Dark Halo

Dark Halo is the name Volexity uses for a state-sponsored threat actor linked to multiple intrusions in late 2019 and 2020, including activity overlapping with FireEye’s UNC2452 reporting and the SolarWinds Orion compromise. Reporting cited in the content also notes that anonymous government sources associated the group behind the hacks with APT29 / Cozy Bear, believed to be tied to Russia’s FSB, but Volexity itself is described as tracking the actor as Dark Halo. Based on the provided content, Dark Halo targeted a US-based think tank and focused primarily on stealing email from selected executives, policy experts, and IT staff. Volexity investigated three separate incidents involving this actor at one think tank. In the first, the actor used multiple tools, backdoors, and malware implants and remained undetected for several years. In the second, the actor returned after remediation by exploiting a vulnerability in the organization’s Microsoft Exchange Control Panel. In the third, Volexity concluded the likely infection vector was the compromised SolarWinds Orion platform in June and July 2020. The actor’s tradecraft included living off the land where possible, selective malware use, evidence cleanup, and repeated re-entry after apparent eviction. Observed techniques included Exchange Management Shell reconnaissance using cmdlets such as Get-ManagementRoleAssignment and Get-WebServicesVirtualDirectory; use of a renamed AdFind binary as sqlceip.exe; PowerShell and schtasks.exe for lateral movement via scheduled tasks; mailbox theft using New-MailboxExportRequest; deletion of evidence with Remove-MailboxExportRequest; and manipulation of ActiveSync access using Set-CASMailbox to add attacker-controlled device IDs. Exported PST files were compressed with 7z into password-protected archives and staged in Exchange OWA web-accessible directories for HTTP retrieval. Volexity also documented a notable MFA bypass during OWA access. After compromising the OWA server, Dark Halo obtained Duo’s integration secret key (akey) and used it to precompute a valid duo-sid cookie. With a valid username and password, this allowed the actor to access a mailbox protected by Duo MFA without triggering a second-factor challenge. The content explicitly states this was not a vulnerability in Duo, but a consequence of compromise of the integration secret on the server. Infrastructure overlap with the SolarWinds campaign was observed through shared command-and-control indicators and a backdoored SolarWinds Orion server. Domains and infrastructure mentioned in the content include avsvmcloud.com, freescanonline.com, lcomputers.com, webcodez.com, and solartrackingsystem.net. Known aliases directly mentioned in the content are UNC2452, APT29, and Cozy Bear.