xorl %eax, %eax

US Cyber Operations Groups


My previous post on the Russian (offensive) Cyber Operations Groups became more popular than I expected, so I decided to do something similar for other nation-state actors with multiple intelligence organizations performing offensive cyber operations. So, I picked the United States as the second one, and hopefully will continue with more of these in the future.

In the case of the US it was harder since there are very limited details publicly available. The main sources that I used for this one were:

  • Government leaks (E. Snowden, Wikileaks, Shadow Brokers, etc.)
  • Statements from government officials in reputable news outlets

You might notice that I didn’t expand CYBERCOM (which is massive), and the reason is that although it’s publicly known that it now performs offensive cyber operations, there is no publicly known APT association. So, I decided to avoid making this a huge diagram for no reason. Same with the NSA, which has multiple other divisions/offices performing cyber operations, but there is no publicly known APT associated with them either.

I hope I got it right, but if you notice any mistakes, missing details or incorrect information, please let me know so I can update it accordingly.

Last update: 18 APRIL 2021

Written by xorl

April 18, 2021 at 11:53

Russia’s Cyber Operations Groups


Some time ago I published a post where I briefly discussed some of the most well-known APT aliases associated with specific government organizations of the Russian Federation. Since we recently had lots of additional information released from official sources (US and UK governments), I decided to turn this into a more thorough diagram.

The sources used for this were:

  • US government statements
  • UK government statements
  • Supo (Finnish Security Intelligence Service) public reports
  • KaPo (Estonian Internal Security Service) public reports
  • AIVD (Dutch General Intelligence and Security Service) public reports
  • NATO publications
  • EU Commission publications

So I hope that they weren’t wrong, but if you notice any mistakes, missing details or incorrect information, please let me know so I can update it accordingly.

Last update: 16 APRIL 2021

Written by xorl

April 16, 2021 at 15:31

BSides Athens 2020: Threat Landscape: Greece


In June 2020 I got the opportunity to present at BSides Athens for the first time. As you can see in the agenda, the event had a wide variety of topics ranging from security engineering, to exploitation, case studies, and others.

In my case, I decided to do something to help me better understand what threats my home country is dealing with. So, I spent a few weekends over a period of 2-3 months studying this topic, and the outcome was the presentation I gave at that conference. You can find the slide deck here.

Of course, the slides themselves are not that useful since they lack the required context. However, BSides Athens recorded all the sessions and made them available through YouTube. This means that you can watch my talk here.

It’s always an honor to be able to use your knowledge to give something back to your home country, and hopefully that threat landscape provided some insights into the cyber threats that Greece has been dealing with and what this means for the future.

Now that we are almost a year past this presentation, it’s an excellent time to revisit some of the assessments that I made in the final section of the talk, and whether or not they actually reflect what’s happening.

  • In hacktivism my assessment was a medium risk of geopolitically motivated hacktivism movements with low sophistication (DDoS and website defacements), mainly from Turkish threat actors due to the tensions in the East Mediterranean region. This unfortunately proved true, with several such cases during August 2020, others in September 2020, and continuing to this day, clearly following geopolitical tensions between Greece and Turkey. This was also reflected in PwC’s “Cyber Threats 2020: A Year in Retrospective” report from December 2020.
  • Regarding cyber-crime, I had assessed that there is medium risk, mainly from non-targeted/commodity malware, with the domestic activity being mainly around scams. As we can see in the news, Greece was involved in some high-profile cyber-crime cases, but they were not targeting Greece. In October 2020 the Hellenic Bank Association (HBA) issued a warning about an increase in tech support scams in Greece.
  • Finally, on cyber-espionage, due to the continuously increasing tensions in the East Mediterranean region I assessed that there is a high risk of cyber-espionage operations, mainly from Turkey, Russia, FIVE EYES and China, targeting government entities but also specific industries such as telcos. Publicly available attribution is usually non-existent for those types of operations, but in October 2020 one of the biggest telcos of Greece responded to a cyber-espionage operation, in September 2020 there were reports on APT35 (although allegedly with tasking from Turkish liaison officers) compromising personal accounts of Greek Navy officers, and even more recently, in March 2021, several Greek journalists started receiving a nation-state attack warning from Google Security that some government actor was trying to infiltrate their accounts. If you have access to premium threat intelligence reporting it’s easy to validate my other assessments for cyber-espionage too, but I was unable to find any public reports to attach here.

