Profile picture
Katie Nickels @likethecoins
, 14 tweets, 6 min read Read on Twitter
I previously tweeted that a prior indictment was ~APT10. I was analytically lazy & wrong. So I want to highlight parts of the actual #APT10 indictment from today. First, DOJ used the term APT10. I can't recall other cases where DOJ has used an existing group name, can you? (1/n)
They also mentioned other group aliases. A reminder to consider @RobertMLee's valid points about how group names can't be exact overlaps due to different visibility and analysis methodology between companies (sans.org/webcasts/threa…). (2/n)
Noteworthy that the actors were associated with a company acting "in association with" MSS. This made me think of @Jason_Healey's Spectrum of State Responsibility (atlanticcouncil.org/images/files/p…). (3/n)
Victims spanned a wide range of sectors. A good reminder that while it may make sense to focus on threats targeting your sector, some don't specialize. (4/n)
Wow, that's a lot of machines and data. I don't recall seeing this breach acknowledged previously - admitting compromise of Navy systems is notable. (5/n)
Emailing employees of a helicopter manufacturing company about aircraft antennae seems pretty targeted. Stuff like this puts the "advanced" in APT because this requires some level of planning and coordination, not just spray and pray. (6/n)
Use of dynamic DNS domains isn't new, but worth remembering. Lots of good research on how to detect them. (7/n)
(Just noticed @cglyer did a similar thread. I think we have different perspectives so I'll continue. His thread is good.) (8/n)
Wow, NASA and Lawrence Berkeley National Lab? I'm hoping this just normalizes that many orgs are victims, rather than finger pointing and blaming them. (9/n)
1,300 domains! This is specific evidence to point toward about why tracking domains isn't sufficient. At that volume it would be incredibly tough to get them all, and may not be worth the time. (10/n)
I wonder how many MSPs are actively monitoring RDP connections to their customers for anomalies. Worth asking if you use an MSP. (11/n)
Again, not new, but a great example of actors abandoning infrastructure after it's publicly reported. A reminder that can be a strategy to make them change infra, but also a reason to hold back info (though that pains me to say because I'm a huge fan of info sharing). (12/n)
In summary, not a ton new about TTPs (there were great reports previously, see attack.mitre.org/groups/G0045 for some of these), but victims were quite interesting. Strategic aims aside, I'm happy how this indictment backed up the good work folks from this community have done. (13/13)
How could I forget the FIN7 indictment?!? Thanks @instacyber @a_tweeter_user @kyleehmke. Need a vacation. Is this the first state-sponsored group name in an indictment, or am I forgetting another one?
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Katie Nickels
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

Related hashtags

#APT10

More from @likethecoins see all

Profile picture
I want a list of all "cyber" indictments from the US DOJ and couldn't find one. Here are the 11 I have so far…which am I forgetting/getting wrong? (I’m using name/topic from the indictment as shorthand.)
(1) May 2014 PLA Unit 61398 (justice.gov/opa/pr/us-char…) (1/n)
(2) March 2017 FSB (justice.gov/opa/pr/us-char…) (2/n)
(3) November 2017 Boyusec (justice.gov/opa/pr/us-char…) (3/n)
Read 19 tweets

Related threads

Profile picture
FIRST DOJ INDICTMENTS UNSEALED: Clinton Foundation-Connected Bank “Mossack Fonseca” Tied To Money Laundering dailycrusader.com/2018/12/first-…
WASHINGTON, DC – As reported by Courthouse News Service, Federal prosecutors announced #charges this Tuesday against #FourMen connected to the law firm #MossackFonseca which has extensive ties with the #ClintonFoundation
The #charges line up with several of the #SealedIndictments requesting #wiretaps, #PRTTorders, and search warrants which were leaked by the DOJ recently and reported on by the Daily Crusader (see our full report on the #DOJ’s leaked search #WarrantIndictments 👇🏻👇🏻👇🏻
Read 13 tweets
Profile picture
Every time I post more avant-garde designs, I get a lot of people questioning how practical the designs actually are for every day wear & WHY fashion houses make designs that are not designed to be worn so I'll do a thread to answer What Couture Is, Really, & Why People Make It:
I want to preface this by saying that I am far more of a hobbyist than a historian so I a lot of what is to follow is either my own opinion/observations or what I've come across in my research because fashion is a really interesting topic to me and I self-study a lot but-
The short answer is that there's a distinction between (Haute) Couture and (Ready-to-Wear) RTW Collections. Think of a Couture collection as a gallery show for an artist. They are one part physical art pieces, one part art installations, and one part performance art.
Read 22 tweets
Profile picture
Let’s talk about gaslighting. There’s 11 aspects to gaslighting. Over the next two weeks I want to highlight these aspects.
THEY TELL BLATANT LIES is the first technique used by Trump to gaslight the populous. This tweet is riddled with blatant lies that can easily be fact checked.
As Senator Schumer states this investigation has yielded guilty pleas with one felon currently in jail.
Read 7 tweets
Profile picture
🛑BREAKING🛑

Following his #indictment of #Russians🇷🇺for social media trolling and illegal-ad-buying, #Mueller is assembling a CRIMINAL CHARGES against Russians who HACKED and LEAKED private info designed to hurt Democrats in the election‼️ 1/

nbcnews.com/politics/2016-…
Mueller's newest charges are expected to rely heavily on secret intelligence gathered by the CIA, FBI, NSA and Homeland Security (DHS).😎 2/

#FVEY
#TrumpRussia
Potential charges include violations of statutes on #conspiracy, election law, and the Computer Fraud and Abuse Act (CFAA). One source said the charges are not imminent, but other knowledgeable sources said they are expected in the next few weeks or months.🤗 3/

#TrumpRussia
Read 15 tweets

Trending hashtags

#Russians #MAPPED #ThreatFusionCenter #Denial #LookAt #Russia #TrumpRussia #Vote #CORPSes #DigitalSoldiers #victims #SoMuch #terrorist #MAY #man #Satire #CirizeStorm #MERCY #asYet #MossackFonseca #StoPtheWARonPublicEduCation #VoluntaryWiretaps #Co #president #Node

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!