Menu
Browse

Cyber Threat Actor: US Navy

Actor Type Location Known Incidents
 Icon
Insider - Disgruntled
United States of America
1 incident
Profile

The threat actor is publicly referenced under the alias “US Navy” and is located in the United States of America. It is affiliated with the United States military, specifically elements of the Navy’s legal community, as indicated by the attribution of the activity to Navy prosecutors working on a war crimes case. The actor’s known activity involves targeting personnel within other branches of the U.S. armed forces and associated media outlets that cover military legal proceedings. The sectors observed in the reported incident include defense legal services, military journalism, and related publication editing, with the geographic focus confined to domestic U.S. infrastructure, notably referencing a server in San Diego.

The actor’s tactics, as described in the available reporting, rely on the delivery of custom malware via email. The malware is characterized by its capability to grant full access to a victim’s computer and all files, functioning as tracking software that monitors activity. A distinctive feature of the tool is hidden code designed to extract the network IP address of the infected machine and transmit that information to an external server. The initial access vector appears to be phishing or malicious email attachments, as the malware was sent to the devices of Air Force lawyers and to the editor of a military publication. No specific malware family names are mentioned, but the tooling style reflects a bespoke surveillance-oriented payload rather than a widely known ransomware or banking trojan.

The strategic objective evident from the incident is the collection of intelligence aimed at identifying potential sources of leaked documents related to a court‑protected war crimes trial. By harvesting IP addresses and monitoring user activity, the actor sought to uncover individuals who might be disclosing confidential case information, which the reporting characterizes as an attempt to prevent unauthorized leaks. The 2019 operation targeting Air Force legal counsel and the editors of the USAF Times and US Navy Times serves as the sole publicly reported campaign associated with this actor, illustrating a pattern of using cyber tools to support internal legal and security investigations within the U.S. military establishment. No financial gain, disruptive intent, or connections to criminal consortia are indicated in the source material.

Incidents
Attributed incidents available to members
1 incident
Sources
Sources available to members
1 source