Chris Duggan
Director of TLP R3D Intelligence | Inventor of Endpoint Threat Intelligence Agent (GB2314601.2) | Curated Intel Member | Pioneering the Future of CTI
Oct 27 8 tweets 7 min read
Thread 1/🚨 Uncovering the Keys to the Kingdom: A Dive into Deep-State Espionage Entangled in a Ransomware Network for Cover! 🚨

Ever thought a simple SSH key could be the link to a sprawling espionage network? After months of research, I’ve traced exposed public SSH keys that reveal connections far deeper than initially believed.

Once suspected as the work of a ransomware affiliate, these keys hint at something much more sinister: possible nation-state involvement.

💥March 2023: Talos published a bombshell report on #YoroTrooper, exposing an #espionage campaign targeting EU Governing Entities in CIS countries, embassies, and the EU healthcare sector.

💥Buried in the details was an IP 46.161.40.164 with an SSH key (fingerprint_sha256: f95812cbb46f0a664a8f2200592369b105d17dfe8255054963aac4e2df53df51) that set off alarms. 🕵️‍♂️

And here’s why: this key has reappeared on over 120 servers, forming clusters with alarming patterns of activity.

💥October 26, 2023: Another #Talos report on YoroTrooper exposed another IOC tied to that same key, linking two IPs (46.161.40.164, 46.161.27.151) to espionage activity.

My analysis shows even deeper connections here; it’s where we start seeing links to ransomware: the Shadow Syndicate, a ransomware affiliate potentially linked to espionage.

July 2024: A #Mandiant report flags the same IP, 46.161.27.151, connected to the notorious #BlackBasta ransomware group. But as we dig deeper, it’s clear the server may be controlled by a much bigger player.

Could this SSH key be the thread tying espionage and ransomware together? Are these ransomware affiliates merely proxies for nation-states, muddying their tracks?

🕵️‍♂️ Buckle up for what’s next—this thriller is just getting started.

#CyberEspionage #ThreatIntel #YoroTrooper #BlackBasta #ShadowSyndicate #NationStateHacking #CyberThriller

Thread 2/ Keys to the Kingdom: A Deepening Threat in the #Energy Sector 🔍

💥 In March 2023, Talos highlighted the Energy sector as a specific target in an espionage campaign. Then, in August 2023, #Kaspersky reported on suspicious activity against an electric utility in Southern Africa, revealing #Cobalt Strike #beacons and a new #SystemBC payload variant, dubbed #DroxiDat. According to Kaspersky, this attack occurred in March 2023 and was likely the initial stage of a #ransomware operation.

💥Yet, there’s more to this than meets the eye. The SSH key fingerprint_sha256: f95812cbb46f0a664a8f2200592369b105d17dfe8255054963aac4e2df53df51 resurfaces here, linked to IP 179.60.146.6:22.

💥This aligns almost too well with Talos’s original indicators, connecting tactics, techniques, and procedures (TTPs) across both campaigns.

💥Notably, the attackers used bespoke, energy-themed domains, indicating a level of precision beyond typical ransomware affiliate activity.

💥The alignment with Talos’s intelligence and the calculated nature of these tactics hint at something far more sophisticated. Could this be a nation-state operation, using ransomware as a convenient cloak for their espionage efforts?

Buckle up, this thriller is only getting deeper!

#EnergySector #CyberEspionage #NationState #Ransomware #ThreatIntel #CobaltStrike #SystemBC #DroxiDat #TalosIntel
Oct 25 7 tweets 3 min read
Thread 1 / If you're gonna read one #CTI thread today, make it this one!! – How one IP unraveled an Access Broker's Ransomware Network! 🚨🧵

🚨 Unmasking Adversary Infrastructure – New Findings on 193.29.13.167! #ThreatIntel #Rustdoor #GateDoor

📌 My previous tweet spotlighted IP 193.29.13.167, tied to an Access Broker linked to #Rustdoor, sparking a cascade of findings across domains like datasmetric[.]com and historic indicators from maconlineoffice[.]com. Here’s how that single thread pulled open the ransomware landscape…

2/ 🔎 Research Shift: Switched to FOFA, and it’s been a game-changer! #Fofa identified Port 22 (SSH) open on the IP, leading to a deep dive into public key fingerprints 🔑

Here’s where it got interesting.

🧩 SSH Key Pivoting: FOFA revealed Fingerprint SHA-256: bd613b3be57f18c3bceb0aaf86a28ad8b6df7f9bccacf58044f1068d1787f8a5 (77 matches)🕵️‍♂️

Each fingerprint connected to the next, unveiling a network of related threats!
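Both SSH-key threads above pivot on a `fingerprint_sha256` value as reported by FOFA. The defender-side counterpart is to compute the same digest for the host keys your own systems have recorded (known_hosts, authorized_keys, inventory exports) and compare them against a fingerprint watchlist. The following is an added example written for this page, not the author's tooling or FOFA's code. It assumes (the thread does not state it) that FOFA's `fingerprint_sha256` is the hex SHA-256 of the raw SSH key blob, which is the same digest OpenSSH displays as base64 `SHA256:...`; the sample key and the host `198.51.100.7` are constructed, not observed indicators.

```python
"""Compute SSH public-key fingerprints from known_hosts / authorized_keys style
lines and match them against a watchlist. Added example for this page, not the
thread author's tooling. Assumption (not stated in the thread): FOFA's
fingerprint_sha256 is the hex SHA-256 of the raw key blob, the same digest
OpenSSH shows in base64 as 'SHA256:...'. The sample key below is constructed
from 32 sequential bytes and is not a real or observed key."""
import base64
import binascii
import hashlib
import struct

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")


def _read_string(blob, off):
    """Read one RFC 4253 'string' (uint32 length + bytes) from blob at off."""
    (n,) = struct.unpack("!I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n


def parse_pubkey_line(line):
    """Return (key_type, blob) from 'host keytype b64' or 'keytype b64 [comment]'."""
    fields = line.strip().split()
    for i, field in enumerate(fields[:-1]):
        if field.startswith(KEY_TYPE_PREFIXES):
            blob = base64.b64decode(fields[i + 1], validate=True)
            inner_type, _ = _read_string(blob, 0)
            if inner_type != field.encode("ascii"):
                raise ValueError("key type field does not match the encoded blob")
            return field, blob
    raise ValueError("no public key found in line")


def fingerprint_hex(blob):
    """Hex SHA-256 of the key blob (the assumed FOFA fingerprint_sha256 form)."""
    return hashlib.sha256(blob).hexdigest()


def fingerprint_openssh(blob):
    """OpenSSH display form: 'SHA256:' plus unpadded base64 of the same digest."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def _normalize(fp):
    """Accept either hex or 'SHA256:<base64>' and return lowercase hex."""
    fp = fp.strip()
    if fp.startswith("SHA256:"):
        b64 = fp[len("SHA256:"):]
        return base64.b64decode(b64 + "=" * (-len(b64) % 4)).hex()
    return fp.lower()


def match_watchlist(lines, watchlist):
    """Return (line, hex_fp) for each key line whose fingerprint is on the watchlist."""
    wanted = {_normalize(w) for w in watchlist}
    hits = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        try:
            _, blob = parse_pubkey_line(line)
        except (ValueError, binascii.Error, struct.error):
            continue                      # comments, garbage and malformed keys are skipped
        fp = fingerprint_hex(blob)
        if fp in wanted:
            hits.append((line.strip(), fp))
    return hits


def make_ed25519_blob(raw32):
    """Build an ssh-ed25519 blob from 32 key bytes (used only for constructed samples)."""
    return struct.pack("!I", 11) + b"ssh-ed25519" + struct.pack("!I", 32) + raw32


SAMPLE_BLOB = make_ed25519_blob(bytes(range(32)))   # constructed, not a real key
SAMPLE_LINE = "198.51.100.7 ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode("ascii")  # TEST-NET-2 host

if __name__ == "__main__":
    watch = [fingerprint_hex(SAMPLE_BLOB)]            # stand-in for a list of watchlisted fingerprints
    for line, fp in match_watchlist([SAMPLE_LINE, "# comment"], watch):
        print(f"watchlisted key on {line.split()[0]}: {fp}")
```

Because the digest is taken over the decoded key blob rather than the base64 text, the same function works for a FOFA-style hex value and for the `SHA256:` form printed by `ssh-keygen -lf`, so a watchlist can mix both.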
Oct 13 14 tweets 5 min read
🧵Thread / 🕵️‍♂️ Ever wanted to hunt down APTs like #TheCom via DNS but can't be bothered with all the searching and clicking?

Want to get a list of interesting 'live' domains to investigate in under 60 seconds ⏰!!

No worries! Let's automate the process with a Python script that's fast and safe.

No APIs or expensive subscriptions needed — just 1.1.1.1 and some threading magic! 🧵👇

#ScatteredSpider #TheCom #VirtuoSpider #Phishkit #CTI #Hunting #Automation

1️⃣ First, we define the nameserver we're targeting. In this case, it's ns3.my-ndns[.]com. This is where Virtuospider might be lurking! 🕸️
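The thread describes its script only as an image: resolve a list of candidate domains through 1.1.1.1 with threading and keep the ones that are live. The block below is an added example written for this page, not the author's script. It assumes the candidate list has already been gathered (for instance from a passive-DNS listing for the nameserver), builds raw A-record queries in RFC 1035 wire format, sends them to 1.1.1.1 over UDP from a thread pool, and parses the answers itself so no third-party library or API is needed. The two domains in the `__main__` block are constructed placeholders, not indicators from the thread.

```python
"""Find which candidate domains currently resolve, by sending raw DNS A queries
to 1.1.1.1 over UDP from a thread pool. Added example for this page, not the
thread author's script. Assumes the candidate list has already been gathered
(for example from a passive-DNS feed); the domains in __main__ are constructed
placeholders, not indicators from the thread."""
import random
import socket
import struct
from concurrent.futures import ThreadPoolExecutor

RESOLVER = ("1.1.1.1", 53)   # public recursive resolver; the suspect hosts themselves are never contacted


def build_query(domain, qid):
    """Encode a recursive A-record query in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    labels = domain.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(data, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(data, expected_qid=None):
    """Return the A-record IPs in a response, [] for NXDOMAIN or no data,
    None for a malformed or mismatched packet."""
    try:
        qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
        if expected_qid is not None and qid != expected_qid:
            return None
        if not flags & 0x8000:           # QR must be set on a response
            return None
        rcode = flags & 0x000F
        if rcode == 3:                   # NXDOMAIN: the domain does not exist
            return []
        if rcode != 0:
            return None
        off = 12
        for _ in range(qd):
            off = _skip_name(data, off) + 4          # skip QTYPE/QCLASS
        ips = []
        for _ in range(an):
            off = _skip_name(data, off)
            rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
            off += 10
            if rtype == 1 and rclass == 1 and rdlen == 4:
                ips.append(socket.inet_ntoa(data[off:off + 4]))
            off += rdlen                  # CNAME or other records are skipped
        return ips
    except (struct.error, IndexError):
        return None


def resolve(domain, timeout=2.0):
    """Query RESOLVER once for the domain's A records; None on timeout or error."""
    qid = random.randrange(1, 65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(domain, qid), RESOLVER)
            data, _ = sock.recvfrom(512)
        except (socket.timeout, OSError):
            return None
    return parse_response(data, qid)


def find_live(domains, resolver=resolve, workers=32):
    """Resolve all domains concurrently; return {domain: ips} for those with A records."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(resolver, domains))
    return {d: ips for d, ips in zip(domains, results) if ips}


if __name__ == "__main__":
    candidates = ["example.com", "no-such-host.invalid"]   # constructed placeholders
    for domain, ips in find_live(candidates).items():
        print(f"{domain} -> {', '.join(ips)}")
```

Querying a public recursive resolver is what makes the approach "safe" in the thread's sense: the analyst's machine only ever talks to 1.1.1.1, never to the suspect infrastructure, and the thread pool is what brings a list of a few hundred names under the advertised minute.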
Oct 12 6 tweets 3 min read
🧵 Thread 1/ So you want to track Scattered Spider but Censys and Shodan are just too slow? Here's the cheat sheet! 🕵️‍♂️

Scattered Spider registers their domains using the nameserver ns3.my-ndns[.]com. We can passively monitor this DNS for new domains. 🕸️

Don't have DomainTools to monitor the DNS? No fear! You can use dns[.]coffee a free service that provides the data you need.

☕ Check out: dns[.]coffee/nameservers/ns3[.]my-ndns[.]com

#ScatteredSpider #TheCom #Phishkit #CTI Next Steps…

🧵 Thread 2 / Each day, a list of new domains will appear in dns[.]coffee. Here's what we're looking for when trying to find the needle in the haystack🪡:

🔒 Domains Hosted on DigitalOcean - check in VirusTotal
🔒 Registered via NICENIC INTERNATIONAL GROUP CO - data in VirusTotal
🔒 Look for Domains spoofing OKTA or SSO