xorl %eax, %eax

x33fcon: In nation-state actor’s shoes


x33fcon is a cybersecurity conference that I had the opportunity to attend a couple of times in previous years. This year I decided to submit a topic, and eventually it was accepted. This meant that in 2021 I also had the honour to present at x33fcon. My talk was titled “In nation-state actor’s shoes” and its goal was to give a different perspective, mainly to blue teamers, on nation-state actors.

So, I regularly use the following quote when talking about security:

If you know the enemy and know yourself, you need not fear the result of a hundred battles

Sun Tzu, The Art of War

I like it because it summarizes perfectly the challenge any security organization faces. No matter how well you know your environment, and how well you think you’re protecting it, unless you know your adversaries equally well you’ll fail. So, my talk was about this: what can we learn about nation-state actors by studying leaked material, and how can we use this to protect our organizations more effectively?

I really enjoyed researching this subject and making this talk possible since it combined multiple areas that I regularly find myself involved with. Espionage history, threat research, cryptology, security engineering, training people, etc. If you want to watch it, the x33fcon team has published it (along with all the other talks, check them out too!) in the conference’s channel on YouTube.

On a final note, I’d like to thank the amazing x33fcon team for making this event possible in this flawless manner, and for giving me the opportunity to present this research to that audience. Also, I have done a few virtual conference talks the past couple of years but this was the first time that in the speaker package there was a framed certificate of appreciation together with a beautiful hoodie. Thanks a lot x33fcon team and hope to see you again next year!

Written by xorl

August 15, 2021 at 20:32

My ICCH talk on DE-59 cipher machine


On July 10, 2021 I had the great honor to present a talk at the International Conference on Cryptologic History (also known as ICCH). Espionage and secure communications history has been one of my hobbies for quite some time, and I had even started a YouTube channel last year to share artefacts from my collection, but that talk was a whole new level for me.

In this case I did far more thorough, multi-month research on an OTT-based (One Time Tape) cipher machine used by the Greek government during the Cold War, the DE-59. The device was recently declassified but there are still very few details about it online.

The event was amazing and, as always, the participants included some of the key people of the cryptologic history space. I would never even have dreamed of meeting those people, let alone presenting some cryptologic history content to them and receiving positive feedback about it.

So, excluding the introduction, the talk revolved around the DE-59. Specifically, I talked about:

  • biographical information of the people behind it
  • situation in Greece at that time
  • its invention
  • how it worked and where it was used
  • pros/cons (based on information from actual users of the device)
  • its (known) cryptanalytic history (AKA foreign intelligence attempts to break it)
  • its decommissioning
  • the important role its inventor played to secure communications in Greece

Before closing, I’d like to thank the following since without them this talk would never have been possible.

  • Association of Retired Signal Corps Officers (ΣΑΑΔΒ)
    • The only DE-59s on display are in this association’s museum, and all the people there were extremely helpful in providing me with all sorts of help and support while doing my research for this talk. If you ever consider donating your radio or crypto equipment, please consider giving it to the museum of this association. If you’re unsure how to do this, reach out to me and I’ll be happy to help.
  • Tom Perera, Ph. D.
    • Now, if you are into cryptologic history you definitely know who Dr. Tom Perera is. So, this extremely experienced, dedicated, and influential cryptology expert helped me overcome my fear of presenting in front of such an audience of world leaders in cryptology. Thank you for all the support!

Written by xorl

July 19, 2021 at 11:09

BSides Athens 2021: .GR TLD hijacking


Last year I presented a high-level/strategic cyber threat landscape for Greece as a country. My methodology back then was to split the threats into three broad categories (hacktivism, cyber-crime, and cyber-espionage) and do my research from a historical perspective; that is, what has happened in the past and what assessments we can make from that for the future.

This year I wanted to do something different: move to the tactical level and talk about a specific cyber-espionage operation targeting Greece. Thankfully, my submission was accepted and in mid-June I got the opportunity to present my research, which is currently publicly available through the official BSides Athens YouTube channel.

I had to rush this talk a little bit due to time constraints, but hopefully I rushed only the less important parts, leaving sufficient time to go through the more crucial parts of the presentation.

If you want to know more about the talk, you can watch the video. Here I’d like to use this space to encourage more people to talk about those lesser known cyber-espionage activities, since it’s easy to get sucked into the large players like the so-called “big 4” threats to the US government, the FIVE EYES, and others. What about the rest of the world though?

Greece is an example of that. Although a small country, I had many recent and interesting cases to choose from for this talk. Multiple Turla operations, numerous cyber-espionage operations from FIVE EYES and China… But this one was one of those subtle, yet very impactful operations for the general region, also considering the past operations of this threat actor (see the presentation for an overview of those).

So, if you’re reading this and you’re looking for research topics for your next presentation, consider researching something regional, something not so well known outside of your country… This will help everyone improve their situational awareness, and who knows… You might even uncover a previously unknown nation-state actor.

On a final note, I’d like to give a huge thanks to the BSides Athens team for all their hard work before, during, and after the event, as well as Cisco TALOS, which was the only one that publicly released some IOCs for this operation. Those were the most valuable starting point for my research. Lastly, after my talk I had the opportunity to learn many more details about this, and other, operations from several organizations that reached out to me, and I’d like to thank them too for all the feedback, knowledge, and experience they shared with me.

Written by xorl

July 7, 2021 at 12:01

Exploitation of the Swarmshop data leak


On 17 March 2021 a significant amount of data from the Swarmshop cyber-criminal marketplace was leaked online. Actually, the only threat intelligence vendor that I saw posting a quick analysis of that was Group-IB. In any case, I also had a look at this dataset and decided to write a quick blog post on how you can exploit it for threat intelligence production purposes. As always, this was a personal research project, by no means related to my employer. If you want to do something like that in a professional setting, please first check with your legal and privacy departments to avoid unpleasant surprises.

Group-IB, in their public blog post, describe Swarmshop as a mid-size “neighborhood” store for stolen personal and payment records. This is a nice description of this website, which has been operated at least since April 2019 by a Russian-speaking threat actor.

However, the aim of my post is to go through the leaked data and see how one could turn it into actionable intelligence for your organization(s). So, the data leak consisted of four plaintext files with the following information:

  • 623,036 credit card details (which were sold in Swarmshop)
  • 69,592 Social Security Numbers (SSN) details (which were sold in Swarmshop)
  • 497 virtual bank accounts (which were sold in Swarmshop)
  • 12,343 Swarmshop user accounts

Let me pick each one of those leaked datasets and see how we can exploit them for intelligence purposes, starting with the smallest one, the VBAs (Virtual Bank Accounts).

VBA (Virtual Bank Accounts)

Those were online banking accounts opened by threat actors or compromised from legitimate users and put on sale in Swarmshop. The information provided in this dataset was:

  • VBA’s website
  • Username
  • Password
  • Balance
  • Account creation date

For the last field, the date is when the account was added to Swarmshop, not when the bank account was created. The following graph should give you a general idea of some insights we can deduce from this dataset. Probably the most interesting part there is that there was no VBA after October 2020, although the data breach includes data all the way until March 2021. It is also apparent that the top targets were Simple.com (41.6%), followed by Fairwinds Credit Union (17.7%) and Community First Credit Union (6.8%).

So, how can one exploit those VBAs to produce actionable intelligence? Here are a few examples:

  • If your organization is listed there, then investigate those accounts as a “known bad” with the intention to find more related accounts and better understand how they were opened (or compromised) in order to develop proactive controls that will block those TTPs in the future.
  • Use the leaked usernames to correlate them with other cyber-criminal activity such as forum accounts, credential stuffing tooling, etc. to build more complete threat actor profiles.

Credit card records

This is by far the largest dataset that was leaked, with 623,036 unique records. Each record in that dataset includes the following fields:

  • Credit card number
  • Expiration date
  • CVV
  • Cardholder name
  • Cardholder address
  • Cardholder email (on some records)

Group-IB already published a nice graph for the geographic distribution of those records so I’m not going to repeat this. Instead, here is a breakdown per U.S. State since 62.71% of the victims were from the United States. As you can see in this heatmap, there was no U.S. State with less than 125 compromised credit cards.

It’s also worth highlighting that the top 4 States are exactly the same as with CardingMafia carding forum users, which indicates that those are probably the States with the most online activity; both as unwitting victims like in this case, and as cyber-criminals as I demonstrated in my CardingMafia post.

In general, such data is very valuable raw intelligence with dozens of opportunities for exploitation to turn it into actionable intelligence. To give you an idea, here are a few:

  • If you are an affected organization or a national cybersecurity organization, inform the victims and the relevant banks accordingly.
  • If you own/issue credit card (virtual or physical) numbers, then check if your BIN is listed anywhere in that dataset. If it is, then immediately block those accounts, notify the victims, and do an investigation to discover the potential impact.
  • If your organization processes payments, then monitor for those credit card numbers as they are likely to be used by cyber-criminals who bought them via Swarmshop or similar cyber-criminal marketplaces.
  • The information can easily be used for pivot searching and enrichment. For example, you identified an adversary in a specific address or with a specific email address, doing a pivot search in this dataset can reveal more details that will allow you to build a higher quality threat actor profile.
  • For executive protection, as I mentioned in my other blog post.

Social Security Numbers (SSN)

Then we have the SSN records, 69,592 unique entries, not all of which were from the United States: 594 entries were from Canada. Each record consisted of the following data:

  • SSN
  • Date of birth
  • Full name
  • Address
  • Phone number
  • Sex

This dataset is similar to the cardholder one in terms of raw intelligence value, but to give you a better perspective of the affected States, here’s a heatmap similar to the previous one. There is an obvious insight that can be derived from that graph: the vast majority of the victims (over 68%) were from Oregon and Indiana. I didn’t spend any more time researching whether there was any major SSN-targeting campaign around that time in those States, but if you know of one, then it could be related to this. That can be validated if we identify some of the victims of that campaign and cross-correlate them with this dataset. The only State without any compromised SSN record was Vermont. The rest had anything from 6 all the way up to 23,297 compromised SSN records.

Another interesting metric that we can deduce from this dataset is the most impacted dates of birth (age). This provides an indication of the ages that are more likely to become victims of cyber-criminals in the United States, mainly in Oregon and Indiana, for SSN stealing. Based on this statistical analysis it appears that the most vulnerable ages are 26-31 years old, followed by 20-25 years old. There was no significant difference relating to their sex. In case you’re curious about the sex grouping of the victims, there were 24,462 SSNs from females, 22,354 from males and 22,182 with empty sex field values. This results in 35.45% (females), 32.4% (males) and 32.15% (empty field).

Now, in terms of exploitation of this dataset for actionable intelligence, it’s very similar to the credit cards, so I will not repeat the same opportunities that it provides. Instead, here are a few more that you can produce from it:

  • If you are a State-level cybersecurity organization, use the data to proactively inform and protect the victims.
  • As I hinted above, you can correlate this with known SSN-targeting campaigns in different States to link the two and thus have end-to-end visibility of the cyber-crime. From the campaign all the way to the monetization through Swarmshop, in this case.
  • Identify vulnerable groups and develop appropriate security awareness campaigns and controls.

Swarmshop accounts

Finally, here are the users of this cyber-criminal marketplace. There were three different types of accounts (admin, buyer and seller) and all of the 12,343 accounts in the leaked dataset include the following information:

  • Type
  • Username
  • MD5 hashed password
  • Balance
  • (optional) email
  • Status
  • Date

In total there were 4 admin accounts, 90 seller accounts (3 of which were blocked) and 12,250 buyer accounts (22 of which were blocked and 4,296 archived). The 4 admin accounts were the following. It looks like they were recreated after a platform upgrade in early 2021.

Table (the 4 admin accounts): Username | MD5 hashed password | Balance | email | Status | Date

There were 12 seller accounts set up with Swarmshop’s domain name which indicates that the administrator(s) of the marketplace were also selling illegal digital goods, apart from offering this platform to other sellers. And in case you wonder, yes, the leaked information can be used to de-anonymize several of those sellers and buyers of that platform but that is not something which can be shared in a public blog post.

To give you an idea of how much information you can derive, here is a sample link-analysis with only a tiny bit of the information that can be discovered for the administrator (and seller) of this marketplace, who is a Russian-speaking cyber-criminal that has been involved with cyber-criminal activities at least since 2013. Of course, I did not include anything relating to the real identity of the individual in this sample, but you can get the idea of how you can exploit that dataset for de-anonymization.

Apart from the de-anonymization of cyber-criminals, this dataset gives us insights on the growth of Swarmshop over time. In the following graph there is a clear pattern of the new buyers that were joining the platform over time. This pattern matches with certain advertisement efforts of the operators of the marketplace.

The downside of the above graph is that the number of buyers was disproportionate to the rest of the accounts, so the trends of the rest are not clearly visible. So, below is a similar graph excluding the buyers.

As for how you can exploit the Swarmshop users dataset, apart from what I already demonstrated, to turn it from raw intelligence into actionable intelligence, here are some ideas to consider:

  • Use the leaked usernames, passwords, and emails to track the threat actors
  • Pivot search on the leaked passwords used to uncover more links to the threat actors
  • Identify the high-value individuals (buyers with the highest balance, admins and major sellers) and prioritize them first
  • Use the leaked usernames, passwords, and emails to enrich your investigations and provide higher-quality threat actor profiles
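As an added example (not the post’s own code) of the second and third bullets applied to an account dump with the layout listed above: the rows, the password hashes (MD5 of throwaway strings) and the marketplace mail domain `swarmshop.example` are all constructed for the example. It clusters accounts that share an identical password hash (the cheapest pivot a dump like this offers, and the kind of link that ties seller accounts to buyer accounts), lists accounts registered on the marketplace’s own domain, and orders the accounts for investigation by role and balance.

```python
"""Triage of a constructed Swarmshop-style account dump: clusters of accounts sharing a
password hash, accounts on the marketplace's own mail domain, and an investigation order.
Rows, hashes and the domain are constructed for the example."""
import hashlib
from collections import defaultdict
from typing import Dict, List


def _md5(s: str) -> str:
    """Helper used only to build the constructed sample rows."""
    return hashlib.md5(s.encode()).hexdigest()


# Constructed rows in the layout the post lists
# (type | username | MD5 hashed password | balance | email | status | date).
SAMPLE_ROWS = [
    f"admin|root_adm|{_md5('p1')}|0|admin@swarmshop.example|active|2021-01-15",
    f"seller|vendorA|{_md5('p2')}|1500.00|vendorA@swarmshop.example|active|2019-05-02",
    f"seller|vendorB|{_md5('p2')}|300.00||active|2019-06-11",
    f"buyer|b1|{_md5('p3')}|25.00||active|2020-02-02",
    f"buyer|b2|{_md5('p2')}|900.00|b2@mail.example|blocked|2020-03-03",
    f"buyer|b3|{_md5('p4')}|5.00||archived|2020-04-04",
]
MARKET_DOMAIN = "swarmshop.example"   # hypothetical stand-in for the marketplace's domain
ROLE_RANK = {"admin": 0, "seller": 1, "buyer": 2}


def parse_rows(rows) -> List[Dict[str, str]]:
    """Split pipe-delimited rows into dicts; rows with the wrong field count are skipped."""
    keys = ["type", "username", "md5", "balance", "email", "status", "date"]
    out = []
    for row in rows:
        parts = row.split("|")
        if len(parts) != len(keys):
            continue
        out.append(dict(zip(keys, (p.strip() for p in parts))))
    return out


def shared_hash_clusters(records, min_size=2) -> Dict[str, List[str]]:
    """Map each password hash used by at least `min_size` accounts to the (sorted)
    usernames using it. Identical unsalted hashes mean identical passwords, so a seller
    sharing a hash with buyer accounts is a lead worth checking."""
    by_hash = defaultdict(list)
    for r in records:
        by_hash[r["md5"].lower()].append(r["username"])
    return {h: sorted(u) for h, u in by_hash.items() if len(u) >= min_size}


def accounts_on_domain(records, domain) -> List[str]:
    """Usernames whose e-mail is on the given domain (e.g. the marketplace's own)."""
    suffix = "@" + domain.lower()
    return [r["username"] for r in records if r["email"].lower().endswith(suffix)]


def investigation_order(records) -> List[str]:
    """Admins first, then sellers, then buyers; within a role, highest balance first."""
    def key(r):
        return (ROLE_RANK.get(r["type"], 99), -float(r["balance"] or 0))
    return [r["username"] for r in sorted(records, key=key)]


if __name__ == "__main__":
    recs = parse_rows(SAMPLE_ROWS)
    for h, users in shared_hash_clusters(recs).items():
        print(f"hash {h[:8]}... shared by {users}")
    print("on marketplace domain:", accounts_on_domain(recs, MARKET_DOMAIN))
    print("investigate in order:", investigation_order(recs))
```

The hash clusters are only a lead: a shared hash can also mean two unrelated people chose the same weak password, so each cluster still needs corroboration (shared e-mail, overlapping activity dates, the same handle on other forums) before it goes into a threat actor profile.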

In conclusion, I hope that this blog post gave you more inspiration on how to turn raw intelligence from data leaks into actionable intelligence for your customers. Data leaks like this one are especially valuable since they provide insights into criminal organizations, and as a threat intelligence analyst understanding your adversaries must be one of your top priorities. Happy to hear any more exploitation ideas for this data leak. :)

Written by xorl

May 12, 2021 at 19:17

Iran Cyber Operations Groups


Unsurprisingly, after Russia, the US, China, the DPRK (North Korea), and the EU, here comes the mapping of the offensive cyber operations groups of Iran that have been attributed to a known government entity. Just like in the previous posts, sources and change log are available under the diagram.

If you notice anything missing, incorrect information, mistakes or anything like that, please let me know so I can update it accordingly.

Last update: 06 May 2021



  • Version 1.0 (06 May 2021): First publication.
  • Version 1.2 (06 May 2021): Minor fixes (typos, etc.)
  • Version 1.5 (06 May 2021): Fixed a typo. Added missing “Focus” entries.

Written by xorl

May 6, 2021 at 13:00