Video: Iran Threat Briefing | An Analyst's View | Duration: 3621s | Summary: Iran Threat Briefing | An Analyst's View | Chapters: Welcome and Introduction (4s), Iranian Leadership Assassinations (208.69s), Cyber Threats Escalate (366.725s), Iranian Threat Analysis (554.555s), Query Refinement Strategies (1948.76s), Analyzing Handala Hack Team (2166.27s), Analyzing Hacktivist Claims (2384.52s), Analyzing Malware Patterns (2702.83s), Mitigations and Awareness (2991.95s), Conclusion and Q&A (3286.245s)
Transcript for "Iran Threat Briefing | An Analyst's View":
Hello, everyone, and welcome. Thank you for joining us today for our third Iran crisis threat briefing. My name is Kathleen Kuczma, and I run our technical marketing program. That's where I translate real-world scenarios into actionable use cases of how to use Recorded Future intelligence in the overall daily type of work that you all are doing from an investigation and response perspective. Previously, I was a sales engineer while still at Recorded Future, but I started my career in the US government within the Department of Defense working as an intelligence analyst. Now, if you've been here for the prior two sessions, welcome back. If this is your first time joining us, I'll give you a quick lay of the land of what we've done before. So we had two prior threat briefings. I have the recordings for both of those in the docs section on the right-hand side of your screen. We had our first threat briefing on March 3, and this was a panel discussion between myself and three members of our threat research team, the Insikt Group, where we talked about the geopolitical and cyber implications as well as what we were seeing on the influence operations side. And then on March 9, or last week, we had a similar situation report update across those three areas. And then there was a conversation between Recorded Future's cofounder, Dr. Christopher Ahlberg, and former MI6 director, Sir Alex Younger. So, again, if you missed either of those and want to go back, they are linked in the recordings in the docs section on the right. So today's session is a little different, especially based on the title and the description. Hopefully, those of you joining are really excited to dive a little bit deeper into some of the cyber aspects. And the reason this is possible is because I have two new guests for our briefing today. I have Carden Moore and Alexis Duffey, who are both part of our cyber intelligence engineering team.
This team works directly with our customers on more advanced technical engagements and automations. So Carden is gonna take us into a deeper look at some of the Iran APT groups, really digging into the malware pieces that they're using, which you all will be able to follow along with. And then I'll hand it over to Alexis Duffey, who will cover more of the hacktivist landscape, but really focusing on the Handala hack team. So between the three of us, we're gonna get a situation update on the most up-to-date aspects of the geopolitical, cyber, and influence operations since our last briefing, and then you'll have some hands-on experience with both Carden and Alexis. Now, while we will be using the Recorded Future platform, I'll be posting a ton of free resources throughout that you can follow along with. So whether you are a current Recorded Future customer or not, you should find value in this session. First, a few housekeeping items that always stay the same. We will have a recording of the session available once it ends. All registrants will receive an email with that recording, and there will also be a link in case you didn't sign up originally to access that recording. We are scheduled for a full sixty minutes, and we will be taking questions. I'll be looking at the Q&A throughout, but we'll also have a dedicated session after each of the different speakers' slots. So with that, let's briefly recap some of the major developments across those three key areas, really orienting since September. One of the biggest items that really broke yesterday and really the last few days, but was actually confirmed, was that Iran did confirm that Israel did kill, or assassinate, Ali Larijani. He was the Supreme National Security Council leader and really the de facto leader, especially with Khomeini's assassination on February 28. As well, it was confirmed by Iran on state media that the head of the Basij, or Iran's paramilitary force, Gholamreza Soleimani, was also assassinated.
These do mark the two biggest high-profile assassinations of Iranian leadership since supreme leader Khomeini on the twenty-eighth. If you're not familiar with who Larijani was, he was a senior Iranian politician, a military officer, and he really, as I mentioned, was considered the de facto leader after the assassination of Khomeini. And then Soleimani, he was appointed the chief of the Basij by Khomeini in July 2019. And the Basij really has played a pretty significant role in suppressing anti-government protests, including some of the large protests starting in 2019, but also more recently. And because of all of that involvement, he was under sanctions by the US and the EU as well. Now, it's important to mention that the Insikt Group right now doesn't assess that these other assassinations are likely gonna lead to a near-term collapse of the regime. You know, this is something that a lot of analysts are trying to speculate on. You know, the US and Israel last week too said they do not think we're necessarily close to that happening. Another piece not mentioned on this slide was that, you know, Mohammad Khomeini was named the supreme leader. We did talk about that last week, but he had not yet spoken publicly. So since then, he did have a televised recording of his speech on state media. We've not seen him in public, though, you know, since that announcement. So other big areas or things that happened from the geopolitical side was the US military targeting Kharg Island. This is where Iran has a lot of oil facilities. You know, President Trump does say that they did not actually target some of those specifically, but, you know, it could be on the table depending on, again, escalations continuing to rise. And then another big update, especially with the Strait of Hormuz, which really is essentially closed, but there were a few Pakistani as well as Indian cargo ships who were allowed to pass through.
