MITRE ATT&CK® Technique

T1589.003: Employee Names

Adversaries may gather employee names that can be used during targeting. Employee names may be used to derive email addresses as well as to help guide other reconnaissance efforts and/or craft more-believable lures.

Adversaries may easily gather employee names, since they may be readily available and exposed via online or other accessible data sets (ex: Social Media or Search Victim-Owned Websites).[1] Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Search Open Websites/Domains or Phishing for Information), establishing operational resources (ex: Compromise Accounts), and/or initial access (ex: Phishing or Valid Accounts).

Domain: Enterprise | ID: T1589.003 | Type: Sub-technique | Object version: 1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

Employee Names is a pre-compromise reconnaissance behavior: adversaries collect staff names to make targeting more believable, infer email addresses, and guide follow-on reconnaissance or phishing. For leaders, the issue is not that names are secret by default; it is that unnecessary exposure can improve an adversary’s targeting quality before security tools see an intrusion attempt.

Executive priority

Treat this as an attack-surface and readiness question. Ask whether public staff information is intentionally published, whether high-risk roles are overexposed, and whether phishing, identity, and incident response processes assume adversaries may already know employee names. This supports control prioritization for pre-compromise risk reduction, security awareness, identity protection, and compliance evidence around data minimization where applicable.

Technical view

This ATT&CK sub-technique sits under Gather Victim Identity Information in the reconnaissance tactic and applies to the PRE platform. MITRE provides no official detection text, but the relationship to DET0857 indicates a detection strategy exists for employee-name collection. SOC and detection teams should validate whether they can observe or reason about public employee-name exposure, suspicious reconnaissance against victim-owned sites, and downstream use in phishing for information, phishing, valid-account attempts, or account-compromise activity referenced by the ATT&CK description.

Likely telemetry

  • Inventory of public staff pages, leadership bios, press releases, directories, job postings, and other victim-owned web content exposing names
  • Brand, domain, and open-web monitoring signals related to organization and employee-name harvesting
  • Social-media exposure reviews for employee names and role context where business policy allows
  • Web analytics or access logs for victim-owned sites that publish employee information
  • Phishing reports and email security telemetry showing personalized lures using real employee names

Detection direction

  • Do not rely on endpoint or network intrusion alerts alone; this behavior occurs before compromise and may use public data sources.
  • Use DET0857 as a strategy reference, but validate the actual data sources and analytic logic locally because MITRE provides no official detection procedure for this object.
  • Tune for context: public interest in executives, recruiters, academics, or customer-facing staff can be legitimate, so detections should emphasize unusual scale, timing, source patterns, or linkage to later phishing and identity events.
  • Correlate employee-name exposure with related reconnaissance and access behaviors named in the ATT&CK description, including social media, search of victim-owned websites, phishing for information, phishing, compromised accounts, and valid accounts.
  • Maintain a feedback loop between SOC phishing reports and public-exposure reviews to identify which names and roles are repeatedly used in lures.
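
The scale-and-timing logic in the bullets above, together with the feedback loop between SOC phishing reports and exposure reviews, as an added example that is not Glexia's or MITRE's code and is not DET0857. It assumes the organisation publishes profiles at /staff/<slug> on its own site, keeps an nginx or Apache combined-format access log, and stores phishing reports as short text records; the directory, log lines (RFC 5737 documentation addresses) and reports are constructed sample data.

```python
"""Detection sketch: employee-name harvesting against a victim-owned staff directory,
linked to later use of the same names in phishing lures.

Added example, not Glexia's or MITRE's code and not DET0857. Assumes profiles at
/staff/<slug>, a combined-format access log and SOC phishing reports as text records.
Every value below is constructed sample data.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed: slug -> display name for the profiles the organisation publishes.
DIRECTORY = {
    "ana-ruiz": "Ana Ruiz",
    "ben-okafor": "Ben Okafor",
    "chloe-dupont": "Chloe Dupont",
    "dev-patel": "Dev Patel",
    "emma-lind": "Emma Lind",
    "farid-haddad": "Farid Haddad",
}

# Constructed combined-format log lines: one source walks the directory in seconds,
# one browses two profiles an hour apart, one request is unrelated.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Mar/2025:09:14:02 +0000] "GET /staff/ana-ruiz HTTP/1.1" 200 5120 "-" "python-requests/2.31"
203.0.113.7 - - [03/Mar/2025:09:14:03 +0000] "GET /staff/ben-okafor HTTP/1.1" 200 5010 "-" "python-requests/2.31"
203.0.113.7 - - [03/Mar/2025:09:14:03 +0000] "GET /staff/chloe-dupont HTTP/1.1" 200 4990 "-" "python-requests/2.31"
203.0.113.7 - - [03/Mar/2025:09:14:04 +0000] "GET /staff/dev-patel HTTP/1.1" 200 5100 "-" "python-requests/2.31"
203.0.113.7 - - [03/Mar/2025:09:14:05 +0000] "GET /staff/emma-lind HTTP/1.1" 200 5077 "-" "python-requests/2.31"
198.51.100.4 - - [03/Mar/2025:09:20:11 +0000] "GET /staff/ana-ruiz HTTP/1.1" 200 5120 "https://example.test/about" "Mozilla/5.0"
198.51.100.4 - - [03/Mar/2025:10:31:40 +0000] "GET /staff/dev-patel HTTP/1.1" 200 5100 "https://example.test/about" "Mozilla/5.0"
198.51.100.4 - - [03/Mar/2025:10:32:01 +0000] "GET /news/q1-results HTTP/1.1" 200 8200 "-" "Mozilla/5.0"
"""

# Constructed SOC phishing reports: the lure subject or a short excerpt.
SAMPLE_REPORTS = [
    {"reported_at": "2025-03-04T08:02:00", "text": "Ana Ruiz asked me to approve this wire transfer today"},
    {"reported_at": "2025-03-04T08:40:00", "text": "Updated payroll form from Ben Okafor - please sign"},
    {"reported_at": "2025-03-05T11:15:00", "text": "Message from Ana Ruiz: shared document awaits review"},
    {"reported_at": "2025-03-05T13:00:00", "text": "Your parcel could not be delivered"},
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
STAFF_PATH_RE = re.compile(r"^/staff/(?P<slug>[a-z0-9-]+)/?$")
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return {ip, ts, slug} for a successful GET of a staff profile, else None."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "GET" or m["status"] != "200":
        return None
    p = STAFF_PATH_RE.match(m["path"])
    if not p:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT), "slug": p["slug"]}


def find_enumeration(log_text, min_distinct=5, window=timedelta(minutes=10)):
    """Flag sources that fetch at least `min_distinct` different profiles inside any
    `window`. Scale and timing are the signal; a single profile visit is normal traffic."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            events[rec["ip"]].append((rec["ts"], rec["slug"]))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        best = 0
        for i, (start, _) in enumerate(evs):
            in_window = {slug for ts, slug in evs[i:] if ts - start <= window}
            best = max(best, len(in_window))
        if best >= min_distinct:
            flagged[ip] = {"max_in_window": best, "slugs": sorted({s for _, s in evs})}
    return flagged


def names_used_in_lures(reports, directory=DIRECTORY):
    """Count how often each published name appears in reported lures (the SOC feedback loop)."""
    hits = Counter()
    for report in reports:
        text = report["text"].casefold()
        for slug, name in directory.items():
            if name.casefold() in text:
                hits[slug] += 1
    return hits


def build_findings(log_text, reports, directory=DIRECTORY):
    """Join the two signals: for each enumerating source, which harvested names were later
    seen in lures. That linkage is what lifts a public-data event into an investigation."""
    lures = names_used_in_lures(reports, directory)
    return {
        ip: {
            "max_in_window": info["max_in_window"],
            "names_later_in_lures": [directory[s] for s in info["slugs"] if s in lures],
        }
        for ip, info in find_enumeration(log_text).items()
    }


if __name__ == "__main__":
    for ip, finding in build_findings(SAMPLE_LOG, SAMPLE_REPORTS).items():
        print(ip, finding)
```

The thresholds (`min_distinct`, `window`) are where the tuning bullet applies: recruiters, journalists and search-engine crawlers will also read several profiles, so the values should be set from the site's own baseline, and the enumeration finding on its own is context rather than an alert until it is tied to lure activity.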

Mitigation priorities

  • Apply pre-compromise mitigation: reduce unnecessary public exposure of employee names and role details where business operations do not require publication.
  • Prioritize reviews for sensitive roles, privileged administrators, executives, incident responders, researchers, and other staff whose names could improve targeting.
  • Standardize public-directory and website publishing practices so business-needed transparency is balanced against reconnaissance risk.
  • Strengthen phishing readiness and identity controls under the assumption that adversaries may know employee names and can craft believable lures.
  • Use exposure reviews as evidence for security governance, awareness planning, and incident response preparation rather than treating name removal as a complete defense.
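
One way to turn the publishing-practice bullets above into a repeatable check, as an added example that is not part of this page or of Glexia's tooling: it audits the organisation's own staff directory HTML against a data-minimisation policy and orders the review queue so the most sensitive role groups come first. The card markup, the role keyword lists and the policy are assumptions constructed for illustration.

```python
"""Publishing-policy audit of an organisation's own public staff directory.

Added example, not Glexia's or MITRE's code. Assumes (constructed for illustration) that
the directory renders one <div class="person"> card per employee holding a name element,
a title element and an optional mailto: link, with no nested <div> inside a card.
"""
import re
from html.parser import HTMLParser

# Constructed keyword lists for the role groups the mitigation guidance singles out.
SENSITIVE_ROLE_TERMS = {
    "executive": ("chief", "ceo", "cfo", "ciso", "cto", "vp", "president", "director"),
    "privileged_admin": ("administrator", "sysadmin", "domain admin", "cloud engineer", "devops"),
    "incident_responder": ("incident", "soc", "security analyst", "detection engineer"),
    "researcher": ("researcher", "research scientist"),
}

# Constructed data-minimisation policy: what each role group may have published.
POLICY = {
    "general": {"publish_name": True, "publish_title": True, "publish_email": False},
    "executive": {"publish_name": True, "publish_title": True, "publish_email": False},
    "privileged_admin": {"publish_name": False, "publish_title": False, "publish_email": False},
    "incident_responder": {"publish_name": False, "publish_title": False, "publish_email": False},
    "researcher": {"publish_name": True, "publish_title": True, "publish_email": True},
}

# Review order: most sensitive role groups first.
REVIEW_ORDER = ["privileged_admin", "incident_responder", "executive", "researcher", "general"]

# Constructed sample of the organisation's own directory page.
SAMPLE_HTML = """
<div class="person"><h3 class="name">Ana Ruiz</h3><span class="title">Chief Financial Officer</span>
  <a href="mailto:ana.ruiz@example.test">Email</a></div>
<div class="person"><h3 class="name">Dev Patel</h3><span class="title">Domain Administrator</span></div>
<div class="person"><h3 class="name">Emma Lind</h3><span class="title">Research Scientist</span>
  <a href="mailto:emma.lind@example.test">Email</a></div>
<div class="person"><h3 class="name">Farid Haddad</h3><span class="title">Customer Support Lead</span></div>
"""


class StaffDirectoryParser(HTMLParser):
    """Collect {name, title, email} for each <div class="person"> card."""

    def __init__(self):
        super().__init__()
        self.people = []
        self._current = None   # card being filled
        self._field = None     # "name" or "title" while inside that element

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        classes = (attrs.get("class") or "").split()
        if tag == "div" and "person" in classes:
            self._current = {"name": "", "title": "", "email": None}
        elif self._current is not None:
            if "name" in classes:
                self._field = "name"
            elif "title" in classes:
                self._field = "title"
            elif tag == "a" and (attrs.get("href") or "").startswith("mailto:"):
                self._current["email"] = attrs["href"][len("mailto:"):]

    def handle_data(self, data):
        if self._current is not None and self._field:
            self._current[self._field] += data.strip()

    def handle_endtag(self, tag):
        if self._field and tag in ("span", "h3", "p"):
            self._field = None
        if tag == "div" and self._current is not None:
            self.people.append(self._current)
            self._current = None


def classify_role(title):
    """Map a published job title to a role group using whole-word keyword matches."""
    t = title.casefold()
    for category, terms in SENSITIVE_ROLE_TERMS.items():
        if any(re.search(r"\b" + re.escape(term) + r"\b", t) for term in terms):
            return category
    return "general"


def audit_directory(html_text, policy=POLICY):
    """Return the review queue: people whose published detail exceeds policy,
    ordered with the most sensitive role group first."""
    parser = StaffDirectoryParser()
    parser.feed(html_text)
    findings = []
    for person in parser.people:
        category = classify_role(person["title"])
        rules = policy[category]
        issues = []
        if not rules["publish_name"]:
            issues.append("name published")
        if person["title"] and not rules["publish_title"]:
            issues.append("role detail published")
        if person["email"] and not rules["publish_email"]:
            issues.append("direct email published")
        if issues:
            findings.append({"name": person["name"], "category": category, "issues": issues})
    findings.sort(key=lambda f: REVIEW_ORDER.index(f["category"]))
    return findings


if __name__ == "__main__":
    for finding in audit_directory(SAMPLE_HTML):
        print(finding)
```

The output is a review queue, not a takedown list: the last mitigation bullet applies, so each finding is evidence for a publishing decision that weighs business need against targeting value, and the keyword lists should be extended with the organisation's own titles before the check is trusted.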

Analyst notes and limits

ATT&CK links this behavior to reconnaissance and notes it can support other reconnaissance, operational resource development, and initial access paths. Relationships show documented use by Sandworm Team, Kimsuky, and Silent Librarian in ATT&CK, but that should be treated as threat-context enrichment, not as evidence of current targeting of any specific organization.

The official ATT&CK object provides no detection guidance and only PRE-platform scope. The supplied mitigation relationship is general pre-compromise guidance, so specific controls must be selected based on the organization’s public presence, identity architecture, legal requirements, and business need to publish employee information.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Enterprise | T1589 | Gather Victim Identity Information | This object is a sub-technique of Gather Victim Identity Information.

Associated objects

Groups, software, and campaigns

Group (Enterprise)

G0094: Kimsuky

Kimsuky is a Democratic People's Republic of Korea (DPRK)-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter experts in various fields. Its operations expanded to include the United Nations and organizations in the government, education, business services, and manufacturing sectors across the United States, Japan, Russia, and Europe. Kimsuky has focused collection on foreign policy and national security issues tied to the Korean Peninsula, nuclear policy, and sanctions. Kimsuky operations have overlapped with those of other North Korean state-sponsored cyber espionage actors as a result of ad hoc collaborations or other limited resource sharing.[1][2][3][4][5][6]

Kimsuky was assessed to be responsible for the 2014 Korea Hydro & Nuclear Power Co. compromise; other notable campaigns include Operation STOLEN PENCIL (2018), Operation Kabar Cobra (2019), and Operation Smoke Screen (2019).[7][8][9] In 2023, Kimsuky was observed using commercial large language models (LLMs) to assist with vulnerability research, scripting, social engineering and reconnaissance.[10]

DPRK threat actor cluster boundaries overlap in open source reporting, with some security researchers consolidating all attributed North Korean state-sponsored cyber activity under Lazarus Group, rather than tracking operationally distinct subgroups.

Group (Enterprise)

G0034: Sandworm Team

Sandworm Team is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.[1][2] This group has been active since at least 2009.[3][4][5][6]

In October 2020, the US indicted six GRU Unit 74455 officers associated with Sandworm Team for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide NotPetya attack, targeting of the 2017 French presidential campaign, the 2018 Olympic Destroyer attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019.[1][2] Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as APT28.[7]

Group (Enterprise)

G0122: Silent Librarian

Silent Librarian is a group that has targeted research and proprietary data at universities, government agencies, and private sector companies worldwide since at least 2013. Members of Silent Librarian are known to have been affiliated with the Iran-based Mabna Institute which has conducted cyber intrusions at the behest of the government of Iran, specifically the Islamic Revolutionary Guard Corps (IRGC).[1][2][3]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 9f83419acd1c4024...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 9f83419acd1c…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] OPM Leak. Cybersecurity Resource Center. (n.d.). CYBERSECURITY INCIDENTS. Retrieved September 16, 2024.
  2. [2] mitre-attack T1589.003.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.