When researching MeteorExpress, I couldn't have guessed the direction the discussion would take. Let's take a minute to evaluate these different claims– Indra, non-state-sponsored, MBC, SEA... (thread)
(1) Let's dispense with the patently brittle claims– just because a ransomware group claims they perpetrated an attack doesn't make a credible claim... looking at you DarkTracer.
(2) Subsequent claims that it's related to SEA are using a reference so outdated as to be meaningless. Additionally, SEA was a pro-regime group so nothing about this adds up other than a vague Syria connection.
(3) On a more interesting note, Checkpoint folks pointed out targets in Syria and a connection to a group that calls themselves Indra. Super interesting and built on solid ground– I found Comet, Comet is related to Stardust, Stardust makes reference to Indra in the code.
Indra, it turns out, not only has a social media presence (@Indra17857623) but also claimed the Syrian attacks (showing alleged exfil) before the account went dark in Nov 2020.
Now this is where we need to exercise some caution...
Having a social media presence claiming themselves hacktivists doesn't substantiate the idea that it's an independent, non-state-sponsored entity. We've seen plenty of examples where these masks have crumbled under scrutiny (Guardians of Peace, CyberBerkut, CyberCaliphate, YCA)...
While attacking the Iranian railway system was a loud showy attack, targeting in Syria of a money transfer service allegedly helping launder funds and a private airline company transporting Iranian forces to exfil compromising evidence of these claims speaks to a different activity.
With entities like Lab Dookhtegan spinning narratives based on leaks wrapped in 'freedom fighting' rhetoric, we need to be particularly discerning about the entities we are imbuing with legitimacy. There are larger forces at play here and they're counting on our amplification.
That should say ‘Meteor’ not comet 🤦🏻‍♂️