Advanced Persistent Threat (APT) groups invest in developing their arsenal of exploits and malware to stay below the radar of their victims' security controls and persist on the target machines for as long as possible.
We were curious whether the same effort is invested in the operational security of these campaigns. We started a journey researching active campaigns from the Middle East to the Far East, including the Palestinian Authority, Turkey, Iran, Russia, China, and North Korea. These campaigns ranged from state-sponsored, surveillance-targeted attacks to large-scale financially motivated attacks. We looked at almost every technology used and every step taken throughout the attack chain: Windows (Go-lang/.Net/Delphi) and Android malware, and both Windows- and Linux-based C2 servers.
We found a multitude of unbelievably critical mistakes which open a unique window into new advanced TTPs used by attackers, for example "bypassing iCloud two-factor authentication" and large-scale crypto wallet and NFT stealing methods. In many cases, we were able to join the attackers' internal groups and view their chats, emails, and even bank accounts and crypto wallets. We understood their business models and were surprised to see the scale of sensitive data sharing, such as entire citizen databases, passports, SSNs, etc. In some cases, we were able to take down the entire campaign.
We will present our latest breakthroughs from our seven-year mind game against the sophisticated Infy threat actor, who successfully ran a 15-year active campaign using the most secure OpSec attack chain we have encountered.
We will explain how they improved their OpSec over the years and how we recently managed to monitor their activity in real time.
This session will be held by Tomer Bar. Tomer is a hands-on security researcher with 20 years of unique experience as a manager in cyber security. In the past, he ran research groups for the Israeli government and then led the endpoint malware research for Palo Alto Networks. Currently, he leads SafeBreach Labs as the director of security research.
His main interests are Windows vulnerability research, reverse engineering, and APT research. He is a well-known international speaker and has spoken at many international conferences, including BlackHat, Defcon, ReCon, and Sector, to mention a few.
If you want to learn what an APT actually is, then you should not miss this session!