xorl %eax, %eax

BSidesBUD 2023: A Deeper Look at the Disrupted Bot Farms in Ukraine

It would probably take us many years to look into all the intricate details of the countless cyber operations that have been taking place globally in relation to the Ukraine/Russia conflict over the last couple of years. As a tiny step in that direction, in 2023 I did some research on how Russian intelligence services have been setting up and utilising “bot farms” inside Ukraine.

Eventually, I was accepted to present this research at BSidesBUD 2023, a really nice event in the capital of Hungary that I’d definitely recommend to everyone from our industry.

In case you want to get an idea of the content, below I’m attaching the slides that I used. However, the slides were mostly there to support my presentation, so they do not have that much value on their own. Nevertheless, it was a subject that I hadn’t come across in any security conference before, so I thought it was worth documenting for future reference.

Written by xorl

February 2, 2024 at 14:52

Kaspersky SAS ’23

I’m always seeking to learn from and experience different cyber security events, since each one of them gives you a different perspective on our industry (and the world), and Kaspersky’s Security Analyst Summit (SAS) had been on my “to do” list for a long time.

I planned to attend SAS in 2018-2019 but, due to some competing priorities, I couldn’t. Then, in 2020 I applied to give a presentation titled “cyber-crime ecosystem in the travel industry”, which was accepted, but the conference was cancelled due to the pandemic, and 2023 was the first year since the pandemic that SAS was back. So, after 5 years, I finally managed to attend SAS ’23, which took place in Phuket, Thailand and was a wonderful, small security conference.

It was a relatively small event with a couple of hundred people or so, but the content was incredible: from all sorts of APTs that you rarely hear about, to innovative research, and of course having the ability to network and chat with professionals from national CERTs as well as security researchers from countries rarely present at the well-known US and European cyber security events. All of this came with truly amazing organisation, lots of activities and surprises.

As security professionals it’s imperative that we understand the threat landscape globally, and this event was a remarkable place to gain that insight for anyone coming from a US or EU background. From both the defenders’ and the attackers’ perspective, the event included very interesting TTPs and content that I hadn’t seen before.

Lastly, as Eugene Kaspersky put it in one of the conference activities, a great security conference needs to: 1) have new and innovative security research/content; 2) be hosted in a nice environment/location that allows people to disconnect from their day-to-day work; and 3) be fun. SAS ’23 managed to cover all three areas successfully.

It’s hard to choose my favourite talks from this event, but if I had to pick 5 (in no particular order), based on the knowledge I acquired from them, those would be:

  • StripedFly: Traversing the Blue Expanse in Search of Eternal Wonders
    • by Sergey Belov and Sergey Lozhkin (Kaspersky GReAT)
  • How Many Gates to the Temple of Space? Shapes of Tunnels Drilled by Desecrators
    • by Askar Dyussekeyev (KZ-CERT)
  • Unearthing TetrisPhantom: Discovering secrets of an intricate cyber threat campaign
    • by Noushin Shabab (Kaspersky GReAT)
  • Operation Triangulation: Connecting the Dots
    • by Igor Kuznetsov (Kaspersky)
  • Space Pirates: raiders of privacy
    • by Denis Kuvshinov (Positive Technologies)

Written by xorl

February 1, 2024 at 14:45

2022 CTI-EU Talk: Threat Landscape and Defences Against Mobile Surveillance Implants

In December 2022 I had a very pleasant surprise: I was given an opportunity to give a lightning talk at the European Union Agency for Cybersecurity (ENISA) Cyber Threat Intelligence (CTI) conference of 2022, known as CTI-EU 2022. I had attended previous editions of this event and it was an amazing experience, so having that opportunity was a great honour.

I had a few different topics that I was researching around that time and, after a small discussion with the organisers, we agreed that the best option would be “Threat Landscape and Defences Against Mobile Surveillance Implants”.

