Operation Cloud Hopper

Although long, a highly recommended read:

https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html

https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-updated.pdf

One thing I want to call out is Table 3, where PWC clearly demonstrated an interesting composite indicator of a TTP that appears to be specific to this operation. Specifically, the use of @india.com registrants and ITITCH nameservers. If you have the ability to pivot on this TTP, then you're likely to find a significant number of other similar domains.

Happy hunting, y'alls!

Comments

Post a Comment

Popular posts from this blog

Yara and Rich Headers are full of win

Rich Headers are awesome and you should read about them here: http://www.ntcore.com/files/richsign.htm I was looking at a sample recently and, being the good analyst I am, attempted to automate my DFIR processes using the tools I had handy. Step 1: Get the Rich Headers for the malicious binary. Let's use 9e6658fab423d9b3fabc3578ac5482bf4f21f6fb98949d8ef4f3cad349862b82, a known RAMNIT ransomware sample. $ laika.py 9e6658fab423d9b3fabc3578ac5482bf4f21f6fb98949d8ef4f3cad349862b82 | jq '.scan_result[].moduleMetadata | select(.META_PE) | .META_PE."Rich Header"' { "Checksum": 3183276661, "Hashes": { "SHA1": "dd0f0861bc67028b3cab0d6cdc55a29cc2822f64", "SHA256": "8fd544eee7389c64a29440555f5b968ae0632ed3b989a63402b6d43934a8973e", "MD5": "8451f317057b289c04b2c5b202c09715" }, "Rich Header Values": [ { "Count": 6, "Version": ...
Read more

[repost] Cyberespionage, and the Need for Norms

This is a quick one, but I wanted to call out a piece shared with me by a peer in the industry: http://harvardpolitics.com/covers/cyberespionage-need-norms/ A truly key point here: [C]onsider how almost every recent cybercrime is called a “cyberattack” by the media. North Korea’s hack into Sony Pictures, China’s theft of American personnel records, and Russia’s attack on Estonian online infrastructure were all dubbed "cyberattacks," despite their significant differences. The repeated use of this simplistic label has muddied dialogue surrounding this issue by obscuring the unique qualities of different cybercrimes—making it difficult to keep track of what actions warrant retaliation. This has been a pain-point of mine for a few years now, but I have yet to convince many others in my field that computer/network espionage (CNE) is explicitly NOT an attack. Also, I hate the prefix cyber. It has no meaning. For more info on this, see: http://willusingtheprefixcybermakem...
Read more

Baller On A Budget: A series on cost-effective IT/infosec practices

I want to start a series of posts on how to do CND/DFIR/CTI on a budget. I've spent the last decade of my life working in the IT world. I spent about half that time working as a part-time administrator/engineer in a small datacenter within a large corporation. I touched a lot of tech during that time frame and adopted a significant amount of it into my own homelab. But the last five years of my life have been devoted to CND/DFIR/CTI. One of the things I've experienced working in this field has been the vast differences between the large and small companies in terms of capabilities. My current job involves sharing CTI with a wide variety of companies with a wide variety of maturity in terms of CND/DFIR/CTI capabilities. A common complaint I hear from the small-/medium-sized companies is that they could never keep up with the bigger companies because they lack resources. If you fall into this bucket, then this series is for you. A few problems I hope to solve on shoestring ...
Read more