Posts

The Russian APT Tool Matrix

Introduction
Based on feedback I have received from fellow CTI researchers, incident responders, and managed detection and response teams around my Ransomware Tool Matrix project, I decided to make another Tool Matrix focused on one hostile state in particular: Russia. Again, as defenders, we should exploit the fact that the tools used by these Russian APT groups are often reused; through proactive defensive work, we can frustrate and even eliminate the ability of certain adversaries to launch intrusions. Using the Russian APT Tool Matrix comes with its own challenges. While it is undoubtedly useful to have a list of tools commonly used by Russian APTs to hunt, detect, and block, there are some risks, as noted in the repository. The new repository also covers multiple types of Russian threat groups, including adversaries that are part of the GRU, SVR, and FSB. The alias of each Russian threat group has been chosen according to the name the author of this repo believes it is best known by.

Examining Mobile Threats from Russia

Introduction
Russian state-sponsored threat groups, such as Fancy Bear (APT28), Cozy Bear (APT29), Turla, and Sandworm, among others, are well-known for complex cyber-espionage operations, targeted intrusions, destructive attacks, and disinformation campaigns. Some of the capabilities of Russian threat groups, however, are not well-known and extend beyond the usual targeting of government and critical infrastructure enterprise networks. The three main Russian intelligence services (GRU, FSB, and SVR) have also conducted less well-known and underreported intelligence gathering campaigns against Android and iPhone users, delivering spyware and collecting credentials for specific mobile applications. In this blog, I will be examining open source intelligence (OSINT) reports, leveraging the findings and citing investigations conducted by other threat researchers, to present my key findings and an overall assessment of these mobile threat campaigns.
Background on Mobile Threat

The Ransomware Tool Matrix

Introduction
Ransomware attacks are becoming increasingly damaging, but one thing remains consistent: the tools these cybercriminals rely on. The Ransomware Tool Matrix is a comprehensive resource that sheds light on the tactics, techniques, and procedures (TTPs) commonly used by ransomware and extortionist gangs. This repository provides defenders with actionable intelligence on the tools frequently leveraged by adversaries, thanks to the insights shared publicly by the US Cybersecurity and Infrastructure Security Agency (CISA)'s #StopRansomware advisories and The DFIR Report's publications, among others. This repository offers straightforward insights from compiled open source intelligence (OSINT) research that can be directly applied to threat hunting, detection engineering, and incident response operations.
Project Background
As defenders, we can turn the tables by exploiting a crucial flaw committed by ransomware gangs: tool reuse. Many ransomware gangs repeatedly rely on

Tracking Adversaries: The Qilin RaaS

This blog is part of my Tracking Adversaries blog series, whereby I perform a summary analysis of a particular adversary that has caught my attention and made me feel like they deserve special attention and investigation. Qilin has been covered already by experts from Trend Micro, Secureworks, Group-IB, SentinelOne, SOCRadar, BleepingComputer, and MalwareHunterTeam. Kudos to them, because without these researchers sharing their findings with the community, we would be a lot less informed about this prominent ransomware gang.
Background
Active since at least May 2022, Qilin ransomware is named after the mythical Chinese creature, which you may pronounce as "Chee-lin". The origin of this cybercriminal threat group, however, is believed to be from Russia. Like many other ransomware campaigns run by organised cybercriminal gangs, Qilin ransomware is used for domain-wide encryption of servers and workstations, and its operators steal vast quantities of data. A ran

Strengthening Threat Hunting Programs - Part 1: Requests for Threat Hunts

This is the first part of a threat hunting blog series I want to start. I plan to share some insights on several related ideas such as risk hunting, incident-based hunting, and leveraging a system similar to requests for intelligence (RFIs) in cyber threat intelligence (CTI) but for threat hunting. These ideas and concepts came to me from creating and running a professional threat hunting program over the course of more than two years, from early 2022 to mid 2024. In this blog are many of the lessons I have learned in my time venturing on this journey. If you are just looking for some threat hunting resources in general, please see the collection I have compiled on my GitHub, which was helpful to me during my journey.
Introduction
If you are like myself and have been generating and disseminating cyber threat intelligence (CTI) for many years, it may be an obvious choice to transition into a role whereby you consume and leverage it. Threat Hunting is an activity that experienced

Strengthening Threat Hunting Programs - Part 2: Risk Hunting

This is the second part of my threat hunting blog series. Please click here for the first part.
Introduction
It was once put to me that, much like hunting in the wilderness, so much of what matters is not the final pursuit of the target, but the long stalk. It is crucial to learn to read the land and the patterns of the local wildlife as well as the predators. Understanding the lay of the land is as important to hunting threats in your organisation’s network as it was to our hunter-gatherer ancestors. To increase the overall security posture of an organisation, whether as an in-house security team or as a managed security service provider (MSSP), you need to learn what is normal and what is abnormal in that organisation. You must understand that organisation’s current policies around software downloads, website filtering, vulnerability patching, remote login abilities, and file access permissions, among other controls (or lack thereof). The types of risky behaviour you will naturally uncov