xorl %eax, %eax

Iran Cyber Operations Groups


Unsurprisingly, after Russia, US, China, DPRK (North Korea), and EU, here comes the mapping of the offensive cyber operations groups of Iran that have been attributed to a known government entity. Just like in the previous posts, sources and change log are available under the diagram.

If you notice anything missing, incorrect information, mistakes or anything like that, please let me know so I can update it accordingly.

Last update: 06 May 2021

Sources

ChangeLog

  • Version 1.0 (06 May 2021): First publication.
  • Version 1.2 (06 May 2021): Minor fixes (typos, etc.)
  • Version 1.5 (06 May 2021): Fixed a typo. Added missing “Focus” entries.

Written by xorl

May 6, 2021 at 13:00

Exploitation of data breaches for executive protection


People that know me or work with me are well aware of my efforts to expand the scope of threat intelligence functions beyond the cyber domain. I have published posts, presented use cases, and have done a lot of practical application of that with various organizations in both the private and public sectors. And just to be clear, I’m not a lawyer, so make sure you do your due diligence, and as always, everything mentioned here reflects my personal views and is not related in any way to my employer.

Now one topic I’d like to cover here is how a threat intelligence capability can exploit the incredible amount of breached data that is constantly appearing to improve Executive Protection (EP). I’ll pick two examples here:

  • Facebook data breach (533 million accounts)
  • Dating & adult websites breaches (there are like a dozen in just Q1 2021)

Facebook use case

Data breaches almost always provide some information that you didn’t have before. For example, the Facebook one allows high confidence correlation of an email with a phone number and a Facebook account (at a minimum). Here are two ideas on how to exploit this for actionable EP (also sometimes called protective) intelligence:

  1. Check whether details of your executives or their family members have been leaked. If so, recommend that they change their phone numbers or be prepared to receive fake threats, phishing links, etc. If you implement proactive security controls on mobile phones (via some MDM solution), then you can even mark those as high risk accounts due to the discovered breached data.
  2. Use the breached data to enrich your analysis on individuals threatening your executives. For example, search if the phone number corresponds to a Facebook or email account and vice versa. Once you have a lead, build a threat actor profile and share it with the appropriate law enforcement agency along with the threat your executive received.

Dating & adult websites use case

I had a quick look at two data sets from recent data breaches of such websites (one popular dating website and an adult content one) and identified over 3000 registered users with corporate email addresses, and even some with government email addresses. If I were a criminal or a foreign intelligence service, that would be a treasure trove. I could use that for extortion, recruitment, or any other malevolent action. Now, as a threat intelligence function we can also exploit this, and here are a couple of ideas for that:

  1. If you identified such records, proactively notify the victims with a carefully crafted explanation of how those data are likely to be used in the near future for sextortion scams, blackmail, or even recruitment pitches. Recommend that they change those contact details to avoid this threat altogether, and recommend the use of fake personas for such websites in the future.
  2. If you identified a threat actor that was after your executives using any of those websites, then use it when building their psychological profile and exploit it as a lure to trick them into providing you with more details (whether this is through elicitation or technical means).
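As an added example (not code from the original post), here is a defender-side version of both use cases above: it normalises contact details from a breach dump, matches them against an EP watchlist of executives and family members, and groups leaked addresses by watched corporate or government domain so the owners can be notified. Every record, name, phone number and domain below is constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample rows (not real data), a constructed EP watchlist, and domains to watch.
BREACH_RECORDS = [
    {"email": "Jane.Doe@Example-Corp.com", "phone": "+31 6 1234 5678", "source": "social_network_dump"},
    {"email": "night.owl@mail.example", "phone": "0031612345678", "source": "dating_site_dump"},
    {"email": "bob@example-corp.com", "phone": "", "source": "dating_site_dump"},
    {"email": "someone@agency.example.gov", "phone": "+1 (555) 010-0199", "source": "adult_site_dump"},
]
WATCHLIST = [
    {"name": "Jane Doe (CEO)", "emails": ["jane.doe@example-corp.com"], "phones": ["+31612345678"]},
    {"name": "Jane Doe (spouse)", "emails": [], "phones": ["+1 555 010 0199"]},
]
WATCH_DOMAINS = {"example-corp.com", "agency.example.gov"}

def normalize_phone(raw):
    # '+<digits>' form; assumes a country code ('+31..' or '0031..'), a bare national '06..' loses its 0.
    digits = re.sub(r"\D", "", raw or "").lstrip("0")
    return "+" + digits if digits else ""

def normalize_email(raw):
    return (raw or "").strip().lower()

def match_watchlist(records, watchlist):
    # One hit per (person, row); a phone-only hit under an unknown email is the cross-breach case.
    by_email, by_phone = defaultdict(set), defaultdict(set)
    for person in watchlist:
        for e in person["emails"]:
            by_email[normalize_email(e)].add(person["name"])
        for p in person["phones"]:
            by_phone[normalize_phone(p)].add(person["name"])
    hits = []
    for row in records:
        matched = defaultdict(list)
        for name in by_email.get(normalize_email(row["email"]), ()):
            matched[name].append("email")
        for name in by_phone.get(normalize_phone(row["phone"]), ()):
            matched[name].append("phone")
        for name, fields in matched.items():
            hits.append({"name": name, "matched_on": fields, "source": row["source"]})
    return hits

def corporate_exposure(records, domains):
    # Leaked addresses grouped by watched domain, for the proactive-notification step.
    exposed = defaultdict(list)
    for email in (normalize_email(r["email"]) for r in records):
        if email.rpartition("@")[2] in domains:
            exposed[email.rpartition("@")[2]].append(email)
    return dict(exposed)
```

The second row matches the CEO on phone number only, even though it was registered under an unrelated email, which is exactly the correlation across breaches that makes a single leaked field actionable.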

I want to stress the fact that those two are just some examples. Each data breach provides another piece of the puzzle of a person’s online life, and given enough of them you can have an incredible amount of detail which could be utilized in dozens of threat intelligence areas. Here I focused on EP, but the same data are priceless for:

  • Attribution & de-anonymization
  • Threat actor profiles
  • Threat actor tracking
  • Malware analysis enrichment
  • Threat actors/groups correlation
  • Fraud investigations enrichment
  • etc.

Written by xorl

May 3, 2021 at 12:30

EU Cyber Operations Groups


And after Russia, US, China and DPRK (North Korea), here is the one for APT groups associated with European Union (EU) nation-states. A big disclaimer here that I know that many more nation-states might be operating offensive cyber operations groups, but I only included those for which there has been some publicly known reporting associated with them.

If you think I got something wrong or there are more groups that I’m missing, please let me know and I’ll update the diagram as soon as possible.

Just like in the previous cases, the sources and change log are available under the diagram.

Last update: 28 April 2021

Sources

ChangeLog

  • Version 1.0 (28 April 2021): First publication.
  • Version 1.5 (28 April 2021): Update DGSE/STR name based on the 2012 legislation (credits: @Horgh_rce)

Written by xorl

April 28, 2021 at 16:51

OSAC NL Chapter: Cyber Threat Briefing


Recently (February 2021) a colleague of mine and the Diplomatic Security Service with the U.S. Embassy in The Hague gave me the opportunity to present at the Overseas Security Advisory Council (OSAC), Netherlands chapter. My presentation was titled “Cyber Threat Briefing: A look at 2020 and assessing the near future” and although I cannot share the slides of my talk, I’ll do my best to go through the experience of presenting at OSAC.

First of all, the OSAC-NL/U.S. Embassy in The Hague team were incredible and I want to thank them for all their feedback, help, and support. Having said that, my presentation was structured as follows:

  • Cyber domain trends
  • Cyber-actors activities related to EU and the Netherlands
    • Hacktivism
    • Cyber-crime
    • Cyber-espionage
  • Case studies from 2020
  • Cyber threat forecast for 2021

I really enjoyed the engagement with the participants of the event but, more importantly, the openness for controversial subjects to be heard in a U.S. government sponsored event, such as how specific cyber operations of the U.S. government and/or the FIVE EYES can have a negative impact (e.g. collateral damage, retaliation) on private sector entities.

Overall, it was an event where I got the vibe that all participants deeply cared about how to protect their organizations, with all the potential political aspects completely removed. It was a great event and an honor to be part of it. I hope to be able to participate in more of them in the future.

Written by xorl

April 27, 2021 at 11:01

North Korea (DPRK) Cyber Operations Groups


After Russia, US and China, here is my mapping of known APT groups with (offensive) cyber operations capabilities from DPRK (commonly referred to as North Korea). As always, please let me know if you notice any mistakes, errors, or missing information since this is supposed to be a live document, updated as soon as new information becomes available.

The sources used are listed below the diagram, similarly to the other cases.

Last update: 28 April 2021

Sources

ChangeLog

  • Version 1.0 (24 April 2021): First publication.
  • Version 1.5 (28 April 2021): Added Bureau 325. (credits: @SwitHak)

Written by xorl

April 24, 2021 at 13:39