Redefining IABs: Impacts of compartmentalization on threat tracking and modeling

  • Cisco Talos has observed a growing trend of attack kill chains being split into two stages — initial compromise and subsequent exploitation — executed by separate threat actors. This compartmentalization increases the complexity and difficulty of performing threat modeling and actor profiling.
  • Initial access groups now include both traditional initial access brokers (IABs) as well as opportunistic and state-sponsored threat actors, whose characteristics, motivations and objectives differ significantly.
  • In response to these evolving threats, we have refined the definitions of initial access groups to include subcategories such as financially-motivated initial access (FIA), state-sponsored initial access (SIA), and opportunistic initial access (OIA). 
  • We provide several examples of publicly-known threat groups to explain our methodology and the differentiation between them. Understanding the motivations of initial access groups is crucial for analyzing compartmentalized threats. In the forthcoming blog, we will explain how to model attack kill chains that involve multiple attackers.

What is initial access?


The term “initial access” refers to the initial foothold or entry point that threat actors establish within a target network or system. It is the stage in the cyber attack kill chain in which an attacker has the opportunity to begin working towards their longer-term mission objectives, whatever those may be. Initial access can be gained through a variety of methods, including exploitation of software or hardware vulnerabilities, employment of social engineering tactics to obtain credentials, or delivery of malicious components that, if opened or executed by victims, grant this ability automatically. 

In recent years, we have observed the emergence of threat actors who specialize in gaining initial access to computer networks. These threat actors, also referred to as initial access brokers (IABs), traditionally monetize the access they gain by selling it to other threat actors, who may then utilize the provided access for espionage or financial purposes. In short, IABs play a pivotal role in the overall cybercrime ecosystem, as they enable other malicious actors to quickly and efficiently execute their attacks without requiring them to obtain access themselves.

This distinction between IABs and the threat actors they may transfer network/system access to is extremely important. It directly impacts organizational risk assessment and threat modeling activities, as well as how incident response may be conducted if an intrusion occurs. It also complicates intrusion analysis, as it is often difficult to determine when a potential “handoff” of access occurs between threat actors when analyzing log data collected during an active intrusion.

Additionally, the term “initial access” is sometimes misused to refer to infrastructure leveraged by threat actors, such as operational relay box (ORB) networks and those offered as Infrastructure as a Service (IaaS). In this context, “initial access” specifically refers to access to the target’s network, not a network leveraged by threat actors merely as infrastructure for their campaign.

What are the challenges?

One of the primary challenges in modern intrusion analysis is the ability to correctly identify whether an observed adversary is an IAB. This distinction is operationally critical: when the actor responsible for the intrusion focuses solely on initial access, defenders must anticipate and prepare for the likely involvement of secondary actors who may carry out the core objectives of the attack. However, distinguishing IABs from full-spectrum threat actors has become increasingly difficult, as many initial access operations now exhibit the same level of sophistication, targeting and tooling as those conducted by targeted attackers or advanced persistent threats (APT). This overlap in tradecraft significantly complicates attribution, especially in cases where multiple actors interact across different phases of the intrusion.

Another challenge stems from the fact that compartmentalization is no longer exclusive to financially-motivated cybercriminals. In recent years, state-sponsored threat actors have adopted similar operational models, performing initial access and subsequently handing off to other state-sponsored groups within the same state apparatus (e.g., between military or intelligence units). In some cases, state-sponsored initial access groups even transfer access to financially-motivated ransomware operators. These handoffs may be strategic or opportunistic in nature, but they introduce a key problem for defenders: the appropriate preventative, detective and responsive strategies employed must consider not only the threat actor who obtains initial access, but also any other threat actors that may operate during later stages of an intrusion. Likewise, the hunting and containment strategies employed to defend against financially-motivated IABs may not be suitable against state-sponsored initial access groups, whose access operations are typically more stealthy, targeted, and persistent.

Given this evolution across the threat landscape, we argue that a more granular taxonomy of initial access groups is necessary. Specifically, differentiating initial access groups (IAGs) based on the threat actor’s perceived motivation for obtaining initial access is essential for accurate actor profiling, campaign tracking, and threat modeling. This refined categorization enables defenders and analysts to better predict follow-on activity, align response strategies with threat actor intent, and improve long-term attribution and understanding of the threat landscape.

Redefining IABs

As previously mentioned, the concept of obtaining access to protected systems or networks and then transferring that access to third parties is not specific to either financially-motivated or state-sponsored/-aligned threat actors. In response to this shift, we propose expanding the definition of IABs to include several types of initial access groups (IAGs) that reflect a broader range of threat actor motivations and affiliations (as not all the groups specialized in gaining initial access are “brokers”, we replace “broker” with “group”). As such, we define an IAG not strictly by the technical stage of the intrusion in which they operate, but based on their primary operational intent: to obtain and then hand over access to another group. Although initial access groups primarily focus on gaining entry into target environments and may not be heavily involved in later operations within the kill chain, they may well possess the skills necessary for lateral movement, privilege escalation, and other advanced techniques. Being classified as an initial access group does not imply a lack of sophistication in terms of their tactics, techniques and procedures (TTPs) and capabilities. It is also worth noting that, while gaining initial access, many IAGs also maintain persistence on the compromised host or network to ensure the access survives the handover process.

The determination as to whether a threat actor should be considered an IAG is based on consistent observable behavioral patterns. If a group routinely hands over access, regardless of whether it also performs lateral movement, data staging, or limited post-compromise activity prior to the transfer of access, it should still be considered an IAG, as long as the end goal is delegation to another threat actor.

Rather than treating IAGs as a homogenous category, we further distinguish between actors based on their primary drivers and organizational alignment. Specifically, we introduce a new taxonomy comprising:

  • Financially-motivated initial access (FIA)
  • State-sponsored initial access (SIA)
  • Opportunistic initial access (OIA)

Financially-motivated initial access (FIA)

Financially-motivated initial access (FIA) groups are typified by their focus on compromising systems for financial gain, which is more aligned with the conventional definition of an IAB. Their main objective is the maximization of profits derived by monetizing the access they achieve. These groups may occasionally sell access to state-sponsored actors, either with or without full awareness of the buyer’s identity, but their sole driving force remains financial gain. The motivations behind their transactions are not influenced by political objectives or tasking, but rather by the potential for profit, making them distinct from state-sponsored initial access (SIA) or opportunistic initial access (OIA) groups. This singular focus on financial outcomes guides their operations, regardless of the end use of the access they provide.

ToyMaker, also known as UNC961, is one example of an FIA group. ToyMaker typically exploits known vulnerable internet-facing servers and has used custom implants such as LAGTOY to gain initial access to high-value targets, including critical infrastructure organizations. The group has been observed transferring access to multiple ransomware groups including Maze, Egregor and Cactus.

Another example is TA571, a threat actor that has been associated with the operation of spam botnets for malware distribution, as well as with the use of the 404TDS, which is sometimes incorporated into the spam emails. Prior reporting indicates that TA571 operates as an FIA group and has been observed distributing a variety of malware families, including those associated with threat actors such as TA866/Asylum Ambuscade, a threat actor that has historically been associated with both financially-motivated and espionage operations. In addition, TA571 has been associated with the distribution of other malware families, including variants of IcedID, NetSupportRAT, DarkGate and others. In the context of the categorization described previously, we would characterize TA571 as an FIA group, as their primary motivation is likely financial in nature.

State-sponsored initial access (SIA)

State-sponsored initial access (SIA) groups are typically embedded within a nation’s military cyber units, intelligence agencies, or state-affiliated contractors. These groups focus on gaining a foothold in high-value targets, often government, critical infrastructure or strategic industries, to help the state-sponsored groups achieve their broader operational goals. This type of handoff is often conducted for the purpose of providing isolation between the different phases of a typical attack kill chain. By insulating each phase from the others, the threat actor can lower the risk of exposure of stage-specific tooling and TTPs, making attribution of attacks significantly more difficult.

It’s important to note that for an actor to be classified as an SIA group, the focus should primarily be on securing initial access rather than executing the entire attack campaign. Even if an actor has the capability to complete the full attack kill chain, an SIA group’s defining characteristic is its regular practice of handing over initial access to affiliated groups. This deliberate handoff differentiates SIA groups from conventional APT groups, underscoring their specialized role within the broader context of state-sponsored cyber operations.

One example of an SIA group is ShroudedSnooper, also known as UNC1860, Scarred Manticore and Storm-0861. ShroudedSnooper is widely considered an IAG and attributed to Iran by industry vendors. Talos assesses with high confidence that ShroudedSnooper is an SIA group. ShroudedSnooper is associated with the Iranian government, mainly tasked with gaining initial access and then deploying webshells and passive implants such as HTTPSnoop, PipeSnoop and more. These implants are later instrumented to transfer access to other threat groups working under the Iranian APT machinery. Once ShroudedSnooper has established persistent access, subsequent threat actors (for example, Storm-0842) may use the access for data exfiltration and espionage, financial gain via ransomware deployment, or disrupting victim operations by deploying wipers.

Opportunistic initial access (OIA)

Opportunistic initial access (OIA) groups often straddle the line between the two previously described categories. OIA groups may be financially-motivated and possess the means to monetize their access by selling it to either financially-motivated or state-sponsored threat actors. They may also operate in different capacities at different times. For example, actors like government contractors may operate as an SIA group as part of their normal means of employment while operating as an FIA group to generate additional income. Once the state-sponsored actor’s operation has been conducted, the initial access may then be re-sold under the pretext of “financial gain” while providing plausible deniability and forensic confusion once the access is reused.

One example of an OIA group is UNC5174. The persona tied to this group, uetus, is suspected to be a former member of the Chinese hacktivist group 騰蛇 (Teng Snake, aka 晓骑营 (Xiaoqiying)/Genesis Day), which research suggests is an IAB for nation state groups. The Teng Snake team was reported selling Personally Identifiable Information (PII) and initial access to the South Korean health department in an underground forum in 2022. In 2023, UNC5174 obtained access to entities that are deemed to be of high interest to espionage groups, primarily targeting organizations in North America, the U.K., Australia and Southeast Asia. Initial access is obtained by exploiting known vulnerabilities in services exposed to the internet, followed by the deployment of bespoke or open-sourced tooling to maintain persistent access to victims. This access is subsequently monetized by UNC5174 and transferred to state-sponsored groups who then undertake a more comprehensive set of tasks to conduct long-term espionage operations within the victim enterprise.

FIA and SIA groups: Similarities and distinctions

While many IAG characteristics (motivation, objectives, etc.) differ significantly when comparing FIA and SIA groups, many of the TTPs, toolsets and infrastructure employed by FIA and SIA groups are often very similar, making differentiation challenging. For instance, both FIA and SIA groups commonly utilize spear-phishing emails, exploitation of known vulnerabilities and proprietary malware. Despite these similarities, several distinct characteristics observed during our investigations help indicate the potential motivation behind attacks. While these characteristics alone may not definitively confirm motivation, they serve as valuable indicators.

Target selection

SIA groups primarily focus on targets aligned with a nation-state’s strategic interests (e.g. government, critical infrastructure or industries of strategic importance to the tasking organization). Even if SIA groups eventually transfer access to financially-motivated actors, their main objective remains fulfilling the nation-state’s geopolitical goals.

Although FIA groups can also target entities of interest to nation-states, this is typically coincidental, as they are often more opportunistic and generally have a broader targeting scope with potentially higher volume operations.

Data exfiltration practices

FIA groups typically prioritize rapid credential exfiltration rather than spending significant time and effort locating, staging, and exfiltrating strategically important data from compromised environments. From the perspective of the FIA group, authentication data like credentials is one of the primary ways that access can be monetized. For example, during the initial phase of the ToyMaker campaign, despite targeting high-value entities, we observed no attempts to locate data of significant importance, and no data other than credentials was exfiltrated from the environment, supporting the hypothesis that the actor was likely financially-motivated. On the other hand, SIA groups that collaborate with APT groups might also perform data exfiltration after gaining initial access. For example, ShroudedSnooper (Storm-0861) was reported to have exfiltrated mail from the victim’s network after gaining initial access.

Handover process

FIA groups often sell access through dark web forums or underground marketplaces. Monitoring these platforms can aid in identifying compromised organizations and preventing subsequent attacks. On the other hand, SIA groups transfer access discreetly, usually without public advertisement and often within controlled channels or partnerships.

Handover pattern consistency

When collaborating with APT groups, SIA actors typically exhibit a more structured and consistent handover process due to repeated collaboration with the same or similar threat actors. For example, in ShroudedSnooper’s operation, access is often provided to the recipient group via a webshell and is typically leveraged by the recipient (Storm-0842 in many cases) right after the webshell is dropped on the system. This smoother coordination results in more predictable handover patterns: because the same threat actors keep collaborating, the toolset and behaviors observed during one handover are often repeated in later campaigns.

For FIA groups, although the threat actors usually try to sell the access quickly, the handover timing (the time when the buyer starts using the access) can vary significantly due to market transaction processes and the operational timeline of the buyer. However, FIA groups closely aligned with dedicated ransomware gangs may exhibit faster and more predictable handovers as they are accustomed to working with the same threat actor repeatedly over time.

Dwell time

FIA groups generally exhibit shorter dwell times because they aim to monetize their initial access quickly to maintain its value. An SIA group may maintain a longer dwell time and prioritize stealth until tasked to transfer access. This differentiates SIA groups from FIA groups because in most cases the access achieved is used operationally rather than monetized quickly. Operational cadence may contribute to longer periods between when the access was gained and when it is operationalized. For example, in the ShroudedSnooper campaign that reportedly targeted victims in Israel, the handover for one victim occurred over a year after initial access was gained.
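The handover timing discussed in the "Handover pattern consistency" and "Dwell time" sections, and the difficulty of spotting a handoff in log data noted earlier, can be made concrete with a small timeline check. The following is an added illustration, not code or methodology from Talos: it assumes an analyst has already grouped intrusion events into toolset/infrastructure clusters (the `cluster` labels), flags every point where the active cluster changes, and reports the quiet gap before the change and the dwell time from first access. The timelines, host names and the 7-day "rapid" threshold are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Event:
    """First sighting of a technique on a host (constructed, not real case data)."""
    ts: datetime
    host: str
    technique: str
    cluster: str  # analyst-assigned toolset/infrastructure cluster (assumed pre-computed)


@dataclass(frozen=True)
class HandoffCandidate:
    at: datetime
    host: str
    from_cluster: str
    to_cluster: str
    gap_days: int    # quiet period between the old cluster's last event and the new cluster's first
    dwell_days: int  # days from the first event in the timeline to this candidate handoff


def find_handoff_candidates(events):
    """Flag every point in a time-ordered event list where the active cluster changes.

    A candidate with a large gap matches the delayed pattern described for SIA
    groups; a candidate with a gap of a day or less matches the immediate use of a
    freshly dropped webshell by the recipient.
    """
    ordered = sorted(events, key=lambda e: e.ts)  # stable sort keeps same-day order
    if not ordered:
        return []
    first_seen = ordered[0].ts
    candidates = []
    for prev, cur in zip(ordered, ordered[1:]):
        if cur.cluster != prev.cluster:
            candidates.append(HandoffCandidate(
                at=cur.ts, host=cur.host,
                from_cluster=prev.cluster, to_cluster=cur.cluster,
                gap_days=(cur.ts - prev.ts).days,
                dwell_days=(cur.ts - first_seen).days))
    return candidates


def handover_tempo(candidate, rapid_threshold_days=7):
    """Label a candidate 'rapid' or 'delayed'; the threshold is an assumption."""
    return "rapid" if candidate.gap_days <= rapid_threshold_days else "delayed"


# Delayed pattern: initial access and credential collection by cluster A, then
# more than a year of quiet before cluster B starts driving the same webshell.
DELAYED_TIMELINE = [
    Event(datetime(2024, 1, 10), "web01", "exploit public-facing app", "A"),
    Event(datetime(2024, 1, 10), "web01", "webshell dropped", "A"),
    Event(datetime(2024, 1, 12), "web01", "credential dumping", "A"),
    Event(datetime(2025, 2, 3), "web01", "webshell command execution", "B"),
    Event(datetime(2025, 2, 4), "dc01", "lateral movement", "B"),
    Event(datetime(2025, 2, 6), "fs01", "archive staging", "B"),
]

# Rapid pattern: the recipient uses the webshell the day after it is dropped.
RAPID_TIMELINE = [
    Event(datetime(2024, 6, 1), "web01", "exploit public-facing app", "A"),
    Event(datetime(2024, 6, 1), "web01", "webshell dropped", "A"),
    Event(datetime(2024, 6, 2), "web01", "webshell command execution", "B"),
    Event(datetime(2024, 6, 3), "app02", "lateral movement", "B"),
]

if __name__ == "__main__":
    for name, timeline in (("delayed", DELAYED_TIMELINE), ("rapid", RAPID_TIMELINE)):
        for c in find_handoff_candidates(timeline):
            print(f"{name}: {c.from_cluster}->{c.to_cluster} on {c.host} at {c.at.date()}, "
                  f"gap {c.gap_days}d, dwell {c.dwell_days}d, {handover_tempo(c)}")
```

The cluster change is only a candidate: the same actor may switch tooling mid-intrusion, so each flagged point still needs to be checked against the relationship and recipient indicators described below before it is treated as a handover.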

Relationship consistency

SIA groups typically operate within closed ecosystems or in close coordination with state structures, and often collaborate with the same APT groups consistently over time. In contrast, FIA groups may monetize initial access by advertising on darknet markets and work with various types of threat actors, including ransomware groups, data theft criminals, malware operators and so on. Analysis of persistent relationships between IAGs and the entities they repeatedly transfer access to may help an analyst determine whether the IAG is FIA or SIA. Threat actor involvement in intrusions where handover has occurred with both financially-motivated and state-sponsored threat actors may indicate an OIA operation.
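The indicators from the preceding sections (target selection, exfiltration practices, handover process, dwell time and relationship consistency) are easier to apply consistently when they are written down as a scoring worksheet. The following is an added example, not a Talos tool or methodology: the field encodings, the point weights (forum advertisement counts double because it is the most direct evidence of monetization), the 90-day dwell threshold and the two-point margin for an inconclusive result are all assumptions chosen for illustration, and the sample observation sets are constructed rather than drawn from any real case. As the text states, these indicators suggest rather than confirm motivation, so the output carries the reasons behind each vote.

```python
from dataclasses import dataclass

LONG_DWELL_DAYS = 90  # assumption: handover latency above this counts as "long"


@dataclass(frozen=True)
class Observations:
    """Indicator values an analyst records for one IAG across its intrusions (encodings are assumptions)."""
    strategic_target: bool      # targets aligned with a nation-state's strategic interests
    exfiltrated: str            # "credentials", "strategic_data" or "none"
    handover_channel: str       # "underground_forum" or "private"
    handover_latency_days: int  # initial access -> first recipient activity
    repeated_recipient: bool    # same recipient seen across several intrusions
    recipient_types: frozenset  # subset of {"financially_motivated", "state_sponsored"}


@dataclass(frozen=True)
class Assessment:
    category: str   # "FIA", "SIA", "OIA" or "inconclusive"
    fia_points: int
    sia_points: int
    reasons: tuple


def score_indicators(obs):
    """Vote each indicator towards FIA or SIA and keep the reasoning."""
    fia = sia = 0
    reasons = []

    def vote(side, points, why):
        nonlocal fia, sia
        if side == "FIA":
            fia += points
        else:
            sia += points
        reasons.append(f"{why} (+{points} {side})")

    # Target selection
    if obs.strategic_target:
        vote("SIA", 1, "target aligned with strategic interests")
    else:
        vote("FIA", 1, "broad or non-strategic targeting")

    # Data exfiltration practices
    if obs.exfiltrated == "credentials":
        vote("FIA", 1, "only credentials exfiltrated")
    elif obs.exfiltrated == "strategic_data":
        vote("SIA", 1, "strategically important data exfiltrated")

    # Handover process (forum sale weighted double: direct evidence of monetization)
    if obs.handover_channel == "underground_forum":
        vote("FIA", 2, "access advertised on an underground forum")
    elif obs.handover_channel == "private":
        vote("SIA", 1, "access transferred through private channels")

    # Dwell time
    if obs.handover_latency_days > LONG_DWELL_DAYS:
        vote("SIA", 1, f"long dwell before handover ({obs.handover_latency_days} days)")
    else:
        vote("FIA", 1, f"short dwell before handover ({obs.handover_latency_days} days)")

    # Relationship consistency
    if obs.repeated_recipient and "state_sponsored" in obs.recipient_types:
        vote("SIA", 1, "consistent handover to the same state-sponsored recipient")
    elif obs.repeated_recipient and obs.recipient_types == {"financially_motivated"}:
        vote("FIA", 1, "consistent handover to the same financially-motivated recipient")

    return fia, sia, tuple(reasons)


def assess(obs, margin=2):
    """Return an Assessment; mixed recipients override the vote (possible OIA)."""
    fia, sia, reasons = score_indicators(obs)
    if {"financially_motivated", "state_sponsored"} <= obs.recipient_types:
        extra = ("access handed to both financially-motivated and state-sponsored recipients",)
        return Assessment("OIA", fia, sia, reasons + extra)
    if abs(fia - sia) < margin:
        return Assessment("inconclusive", fia, sia, reasons)
    return Assessment("FIA" if fia > sia else "SIA", fia, sia, reasons)


# Constructed observation sets for illustration
OBS_BROKER = Observations(False, "credentials", "underground_forum", 5, False,
                          frozenset({"financially_motivated"}))
OBS_STATE = Observations(True, "strategic_data", "private", 400, True,
                         frozenset({"state_sponsored"}))
OBS_MIXED = Observations(True, "credentials", "private", 30, False,
                         frozenset({"financially_motivated", "state_sponsored"}))
OBS_AMBIGUOUS = Observations(True, "credentials", "private", 10, False, frozenset())

if __name__ == "__main__":
    for name, obs in (("broker", OBS_BROKER), ("state", OBS_STATE),
                      ("mixed", OBS_MIXED), ("ambiguous", OBS_AMBIGUOUS)):
        a = assess(obs)
        print(f"{name}: {a.category} (FIA {a.fia_points} / SIA {a.sia_points})")
        for r in a.reasons:
            print("  -", r)
```

The `inconclusive` outcome is deliberate: when a strategically chosen target is paired with credential-only exfiltration and a fast private handover, the indicators pull in opposite directions, and the right answer is to collect more observations (for instance, who the recipient turns out to be) rather than force a label.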

Relationship characteristics

No redefinition would be complete without a look into the way these IAGs may interact with each other. In order to do so, we have mapped these interactions in two dimensions.

Level of collaboration: Indicates how directly the IAG coordinates or hands off access to the counterpart group (the group receiving access to the compromised environment). Some coordination might be transient while others are tightly integrated, repeated collaborations between threat actors. 

Level of knowledge: This dimension illustrates the level of knowledge the IAG has about the identity or role of the recipient group (or vice versa). This ranges from anonymous or transactional exchanges to full organizational or operational awareness. 

The quadrant below contains examples that illustrate such interactions, with examples of IAGs mapped according to their category. Each group positioning is explained in the sections ahead. 

[Figure: quadrant chart of IAG interactions, plotted by level of collaboration and level of knowledge, with example groups placed according to their category]

Q1 (High Collaboration, Low Knowledge): In the first quadrant, we can find IAGs that work closely with clients in tasking and targeting but without necessarily full knowledge of their recipient’s identity or motivations. For example, a state-sponsored group might regularly acquire access to specific victims from TA571 without revealing its own true identity to them. 

Q2 (High Collaboration, High Knowledge): IAGs inside a larger organization may be tasked with obtaining access to a specific target and then handing the access to another group inside the same organization. These actors operate in tightly integrated ecosystems, often within state-sponsored command structures (SIA). Here, IAGs coordinate directly with known entities, such as intelligence units, under clear tasking or operational alignment.

For example, an SIA like ShroudedSnooper operates under the directive of the state, and access obtained by ShroudedSnooper is typically handed over to another state-sponsored group.

Q3 (Low Collaboration, Low Knowledge): These actors operate independently and rarely interact with or have knowledge of the entities to which they are transferring access. When handoffs do occur, they tend to be infrequent and opportunistic, often through anonymous channels. FIA groups often fall into this category.

Q4 (Low Collaboration, High Knowledge): This is where an IAG passes on access to other groups without intentional collaboration but with knowledge of who they are supplying the access to. For example, an espionage group may transfer access to a ransomware group in the hope that this group’s activities hinder forensic reconstruction and analysis of earlier malicious activities. 

Another example might be an FIA group partnering with a ransomware group. While the FIA group might be aware of the identity of the ransomware group, they might have limited collaboration. This is what has been observed in previous ToyMaker intrusion activity: ToyMaker transfers access only to ransomware groups, and we have not observed any evidence of direct interaction between the two on compromised hosts.

Conclusion

Depending on the type of initial access, the role an IAB plays in an attack, the TTPs used to obtain initial access, the activities conducted directly following initial access, and the timeframe and means by which handoff occurs may differ drastically. As such, it is important to understand both the types of IAGs and the threat actors they maintain business relationships with. When analyzing intrusion activity, one should understand these business relationships, while also differentiating between the threat actor(s) who gained initial access and the threat actor(s) operating at later stages of the intrusion, particularly if some evidence of handoff is observed.

By distinguishing between FIA, SIA and OIA groups, we offer a clearer definition for understanding how these groups operate and interact within the broader threat landscape. In the next blog, we will demonstrate how Talos adjusts the diamond models used in intrusion analysis and threat modeling to effectively incorporate the nuances of compartmentalized attacks, allowing for more precise threat analysis and improved attribution of complex intrusion campaigns.
