This is more likely work of an intelligence agency, not an APT. APT is contractor service organized or reporting to the intelligence agencies of a nation-state or an OCG and does not have the same level of bureaucracy with payload delivery. The selective targeting gives it away.
https://twitter.com/passthehashbrwn/status/1740367435264627128
I do not consider GCHQ or NSA TAO as APT in the traditional sense, they are vastly superior threat when compared to contractor hired by say the FSB to steal western secrets through drive-by downloads. There is cross-over but one is a wide industry threat, the other very specific.
As an industry doing simulated breaches, cyber-enabled intellectual property theft or financially motivated crimes, our strategies and assessment programs are designed to simulate and detect adversary behavior from threat's that you are most likely to face in your industry.
The red-tape and bureaucracy involved in IC operations for selective targeting was disclosed by the Washington Post when interviewing former TAO members who stated that they needed management approval and multiple people to even consider firing one of their arsenals at a target.
Our industry should be aware of the threats posed by intelligence agencies, which is why I refer to them as FRIENDLYFIRE, because they do have chains of command and SHOULD undergo oversight to the public through government - although the US and UK have shown disregard for this.
Overwhelmingly for the vast majority of businesses, regardless of the sector they are in, 99.9% of your adversaries do not have $10million USD+ exploit toolchains to burn on gathering your corporate trade secrets. Contextualizing risk is important, Kaspersky has risk most don't.
If we are to consider IC work as APT, rather than an elite tier of the vast majority of attackers who are contracted by an IC - then we should radically alter the message we send for defense because very few people could ever hope to defend against that level of sophistication.
I got this really neat image I saved from somewhere (Checkpoint?) which outlines the process which most APT groups adhere to, when the state is hacking, it is not state-sponsored, and bureaucracy and red-tape of the state becomes visible in the attack as seen in Triangulation. 
If you don't believe me that the operating strategies deployed are different, simply take a look at known NSA TAO tradecraft on the MITRE ATT&CK framework vs. APT28 as an example. You will see that the NSA is precise, methodical, surgical in the attacks and the target selection.
Majority of APT groups simply do not give a fuck, and if you get caught as collateral damage in crosshairs of an attack - oh well! more data to steal. They are data-driven, aggressive and seek persistence - not mission orientated like IC is. State hackers are not state-sponsored.
If we are to consider the elite hacker tier of IC as part of the APT class of attackers, we must subset them similarly to how we deal with organized crime groups (OCG) who are financially driven. IC are mission driven however they also have cross-over with other TA's motivations.
When you are doing APT simulations, ask yourself this question, is driving to your clients house and installing property bugs and hijacking their cars infotainment system whilst bugging their basebands part of your simulation scope? Because it's within the IC remit of access.
It's a frightening & extremely dangerous suite of capabilities that you would hope never misused by any state for anything other than security of their homeland from domestic & foreign threats - however tyranny can rise and I believe cyber militias should be formed by the people.
The idea of a cyber militia is that the people should organize, train, be well-regulated and develop multi-million dollar suites of capabilities that they keep firmly aimed at the government as a God given 2nd amendment constitutional protected right.
This way in the event of tyrannical regime's rising to power such as the third reich, people are able to fight back and resist against adversary who otherwise out-resources them. When Biden said "you need more than AR-15 to take on the US government" he didn't account for cyber.
You are free to disagree with my viewpoints on this matter, however it is my firm belief that computer keyboards can change the world much more quickly than any bullets ever could and with such capabilities that information on the powerful, elite and corrupt can come to light.
Ask yourself, if a group of private citizens had cyber capabilities that let them tap phone calls of world leaders - would it concern you? Most are ok when their IC does it, few are comfortable with idea that one day government might not have their best interests at heart.
We the people have the right to know what goes on behind the closed doors of the rich and powerful, especially when they are making decisions and creating agendas that shape the society in which we live. IC backed hackers are serving the state, not the people.
APT28 is a bad comparison above as I meant to use a non-mission driven adversary that isn't a direct extension of the chains of command that form a countries military industrial complex. They were just fresh in my mind from something else.
• • •
Missing some Tweet in this thread? You can try to
force a refresh