In conclusion, one side of me is happy that my threat landscape was quite accurate in the future assessment section, but on the other side I wish that none of it had happened. In any case, I’d like to thank the BSides Athens team once again for giving me this opportunity, and I’m looking forward to diving deeper into some of those specific threats against my home country in the future.

Written by xorl

April 2, 2021 at 16:22

HUMINT in the age of cyber


For the last few years I have been spending a significant amount of time learning, researching, and evaluating different intelligence disciplines for use in the cyber/online domain. One of them was Human Intelligence (HUMINT), and no, I don’t mean social engineering, more like adapting traditional HUMINT for cyber intelligence operations. At some point in 2020 I got the opportunity to present some of my findings from this research at a private conference event.

There are many TTPs from traditional HUMINT tradecraft that can be used equally effectively in online intelligence collection operations. I cannot publicly share this slide deck, but here is a rough overview of the topics I talked about at that private conference in 2020:

  • Definitions/terminology
  • HUMINT examples as a cyber collector and as a cyber defender
  • Preparation (cover story, infrastructure, OPSEC measures)
  • Deep dive in the two main HUMINT collection approaches
    • Elicitation
    • Recruitment
  • Frameworks – theory & practice
  • How to select your approach
  • Key takeaways

Although I cannot share the content, I can share some important recommendations in case you are performing, or are interested in, online HUMINT.

  • Your security is the first priority. Remember that you are dealing with either criminals or intelligence professionals.
  • Don’t limit yourselves to any framework; use them as guidelines.
  • Humans change; don’t assume what you used in the past will still work in the future. Do your assessment.
  • Know (and set) your limits. It’s easy to end up doing criminal activities if you don’t.
  • If you are doing this professionally, make sure you have all required legal sign-offs before starting.

In case you want to take this one step further and perform Information Operations (IO) by exploiting human nature, I highly recommend checking out this leaked slide deck from GCHQ’s Human Science Operations Cell (HSOC), which goes through the Online Covert Action Accreditation (OCAA) program the Joint Threat Research Intelligence Group (JTRIG) was setting up in 2012-2013. It covers:

  • Introduction to online HUMINT
  • Introduction to online Influence & Information Operations
  • Introduction to Computer Network Attacks (CNA) & Disruption operations

A video presentation of it is available here. It’s slightly outdated, but it has some really good foundations.

Written by xorl

April 1, 2021 at 16:47

PrivSec Global: Mastering the use of Cyber Threat Intelligence


A couple of months ago I received an invitation to speak at a panel discussion at PrivSec Global 2021, and I accepted it. The panel’s topic was “Mastering the use of Cyber Threat Intelligence” and it was comprised of the following people. It was a great experience for me as a speaker and I hope that it was equally pleasant for all the attendees too.

I really liked the fact that although we didn’t have any prior alignment on our answers, we all had a very similar perspective on what the key areas for a successful Cyber Threat Intelligence (CTI) program are, what CTI is and the value it brings to a business, and what the pitfalls to be careful of are if you are starting your journey now. Most importantly, none of us was focusing on specific products or vendors, but on the core components of what’s needed to build an effective CTI team.

Of course, with six people on a panel the time we had for answering was carefully tracked and enforced, which means that many of our answers did not go into all the details and process that a presentation would. Nevertheless, if you were one of the several hundred people that attended PrivSec Global 2021 and have questions about my answers in this session, please let me know. I’d be more than happy to answer them.

On a final note, I’d like to thank Rosie F., Ruki R., and my co-speakers from this panel for the opportunity to participate in this event and share some of my views on CTI programs with leaders of the industry.

Written by xorl

March 30, 2021 at 14:28