Cinnamon Tempest

Threat Actors · Cinnamon Tempest

· ATT&CK GroupG1021

DEV-0401Emperor DragonflyBRONZE STARLIGHT

Techniques

Software

Tactics

Aliases

Description

Cinnamon Tempest is a China-based threat group that has been active since at least 2021 deploying multiple strains of ransomware based on the leaked Babuk source code. Cinnamon Tempest does not operate their ransomware on an affiliate model or purchase access but appears to act independently in all stages of the attack lifecycle. Based on victimology, the short lifespan of each ransomware variant, and use of malware attributed to government-sponsored threat groups, Cinnamon Tempest may be motivated by intellectual property theft or cyberespionage rather than financial gain.(Citation: Microsoft Ransomware as a Service)(Citation: Microsoft Threat Actor Naming July 2023)(Citation: Trend Micro Cheerscrypt May 2022)(Citation: SecureWorks BRONZE STARLIGHT Ransomware Operations June 2022)

Tactic Coverage

execution (5)stealth (4)privilege escalation (4)persistence (3)initial access (3)command and control (3)lateral movement (2)defense impairment (1)exfiltration (1)resource development (1)impact (1)

Techniques Used (19)

T1021.002SMB/Windows Admin Shares

lateral movement

T1047Windows Management Instrumentation

execution

T1059.001PowerShell

execution

T1059.003Windows Command Shell

execution

T1059.006Python

execution

Registration Required

Create a free account to access full Threat Actor Techniques

Showing 5 of 19 results

✓ Personal dashboard✓ Track 1 vendor/product✓ 1 keyword alert✓ Weekly digest✓ 1 CSV export/month

Already have an account? Sign in →

Software Used (8)

S1096Cheerscryptmalware S0154Cobalt Strikemalware S1097HUI Loadermalware S0357Impackettool S0664Pandoramalware S0013PlugXmalware S1040Rclonetool S0633Sliver

References (10)

https://attack.mitre.org/groups/G1021 https://blog.sygnia.co/revealing-emperor-dragonfly-a-chinese-ransomware-group https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader https://www.trendmicro.com/en_se/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/https://www.secureworks.com/research/threat-profiles/bronze-starlight