Cyber Threat Actor: SOA
| Actor Type | Location | Known Incidents |
Criminal
|
United States of America
|
1 incident |
|---|
Profile
SOA is a threat actor known by that alias and has been publicly associated with operations originating from the United States of America. The actor’s identity remains limited to the alias and the geographic attribution that has been noted in open sources. No further personal or organizational details about SOA have been disclosed in the available reporting.
The actor’s observed activity focuses on compromising trusted web platforms to reach privileged information technology accounts within enterprise environments. In the documented incident, SOA injected malicious code into the jQuery website, which then redirected visitors to exploit kits designed to deliver credential‑stealing malware. This approach indicates that the actor targets organizations that rely on widely used web resources, seeking to gain initial access through the credentials of high‑privilege administrators. The ultimate objective demonstrated in the attack was to harvest authentication details that could be used for lateral movement inside compromised networks.
Regarding tactics, techniques, and procedures, SOA employed a watering hole strategy by compromising a legitimate, frequently visited site to serve as a distribution point for malware. The initial access vector involved the injection of redirect scripts that led users to exploit kits, which in turn deployed payloads capable of stealing credentials. The malware used in the operation was described generically as credential‑stealing software, with no specific family named in the public reports. Details about the actor’s preferred tooling, custom utilities, or post‑exploitation frameworks have not been disclosed in the sources examined.
Attribution to any state sponsor, criminal consortium, or other affiliation has not been established in the publicly available information. The jQuery website compromise of September 2014 stands as the sole representative campaign that has been attributed to SOA in open source reporting. This incident illustrates the actor’s capability to exploit supply chain trust and leverage popular web libraries to reach valuable enterprise targets. No additional operations or campaigns have been publicly linked to SOA at this time.