If you’d like to see what other presentations took place during CTI-EU 2022, check out the published agenda for the event. There were some very valuable presentations but, of course, being an on-site event, the most important part was the face-to-face interactions. With this event ENISA manages to bring public and private sector CTI experts together, and we had numerous fruitful conversations ranging from CTI topics to public/private sector collaborations, challenges, and more.

I’m not sure if/when ENISA will publish the slides from the TLP:WHITE talks, but if you’d like to see mine you can get them here. Since it was a lightning talk I couldn’t go in depth on almost anything, but if you are interested in something mentioned in my slides (with more depth), please contact me. Additionally, if you are researching this space and would like a second pair of eyes, I’d be more than happy to help.

Written by xorl

January 1, 2023 at 15:00

OSINT: A Summary of SIDEWINDER Operations in 2022

SIDEWINDER (also known as RAZOR TIGER, RATTLESNAKE, T-APT-04, HARDCORE NATIONALIST, and APT-C-17) is a cyber espionage actor that has been active since at least 2012. I had a look at all the publicly known 2022 operations (that I could find) attributed to this actor to derive some insights, and here’s the outcome.

The main outcome we can derive is that SIDEWINDER is focusing mainly on Pakistani military targets (particularly the Navy) to conduct cyber espionage.

In terms of the data I used, through publicly available information I found 40 unique events (let’s call them operations) for the period of January 2022-December 2022, and here are some statistics…

Note: Apparently this is a tiny number compared to Kaspersky’s “over 1,000 new attacks since April 2020”, but I tried to keep it limited to 2022, to publicly available reports, and to only those that had some context, not just IOCs.

Figure 1: Countries targeted by SIDEWINDER
Figure 2: Sectors targeted by SIDEWINDER

Many identify SIDEWINDER as an Indian cyber espionage actor and, based on the targets in Figure 1 and Figure 2, I’d say that we can safely assume that their main target is Pakistani military entities, which makes this actor better aligned with what a military intelligence agency would be performing. Maybe something like India’s Directorate of Military Intelligence? Apparently, there is no hard evidence here to be certain about this, just some food for thought.

Considering the main target is the Pakistani military, here’s a breakdown of the specific SIDEWINDER targets in Pakistan from the limited 2022 dataset I mentioned in the introduction.

Figure 3: Volumetric analysis of top SIDEWINDER targets in Pakistan

Based on that limited dataset, clearly the Pakistani Navy was by far the top target of SIDEWINDER for 2022, strengthening the hypothesis of SIDEWINDER being an actor associated with India’s military intelligence, or even naval intelligence.

With such small sample sets, timelines aren’t particularly valuable, but I know that people will be asking for it, so here is a timeline analysis too.

Figure 4: Timeline of the identified SIDEWINDER operations

Written by xorl

December 23, 2022 at 15:46

BSides Cyprus: Cloud… Just somebody else’s computer

Just noticed that I haven’t published much for the last few talks I’ve been giving and this is one of them…

That was my 8th, and last, talk for 2021. It was research more on the cloud security architecture/engineering side. That was my second time participating in BSides Cyprus and, as always, it was an amazing event with amazing people. The organizers of BSides Cyprus did a remarkable job. From the setup of the remote event, to the CTF, the prizes for the CTF participants, and the overall atmosphere, it was an excellent event.

Now, specifically on my talk, that was a subject that I had been preparing for around a year and I’m glad I got to talk about it at BSides Cyprus. For various reasons, public cloud providers intentionally abstract away a lot of the plumbing of how everything is put together, and this affects security.

So, in this talk I picked up a few services from AWS, GCP, and Azure and dissected them to demonstrate that:

  • It’s just computers and software under the hood
  • Having this “inner” architectural understanding helps you uncover vulnerabilities (using some publicly available ones in the examples; no 0days or embargoed issues revealed)

My goal with this talk wasn’t to uncover some significant design flaw or to claim that public cloud is bad, just to raise awareness and change the mindset of security engineers working with public cloud to think beyond what the vendor’s documentation says. If you’d like to have a look, you can find my slides here.

Written by xorl

December 22, 2022 at 13:32