Novel Technique to Detect Cloud Threat Actor Operations

ID: e8b09157-7bca-54f7-b217-82d3bfdf410c

STIX ID: report--e8b09157-7bca-54f7-b217-82d3bfdf410c

Feed Name: Palo Alto Networks Unit 42

Threat Score: 75/100

Date Published: 2026-02-06

Date Updated: 2026-04-28

Author: Nathaniel Quist

Unit 42 maps cloud-related MITRE ATT&CK techniques to specific alerting events observed between June 2024 and June 2025 and demonstrates that two distinct threat actors, Muddled Libra (cybercrime/Scattered Spider) and Silk Typhoon (HAFNIUM/nation-state), produce identifiable alert “fingerprints” across industries. The research catalogs each group's cloud-centric techniques, the top alerts they trigger, and industry targeting patterns, and recommends using these mappings for early-warning detection and tailored cloud defenses.
