Beware whatever is happening with this bizarre op. Reporters from @business@motherboard and @TheRecord_Media received emails impersonating me and pointing to an 'Anonymous Liberland' / 'Pwn-Bar Hack Team' onion site. 🧵
You can read the email here. It's actually pretty funny.
Seriously debating changing my email signature to "Glory to Ukraine and Fuck Putin" at this point.
Looking at the site, the logistics of the op aren't very well thought out (assuming the intent is to push this Tetraedr leak) as the main leak is 150GB and the 'sample' is 955mbs, only downloadable via Tor. So see you in 10 days?
Also, seeing as they added a hash, let me clarify that *no* they didn't find this on VT. The sample is not available there. So again... beware whatever the hell is happening here.
Also, sincere thanks to the @cpartisans as they were also dragged into this op and knew better.
Day2, hopefully briefer and less hectic. Our friends at Symantec have published a great blog with way more detail about the attack chain and additional IOCs, including a decoy ransomware–
The 'ransomware' (4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382) is written in Go and C and has some interesting quirks and taunting–
Despite a ton of standard Go functions (as is usually the case), all we really want to focus on are the main and Cgo functions.
@1njection I agree with your general sentiment but in the interest of pedantry—
-Regin is your main 4 Eyes APT
-Equation group is (sort of) your missing eye
-Lamberts/‘Longhorn’ == CIA
And then there’s a few presumably western outliers that haven’t been attributed (ex: ProjectSauron)
@1njection To your larger point, you’ll notice that there’s very little follow up on any of these. There’s a complex calculus in the EDR/AV industry on whether to report on ‘friendly’ ops. I understand if they choose not to publish reports but imo intentionally not *detecting* is fraud.
Ok friends, you know it's a wonderful day when you get woken up by @Bing_Chris on madness in Iran. If you haven't seen what's going on, another trollish attack played out today with gas stations in Iran not being able to dispense gas #64411
Screens on the gas pump PoS systems say 'cyberattack, 64411' in Farsi. For avid readers, this should be a throwback to the Iranian railway systems attack in July where the attackers also directed calls to 64411, the Office of Iran's Supreme Leader, Ali Khamenei' #MeteorExpress
We were able to reconstruct the attack chain used in the Iranian railway system, a combination of well-written crafty batch scripts + an externally configurable wiper called 'Meteor'. That led us to calling this group MeteorExpress. s1.ai/meteor
Tbh, when I tweeted out the story about VPNs getting consolidated under a shady company with a reputation for malware/adware distribution, I didn't expect that it would get that big of a response. Since folks are interested, I wanted to discuss my biggest issue w this... #Thread
Sure, shady monetization schemes w ads are the bulk of the business model but it doesn't take into account the targeted espionage concern. Ad networks are fantastically positioned to profile internet users to an impressive level of granularity but they're limited–
For a determined adversary with control or influence over an ad network, you might have access to selectively injecting iframes or malicious ads in the hopes of hitting that one precious target. But a VPN introduces a much smoother avenue of attack.
It's awesome to see analysis of Lamberts and Equation Group tools. They're some of the most noteworthy findings in the short history of Cyber Threat Intelligence and we're doing a disservice by collectively ignoring their existence. Great work @runasand and @patrickwardle!
If you missed it, I'm sure the video will be up in the near future. In the meantime, here's Runa's blog on Green Lambert OS X objective-see.com/blog/blog_0x68…
For additional (non-MacOS) background, here's an overview of the color-coded constellation of the Lambert's toolkit up to a point– securelist.com/unraveling-the…