T1591.002: Business Relationships
Adversaries may gather information about the victim's business relationships that can be used during targeting. Information about an organization’s business relationships may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access. This information may also reveal supply chains and shipment paths for the victim’s hardware and software resources.
Adversaries may gather this information in various ways, such as direct elicitation via Phishing for Information. Information about business relationships may also be exposed to adversaries via online or other accessible data sets (ex: Social Media or Search Victim-Owned Websites).[1] Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Phishing for Information or Search Open Websites/Domains), establishing operational resources (ex: Establish Accounts or Compromise Accounts), and/or initial access (ex: Supply Chain Compromise, Drive-by Compromise, or Trusted Relationship).
Analyst context for executives and security teams
Business Relationships is a pre-compromise reconnaissance behavior: adversaries look for who an organization depends on, connects to, buys from, ships through, or trusts. This matters because partner and supplier details can turn into targeting paths against managed service providers, contractors, supply chains, or other trusted relationships before the victim sees any intrusion activity.
Executive priority
Treat this as a supplier-risk and exposure-management issue, not just a SOC alerting problem. Leaders should ask what business relationship data is publicly exposed, which third parties have connected or elevated access, and whether vendor, contractor, and supply-chain access is documented well enough to support incident decisions and audit evidence. Priority is highest where trusted partners support critical operations, cloud/identity administration, managed services, or cyber-physical supply chains.
Technical view
ATT&CK places this sub-technique under Gather Victim Org Information in the Reconnaissance tactic on the PRE platform, so validation should focus on pre-incident exposure rather than endpoint-only detection. SOC, threat intelligence, and IR teams should review how partner names, domains, access relationships, support portals, procurement/shipping information, and service-provider dependencies appear in public websites, social media, leaked datasets, and phishing-for-information scenarios. The supplied ATT&CK object has no official detection text, but it is related to DET0855, Detection of Business Relationships, so teams should map any local detection strategy to exposed relationship data and suspicious collection attempts.
Likely telemetry
- Public website and subdomain content that references vendors, contractors, managed service providers, integrations, or support relationships
- Social media and public communications mentioning partners, projects, shipments, suppliers, or operational dependencies
- Third-party access inventories, identity and access management records, and privileged/vendor account listings
- Procurement, supplier, and contract records used for defensive validation of externally exposed relationships
- Security mailbox, phishing-reporting, and helpdesk records for elicitation attempts seeking vendor or relationship details
Detection direction
- Because official ATT&CK detection guidance is not provided, do not assume conventional SIEM coverage; validate whether the organization can identify suspicious attempts to elicit partner, supplier, or access relationship information.
- Use the DET0855 relationship as a prompt to define a local detection strategy: monitor for phishing-for-information themes, unusual inquiries about vendors or support paths, and unexpected public exposure of partner/access details.
- Tune for false positives: legitimate procurement, sales, press, recruiting, and partner-management activity can resemble relationship discovery, so detection should rely on context, source, request content, and sensitivity of the relationship being discussed.
- Correlate reconnaissance findings with higher-risk follow-on paths named in the object, including supply chain compromise, trusted relationship abuse, drive-by compromise, establishing accounts, and compromising accounts.
- Maintain a current inventory of third parties with connected or elevated access so analysts can quickly distinguish low-value public partnerships from relationships that materially change access risk.
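As an added illustration that is not part of the ATT&CK object or the Glexia analysis, the Python sketch below applies the detection criteria above (sender context, request content, and sensitivity of the named relationship) to constructed helpdesk and security-mailbox records, weighting partner mentions by a hypothetical third-party access inventory; every partner name, pattern and threshold is an assumption.

```python
import re
from dataclasses import dataclass

# Constructed third-party access inventory (hypothetical partner names).
# Levels follow the page's distinction: elevated / connected / no network access.
THIRD_PARTY_ACCESS = {
    "northwind msp": "elevated",      # managed service provider with admin rights
    "acme contractors": "connected",  # contractor with VPN access
    "bluefield press": "none",        # public partnership, no access
}
ACCESS_WEIGHT = {"elevated": 3, "connected": 2, "none": 0}

# Elicitation themes: requests for vendor, support-path, access or shipment details.
ELICITATION_PATTERNS = [
    r"\bwho (?:is|are) your (?:msp|vendors?|suppliers?|providers?)\b",
    r"\b(?:vpn|remote access|support portal)\b",
    r"\bwhich (?:contractor|company) (?:manages|handles|supports)\b",
    r"\b(?:shipment|shipping|supply chain)\b",
]

@dataclass
class Inquiry:
    sender_domain: str
    subject: str
    body: str

def score_inquiry(inq: Inquiry, internal_domain: str = "example.com") -> dict:
    """Score one helpdesk/security-mailbox record for relationship elicitation."""
    text = f"{inq.subject} {inq.body}".lower()
    score, reasons = 0, []
    if inq.sender_domain.lower() != internal_domain:   # source context
        score += 1
        reasons.append("external sender")
    for pat in ELICITATION_PATTERNS:                   # request content
        if re.search(pat, text):
            score += 1
            reasons.append(f"elicitation theme: {pat}")
    for partner, level in THIRD_PARTY_ACCESS.items():  # relationship sensitivity
        if partner in text and ACCESS_WEIGHT[level]:
            score += ACCESS_WEIGHT[level]
            reasons.append(f"names {partner} ({level} access)")
    verdict = "escalate" if score >= 4 else "review" if score >= 2 else "ignore"
    return {"score": score, "verdict": verdict, "reasons": reasons}

# Constructed sample records, not real messages.
SAMPLE_INQUIRIES = [
    Inquiry("gmail.com", "Quick question", "Who is your MSP for remote access? Onboarding a site."),
    Inquiry("outlook.com", "Support check", "Does Northwind MSP still run your support portal and VPN? Need it before shipment."),
    Inquiry("example.com", "Friday comms", "Reminder: the Bluefield Press partnership announcement goes out Friday."),
]

def triage(inquiries=SAMPLE_INQUIRIES):
    return [score_inquiry(i) for i in inquiries]
```

The internal announcement scores zero even though it names a partner, because the inventory marks that relationship as having no network access; the external message naming the elevated-access MSP is escalated.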
Mitigation priorities
- Start with pre-compromise controls aligned to M1056: reduce unnecessary public exposure of relationship, supplier, domain, shipment, and access-path information.
- Prioritize governance over third parties that have connected or elevated access, including clear ownership, approval, review, and incident contact paths.
- Review websites, social media, public documents, and accessible datasets for avoidable disclosures about MSPs, contractors, suppliers, operational dependencies, and supply chains.
- Train personnel who handle procurement, vendor management, helpdesk, communications, and executive support to recognize elicitation attempts for relationship details.
- Ensure incident response and vendor-risk processes can rapidly answer which partners have access, what privileges they hold, and how to suspend or validate that access during an investigation.
Analyst notes and limits
The relationship context shows use by Sandworm Team, Dragonfly, and LAPSUS$, but this should be treated as ATT&CK historical/use context only, not evidence of current targeting of any specific organization. The technique is most useful for prioritizing exposure reviews, third-party access validation, and pre-compromise threat intelligence requirements.
The supplied ATT&CK object provides no official detection procedure and only a high-level mitigation relationship. Local telemetry, business relationship inventories, public exposure reviews, and third-party access records are required to determine actual risk and coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1591 | Gather Victim Org Information | This object is a subtechnique of Gather Victim Org Information. |
Groups, software, and campaigns
G0035: Dragonfly
Dragonfly is a cyber espionage group that has been attributed to Russia's Federal Security Service (FSB) Center 16.[1][2] Active since at least 2010, Dragonfly has targeted defense and aviation companies, government entities, companies related to industrial control systems, and critical infrastructure sectors worldwide through supply chain, spearphishing, and drive-by compromise attacks.[3][4][5][6][7][8][9]
G1004: LAPSUS$
LAPSUS$ is a cyber criminal threat group that has been active since at least mid-2021. LAPSUS$ specializes in large-scale social engineering and extortion operations, including destructive attacks without the use of ransomware. The group has targeted organizations globally, including in the government, manufacturing, higher education, energy, healthcare, technology, telecommunications, and media sectors.[1][2][3]
G0034: Sandworm Team
Sandworm Team is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.[1][2] This group has been active since at least 2009.[3][4][5][6]
In October 2020, the US indicted six GRU Unit 74455 officers associated with Sandworm Team for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide NotPetya attack, targeting of the 2017 French presidential campaign, the 2018 Olympic Destroyer attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019.[1][2] Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as APT28.[7]
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | c7adb8900434… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Seals, T. (2020, October 15). Broadvoice Leak Exposes 350M Records, Personal Voicemail Transcripts. ThreatPost. Retrieved October 20, 2020.
[2] MITRE ATT&CK. T1591.002: Business Relationships.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.