xorl %eax, %eax

Archive for the ‘threat intelligence’ Category

US Cyber Operations Groups


My previous post on the Russian (offensive) Cyber Operations Groups became more popular than I expected, so I decided to do something similar for other nation-state actors that have multiple intelligence organizations performing offensive cyber operations. I picked the United States as the second one, and hopefully I will continue with more of these in the future.

In the case of the US it was harder, since very limited details are publicly available. The main sources I used for this one were:

  • Government leaks (E. Snowden, Wikileaks, Shadow Brokers, etc.)
  • Statements from government officials in reputable news outlets

You might notice that I didn’t expand CYBERCOM (which is massive). The reason is that although it is publicly known that it now performs offensive cyber operations, there is no publicly known APT association, so I decided to avoid making this a huge diagram for no reason. The same goes for the NSA, which has multiple other divisions/offices performing cyber operations, but there is no publicly known APT associated with them either.

I hope I got it right, but if you notice any mistakes, missing details or incorrect information, please let me know so I can update it accordingly.

Last update: 18 APRIL 2021

Written by xorl

April 18, 2021 at 11:53

Russia’s Cyber Operations Groups


Some time ago I published a post in which I briefly discussed some of the most well-known APT aliases associated with specific government organizations of the Russian Federation. Since a lot of additional information has recently been released from official sources (the US and UK governments), I decided to turn this into a more thorough diagram.

The sources used for this were:

  • US government statements
  • UK government statements
  • Supo (Finnish Security Intelligence Service) public reports
  • KaPo (Estonian Internal Security Service) public reports
  • AIVD (Dutch General Intelligence and Security Service) public reports
  • NATO publications
  • EU Commission publications

So I hope that they weren’t wrong, but if you notice any mistakes, missing details or incorrect information, please let me know so I can update it accordingly.

Last update: 16 APRIL 2021

Written by xorl

April 16, 2021 at 15:31

Why tasking is important in a threat intelligence team (using NSA’s UTT as example)


Following the theme of my previous posts, I have published an educational video that goes through the well-known PRISM slide deck from the NSA. That slide deck has tons of useful information for anyone working in threat intelligence, but I’d like to focus on one area only, to keep this blog post quick and comprehensive. I want to focus on the Unified Targeting Tool (UTT) that was mentioned and explained there.

What I liked about UTT was its pure focus on tasking (meaning assigning intelligence tasks such as collection, exploitation, etc. when the information is not readily available to analysts), something we usually tend to ignore in the private sector. The job of your analysts isn’t to go out and chat with cyber-criminals, create sock puppet accounts, negotiate with vendors, etc.; it is to use all the available information to build intelligence. The operations listed above are part of tasking & collection.

Here is a screenshot of the UTT slide I reconstructed for my video. In summary, it says that the analyst uses UTT to fill in a web form with the information they need from PRISM (but for the sake of this blog post, assume your own threat intelligence data lake). UTT then had two paths: one for searching in records it already had, and the other for searching for near-realtime information (AKA surveillance). This distinction is CRUCIAL in tasking, as intelligence gathering is usually not as time-sensitive as surveillance. It then performs a series of checks (like whether this concerns a U.S. citizen) and, if the information wasn’t available, the FBI was tasked to go to the relevant companies, get/collect that data and feed it back to PRISM.



Now if I had to redesign this for a private entity, I would do something like what you see below. Having a solid tasking process for threat intelligence is extremely beneficial for the entire intelligence function. In short, what I wrote is this: first, someone needs to review the analyst(s)’ request in case they try to access something they are not allowed to. Then, if it’s something you already have, you pass it on; if it isn’t, you open a ticket for your collectors to find it. If it’s a near-realtime (AKA surveillance) request, you need to create the equivalent tracking rules and alerts. The great part is that most of this can be automated with the modern TIP and SOAR solutions out there.



So what’s the value of a concrete tasking process (ideally accompanied by a tool like UTT)? Here is what it brings:

  • Provides visibility on what analysts are interested in (AKA helps develop/improve PIRs)
  • Helps identify the best vendors/sources to focus on
  • Creates/maintains alerting only for threats the analysts care about
  • Ensures analysts cannot just “read everything”, which could result in serious privacy violations
  • Helps prioritize the intelligence collection and technical requirements
  • Removes the need for analysts to get familiar with all the tools/vendors used (which change over time)
  • Helps deduplicate work when multiple identical requests are issued
  • Lets analysts use their time to do analysis, not collection
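To make the redesigned flow concrete, here is a small added example (my illustration, not code from the original post or from any real TIP/SOAR product) of a private-sector tasking router: it performs the review step against an analyst’s approved scope, turns near-realtime requests into tracking rules, serves anything the data lake already holds, and otherwise opens a collection ticket while deduplicating identical requests. The analyst names, scopes, selectors and data-lake contents are all constructed sample values.

```python
from dataclasses import dataclass, field


@dataclass
class TaskingRequest:
    analyst: str
    selector: str           # "type:value", e.g. "domain:evil.example"
    realtime: bool = False  # True = near-realtime tracking ("surveillance") request


@dataclass
class TaskingSystem:
    allowed_scopes: dict    # analyst -> selector types they are approved to request
    data_lake: dict         # selector -> records already collected
    tickets: list = field(default_factory=list)      # open collection tickets
    alert_rules: list = field(default_factory=list)  # near-realtime tracking rules

    def handle(self, req: TaskingRequest) -> dict:
        # 1. Review step: refuse anything outside the analyst's approved scope.
        sel_type = req.selector.split(":", 1)[0]
        if sel_type not in self.allowed_scopes.get(req.analyst, ()):
            return {"status": "denied", "reason": f"{sel_type} not in scope"}
        # 2. Near-realtime requests become tracking rules, not one-off lookups.
        if req.realtime:
            if req.selector not in self.alert_rules:
                self.alert_rules.append(req.selector)
            return {"status": "alerting", "rule": req.selector}
        # 3. Already collected: serve it straight from the data lake.
        if req.selector in self.data_lake:
            return {"status": "served", "records": self.data_lake[req.selector]}
        # 4. Otherwise open a collection ticket, de-duplicating identical requests.
        for ticket in self.tickets:
            if ticket["selector"] == req.selector:
                ticket["requesters"].add(req.analyst)
                return {"status": "queued", "ticket": ticket["id"], "duplicate": True}
        ticket = {"id": len(self.tickets) + 1, "selector": req.selector,
                  "requesters": {req.analyst}}
        self.tickets.append(ticket)
        return {"status": "queued", "ticket": ticket["id"], "duplicate": False}


# Constructed sample state: two analysts with different scopes and a data lake
# that already holds one selector. All values are made up for this example.
SYSTEM = TaskingSystem(
    allowed_scopes={"alice": ("domain", "sha256"), "bob": ("domain",)},
    data_lake={"domain:evil.example": ["seen in phishing wave, Jan 2021"]},
)

if __name__ == "__main__":
    print(SYSTEM.handle(TaskingRequest("alice", "domain:new.example")))
    print(SYSTEM.handle(TaskingRequest("bob", "domain:new.example")))  # deduplicated
```

Each outcome (denied, alerting, served, queued) is the hand-off point where a TIP or SOAR playbook would take over.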

Written by xorl

February 1, 2021 at 15:50

Passive collection of satellite traffic for threat intelligence


At Black Hat USA 2020 there was this interesting talk, Whispers Among the Stars: A Practical Look at Perpetrating (and Preventing) Satellite Eavesdropping Attacks, which touched on a cyber intelligence collection method that became popular in the early 2010s.

In October 2020 I published an educational video showing how DFS, Japan’s military signals intelligence agency, was taking its first steps in exactly this space. That is, using traditional SIGINT (eavesdropping on satellite broadcasts) to detect cyber threats. Japan’s DFS did this in close collaboration with the NSA, since their satellite SIGINT stations were operated jointly by both agencies. I published that video because it was a unique opportunity to see the early stages (in 2011-2013) of a SIGINT agency using its skillset and resources to adapt to the rising domain of cyber threats. This is a photo of the MALLARD station in Japan, which was (is?) jointly operated by DFS and the NSA for satellite SIGINT collection.



And the following slide (this is from my reconstruction of the slide deck) shows the process that DFS was following to take advantage of this new intelligence source. To simplify this for the average reader: think of J6 as your cybersecurity department, DFS as your threat intelligence team(s), CIRO as the leadership of your threat intelligence team(s), MOD as your company’s leadership, and SIGINT collection as eavesdropping on internet traffic from satellites that are broadcasting it back to earth.



Some of the challenges that DFS faced back then were not knowing which communication satellites/frequencies/channels to monitor (the NSA was helping by providing details on that), and also that handling the amount of broadcast data in near real-time made their processing and storage requirements skyrocket. Nowadays, another challenge would be that some parts of the internet (like web traffic) are mostly encrypted, but this Black Hat USA talk surfaced an interesting area that I’m sure threat intelligence companies will be considering, which is: why not replicate in the private sector what signals intelligence agencies have been doing for more than a decade now?

By that I mean monitoring/receiving satellite broadcasts (AKA passive SIGINT collection) and looking for indicators and warnings of cyber operations, e.g. C2 traffic, spear-phishing campaigns, exploitation of certain vulnerabilities, etc. Now this brings a ton of ethical and legal considerations, such as: Is it illegal if you are just “listening”? Most email traffic is still unencrypted; is it then the same as people talking in public? What happens if you start processing sensitive personal information? etc.

On the technical side, there are also some interesting challenges and opportunities, such as: Would there be a need for a private sector XKeyscore-like utility for “selectors”, or will industry-used technologies like Sigma rules and YARA cover those needs? Also, some cloud providers now offer satellite ground stations as a service. Does this mean that setting up a global SIGINT collection network is now trivial, or is there still a need for company-owned resources?

In any case, I find it interesting that the private sector is catching up on this, and I’m very curious to see what it is going to bring to the threat intelligence industry.

Written by xorl

January 26, 2021 at 12:36

On attribution: APT28, APT29…Turla: No, they are NOT the same


Earlier today someone forwarded me (outside of work) a threat intelligence “report” (quotes because it was far from being a finished product) that recommended that people impacted by one of those three nation-state actors should be told that “Russia is targeting your organization”. I found this assessment dangerously wrong and inaccurate, so let me explain here why, and maybe my post will help others avoid similar oversimplifications.

I cannot reference classified attribution intelligence products, but one of the most reputable public sources is Välisluureamet, Estonia’s foreign intelligence service. In Välisluureamet’s 2018 unclassified report, they attributed those groups to specific organizations within the Russian Federation government. So let’s assume that this is accurate for the sake of this blog post.



Why is it dangerously wrong to communicate that getting targeted by APT28, APT29 or Turla is “Russia targeting you” rather than naming the specific actor? Simply because they are significantly different organizations, with different modus operandi, different objectives, and different TTPs. This means that your threat model will be entirely different if you want to be protected against APT28 versus Turla or APT29. To be more precise:

APT28 (GRU’s 6th Directorate/Military Intelligence)
A military intelligence agency is usually after intelligence of military value. Specifically, this agency has shown that it is one of the most active actors in cyber, with massive resources but not extremely sophisticated. Of course, when there are big geopolitical events, military research, investigations into Russian military activities or military exercises, they will be around, and they will go after any connected systems that can get them military intelligence that could benefit the Russian Federation and its allies. They have been seen using all intelligence disciplines, without any noticeable preference for cyber over other means of collection.

APT29 (SVR/Foreign Intelligence)
This is Russia’s equivalent of the CIA and, just like the CIA, their cyber operations are typically more targeted and less about bulk collection. On numerous occasions they have been seen conducting close access operations, and their objectives are typically related to political and economic information. For example, finding dirt to recruit someone as an SVR agent, or finding out the details of a commercial agreement or research that could benefit the Russian state or its allies. They are less in the SIGINT and more in the HUMINT space, so they are more likely to recruit an insider to get them what they want than to perform an extremely sophisticated cyber operation.

Turla (FSB’s 16th Center/Signals Intelligence)
Turla is the equivalent of the NSA’s Signals Intelligence Directorate (SID) and, because of that, they are one of the most sophisticated cyber actors out there, operating at a level similar to that of the NSA, including bulk collection. This means that they collect intelligence for a variety of agencies, both for Russia and for Russia’s allies under various agreements. So their target space is massive and they are the most advanced cyber operators of the Russian government. They have a massive organization and their sole purpose is SIGINT. So if you are targeted by Turla, expect some very advanced and complex cyber operations. Also, being targeted by Turla doesn’t necessarily mean that Russia is targeting you; it could be that they are executing an intelligence collection agreement for an ally of Russia that doesn’t have such cyber intelligence collection capabilities, similarly to what the NSA’s SID and other large SIGINT agencies do.

And this is why oversimplifying a threat intelligence product to “Russia is after you” for any of the above actors is dangerous for cyber security departments/customers that have to develop defensive controls to protect their assets.

If you are unsure about the attribution, it’s better to stay away from attributing it at all until you have sufficient evidence, and to focus on the lower-level indicators and warnings that you can share to help defenders take action: for example, what you observed in terms of TTPs or even IOCs. It’s better to share high-confidence intelligence than “it’s the Russians”, which has zero practical application for developing protections without more context that helps in understanding the motivations and intentions.

The same applies if you are a briefer delivering those threat intelligence products: choose your words wisely. Finally, do not forget that some of those agencies collaborate on certain projects, including sharing some software tools, libraries and TTPs (typically through lessons-learned sessions and internal policies).

Hopefully that clears it out…

Written by xorl

January 25, 2021 at 10:59