Share this page!

Van Profile picture
@Wanna_VanTa
Mar 28 8 tweets 3 min read Twitter logo Read on Twitter
Today, we've released #APT43 🇰🇵. As part of this release, I wanted to highlight some of the background research that went into this. No blue checkmark, so I have to do a normal thread 😅mandiant.com/resources/blog…
Many groups are defined in reports as prolific. What does that really mean? #APT43 started as #UNC1130. we're now in the 4000s+ for UNCs. They've been around the block. Not only that, but the rate at which they spin up infrastructure is impressive.
Through our approach of Continuous Visibility on targets, we have nearly 200 signals deployed for this group alone, with a vast majority aiming to identify suspected infrastructure. We are looking at potential new domains nearly everyday.
Yes this is all normal sounding threat research, but the systematic collection and analysis is especially important for groups that have less prominent hands-on ops, and is what led to some of the more fun finds.
In the report, we detail the deep rapport building between #APT43 and victims. I've seen a number of org victim notifications in my time, but notifying an individual to ignore an email that has just hit their inbox minutes ago sparks joy.
I highly recommend listening to the podcast where @j3nnyt0wn is interviewed, a common #APT43 target and a persona they have attempted to masquerade as. mandiant.com/resources/podc…
Most notably, #APT43 buys hash rental and cloud mining services to provide hash power, effectively allowing them to use stolen crypto to mine clean crypto🧼 It's not often that you get this type of visibility on this aspect of a cyber operation.
As part of this research, we've also looked deeper into North Korea-adjacent activity that shows their ardent desire to continue to evolve towards the blockchain. I'm excited to see how CTI will evolve to systematically track this.

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Van

Van Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @Wanna_VanTa

Van Profile picture
Dec 5, 2022
This morning, NBC released a scorching article on #APT41’s campaign to steal Covid relief funds from U.S. State Governments, based on a @SecretService investigation. 🧵
nbcnews.com/tech/security/…
.@rufusmbrown and I spoke on this very topic @labscon_io (video coming we’re told), as a continuation of research we published in March of 2022 on a persistent #APT41 campaign to gain access into U.S. State Government networks.
mandiant.com/resources/blog…
Our initial research uncovered new 0-days, malware variants, updates to their tried-and-true toolset, and more, all to gain access to state government networks. So much net new, but one question we persistently (heh) lost sleep over was WHY? What were they after?
Read 16 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

Send Email!

:(