1️⃣ First, we define the nameserver we're targeting. In this case, it's ns3.my-ndns[.]com. This is where Virtuospider might be lurking! 🕸️
2️⃣ Next, we fetch every domain that uses this nameserver with a single curl request and save the JSON reply as coffee.txt (the file name points at dns[.]coffee, the feed used again later in this page).
No paid APIs or subscriptions, just pure OSS (Open Source Simplicity)! 🌐
3️⃣ Time to parse the data! We read the JSON response from coffee.txt and pull out domain names with a regular expression over the raw text. A regex over raw JSON grabs every domain-shaped string, repeats and the nameserver's own name included, which is exactly why the next step cleans the list. 📜🔍
4️⃣ We clean up the domain list: drop duplicates, drop the nameserver itself, and drop anything already in known.txt (domains you have previously reviewed or confirmed benign), if you keep such a file. Clean data is happy data! 🧹😄
5️⃣ Let's process these domains! We use a thread pool to run the lookups in parallel because patience is a virtue we don't always have; keep the worker count modest so the resolver doesn't rate-limit you. 🚀
6️⃣ For each domain, we resolve its A record through Cloudflare's 1.1.1.1 resolver instead of the system resolver.
This means only DNS queries leave our host. We never open an HTTP or TCP connection to the domain, so our IP address never shows up in the actor's web server logs. 🕵️♂️
One caveat: 1.1.1.1 is a recursive resolver, and for a name it has not cached it still has to ask the domain's authoritative nameserver, here ns3.my-ndns[.]com, the very infrastructure we are investigating. Whoever runs that nameserver can see that the name was looked up, but the query arrives from Cloudflare's resolver addresses, not from us, and looks like any other user's lookup. If you need zero signal to the actor, use a passive DNS source instead of live resolution.
7️⃣ We handle errors gracefully. If a domain returns NXDOMAIN, the query times out, or the reply is malformed, we catch the exception, log it against that domain, and keep going. ⚙️
One problematic domain never derails the run. It's all about resilience! 💪
8️⃣ Still without touching the domains, we perform an RDAP (Registration Data Access Protocol) lookup on each IP address. RDAP is the JSON-based successor to WHOIS: the regional registries (ARIN, RIPE NCC, APNIC, LACNIC, AFRINIC) serve it for IP ranges, and domain registries and registrars serve it for domains. 🔎
The IP lookup goes to the registry's RDAP server, not to the address itself, so it is as passive as the DNS step. It returns the allocated range, its network name, and the registrant organisation (for a cloud host, the provider). Note that the RDAP network object does not carry an AS number by default, so an "AS Owner" column is really the registrant organisation or comes from a separate ASN lookup. It's like checking a phone book without making a call! 📖
9️⃣ We store the domain, its resolved IP, and the AS Owner for each row. This gives us a neat summary of who's hosting what. 📄
🔟 Now, we generate an intelligence report in PDF format, focusing on specific AS Owners (e.g., 'DigitalOcean', 'Virtuo'). Time to catch those spiders! 🕷️📊
1️⃣1️⃣ The report includes the domain, IP, and AS Owner, making it easier to spot suspicious activity. Plus, PDFs are professional, right? 😉
1️⃣2️⃣ And that's it! You've automated your DNS hunt for potential Spider domains, making your cyber threat intelligence gathering faster. No manual checks, no expensive tools—just Python and some creativity! 🐍💡
Ready to dive in? Here's the full script for you to try out! 👉 pastebin.com/GVpQcxZw
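As an added, offline-testable example (not the pastebin script and not the author's code), here is the pipeline above in standard-library Python. It builds the A query by hand and sends it only to the chosen resolver, which makes the "only DNS leaves this host" point concrete. The dns[.]coffee JSON layout, the hostnames, and the RDAP response shape used for testing are constructed; the original presumably used a DNS library rather than raw packets, and that is an assumption.

```python
import concurrent.futures
import json
import os
import re
import socket
import struct

# Constructed stand-in for the JSON saved to coffee.txt; the real dns.coffee schema is
# not shown on the page, so the extractor keys on domain-shaped strings, not field names.
SAMPLE_JSON = json.dumps({"nameserver": "ns3.my-ndns.com", "domains": [
    {"name": "okta-sso-login.com"}, {"name": "example.org"},
    {"name": "okta-sso-login.com"}, {"name": "corp-ssoportal.net"}]})

DOMAIN_RE = re.compile(r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\b", re.I)

def extract_domains(raw, known=frozenset(), nameserver=None):
    """Steps 3-4: harvest domain-shaped strings, lowercase, dedupe, drop the
    nameserver itself and anything already listed in known.txt."""
    found = {m.group(0).lower() for m in DOMAIN_RE.finditer(raw)}
    found.discard((nameserver or "").lower())
    return sorted(found - {k.lower() for k in known})

def build_a_query(domain, txid):
    """Minimal RFC 1035 A query: 12-byte header with RD set, one question, no EDNS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("idna") for l in domain.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _skip_name(buf, off):
    """Advance past a possibly compressed name and return the new offset."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def parse_a_records(resp, txid):
    """Return the A-record IPs in a reply; raise on txid mismatch or RCODE != 0."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch (stray or spoofed reply)")
    if flags & 0x000F:
        raise ValueError("DNS rcode %d (3 = NXDOMAIN)" % (flags & 0x000F))
    off = 12
    for _ in range(qd):                    # skip the echoed question section
        off = _skip_name(resp, off) + 4
    ips = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen                       # CNAMEs etc. are skipped, not followed
    return ips

def resolve_via(domain, resolver_ip="1.1.1.1", timeout=3.0):
    """Step 6: one UDP query to the recursive resolver. Only the resolver is contacted;
    it, not this host, goes on to ask the domain's authoritative nameserver."""
    txid = int.from_bytes(os.urandom(2), "big")   # unpredictable ID per query
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_a_query(domain, txid), (resolver_ip, 53))
        resp, _ = s.recvfrom(4096)
    return parse_a_records(resp, txid)

def resolve_all(domains, resolver=resolve_via, workers=16):
    """Steps 5 and 7: thread-pool fan-out; a failing domain becomes an error string."""
    results = {}
    with concurrent.futures.ThreadPoolExecutor(max_workers=workers) as pool:
        futures = {pool.submit(resolver, d): d for d in domains}
        for fut in concurrent.futures.as_completed(futures):
            try:
                results[futures[fut]] = fut.result()
            except Exception as exc:       # timeout, NXDOMAIN, malformed reply: log, don't abort
                results[futures[fut]] = "error: %s" % exc
    return results

def rdap_network_summary(rdap_json):
    """Step 8: range, network name and registrant org from an RDAP IP network
    object (RFC 9083 shape); the AS number is not part of that object by default."""
    doc = json.loads(rdap_json)
    registrant = None
    for ent in doc.get("entities", []):
        if "registrant" in ent.get("roles", []):
            for prop in ent.get("vcardArray", ["vcard", []])[1]:
                if prop[0] == "fn":        # organisation's formatted name
                    registrant = prop[3]
    return {"name": doc.get("name"), "registrant": registrant,
            "range": (doc.get("startAddress"), doc.get("endAddress"))}

def flag_rows(rows, owners=("DigitalOcean", "Virtuo"), keywords=("okta", "sso")):
    """Steps 10-11: keep rows whose owner is on the watch list or whose domain carries
    an SSO-themed keyword (the hunt criteria given later on this page)."""
    return [r for r in rows
            if any(o.lower() in (r.get("owner") or "").lower() for o in owners)
            or any(k in r["domain"].lower() for k in keywords)]

if __name__ == "__main__":
    hits = extract_domains(SAMPLE_JSON, known={"example.org"}, nameserver="ns3.my-ndns.com")
    for dom, ips in resolve_all(hits).items():   # live UDP queries to 1.1.1.1
        print(dom, ips)
```

The HTTP fetch of the RDAP document is left out; `https://rdap.org/ip/<address>` redirects to the responsible registry, and `rdap_network_summary` parses what comes back. Running the file as a script sends real queries to 1.1.1.1 for the two constructed hostnames; importing it does nothing on the network.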
Today's output:
Thread 1/🚨 Uncovering the Keys to the Kingdom: A Dive into Deep-State Espionage Entangled in a Ransomware Network for Cover! 🚨
Ever thought a simple SSH key could be the link to a sprawling espionage network? After months of research, I’ve traced exposed public SSH keys that reveal connections far deeper than initially believed.
Once suspected as the work of a ransomware affiliate, these keys hint at something much more sinister: possible nation-state involvement.
💥March 2023: Talos published a bombshell report on #YoroTrooper, exposing an #espionage campaign targeting EU Governing Entities in CIS countries, embassies, and the EU healthcare sector.
💥Buried in the details was an IP 46.161.40.164 with an SSH key (fingerprint_sha256: f95812cbb46f0a664a8f2200592369b105d17dfe8255054963aac4e2df53df51) that set off alarms. 🕵️♂️
And here’s why: this key has reappeared on over 120 servers, forming clusters with alarming patterns of activity.
💥October 26, 2023: Another #Talos report on YoroTrooper exposed another IOC tied to that same key, linking two IPs (46.161.40.164, 46.161.27.151) to espionage activity.
My analysis shows even deeper connections; here is where we start seeing links to ransomware: the Shadow Syndicate, a ransomware affiliate potentially linked to espionage.
July 2024: A #Mandiant report flags the same IP, 46.161.27.151, connected to the notorious #BlackBasta ransomware group. But as we dig deeper, it’s clear the server may be controlled by a much bigger player.
Could this SSH key be the thread tying espionage and ransomware together? Are these ransomware affiliates merely proxies for nation-states, muddying their tracks?
🕵️♂️ Buckle up for what’s next—this thriller is just getting started.
Thread 2/ Keys to the Kingdom: A Deepening Threat in the #Energy Sector 🔍
💥 In March 2023, Talos highlighted the Energy sector as a specific target in an espionage campaign. Then, in August 2023, #Kaspersky reported on suspicious activity against an electric utility in Southern Africa, revealing #Cobalt Strike #beacons and a new #SystemBC payload variant, dubbed #DroxiDat. According to Kaspersky, this attack occurred in March 2023 and was likely the initial stage of a #ransomware operation.
💥Yet, there’s more to this than meets the eye. The SSH key fingerprint_sha256: f95812cbb46f0a664a8f2200592369b105d17dfe8255054963aac4e2df53df51 resurfaces here, linked to IP 179.60.146.6:22.
💥This aligns almost too well with Talos’s original indicators, connecting tactics, techniques, and procedures (TTPs) across both campaigns.
💥Notably, the attackers used bespoke, energy-themed domains, indicating a level of precision beyond typical ransomware affiliate activity.
💥The alignment with Talos’s intelligence and the calculated nature of these tactics hint at something far more sophisticated. Could this be a nation-state operation, using ransomware as a convenient cloak for their espionage efforts?
Thread 3/ 🔍 Keys to the Kingdom: Is APT28 Using Play Ransomware as a Smokescreen? 🔍
💥By May 2024, #TrendMicro’s report, Cybercriminals and Nation-States Sharing Compromised Networks, brought to light a shared infrastructure between cybercriminals and nation-state actors.
💥But as I dig deeper, a disturbing pattern emerges: the ShadowSyndicate SSH key fingerprint_sha256: bd613b3be57f18c3bceb0aaf86a28ad8b6df7f9bccacf58044f1068d1787f8a5, linked to multiple IPs, potentially links to APT28 activity.
💥More intriguing, one of these IPs also overlaps with #Play_ransomware indicators, hinting at a potential smokescreen operation.
Key questions are now taking shape:
🔒While Trend Micro observed that nation-states and cybercriminals might be “sharing” infrastructure, could APT28 be doing much more than that?
🔒My research suggests they might be controlling these routers outright, using them as a stealth layer for their espionage efforts.
🔒Trend Micro pointed out that #PawnStorm (#APT28) had access to a criminal-run botnet of compromised Ubiquiti EdgeRouters. But with the SSH key and IP overlaps pointing to APT28, could they be running this botnet rather than merely renting it?
Following the January 2024 disruption of this botnet by the FBI, the botnet’s rapid reassembly with new C&C infrastructure suggests a sophisticated and centralised approach, one likely orchestrated by APT28. This overlap between ransomware and nation-state TTPs hints that APT28 may be masking their operations behind a facade of criminal activity.
Could this be a glimpse into APT28’s playbook, leveraging cybercriminal groups as a smokescreen while they pursue far-reaching espionage goals?
Thread 1 / If you're gonna read one #CTI thread today, make it this one!! – How one IP unraveled an Access Broker's Ransomware Network! 🚨🧵
🚨 Unmasking Adversary Infrastructure – New Findings on 193.29.13.167! #ThreatIntel #Rustdoor #GateDoor
📌 My previous tweet spotlighted IP 193.29.13.167, tied to an Access Broker linked to #Rustdoor, sparking a cascade of findings across domains like datasmetric[.]com and historic indicators from maconlineoffice[.]com. Here’s how that single thread pulled open the ransomware landscape.
2/ 🔎 Research Shift: Switched to FOFA, and it’s been a game-changer! #Fofa identified Port 22 (SSH) open on the IP, leading to a deep dive into public key fingerprints 🔑
Each fingerprint connected to the next, unveiling a network of related threats!
3/ 🚨 Clop Infrastructure Links:
Pivoting from fingerprint_sha256:bd613b3be57f18c3bceb0aaf86a28ad8b6df7f9bccacf58044f1068d1787f8a5
💥revealed IP 88.214.27.72 with domains:
💥he1p-me[.]com
💥goto-pay[.]com
#Clop payment infrastructure, as noted by @AlvieriD in June 2024!
Another #Cl0p IP, 45.227.253.147, carries the same SSH key, strengthening the case that a ransomware affiliate (or access broker) is involved in Clop's malicious activity!
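The pivot in the threads above starts from a fingerprint_sha256 value. As an added example, not the author's tooling, here is how that value is produced from an SSH host key line (ssh-keyscan output or an authorized_keys / .pub entry), so a key captured on a host can be turned into the same 64-hex string a search engine indexes and matched against a watch list in either spelling. The key below is constructed (32 bytes of 0x42 in a syntactically valid ssh-ed25519 blob) and is not one of the keys discussed in these threads.

```python
import base64
import hashlib
import struct

def _ssh_string(b):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack("!I", len(b)) + b

# Constructed sample: a well-formed ssh-ed25519 blob whose 32-byte key is 0x42 repeated.
# It is NOT a real key and NOT one of the keys discussed above.
SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(b"\x42" * 32)
SAMPLE_KEY_LINE = "203.0.113.10 ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode()

def parse_key_line(line):
    """Return (key_type, raw_blob) from an ssh-keyscan line ('host type b64') or an
    authorized_keys / .pub line ('type b64 [comment]'); cross-checks the wire-encoded type."""
    parts = line.split()
    for i, tok in enumerate(parts[:-1]):
        if tok.startswith(("ssh-", "ecdsa-", "sk-")):
            blob = base64.b64decode(parts[i + 1])
            tlen = struct.unpack("!I", blob[:4])[0]
            wire_type = blob[4:4 + tlen].decode()
            if wire_type != tok:
                raise ValueError("key type mismatch: %s vs %s" % (tok, wire_type))
            return tok, blob
    raise ValueError("no SSH public key found in line")

def fingerprints(line):
    """SHA-256 over the raw key blob (the base64-decoded part) in both spellings:
    'hex'     64 hex chars, the fingerprint_sha256 form quoted in these threads
    'openssh' SHA256:<base64 without padding>, as ssh-keygen -lf prints it"""
    _, blob = parse_key_line(line)
    digest = hashlib.sha256(blob).digest()
    return {"hex": digest.hex(),
            "openssh": "SHA256:" + base64.b64encode(digest).decode().rstrip("=")}

def openssh_to_hex(fp):
    """Convert 'SHA256:<unpadded base64>' to the hex form used in search-engine queries."""
    b64 = fp.split(":", 1)[1]
    return base64.b64decode(b64 + "=" * (-len(b64) % 4)).hex()

def match_watchlist(line, watchlist):
    """True when the key on this line is on the watch list; entries may be hex
    (any case) or OpenSSH 'SHA256:' form."""
    watch = {openssh_to_hex(w) if w.startswith("SHA256:") else w.lower() for w in watchlist}
    return fingerprints(line)["hex"] in watch

if __name__ == "__main__":
    print(fingerprints(SAMPLE_KEY_LINE))
```

Feed it `ssh-keyscan -t ed25519,rsa <host>` output line by line; the hex form is what to paste into the search engine, and the OpenSSH form is what you will see when comparing against `ssh-keygen -lf` on a seized key file.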
#ScatteredSpider #TheCom #Phishkit #CTI Next steps:
🧵 Thread 2 / Each day, a list of new domains will appear in dns[.]coffee. Here's what we're looking for when trying to find the needle in the haystack🪡:
🔒 Domains Hosted on DigitalOcean - check in VirusTotal
🔒 Registered via NICENIC INTERNATIONAL GROUP CO - data in VirusTotal
🔒 Look for Domains spoofing OKTA or SSO
🧵 Thread 3 / Don't forget you can always pivot on the TLS certificate, with wildcard searches using another free tool, crt[.]sh
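One way to run that certificate pivot programmatically, as an added example rather than the thread author's tooling: crt[.]sh exposes the same wildcard search as JSON via `output=json`, and each row's `name_value` lists every SAN on the certificate, one per line. The response below is constructed; the field names match crt.sh's JSON output, and the hostnames are made up.

```python
import json
import urllib.parse

# Constructed sample of the JSON crt.sh returns for a wildcard query (the real output
# carries more fields, e.g. id, entry_timestamp, not_after, serial_number).
SAMPLE_CRTSH = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "okta-sso-login.com",
     "name_value": "okta-sso-login.com\nwww.okta-sso-login.com", "not_before": "2024-06-03T00:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "*.okta-sso-login.com",
     "name_value": "*.okta-sso-login.com\nokta-sso-login.com", "not_before": "2024-06-01T00:00:00"},
])

def crtsh_url(pattern):
    """Build the crt.sh JSON query URL; '%' is the wildcard, so crtsh_url('%.example.com')
    matches every certificate naming a subdomain (urlencode turns % into %25)."""
    return "https://crt.sh/?" + urllib.parse.urlencode({"q": pattern, "output": "json"})

def first_seen(json_text):
    """Map each hostname in the results to its earliest not_before; one certificate row
    can contribute several hostnames because name_value holds one SAN per line."""
    seen = {}
    for entry in json.loads(json_text):
        for name in entry.get("name_value", "").splitlines():
            name = name.strip().lower()
            if name:
                when = entry.get("not_before", "")
                seen[name] = min(seen.get(name, when), when)
    return seen

def hostnames(json_text, drop_wildcards=True):
    """Sorted unique hostnames, optionally without '*.' entries, which only show that the
    parent domain had a wildcard certificate, not that a particular host exists."""
    return sorted(n for n in first_seen(json_text)
                  if not (drop_wildcards and n.startswith("*.")))

if __name__ == "__main__":
    print(crtsh_url("%.okta-sso-login.com"))
    print(first_seen(SAMPLE_CRTSH))
```

The earliest `not_before` per hostname is a cheap timeline: infrastructure that first got a certificate days before a phishing wave is worth a closer look than a name that has carried certificates for years.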