
Threat Actor Characterization

Threat Group-1314


ID: 3d0c8b74ca2ad7144e18bb7ee6b1845883307
Categories: Cybercrime, State-Sponsored
Threat types: Intrusion, Espionage, Malware
Updated: 2026-01-13
Created: 2025-10-22
Operation zone: UNKNOWN
Aliases
No aliases registered.
MITRE ATT&CK®

Threat Group-1314 (G0028) is an unattributed intrusion set that used stolen credentials to access Internet-facing remote access (e.g., Citrix) and then moved laterally by abusing enterprise tools such as Altiris, spawning Windows command shells and mapping network shares via SMB.


Technique | Technique name | Tactics | Evidence

T1133 External Remote Services (TA0001, TA0003)
  • 2015-05-28 — Actors authenticated to an Internet-facing Citrix server with compromised credentials to gain initial access.
T1078.002 Domain Accounts (TA0001, TA0003, TA0004, TA0005)
  • 2015-05-28 — Use of compromised domain credentials, including an Altiris-associated account, to authenticate and move laterally.
T1072 Software Deployment Tools (TA0002, TA0008)
  • 2015-05-28 — Abuse of the victim's endpoint management platform (Altiris) to execute commands and propagate across hosts.
T1059.003 Windows Command Shell (TA0002)
  • 2015-05-28 — Remote Windows command shells were spawned on victim systems (including via PsExec) for command execution.
T1021.002 SMB/Windows Admin Shares (TA0008)
  • 2015-05-28 — Network drives were mapped with `net use` over SMB/Windows Admin Shares during lateral movement.
Strategic Intelligence
Last updated: 2025-10-23T17:33:53+00:00
THREAT GROUP-1314 — “Living off the land” via valid creds and admin platforms

CLASSIFICATION: Unclassified / Open Source


Executive Summary

Threat Group-1314 (MITRE G0028) is an unattributed intrusion set observed circa 2015 that leveraged compromised credentials to enter enterprise environments through remote access infrastructure (e.g., Internet-facing Citrix/VPN) and then moved laterally using built-in admin tools and endpoint management platforms. Dell Secureworks documents a TG-1314 case in which the actors authenticated to a Citrix server, abused Altiris (endpoint management) for lateral movement, spawned remote shells (e.g., via PsExec), and mapped network drives with `net use`, all using compromised domain credentials tied to Altiris. MITRE summarizes the group as using compromised credentials to log into victim remote access infrastructure and maps its techniques to Valid Accounts, Remote Services (SMB/Windows Admin Shares), Windows Command Shell, and Software Deployment Tools (Altiris). Overall confidence in these core facts: high.


  • Industries/Sectors: Not explicitly attributed across sectors in public sources; at least one incident investigated by Secureworks involves an enterprise with Altiris deployed (common in large corporate IT). INFERENCE (confidence: low).
  • Geography (Region): Not specified; technique set is globally applicable to enterprises using Citrix/VPN and endpoint management suites. INFERENCE (confidence: low).
  • Countries (if available): Not specified in primary sources.
  • Timeframe: 2015–2017+ (Secureworks case published 2015-05-28; MITRE G0028 cataloged 2017-05-31, with page updates through 2025-04).
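The chain above (a shell spawned through a deployment tool or PsExec, followed by `net use` share mapping under the same account) is what a hunt for this profile should correlate. The following is an added detection example written for this page, not code from the platform or from the cited reports; the Sysmon-style field names, the Altiris agent path, and the sample events are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed Sysmon-style process-creation events (sample data, not from the page).
# Field names and file paths are assumptions for this example.
EVENTS = [
    {"ts": "2015-05-28T09:01:10", "host": "ws01", "user": "CORP\\altiris_svc",
     "parent": "C:\\Program Files\\Altiris\\Altiris Agent\\AeXNSAgent.exe",
     "image": "C:\\Windows\\System32\\cmd.exe", "cmd": "cmd.exe /c whoami"},
    {"ts": "2015-05-28T09:02:30", "host": "ws01", "user": "CORP\\altiris_svc",
     "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\net.exe", "cmd": "net use Z: \\\\fs01\\share"},
    {"ts": "2015-05-28T11:15:00", "host": "ws02", "user": "CORP\\jdoe",
     "parent": "C:\\Windows\\PSEXESVC.exe",
     "image": "C:\\Windows\\System32\\cmd.exe", "cmd": "cmd.exe"},
    {"ts": "2015-05-28T14:00:00", "host": "ws03", "user": "CORP\\jdoe",
     "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\net.exe", "cmd": "net use H: \\\\fs01\\home"},
]

# Parents indicating a shell spawned by a deployment tool (Altiris agent) or PsExec.
REMOTE_ADMIN_PARENTS = re.compile(r"(aexnsagent|psexesvc)\.exe$", re.I)
SHELLS = re.compile(r"\\(cmd|powershell)\.exe$", re.I)
NET_USE = re.compile(r"^net(1)?(\.exe)?\s+use\s+", re.I)

def classify(ev):
    """Map one event to the ATT&CK behaviour it evidences, or None if benign-looking."""
    if SHELLS.search(ev["image"]) and REMOTE_ADMIN_PARENTS.search(ev["parent"]):
        return "T1059.003 shell spawned by remote admin tool"
    if NET_USE.match(ev["cmd"]) and "\\\\" in ev["cmd"]:
        return "T1021.002 admin share mapped with net use"
    return None

def hunt(events, window=timedelta(minutes=30)):
    """Return (severity, host, user, description) findings in time order; a net use
    following a remote-tool shell for the same host/user within the window is high."""
    findings, last_shell = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        tag = classify(ev)
        if tag is None:
            continue
        key, ts = (ev["host"], ev["user"]), datetime.fromisoformat(ev["ts"])
        if tag.startswith("T1059"):
            last_shell[key] = ts
            findings.append(("medium", ev["host"], ev["user"], tag))
        elif key in last_shell and ts - last_shell[key] <= window:
            findings.append(("high", ev["host"], ev["user"], "T1072 chain: " + tag))
        else:
            findings.append(("low", ev["host"], ev["user"], tag))
    return findings
```

On the sample data the Altiris-spawned shell on ws01 followed by `net use` escalates to high, the PsExec shell on ws02 is flagged on its own, and the interactive `net use` on ws03 stays low because no remote-tool shell preceded it for that host/user.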