So, again, in the coming weeks, it'll still be really important to gauge and look at what's happening with the Strait of Hormuz. On the influence operations side, really since the beginning of Operation Epic Fury, we've been seeing some ION 82 activity or VIP employment, some of these Telegram bots who are offering basically financial compensation to anyone who's willing to conduct any physical threat activities targeting US or Israeli interests on behalf of Iran. This activity has been observed in different channels across the US and Australia, New Zealand, a lot of other countries. You know, originally, some of these influence operation groups really have been active since, you know, the October 7 attacks. But, really, this is more of a pivot to focusing on, you know, US-type targeting. So we'll continue to track that. Again, the goal too is obviously to instill fear, but that is what we're seeing, especially on some of the Telegram chats with those groups. From some of the other groups Sean had referenced last week, Storm-2035, these are some groups who are really trying to amplify (and "over commit" is probably not the right word), but really trying to amplify any possible success against the US military, whether it's, you know, completely lying about the number of casualties. These groups are continuing to still operate and do very similar types of engagements. Another big item is Quds Day. That has happened every day since the late nineteen sixties. This is where a few different regime leaders made public appearances, including Larijani, the speaker of the parliament, Ghalibaf, as well as the Iranian president, Pezeshkian, you know, trying to frame their turnout to talk about their popular legitimacy and also the resilience of the regime. And then lastly, on the cyber operations side, one of the biggest updates was the confirmed targeting and attack by Handala hack team against a US medical device manufacturer.
This really did mark one of the first shifts from targeting Israeli companies by this group into the US, at least related to, you know, these escalations. So this is something that Alexis is going to go into a little bit more detail on here later. Some other notable activity on the cyber side is seeing some prepositioning that the Insikt Group is tracking for GreenHotel, an Iran-nexus actor, scanning Israeli government, defense, health, and academic infrastructure, specifically using a custom malware called WesRat. And some of the CVEs that WesRat has been specifically targeting, I've listed all five of those here. I'll also include them in the chat. But these are all impacting different technologies for web servers, SmarterMail, and Windows updates, as well as Cisco routers. And then lastly, which we'll go into a little bit more detail on, or Carden will cover soon, is MuddyWater, or who Recorded Future refers to as GreenGolf. It's a few new botnet activities for cyber espionage that have come up in the past week or so that we are going to dive into a little bit more. So with that context set, I'm gonna hand over the virtual microphone to Carden Moore to walk through these Iranian threat actors, including GreenGolf, in more detail. So Carden, over to you. Excellent. Thank you, Kathleen. As Kathleen mentioned, my name is Carden Moore. I'm a principal cyber intelligence engineer. On the professional services side, I've been with Recorded Future for four years, and previous to that I was an Army intelligence officer for the state of Montana. So I'm happy to be here today. And, really, what we wanna take a look at today is an analyst's view of the current situation, and we want to frame this up really in a way to focus on intelligence requirements that are coming out of the conflict.
So the first real way that we wanna look at this is through operational tempo, groups that we should be monitoring, and then, of course, IOCs associated with those groups as well. So the first real question that we have is that there was a decentralization of the cyber posture following the operation and the degradation of the C2 infrastructure specific to APT34 and the MosesStaff command and control infrastructure. So this is a situation that we're continuing to monitor. As that's been degraded, we would assess that when the C2 infrastructure is able to come back online, we would see these Iranian APT groups, specifically MosesStaff and APT34, be able to reconduct their cyber operations as well as act as that C2 infrastructure for other Iranian APTs. As of right now, it is a decentralized kind of C2 structure that we have here. So this is something that we're definitely going to look at. And briefly, after I go through these PIRs, we'll look at how I'm actually monitoring for these in the Recorded Future platform. And as Kathleen mentioned too, looking at groups that we're consistently monitoring, for me personally as an analyst, I'm monitoring groups that would be fitting my profile as far as a target. So what groups, excuse me, what targets are being targeted by these groups? Do I fit that profile? Is there one specific either hacktivist or Iranian APT that is more active in my industry or in my geographic location? And based upon those assessments, then I would be further tracking those groups more than maybe others. In this case, as we'll see, I'm really focused on maybe the operational tempo. So my focus is on which groups are the most active and which should garner most of my attention. And, again, briefly, I'll show how we can see that in the Recorded Future platform.
And then, of course, during any of these conflicts too, we want to be on the lookout for IOCs that we should be using for correlations and detections, and how do I actually amass these, keep them in a list, and make sure I'm staying up to date on the most emerging TTPs. We know when it comes to the pyramid of pain that those dynamic IOCs, hashes and domains and those types of IOCs, are dynamic in nature. They can change with the infrastructure, but it's still important that we're using those for detections and correlations as we kind of build our defense in depth. Right? So that is also something that I'm gonna be looking specifically at to answer some of the intelligence requirements that we have, or, like, if the question were to come down to me, how are we making sure that we're maintaining the defensive posture while this conflict is continuing? So in order to answer some of these, I've got some of the groups that are actually on here in the Iranian APT list, which is a list that I created within the platform, as well as Hacktivist, which is also a custom list that I've created in the platform. But that being said, I'm going to pivot quickly and show how this actually looks and how I am monitoring for this. So at this point, you should be able to see my screen. To answer the first PIR, which is essentially when will the C2 infrastructure post-conflict be at a state that we can assess Iranian APT groups would be active again, I'm looking at malicious traffic analysis with a source origination of Iran. You can see that up here. And then I'm looking at the reporting that I have below for armed conflicts that are involving Iran. And the reason that I'm doing this is just to show the stark contrast, and we're collecting telemetry and network traffic with the source origination from the IPs associated with Iran.
