This is more likely the work of an intelligence agency, not an APT. An APT is a contractor service organized by, or reporting to, the intelligence agencies of a nation-state or an OCG, and does not have the same level of bureaucracy around payload delivery. The selective targeting gives it away.
I do not consider GCHQ or NSA TAO to be APTs in the traditional sense; they are a vastly superior threat when compared to a contractor hired by, say, the FSB to steal western secrets through drive-by downloads. There is cross-over, but one is a wide industry threat, the other very specific.
As an industry simulating breaches, cyber-enabled intellectual property theft or financially motivated crimes, our strategies and assessment programs are designed to simulate and detect the behavior of the adversaries you are most likely to face in your industry.
The red-tape and bureaucracy involved in IC operations for selective targeting was disclosed by the Washington Post when interviewing former TAO members who stated that they needed management approval and multiple people to even consider firing one of their arsenals at a target.
Our industry should be aware of the threats posed by intelligence agencies, which is why I refer to them as FRIENDLYFIRE, because they do have chains of command and SHOULD undergo public oversight through government - although the US and UK have shown disregard for this.
Overwhelmingly, for the vast majority of businesses, regardless of the sector they are in, 99.9% of your adversaries do not have $10 million USD+ exploit toolchains to burn on gathering your corporate trade secrets. Contextualizing risk is important; Kaspersky faces risks most don't.
If we are to consider IC work as APT, rather than as an elite tier apart from the vast majority of attackers who are contracted by an IC, then we should radically alter the message we send about defense, because very few people could ever hope to defend against that level of sophistication.
I have this really neat image I saved from somewhere (Checkpoint?) which outlines the process most APT groups adhere to. When the state itself is hacking, it is not state-sponsored, and the bureaucracy and red tape of the state become visible in the attack, as seen in Triangulation.
If you don't believe me that the operating strategies deployed are different, simply take a look at known NSA TAO tradecraft on the MITRE ATT&CK framework vs. APT28 as an example. You will see that the NSA is precise, methodical and surgical in its attacks and target selection.
The majority of APT groups simply do not give a fuck, and if you get caught as collateral damage in the crosshairs of an attack - oh well, more data to steal! They are data-driven, aggressive and seek persistence - not mission oriented like the IC is. State hackers are not state-sponsored.
If we are to consider the elite hacker tier of the IC as part of the APT class of attackers, we must subset them similarly to how we deal with organized crime groups (OCG), who are financially driven. The IC is mission driven; however, it also has cross-over with other TAs' motivations.
When you are doing APT simulations, ask yourself this question: is driving to your client's house, installing property bugs and hijacking their car's infotainment system whilst bugging their basebands part of your simulation scope? Because it's within the IC's remit of access.
It's a frightening & extremely dangerous suite of capabilities that you would hope is never misused by any state for anything other than the security of their homeland from domestic & foreign threats - however, tyranny can rise, and I believe cyber militias should be formed by the people.
The idea of a cyber militia is that the people should organize, train, be well-regulated and develop multi-million dollar suites of capabilities that they keep firmly aimed at the government, as a God-given, constitutionally protected 2nd Amendment right.
This way, in the event of tyrannical regimes rising to power, such as the Third Reich, people are able to fight back and resist against an adversary who otherwise out-resources them. When Biden said "you need more than an AR-15 to take on the US government" he didn't account for cyber.
You are free to disagree with my viewpoints on this matter; however, it is my firm belief that computer keyboards can change the world much more quickly than any bullets ever could, and with such capabilities, information on the powerful, elite and corrupt can come to light.
Ask yourself: if a group of private citizens had cyber capabilities that let them tap the phone calls of world leaders, would it concern you? Most are ok when their IC does it; few are comfortable with the idea that one day the government might not have their best interests at heart.
We the people have the right to know what goes on behind the closed doors of the rich and powerful, especially when they are making decisions and creating agendas that shape the society in which we live. IC backed hackers are serving the state, not the people.
APT28 is a bad comparison above, as I meant to use a non-mission-driven adversary that isn't a direct extension of the chains of command that form a country's military industrial complex. They were just fresh in my mind from something else.
Here is an example of the CIA's Marble Framework being used in a simple project to obfuscate and de-obfuscate strings. I used AI to re-create the missing library and components needed to use the framework in Visual Studio projects, usually handled inside the CIA with the "EDG Project Wizard".
This shows the complete workflow that an analyst would use when creating malware at the CIA using Marble for string obfuscation. An attacker could essentially now follow the leaked wiki instructions to obfuscate their strings in runtimes they create. More: wikileaks.org/ciav7p1/cms/pa…
The leaked framework supports 106 obfuscation methods known as "marbles", some generic C-based and others C++-based. It introduces three data types, CARBLE, WARBLE and BARBLE, for char, wchar and byte respectively, and can be controlled by header defines.
The "EU Digital Green Certificates (DGC)", which was implemented to curb freedom of movement unless individuals gave over medical decisions to their government, against all of our human rights, has been leaking the Health Authority of Bulgaria's private keys since 2021. #NoGreenPass
The above private key could be used to authenticate to the "on-boarding gateway" and falsify health records as authentic & valid from Bulgaria; additionally, as it allowed authentication, it could've been used to exploit Log4Shell (post-authentication), which was patched last year.
How did I get the private key, you wonder? It was trivial: I reconstructed it from their GitHub history, where the private key elliptic curve variables were committed in error, then deleted. By recovering these variables from the project's git history, I was able to regenerate the key.
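The lesson for defenders in the thread above is that deleting a committed key does not remove it from git history, so the key must be treated as compromised and rotated. This added example (not from the original thread) scans every reachable revision of a repository for key material; the repository, file name, JSON layout and all key values are constructed placeholders, not Bulgaria's real data.

```bash
#!/bin/sh
# Added example: find private-key material anywhere in a repo's git history,
# including files that were later deleted. Anything found must be rotated.
set -e

# PEM headers plus field names a hand-rolled EC key struct might use
# (the JWK private scalar "d", generic "private_key"/"privkey"). Tune as needed.
KEY_PATTERN='BEGIN (EC |RSA )?PRIVATE KEY|"d":|private_key|privkey'

# Usage: scan_git_history_for_keys /path/to/repo
# Prints "<commit>:<path>" for each revision containing a match.
# Returns 0 if anything was found, 1 if the whole history is clean.
scan_git_history_for_keys() {
    repo="$1"
    found=1
    # rev-list --all walks every commit reachable from any ref, not just HEAD.
    for rev in $(git -C "$repo" rev-list --all); do
        # Giving git grep a commit searches that commit's tree, not the worktree.
        if hits=$(git -C "$repo" grep -l -E "$KEY_PATTERN" "$rev" -- 2>/dev/null); then
            echo "$hits"
            found=0
        fi
    done
    return $found
}

# Demo repo: a CONSTRUCTED placeholder key is committed by mistake and then
# "removed" in a follow-up commit, mirroring the leak pattern in the thread.
build_demo_repo() {
    dir=$(mktemp -d)
    export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
    export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid
    git -C "$dir" init -q
    # Placeholder JWK-style EC key: public x/y beside the private scalar d.
    printf '{"kty":"EC","crv":"P-256","x":"PLACEHOLDER_X","y":"PLACEHOLDER_Y","d":"PLACEHOLDER_PRIVATE_SCALAR"}\n' \
        > "$dir/signing-key.json"
    git -C "$dir" add signing-key.json
    git -C "$dir" commit -q -m "add signing key (mistake)" >/dev/null
    # Deleting the file only hides it from HEAD; the first commit still has it.
    git -C "$dir" rm -q signing-key.json
    git -C "$dir" commit -q -m "remove key" >/dev/null
    echo "$dir"
}
```

Running `scan_git_history_for_keys "$(build_demo_repo)"` lists the first commit even though `signing-key.json` no longer exists in the working tree, which is exactly why rotation, not deletion, is the fix.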
👀 French police stopped a woman driving a car in someone else's name on suspicion of drug use and discovered a wireless hacking device in the trunk. Professional looking build too.
It's so beautiful, power modules on top, fans for cooling, what look like modular radio blocks, amp, filter, SDR radio and the icing on the cake is the "decoy" antenna system made to look like a hotspot. Whatever they are hacking with this, someone spent money to build it.
The antenna system is either that decoy hotspot or the hotspot is used to control it from another device as it has power and another cable running into it. Either way I'm jelly, someone got busted spying in the field and is now left out in the cold.
Remember the Iranian CIA source webpage we keep hearing about as faulty, the one assets were instructed to use? They were sent to iraniangoals[dot]com and instructed to enter a password to message CIA handlers... in a search box called "password" 😂