MISP, threat intelligence, and APT28 are terms that appear frequently in security operations centers, threat intelligence reports, and incident response investigations. Before this exercise, I understood that threat intelligence platforms contained indicators of compromise (IOCs), but I had never experienced how analysts actually use those indicators during an investigation.

This scenario changed that perspective.
Instead of reviewing malware samples or vulnerability scan reports, I was tasked with investigating an active threat intelligence event involving APT28, a well-known threat actor associated with attacks targeting government agencies, critical infrastructure, and organizations across Europe.
The objective was simple:
Could I use MISP to identify the threat actor, understand the campaign, extract indicators, and gather intelligence that could be correlated against organizational logs and SIEM data?
This write-up documents how I approached the investigation, the challenges I encountered, and the lessons I learned about threat intelligence analysis.
Scenario Overview
The scenario began with a report republished by CIRCL regarding a CERT-UA event associated with an APT28 campaign targeting European organizations.
As a SOC analyst, my task was not to perform malware analysis or vulnerability scanning.
My task was to investigate intelligence.
Specifically, I needed to identify:
- The threat actor involved
- Associated aliases
- Exploited vulnerabilities
- Malware indicators
- File hashes
- External intelligence sources
- Relevant references
At first glance, this seemed straightforward.
I quickly discovered that intelligence investigations require a very different mindset.
Understanding MISP
MISP (Malware Information Sharing Platform) is a threat intelligence platform used to store, share, correlate, and enrich indicators of compromise.
Organizations use MISP to exchange information about:
- Malicious IP addresses
- Domains
- URLs
- File hashes
- Malware families
- Threat actors
- Campaigns
- Vulnerabilities
Unlike malware scanners or vulnerability assessment tools, MISP focuses on intelligence correlation.
Its purpose is not to detect threats directly.
Its purpose is to help analysts understand them.
Phase 1: Learning How MISP Organizes Intelligence
One of the first concepts introduced during the exercise was the idea of an Attribute.
An attribute represents a single atomic indicator.
Examples include:
- IP addresses
- URLs
- Domains
- File hashes
- Email addresses
At first, this seemed like a simple definition.
However, understanding attributes became critical later in the investigation.
Everything within MISP ultimately revolves around attributes and the relationships between them.
Phase 2: Investigating Malware Through Hashes
The first challenge involved identifying malware associated with a specific MD5 hash.
Initially, I assumed the answer would be easy.
I searched directly for the hash and expected immediate results.
Nothing appeared.
This became my first challenge in the room.
I quickly learned that finding information in MISP is not always about searching for the exact answer.
Instead, it is about understanding how intelligence is connected.
After experimenting with different search options and broadening my search criteria, I eventually discovered an event linked to the malware family:
Prynt Stealer
This was an important lesson.
Threat intelligence investigations often require pivoting between indicators, events, and related artifacts.
A single hash may lead to an event.
That event may reveal a malware family.
That malware family may reveal a campaign.
Phase 3: Tracking APT28 Through Event Intelligence
The most interesting portion of the exercise involved investigating an APT28 campaign.
I located the relevant event and identified:
Event ID: 211
The event referenced an operation targeting European organizations through the exploitation of a Microsoft Office vulnerability.
The event description immediately provided valuable intelligence.
Rather than looking at isolated indicators, I was now investigating a complete campaign.
Phase 4: Understanding Threat Actor Aliases
Threat actors rarely operate under a single name.
Different vendors often assign different aliases to the same group.
One objective required reviewing the event galaxies associated with APT28.
MISP galaxies are curated knowledge-base collections (threat actors, malware families, tools, ATT&CK techniques) whose clusters can be attached to events or attributes; they link campaigns, malware families, and threat actors, and each cluster carries metadata such as the aliases other vendors use.
While exploring the galaxy information, I discovered Microsoft's designation for APT28:
STRONTIUM
This reinforced an important threat intelligence lesson.
Different intelligence sources may refer to the same threat actor using different names.
A SOC analyst must recognize these aliases to avoid missing relevant intelligence.
Phase 5: Identifying the Exploited Vulnerability
The event also contained information regarding the vulnerability used during the campaign.
Through event analysis, I identified:
CVE-2026-21509
This vulnerability targeted Microsoft Office and served as the initial access vector within the campaign.
At this stage, the investigation became increasingly realistic.
The event was no longer just intelligence.
It was beginning to resemble something that could be actively searched for within an organization's environment.
Questions I would ask in a real SOC include:
- Are vulnerable versions present internally?
- Have users opened suspicious Office documents?
- Are there indicators of exploitation?
- Do our logs contain related activity?
This is where threat intelligence starts supporting detection efforts.
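Those four questions are answered by running the event's indicators over logs, so here is an added example of that correlation step (my own illustration, not code from the write-up, TryHackMe, or the MISP project). It assumes an indicator set an analyst has already exported from an event (only attributes flagged for detection), shown here as constructed placeholder values: an RFC 5737 address, an example domain written defanged as report text often is, and synthetic hashes. The log lines are also constructed, in a few common SIEM shapes. The matching goes a little beyond the exact-value search the write-up describes: it refangs indicators, compares hashes case-insensitively, and treats a subdomain of an indicator domain as a hit.

```python
import re

# Constructed indicator set, as an analyst might export it from a MISP event
# (to_ids attributes only).  Placeholders: RFC 5737 address, example domain,
# synthetic hashes.  The domain is defanged, as report text often is.
INDICATORS = {
    "md5": {"a1b2c3d4e5f60718a1b2c3d4e5f60718"},
    "sha256": {"ab" * 32},
    "domain": {"c2[.]example[.]net"},
    "ip-dst": {"192.0.2.10"},
}

# Constructed log lines in a few common shapes: EDR file events, DNS, firewall.
SAMPLE_LOGS = [
    "2024-01-01T10:00:00Z host=WS01 event=file_create path=C:\\Users\\u\\invoice.docx md5=A1B2C3D4E5F60718A1B2C3D4E5F60718",
    "2024-01-01T10:00:05Z host=WS01 event=dns query=update.c2.example.net answer=192.0.2.10",
    "2024-01-01T10:00:06Z fw action=allow src=10.0.0.5 dst=192.0.2.10 dport=443",
    "2024-01-01T10:01:00Z host=WS02 event=dns query=www.example.com answer=198.51.100.7",
    "2024-01-01T10:02:00Z host=WS03 event=file_create path=C:\\tmp\\a.dll sha256=" + "AB" * 32,
]

HEX32 = re.compile(r"\b[0-9a-fA-F]{32}\b")
HEX64 = re.compile(r"\b[0-9a-fA-F]{64}\b")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def refang(value):
    """Undo common defanging so report indicators compare with raw log values."""
    return (value.replace("[.]", ".").replace("(.)", ".")
                 .replace("hxxp://", "http://").replace("hxxps://", "https://"))


def normalize(indicators):
    """Canonical forms: hashes upper-case, domains lower-case, everything refanged."""
    norm = {}
    for ioc_type, values in indicators.items():
        if ioc_type in ("md5", "sha256"):
            norm[ioc_type] = {v.strip().upper() for v in values}
        elif ioc_type == "domain":
            norm[ioc_type] = {refang(v).strip().lower() for v in values}
        else:
            norm[ioc_type] = {refang(v).strip() for v in values}
    return norm


def match_line(line, norm):
    """Return (type, value) hits for one log line against normalized indicators."""
    hits = []
    for h in HEX32.findall(line):
        if h.upper() in norm.get("md5", ()):
            hits.append(("md5", h.upper()))
    for h in HEX64.findall(line):
        if h.upper() in norm.get("sha256", ()):
            hits.append(("sha256", h.upper()))
    for ip in IPV4.findall(line):
        if ip in norm.get("ip-dst", ()):
            hits.append(("ip-dst", ip))
    for host in HOST.findall(line):
        # A subdomain of an indicator domain is still a hit: walk the parent domains.
        labels = host.lower().split(".")
        for i in range(len(labels) - 1):
            candidate = ".".join(labels[i:])
            if candidate in norm.get("domain", ()):
                hits.append(("domain", candidate))
                break
    return hits


def scan_logs(lines, indicators):
    """Correlate every line; each hit keeps the line index so it can be pivoted on."""
    norm = normalize(indicators)
    return [{"line": i, "type": t, "value": v, "raw": line}
            for i, line in enumerate(lines)
            for t, v in match_line(line, norm)]


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS, INDICATORS):
        print(f"line {hit['line']}: {hit['type']}={hit['value']}")
```

Against the sample lines the scan flags the file event carrying the MD5, the DNS lookup of a subdomain of the C2 domain (twice, once for the name and once for the resolved address), the firewall connection to that address, and the DLL with the matching SHA256; the benign lookup of www.example.com produces nothing. The same hit records, with their line index, are what you would hand back to the SIEM to pivot on host and time.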
Phase 6: Following the Evidence Trail
The final challenges required identifying:
- Covenant C2 infrastructure
- Malware hashes
- External CERT-UA reporting
Initially, I struggled.
Searches did not immediately reveal the information I expected.
Instead of relying solely on search functions, I manually reviewed event objects and attributes.
That decision proved valuable.
Eventually, I identified:
- Covenant DLL indicators
- MD5 hash values
- SHA256 hashes
- External report references
I also located the referenced CERT-UA report used within the event.
This was perhaps the most realistic part of the exercise.
Real investigations rarely provide answers instantly.
Analysts often need to manually review artifacts and pivot through multiple sources before reaching conclusions.
What I Found Challenging
The biggest challenge was understanding where information lived inside MISP.
Unlike traditional databases, intelligence can appear in:
- Attributes
- Objects
- Event descriptions
- References
- Galaxy clusters
- External links
Several times I searched for an answer directly and found nothing.
Only after manually reviewing event data did I locate the information I needed.
This experience taught me that successful threat intelligence investigations depend as much on methodology as they do on tools.
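To make concrete where that information lives, here is an added example (mine, not code from the write-up, TryHackMe, or the MISP project) that walks one event in the layout of MISP's event JSON export, `Event` with its `Attribute`, `Object`, and `Galaxy` lists, and performs the pivot described in Phase 2 and Phase 4: hash to event, event to malware family, actor cluster to its aliases, plus the external report links. The event is constructed; the id, hashes, domain, address, link, malware and actor names are placeholders. A plain search that only reads the top-level attribute list is exactly what misses the indicators nested inside objects such as `file` and `domain-ip`, which is why the walker covers both, and only attributes flagged `to_ids` (MISP's marker for detection-ready values) are collected into the indicator set.

```python
import json

# Constructed sample event.  It mirrors the layout of MISP's event JSON export
# (Event -> Attribute / Object / Galaxy) but every value is a placeholder:
# the event id, hashes, domain, address, link and cluster names are not from
# any real event.
SAMPLE_EVENT_JSON = json.dumps({
    "Event": {
        "id": "1000",
        "info": "Constructed example: stealer campaign (not a real MISP event)",
        "Attribute": [
            {"type": "md5", "category": "Payload delivery", "to_ids": True,
             "value": "a1b2c3d4e5f60718a1b2c3d4e5f60718"},
            {"type": "link", "category": "External analysis", "to_ids": False,
             "value": "https://report.example.com/constructed-report"},
        ],
        "Object": [
            {"name": "file", "Attribute": [
                {"type": "filename", "to_ids": False, "value": "invoice.docx"},
                {"type": "sha256", "to_ids": True, "value": "ab" * 32},
            ]},
            {"name": "domain-ip", "Attribute": [
                {"type": "domain", "to_ids": True, "value": "c2.example.net"},
                {"type": "ip-dst", "to_ids": True, "value": "192.0.2.10"},
            ]},
        ],
        "Galaxy": [
            {"name": "Malware", "GalaxyCluster": [
                {"value": "Example Stealer", "meta": {}}]},
            {"name": "Threat Actor", "GalaxyCluster": [
                {"value": "EXAMPLE-ACTOR",
                 "meta": {"synonyms": ["Alias One", "Alias Two"]}}]},
        ],
    }
})


def iter_attributes(event):
    """Yield (object_name, attribute) for top-level and object-nested attributes.

    Reading only Event.Attribute misses everything stored inside MISP objects,
    which is where file and domain-ip data usually live."""
    for attr in event.get("Attribute", []):
        yield None, attr
    for obj in event.get("Object", []):
        for attr in obj.get("Attribute", []):
            yield obj.get("name"), attr


def find_by_value(event, value):
    """Case-insensitive value match: hash case differs between sources."""
    wanted = value.strip().lower()
    return [{"type": attr["type"], "object": obj_name}
            for obj_name, attr in iter_attributes(event)
            if attr.get("value", "").lower() == wanted]


def galaxy_clusters(event, galaxy_name):
    """Clusters of one galaxy (e.g. 'Threat Actor', 'Malware') attached to the event."""
    for galaxy in event.get("Galaxy", []):
        if galaxy.get("name") == galaxy_name:
            yield from galaxy.get("GalaxyCluster", [])


def pivot_from_hash(event_json, file_hash):
    """Hash -> event -> malware family -> actor aliases -> detection-ready IOCs."""
    event = json.loads(event_json)["Event"]
    hits = find_by_value(event, file_hash)
    if not hits:
        return None  # not in this event: pivot through another event or a correlation

    # Only attributes flagged to_ids are meant for detection; filenames and
    # report links are context and would only add noise to a SIEM search.
    iocs = {}
    for _, attr in iter_attributes(event):
        if attr.get("to_ids"):
            iocs.setdefault(attr["type"], []).append(attr["value"])

    actors = {c["value"]: sorted(c.get("meta", {}).get("synonyms", []))
              for c in galaxy_clusters(event, "Threat Actor")}
    return {
        "event_id": event["id"],
        "info": event["info"],
        "matched_as": hits,
        "malware_families": [c["value"] for c in galaxy_clusters(event, "Malware")],
        "threat_actors": actors,
        "detection_iocs": iocs,
        "references": [a["value"] for _, a in iter_attributes(event) if a["type"] == "link"],
    }


if __name__ == "__main__":
    result = pivot_from_hash(SAMPLE_EVENT_JSON, "A1B2C3D4E5F60718A1B2C3D4E5F60718")
    print(json.dumps(result, indent=2))
```

In a live deployment the JSON would come from the event export or the PyMISP client rather than an inline string; the walking logic is the same. Searching for the SHA256 instead of the MD5 also resolves, because the walker reaches into the `file` object, and an unknown hash returns `None`, which is the point at which the write-up's advice to broaden the search and review related events applies.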
Key Lessons Learned
Threat Intelligence Is About Context
Indicators alone have limited value.
Threat intelligence provides the context necessary to understand them.
MISP Is More Than A Search Tool
MISP connects indicators, malware, campaigns, vulnerabilities, and threat actors into a single intelligence ecosystem.
Threat Actor Aliases Matter
APT28 may also be known as:
STRONTIUM
Understanding aliases prevents intelligence gaps.
Investigation Requires Persistence
Important evidence may not always appear in the first search result.
Manual review remains a critical analyst skill.
Intelligence Supports Detection
Threat intelligence becomes most valuable when correlated against SIEM data, endpoint logs, and security alerts.
Analyst Report Summary
Investigation Overview
A threat intelligence investigation was conducted using MISP to analyze an APT28 campaign targeting European organizations.
Key Findings
- Threat Actor: APT28
- Microsoft Designation: STRONTIUM
- Event ID: 211
- Exploited Vulnerability: CVE-2026-21509
- Malware Indicators Identified
- Covenant C2 Infrastructure Observed
- CERT-UA Reporting Referenced
Risk Assessment
The campaign leveraged a Microsoft Office vulnerability and demonstrated the use of post-exploitation tooling associated with advanced adversary activity.
Recommended Actions
- Review exposure to CVE-2026-21509.
- Search SIEM data for identified indicators.
- Monitor for Covenant-related activity.
- Ingest relevant threat intelligence into detection systems.
- Maintain awareness of APT28-related campaigns.
Conclusion
This MISP threat intelligence investigation demonstrated how threat intelligence transforms isolated indicators into actionable security knowledge.
The exercise began with simple searches and evolved into a campaign-level investigation involving threat actors, malware indicators, vulnerabilities, and intelligence reporting.
More importantly, it reinforced a lesson that applies across all security disciplines:
Tools provide information.
Analysts create understanding.
By following the intelligence trail through MISP, I gained a deeper appreciation for how SOC teams enrich alerts, investigate campaigns, and use threat intelligence to support real-world detection and response activities.

