Katie Nickels @likethecoins, 14 tweets, 6 min read
I previously tweeted that a prior indictment was ~APT10. I was analytically lazy & wrong. So I want to highlight parts of the actual #APT10 indictment from today. First, DOJ used the term APT10. I can't recall other cases where DOJ has used an existing group name, can you? (1/n)
They also mentioned other group aliases. A reminder to consider @RobertMLee's valid points about how group names can't be exact overlaps due to different visibility and analysis methodology between companies (sans.org/webcasts/threa…). (2/n)
Noteworthy that the actors were associated with a company acting "in association with" MSS. This made me think of @Jason_Healey's Spectrum of State Responsibility (atlanticcouncil.org/images/files/p…). (3/n)
Victims spanned a wide range of sectors. A good reminder that while it may make sense to focus on threats targeting your sector, some don't specialize. (4/n)
Wow, that's a lot of machines and data. I don't recall seeing this breach acknowledged previously - admitting compromise of Navy systems is notable. (5/n)
Emailing employees of a helicopter manufacturing company about aircraft antennae seems pretty targeted. Stuff like this puts the "advanced" in APT because this requires some level of planning and coordination, not just spray and pray. (6/n)
Use of dynamic DNS domains isn't new, but worth remembering. Lots of good research on how to detect them. (7/n)
(Just noticed @cglyer did a similar thread. I think we have different perspectives so I'll continue. His thread is good.) (8/n)
Wow, NASA and Lawrence Berkeley National Lab? I'm hoping this just normalizes that many orgs are victims, rather than finger pointing and blaming them. (9/n)
1,300 domains! This is specific evidence to point toward about why tracking domains isn't sufficient. At that volume it would be incredibly tough to get them all, and may not be worth the time. (10/n)
I wonder how many MSPs are actively monitoring RDP connections to their customers for anomalies. Worth asking if you use an MSP. (11/n)
Again, not new, but a great example of actors abandoning infrastructure after it's publicly reported. A reminder that this can be a strategy to make them change infra, but also a reason to hold back info (though that pains me to say because I'm a huge fan of info sharing). (12/n)
In summary, not a ton new about TTPs (there were great reports previously, see attack.mitre.org/groups/G0045 for some of these), but victims were quite interesting. Strategic aims aside, I'm happy with how this indictment backed up the good work folks from this community have done. (13/13)
How could I forget the FIN7 indictment?!? Thanks @instacyber @a_tweeter_user @kyleehmke. Need a vacation. Is this the first state-sponsored group name in an indictment, or am I forgetting another one?