NorthSec 2021

Blurred lines - The mixing of APTs with Crimeware groups
2021-05-21, 10:50–11:20, Main stream

State-sponsored actors and APT groups are not necessarily the same. A state-sponsored actor can be defined as an APT that is supported in some way by a state. This does not automatically make all APTs state-sponsored. APT actors that provide hacking-as-a-service are not necessarily a state-sponsored actor because they can’t be tied to a specific state — they will work for whoever pays the most. But this doesn’t mean that they shouldn’t be considered an APT. These lines get even blurrier when an actor has the characteristics and behaviour we observe in Gamaredon and Prometium groups. These groups whose main interest has been espionage, without any indications of being interested in using crimeware techniques to monetize their activity. Which should put them outside the crimeware gang definitions, however their behavior certainly resembles a crimeware gang rather than an APT.


Our presentation shows there is a space for the second-tier APT classification, one where the actor provides breach services to a larger actor, almost mimicking what happens in the crimeware scene, where some groups just gather credentials which they then sell to other crimeware groups. There are other groups that may offer hacking-as-a-service, but rather than working for the highest bidder, they serve a specific country or group, perhaps to align with their own intentions. At the same time, these groups will do whatever is best to maximize their gains. The advantage in this case is that they benefit from the “protection” of the APT for which they provide the services. Finally, this second-tier category should also include the APTs that lack the sophistication of others and often have their operations exposed due to bad opsec or amateuristic mistakes.
We believe that challenging the status quo on Gamaredon and others that could fit the previous definition, is beneficial as a whole. It will help organizations better understand the threats that they must focus their resources on. The fact remains Gamaredon remains a notoriously prolific group operating without any constraints on a globally impacting level.


Workshops only: Would you like to stream the workshop to an additional (passive) audience? – no Have you given this talk/workshop before? If yes, please provide details and/or slides/video.

No

Warren Mercer joined Talos coming from a network security background, having previously worked for other vendors and the financial sector. Focusing on security research and threat intelligence, Warren finds himself in the deep, dark and dirty areas of the Internet and enjoys the thrill of the chase when it comes to tracking down new malware and the bad guys! Warren has spent time in various roles throughout his career, ranging from NOC engineer to leading teams of other passionate security engineers. Warren enjoys keeping up to speed with all the latest security trends, gadgets and gizmos; anything that makes his life easier in work helps!

This speaker also appears in:

Vitor Ventura is a Cisco Talos security researcher. Has a researcher, he investigated and published various articles on emerging threats. Most of the days Vitor is hunting for threats, investigating, them reversing code but also looking for the geopolitical and/or economic context that better suits them. Vitor has been a speaker in conferences, like NorthSec, Virus Bulletin, Recon Brussels, Defcon Crypto Village and BSides Lisbon and oPorto among others. Prior to that he was IBM X-Force IRIS European manager where he was lead responder on several high profile organizations affected by the WannaCry and NotPetya infections, helping to determine the extent of the damage and to define the recovery path. Before that he did penetration testing at IBM X-Force Red, where Vitor lead flagship projects like Connected Car assessments and Oil and Gas ICS security assessments, custom mobile devices among other IoT security projects. Vitor holds multiple security related certifications like GREM (GIAC Reverse Engineer Malware), CISM (Certified Information Security Manager).

This speaker also appears in: