Reconnaissance

T1589.003: Employee Names

T1589.003 · Sub-technique · 1 platform · 3 groups

Description

Adversaries may gather employee names that can be used during targeting. Employee names may be used to derive email addresses, to guide other reconnaissance efforts, and/or to craft more believable lures.

Adversaries may easily gather employee names, since they are often readily available and exposed via online or other accessible data sets (ex: Social Media or Search Victim-Owned Websites).(Citation: OPM Leak) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Search Open Websites/Domains or Phishing for Information), for establishing operational resources (ex: Compromise Accounts), and/or for initial access (ex: Phishing or Valid Accounts).
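The step from a list of names to a list of mailboxes is mechanical, which is why this sub-technique matters. The following Python example (added here; it is not MITRE ATT&CK content and not tooling from any of the groups listed below) shows that step: it normalizes collected names, enumerates the common local-part conventions, and, if a single real address for the organization is already known, infers the convention from it so that every other name yields exactly one candidate. The names, the domain `example.com` and the known address `jdoe@example.com` are constructed sample input. Defenders can run the same logic over their own staff list to estimate how much of the directory is derivable from a public name list.

```python
"""Derive candidate e-mail addresses from collected employee names.

Added example, not part of the ATT&CK page. The sample names, the domain and
the "known" address below are constructed for illustration.
"""
import re
import unicodedata
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample input: names as they might appear on a public profile list.
SAMPLE_NAMES = [
    "Jane Doe",
    "José García-López",      # accents and a hyphenated surname
    "Mary Anne O'Neil",       # middle name and an apostrophe
    "李 伟",                  # non-Latin script: no ASCII local part is derivable
]
SAMPLE_DOMAIN = "example.com"          # assumed target domain
KNOWN_ADDRESS = "jdoe@example.com"     # assumed: one address already found publicly


def normalize(token: str) -> str:
    """Lower-case, strip accents and drop characters unusable in a local part."""
    nfkd = unicodedata.normalize("NFKD", token)
    ascii_only = nfkd.encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]", "", ascii_only.lower())


def split_name(full: str) -> Optional[Tuple[str, str]]:
    """Return (first, last) or None when fewer than two usable tokens remain.

    Middle names are ignored; hyphens and apostrophes are removed, which is the
    most common convention but not the only one (some orgs keep the hyphen)."""
    parts = [normalize(p) for p in full.split()]
    parts = [p for p in parts if p]
    if len(parts) < 2:
        return None
    return parts[0], parts[-1]


# Common local-part conventions, labelled so that one can be selected by name.
CONVENTIONS: Dict[str, Callable[[str, str], str]] = {
    "first.last": lambda f, l: f"{f}.{l}",
    "flast":      lambda f, l: f"{f[0]}{l}",
    "firstl":     lambda f, l: f"{f}{l[0]}",
    "first_last": lambda f, l: f"{f}_{l}",
    "firstlast":  lambda f, l: f"{f}{l}",
    "last.first": lambda f, l: f"{l}.{f}",
    "first":      lambda f, l: f,
    "lfirst":     lambda f, l: f"{l[0]}{f}",
}


def candidates(full_name: str, domain: str,
               labels: Optional[List[str]] = None) -> List[str]:
    """All candidate addresses for one name, restricted to `labels` if given."""
    split = split_name(full_name)
    if split is None:
        return []          # nothing derivable (single token or non-Latin script)
    first, last = split
    chosen = labels or list(CONVENTIONS)
    local_parts = [CONVENTIONS[lbl](first, last) for lbl in chosen]
    # Order-preserving de-duplication: conventions can collide for short names.
    return [f"{lp}@{domain}" for lp in dict.fromkeys(local_parts)]


def infer_convention(known_address: str, known_name: str) -> Optional[str]:
    """Return the convention label that reproduces a known address for its owner."""
    local = known_address.split("@", 1)[0].lower()
    split = split_name(known_name)
    if split is None:
        return None
    for label, fmt in CONVENTIONS.items():
        if fmt(*split) == local:
            return label
    return None


def derive_directory(names: List[str], domain: str,
                     known_address: Optional[str] = None,
                     known_name: Optional[str] = None) -> Dict[str, List[str]]:
    """Map each collected name to the addresses an adversary would try.

    With one (address, name) pair the convention is inferred and only that one
    is used; otherwise every convention is enumerated for every name."""
    labels = None
    if known_address and known_name:
        inferred = infer_convention(known_address, known_name)
        if inferred:
            labels = [inferred]
    return {n: candidates(n, domain, labels) for n in names}


if __name__ == "__main__":
    for name, addrs in derive_directory(SAMPLE_NAMES, SAMPLE_DOMAIN,
                                        KNOWN_ADDRESS, "Jane Doe").items():
        print(f"{name!r:25} -> {addrs}")
```

Run without a known address, the output is the full permutation list per name; run with one, it collapses to a single guess each, which is what a phishing target list looks like. The non-Latin name yields nothing, a reminder that any list built this way under-counts, not over-counts, the exposed mailboxes.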

Platforms

PRE

Mitigations (1)

M1056 · Pre-compromise

This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.

Threat Groups (3)

ID · Group · Context

G0094 · Kimsuky · [Kimsuky](https://attack.mitre.org/groups/G0094) has collected victim employee name information.(Citation: KISA Operation Muzabi)

G0034 · Sandworm Team · [Sandworm Team](https://attack.mitre.org/groups/G0034)'s research of potential victim organizations included the identification and collection of empl...

G0122 · Silent Librarian · [Silent Librarian](https://attack.mitre.org/groups/G0122) has collected lists of names for individuals from targeted organizations.(Citation: DOJ Iran...

Frequently Asked Questions

What is T1589.003 (Employee Names)?

T1589.003 is a MITRE ATT&CK sub-technique named 'Employee Names'. It belongs to the Reconnaissance tactic. Adversaries may gather employee names that can be used during targeting. Employee names may be used to derive email addresses, to guide other reconnaissance efforts, and/or to craft more believable lures.

How can T1589.003 be detected?

Much of this activity takes place outside the target organization's visibility, so it cannot reliably be detected from system logs, network traffic, or endpoint telemetry. Detection efforts should instead focus on the later stages of the adversary lifecycle that this reconnaissance enables, such as Phishing or the use of Valid Accounts during Initial Access.

What mitigations exist for T1589.003?

There is one documented mitigation for T1589.003: Pre-compromise (M1056). Because the activity happens outside enterprise controls, the practical measure is to minimize the amount and sensitivity of employee data exposed to external parties.

Which threat groups use T1589.003?

Known threat groups using T1589.003 include: Kimsuky, Sandworm Team, Silent Librarian.