Cyber Threat Actor: Shad0w Security crew
| Actor Type | Location | Known Incidents |
Hacker
|
—
|
0 incidents |
|---|
Profile
Shad0w Security crew, also known as Shad0wS3C or Shad0w Security, operates alongside distinct threat groups referenced in incident reports. Microsoft-tracked clusters Storm-0558 and Storm-1359 (Anonymous Sudan), alongside ransomware operations Play and Royal, demonstrate varied objectives and methodologies. Storm-0558 targeted U.S. State and Commerce Department email accounts via forged Microsoft Outlook authentication tokens, with Microsoft attributing the campaign to Chinese state-linked actors. Anonymous Sudan claimed disruptive DDoS attacks against U.S. tax systems, Microsoft Outlook, Israeli news outlets, airports, and Scandinavian Airlines, citing political grievances like U.S. involvement in Sudan or Quran desecration in Sweden. Some analysts suggested potential Russian ties for Anonymous Sudan, though evidence remains inconclusive.
Play ransomware systematically targeted municipal governments (Oakland, Lowell), financial institutions (Spain’s Globalcaja, Jamaica’s Mayberry Investments), and healthcare providers (French Rugby Federation, Swiss CH Media), exfiltrating sensitive data like passports, contracts, and employee records for extortion. Royal ransomware focused on U.S. education (Montana State University, Lake Dallas ISD), healthcare (Morris Hospital, Clarke County Hospital), and critical infrastructure (Dallas city networks), employing callback phishing and encrypting systems. Both ransomware groups leaked victim data on dark web portals when ransom demands went unmet.
Notable incidents include Storm-0558’s 2023 breach of U.S. federal email systems, Anonymous Sudan’s multi-week DDoS campaign disrupting Israeli media and government sites during national events, Play’s attack on Oakland exposing police and citizen data, and Royal’s encryption of Dallas emergency dispatch systems. These operations reflect differentiated tactics: state-aligned espionage through cloud compromises, hacktivist disruption via volumetric attacks, and financially motivated ransomware extortion across sectors. No collaborative ties between these groups are documented in available reporting.
