As an intelligence analyst, it’s paramount to stay on top of what’s happening in the world around you. To inform our own research and develop skills, we typically keep on top of the news cycle by reading from multiple news sources, of course, mostly covering the world of cyber threats.  Some of the more interesting pieces we’ve read this month are highlighted below. 

Tom – Cyber Threat Intelligence Study Plan

Cyber threat intelligence (CTI) is a multifaceted and emerging field, with many companies and individuals having varying ideas on how it should be implemented. But like many things, there is a right and a wrong way to do it. So what makes a good CTI analyst? What is the right way to do CTI? Andy Piazza answers those questions in his blog titled “Cyber Threat Intelligence Study plan”, aimed at those looking to enter this fascinating field.

CTI aims to determine the capabilities and intentions of threat actors. This aim requires skill sets from information security and intelligence studies, both of which are very broad fields themselves. CTI teams often have dedicated roles for differing types of intelligence including but not limited to: all source analysts, threat analysts, threat hunters, malware analysts, linguists, and data analysts. All these roles are unique, but they all have a common purpose of critically evaluating sources of information and producing actionable intelligence reports as an output.

When evaluating threat reports, CTI analysts must think critically. Consideration must be made for the report’s accuracy, the research methods used to write it, and the reputation of its source. At the forefront of the analyst’s mind should be its relevance to stakeholders. Does the report “hit close to home” in terms of the stakeholders’ infrastructure? Are they at risk? Can they detect the activity should they themselves be targeted? The analyst must also consider any gaps in coverage the report presents (i.e. what does the report not tell the reader), as well as if it contains any logical fallacies, all while being mindful of their own cognitive biases.

The end goal of evaluating threat reports is the delivery of actionable intelligence to stakeholders. This must be presented in a clear and concise manner with all information presented being relevant and accurate. Knowledge of stakeholders’ priorities and interests is vital in achieving the fine balance between presenting too little information, leading to threats being missed, and too much information, leading to “cry wolf” syndrome. Debate has a role to play in the production and dissemination of intelligence, as it facilitates the identification of biases and fallacies.

Read more about it here.

Chris – Industroyer Reloaded

The Russia-Ukraine War has seen significant amounts of malicious activity within cyberspace, with attacks targeting both sides of the conflict from a diverse range of groups. Hacktivists actors, nation-stateassociated threat groups and even cybercriminals have all had a part to play in the conflict so far. We’ve released a considerable amount of material related to this war, which can be found at the following link

As we approach the end of the second month of the conflict, the tempo and volume of offensive cyber activity against Ukraine may have taken by surprise even the most seasoned analysts. While there has been significant activity from Russia-aligned actors against Ukraine, the general consensus prior to the conflict appeared to be that the use of destructive malware would be deployed in a far greater number than it has been observed so far. The use of destructive malware so far has been targeted against several Ukrainian government organizations, but at a much more reduced tempo than perhaps anticipated during the lead-up to the conflict. 

ESET has produced a fantastic blog detailing the use of the ‘Industroyer’ malware (aka Crash Override), which you might have heard about. Industroyer was previously used to target industrial control systems, including in attacks against the Ukrainian energy sector in 2016; this resulted in a power cut across Kiev for several hours. Industroyer has previously been named by researchers as the biggest threat to ICS since Stuxnet, so you know it’s a serious threat. 

The recent deployment of Industroyet was also deployed against a Ukrainian energy provider, with the malware customized for targeting high-voltage electrical substations; this activity has been, perhaps unsurprisingly,  attributed to the Russian “Sandworm” advanced persistent threat (APT) group. Sandworm is an APT that has been associated with the Russian Military Unit 74455 of the Main Intelligence Directorate (GRU). Their responsibilities during the war with Ukraine have been considerable; the group has also been associated with targeting WatchGuard firewall appliances and ASUS routers using the Cyclops Blink botnet

It is currently unclear how Sandworm gained initial access or moved into the IT network of the electrical station. The destructive actions were scheduled for 2022-04-08; however, analysis of artifacts suggests that the attack had been planned for at least two weeks. The motivation of the attack appears to have been aimed at decommissioning several infrastructural elements related to the electrical station; the attack was likely part of a wider effort to cause disruption to Ukrainian forces, and in doing so, provide an advantage to Russia’s military efforts.

It’s likely that the use of destructive malware will increase as the war continues; Russian forces have withdrawn from the Northern regions of Ukraine and are consolidating for a new campaign in the east. Given past observations, it’s realistically possible that Industroyer will make another, unwelcome, appearance during the later stages of this conflict.

Read more about Industroyer here

Riam – Clearing the Water

With last month’s headlines still dominated by the Russia-Ukraine War, it comes as no surprise that other advanced persistent threats (APTs) in the Middle East, Asia, and beyond are taking advantage of the turmoil to fly under the radar. Looking beyond the headlines is therefore a cybersecurity team’s responsibility. Cisco Talos Intelligence’s blog post, “Iranian linked conglomerate MuddyWater comprised of regionally focused subgroups” is an excellent technical analysis of APT activity as well as a reminder to stay vigilant in today’s noisy environment. 

In their article, authors Asheer Malhotra, Vitor Ventura, and Arnaud Zobec unravel the complicated knot of MuddyWater’s techniques, tactics, and procedures (TTPs). First identified in early 2017, MuddyWater is a cyber espionage group that was directly linked to Iranian intelligence in February 2022 by the US government. The group targets government and corporate entities around the world, usually to conduct espionage, steal intellectual property, or carry out ransomware attacks.

Talos’s research shows that these differing modus operandi and geographic targets aren’t just coincidence – they’re the purposeful result of MuddyWater’s organizational structure. According to Talos, MuddyWater isn’t one behemoth group: it’s an amalgamation of smaller, independently operating teams, each one targeting specific geographic regions using specific TTPs. The decentralized group structure is adaptive, active, and effective, allowing MuddyWater to trial TTPs and gauge their success before deploying them across groups and regions. This makes MuddyWater a difficult beast to tackle. Instead of fighting Goliath, it’s combatting Hydra armed with firewalls and incident response plans.

If Marvel’s Hydra’s motto is “Cut off one head and two more shall take its place”, then the same should be true for cybersecurity teams: disable one protection, and two more will be in place to counter an attacker. Incident response teams need to make realistic threat assessments, and companies should be prepared to make use of tools and techniques to proactively counter threats.

Talos’s research offers us important lessons: Keep abreast of the threat landscape, don’t let major events hide other dangers, and know thy enemy. When cyber threat actors adapt and learn, so must we to counter them.

Read more about it here.

Closing thoughts

Lets be honest, we’re all incredibly busy these days and it is sometimes difficult to find time to identify and read long articles. This is why our intelligence service is so useful, with our team of dedicated analysts on hand to identify the threats and key details you need to know about. Why not take a demo of Search Light (now ReliaQuest GreyMatter Digital Risk Protection), to learn more about your use cases and how intelligence might make a difference for you.