Menu
Browse

Cyber Threat Actor: IRIDIUM

Actor Type Location Known Incidents
 Icon
Nation State
Russia
6 incidents
Profile

IRIDIUM is a threat actor tracked by Microsoft and known by the alias IRIDIUM, with publicly available information linking the group to Russia. The actor has been attributed to cyber operations that align with broader Russian military activities, particularly those occurring during the 2022 conflict in Ukraine. Microsoft’s analysis identified technical overlaps between the IRIDIUM activity and earlier attacks, supporting the attribution claim. The group’s location is noted as Russia, though no further detail about its internal structure or size is provided in the source material. IRIDIUM’s activities have been described as part of a coordinated effort that includes both cyber and kinetic elements, reflecting a strategic objective beyond simple financial gain.

The actor’s targeting has been observed primarily against Ukraine’s transportation and logistics sectors, with additional impact noted in Poland. In the October 2022 incident, IRIDIUM deployed a ransomware variant named Prestige that focused on rapid disk encryption of VMware ESXi servers within victim environments. The malware was designed to encrypt systems quickly across compromised networks, indicating a deliberate disruption motive rather than a financial one. Microsoft highlighted that the ransomware displayed tailored tactics intended to maximize disruption in critical supply chain infrastructure. The timing of the attack coincided with missile strikes in Ukraine, which the reporting suggested pointed to potential coordination between cyber operations and kinetic military actions.

The Prestige ransomware campaign in October 2022 represents a notable operation publicly linked to IRIDIUM, demonstrating the group’s use of ransomware as a tool for operational disruption. The attack affected multiple organizations simultaneously, causing significant operational interruptions in the targeted sectors. No other specific malware families, initial access vectors, or tooling styles are explicitly referenced in the provided material for IRIDIUM beyond the Prestige ransomware and its encryption approach. The actor’s known activities are limited to the described incident, and any further details about additional campaigns or capabilities remain undocumented in the source context. Consequently, the profile focuses exclusively on the confirmed facts concerning IRIDIUM’s alias, geographic association, targeting patterns, observed TTPs, and the attributed Prestige ransomware operation.

Incidents
Attributed incidents available to members
6 incidents
Sources
Sources available to members
0 sources