing), and spear phishing to target help desks and employees for initial access.
  - Malicious Infrastructure & Tools: Once inside, they utilize cloud enumeration tools like ADRecon (Active Directory reconnaissance) and ransomware variants. Their cloud infrastructure footprint is characterized by extensive Discovery tactics (e.g., Cloud Service Discovery, Cloud Infrastructure Discovery) and Defense Evasion via modifying cloud compute infrastructure (e.g., creating new instances).
  - Top Alerts: "Suspicious cloud infrastructure enumeration activity" and "ML model discovery."
- Silk Typhoon:
  - A state-sponsored threat group (linked to HAFNIUM/Microsoft Exchange targeting history) focused on espionage and data theft.
  - Technical Threat Vectors: Their attack chain heavily favors Collection and Exfiltration over the noisy enumeration seen with Muddled Libra. They exploit public-facing applications (specifically using the Spring4Shell exploit) and abuse trusted relationships.
  - Malicious Infrastructure: Their infrastructure usage involves exfiltration over web services to cloud storage and downloading data from backup storage buckets. They target Microsoft 365 storage services for exfiltration.
  - Top Alerts: "Microsoft O365 storage services exfiltration," "Process execution with a suspicious command line indicative of the Spring4Shell exploit," and suspicious downloads of multiple objects from cloud buckets.
Suggested Corrections:
- Patch Public-Facing Applications: Prioritize patching for known vulnerabilities like Spring4Shell (CVE-2022-22965) to block Silk Typhoon's preferred entry vector.
- Restrict Web Shells: Implement strict monitoring for command-line execution by web server processes (e.g., Tomcat, Java) to detect exploitation attempts.
- MFA & Identity Hardening: Enforce phishing-resistant MFA to counter Muddled Libra's vishing and smishing campaigns targeting valid cloud accounts.
- Monitor Cloud API Usage: Create alerts for unusual DescribeInstance, ListBuckets, or GetAccountAuthorizationDetails API calls that indicate the use of enumeration tools like ADRecon.
- Baseline Identity Behavior: Meaningful anomalies in cloud role assumptions (T1098) or the creation of new cloud compute instances (T1578.002) should trigger immediate investigation.
- Cloud Storage Guardrails: Implement strict policies on S3/Azure Blob buckets to prevent unauthorized public access and monitor for "Massive code file downloads" or "Suspicious identity downloaded multiple objects."
- Data Transfer Monitoring: Alert on large data transfers to unmanaged cloud storage services or Microsoft 365 storage endpoints to detect Silk Typhoon's exfiltration channels.
- Implement "Fingerprint" Alerting: Move beyond generic severity scoring. Tag and group alerts based on the known TTP clusters of threat actors relevant to your industry (e.g., if in Retail, prioritize Muddled Libra- and Silk Typhoon-specific alert clusters).
- Tailored Defense by Industry: Utilize the industry-specific insights (e.g., Wholesale/Retail specific threats) to prioritize defense controls that might otherwise be deprioritized based on global (generic) trends.
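The following Python is an added example, not code from Unit 42 or from this bulletin. It ties together two of the recommendations above: the API-usage and instance-creation monitoring (alerting on bursts of DescribeInstances/ListBuckets/GetAccountAuthorizationDetails calls, bulk object downloads from a bucket, and RunInstances by an identity outside the provisioning baseline), and the "fingerprint" alerting the summary describes, where each alert is tagged with MITRE ATT&CK technique IDs and then grouped against per-actor technique clusters. The event shape, the thresholds, the sample events, the actor clusters and the industry watchlist are all assumptions made for the example; the technique IDs are ATT&CK's, but which of them belong to each actor is this example's approximation of the bulletin's narrative, not the study's data.

```python
"""Added example (not Unit 42's or the bulletin's code): alerts from constructed cloud
audit events, tagged with ATT&CK technique IDs and grouped by actor "fingerprint"."""
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery API calls and the technique each is taken to evidence (assumed mapping).
DISCOVERY_CALLS = {
    "DescribeInstances": "T1580", "ListBuckets": "T1580",  # Cloud Infrastructure Discovery
    "GetAccountAuthorizationDetails": "T1087.004",         # Account Discovery: Cloud Account
}
WINDOW = timedelta(minutes=10)
BURST_THRESHOLD = 3     # distinct discovery calls by one identity inside WINDOW
DOWNLOAD_THRESHOLD = 5  # distinct objects fetched from one bucket inside WINDOW

# Illustrative actor clusters approximating the bulletin's narrative (real ATT&CK IDs,
# assumed membership), plus the industry pairings the summary reports.
ACTOR_FINGERPRINTS = {
    "Muddled Libra": {"T1566", "T1580", "T1526", "T1087.004", "T1578.002", "T1098"},
    "Silk Typhoon": {"T1190", "T1199", "T1530", "T1567.002"},
}
INDUSTRY_WATCHLIST = {"Aviation": {"Muddled Libra"}, "Government": {"Silk Typhoon"}}

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def _ev(time, identity, event, **extra):
    return {"time": time, "identity": identity, "event": event, **extra}

# Constructed sample events in a simplified CloudTrail-like shape, not real telemetry.
ACCT = "arn:aws:iam::111122223333:"
SAMPLE_EVENTS = [
    _ev("2025-03-01T10:00:05Z", ACCT + "user/svc-build", "DescribeInstances"),
    _ev("2025-03-01T10:00:40Z", ACCT + "user/svc-build", "ListBuckets"),
    _ev("2025-03-01T10:02:10Z", ACCT + "user/svc-build", "GetAccountAuthorizationDetails"),
    _ev("2025-03-01T10:04:00Z", ACCT + "user/svc-build", "RunInstances"),
    _ev("2025-03-01T11:00:00Z", ACCT + "user/ops-jane", "DescribeInstances"),  # routine single call
] + [_ev(f"2025-03-01T12:00:{i:02d}Z", ACCT + "role/backup-reader", "GetObject",
         bucket="backups-prod", key=f"db/snapshot-{i}.tar.gz") for i in range(6)]

def detect(events, known_provisioners=frozenset()):
    """Return alerts as dicts with 'name', 'identity' and ATT&CK 'techniques'."""
    alerts, by_identity = [], defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_identity[e["identity"]].append(e)
    for identity, evs in by_identity.items():
        fired = set()  # one alert per rule (per bucket for downloads) per identity
        for i, start in enumerate(evs):
            t0 = _ts(start["time"])
            window = [e for e in evs[i:] if _ts(e["time"]) - t0 <= WINDOW]
            # Rule 1: burst of distinct discovery calls (enumeration-tool behaviour).
            calls = {e["event"] for e in window if e["event"] in DISCOVERY_CALLS}
            if "enum" not in fired and len(calls) >= BURST_THRESHOLD:
                fired.add("enum")
                alerts.append({"name": "Suspicious cloud infrastructure enumeration activity",
                               "identity": identity,
                               "techniques": sorted({DISCOVERY_CALLS[c] for c in calls})})
            # Rule 2: many distinct objects pulled from one bucket.
            objects = defaultdict(set)
            for e in window:
                if e["event"] == "GetObject":
                    objects[e["bucket"]].add(e["key"])
            for bucket, keys in objects.items():
                if ("download", bucket) not in fired and len(keys) >= DOWNLOAD_THRESHOLD:
                    fired.add(("download", bucket))
                    alerts.append({"name": "Suspicious identity downloaded multiple objects",
                                   "identity": identity, "bucket": bucket, "techniques": ["T1530"]})
        # Rule 3: instance creation by an identity outside the provisioning baseline.
        if identity not in known_provisioners and any(e["event"] == "RunInstances" for e in evs):
            alerts.append({"name": "Cloud compute instance created outside baseline",
                           "identity": identity, "techniques": ["T1578.002"]})
    return alerts

def fingerprint(alerts, industry=None):
    """Per actor: techniques hit, fraction of the cluster covered, industry watchlist flag,
    and the alerts that contributed."""
    observed = {t for a in alerts for t in a["techniques"]}
    report = {}
    for actor, cluster in ACTOR_FINGERPRINTS.items():
        hits = sorted(observed & cluster)
        report[actor] = {"matched": hits, "coverage": round(len(hits) / len(cluster), 2),
                         "watchlisted": actor in INDUSTRY_WATCHLIST.get(industry, set()),
                         "alerts": [a["name"] for a in alerts if set(a["techniques"]) & cluster]}
    return report

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f"{a['name']} | {a['identity'].rsplit('/', 1)[-1]} | {', '.join(a['techniques'])}")
    for actor, info in fingerprint(found, industry="Aviation").items():
        print(f"{actor}: coverage={info['coverage']} watchlisted={info['watchlisted']} matched={info['matched']}")
```

Run as a script it prints three alerts (the enumeration burst and the out-of-baseline RunInstances from svc-build, the bulk download by backup-reader) and then shows the Muddled Libra cluster covered at 0.5 and watchlisted for Aviation against Silk Typhoon at 0.25. The point of the grouping step is that the same three alerts, read one at a time by severity, say little, whereas the set of techniques they land on across identities starts to resemble one actor's cluster and not the other's; in a real deployment the thresholds, the provisioning baseline and the cluster membership would come from the organisation's own telemetry and the actor profiles it tracks.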
https://unit42.paloaltonetworks.com/tracking-threat-groups-through-cloud-logging/