And then on the day of the conflict, as we've assessed and which has been reported as the blackout, that malicious traffic analysis completely dropped off. So what I'm monitoring for is activity associated with this to pick up, which would then signal possible readiness of that C2 infrastructure, and maybe it would signal Iranian APT groups, MosesStaff and APT34, which would then be, again, conducting operations. So certainly something that we're gonna continue to track as an intelligence requirement. Additionally, I mentioned which groups we're tracking, so I just created a very simple feed where I'm looking at the Iranian hacktivist groups and Iran APTs. I put them into a custom list, and I've essentially created a feed. I'm looking at Insikt reporting that is on here based upon the groups that I wanna track the most. But, of course, you can expand this to any kind of sourcing that you have, and I can open this up to other security vendor reporting as well. But this is something that I would do and create an alert. So I wanna see when these finished intelligence reports are coming in related to these groups. And over to the left, it's easy for me to see malware that's actually being used. So if I wanna pull a new and emerging malware that's coming from this type of activity, I can pull this right here. And then in addition, because I really wanna focus my attention on the groups that are the most active during this conflict, I can see that right here based upon the mentions of these different groups. So in this case, GreenGolf and the Handala hack team are the highest kind of active operationally based upon my feed. And as a result of that, I'm gonna focus my attention onto GreenGolf as an example as we move forward. Another intelligence requirement I have is collating IOCs. Luckily, Recorded Future makes this very simple by using a threat list, so I can go directly into a threat list. I can pull IOCs.
You can see these March 17 updates on here are actually directly related to the Sundra botnet that's on there, so I have the most up-to-date IOCs associated with that activity. I can use this in a couple of different ways by doing exports directly from the platform, but also because, you know, I care about automation, I can access it via the list API as well and kinda set up the automation that way. But this is a collated list, but I could also go individually into each of these groups that I find to be most pertinent, set a time frame in my brain (I only wanna use the last three months, maybe, of the infrastructure associated), and then do that collection there for IOCs. Because, again, if we're talking about the pyramid of pain and kind of blocking those dynamic IOCs or building your detection, that's the place that we wanna start. So I'm building that defense and that posture. And then I mentioned previously when looking at that feed that GreenGolf is one of the more active APT groups post-conflict. So what I wanna do as an analyst is then to build a threat actor profile. I wanna know as much as I can about this threat actor and start building beyond just IOCs, maybe get further in depth. The way I can do that is just by looking at reporting on GreenGolf. So I'll be using the intelligence cards to do this, in the notes specifically, and we've just recently published an excellent report on the actual infrastructure that's used. So from this reporting, you know, whether it be Insikt or any other security vendor, I'm gonna be pulling these IOCs. I'm gonna understand the TTPs associated with it. I'm gonna be pulling any kind of, like, specific attack vectors that we've seen this group use in the past, and I'm gonna be really focusing on that in order to build a threat actor profile, which ultimately will kind of look like this. Right?
So, again, if we follow along the priority intelligence requirements, I've basically gone from groups that I've deemed the most pertinent to those groups that are the most active, GreenGolf being the most active Iranian APT post-conflict. And so now I'm gonna dive really into a deeper analysis of this specific group. We do know that they are currently running concurrent intrusion campaigns. We have overlaps. Recorded Future calls this group GreenGolf, but they are, of course, MuddyWater and have many other names associated with them, but ultimately they are associated with the Ministry of Intelligence and Security for Iran. Up above in this first block here on recent TTPs, what I've really tried to do is limit my analysis scope. So any TTPs that you're seeing up here, besides the phishing, spear phishing, business email compromise, and tailored social engineering lures that we've seen consistently with this group, when we're talking malware and historical targets, that's really focused on the last four months. So these malware variants that you see here are those that have been used only since the very end of last year and then into the beginning of this year as well. So that's my scope of what I would really wanna focus on: the most recent infrastructure associated with this group as well as the most recent malware that's being used by this group. And then in addition to that, and really most importantly, I wanna focus on the operations post-onset of the conflict. That's what you see in these two linked reports that we have here. So we do have GreenGolf deploying this Sundra botnet using EtherHiding. This is a way that you can actually track this very well, as there are two key pieces of infrastructure that are actually a part of this. So I have that linked here as an IOC, but as we know, some of this infrastructure is dynamic in nature. It can change, as well as kind of your rules for malware.
You know, depending on the hash, there are variations that are there too, but a great place to look for detection is this hiding method. Because of the nature of how this is actually deployed, there are connections that have to be made to Ethereum smart contracts. So really, within infected machines, there has to be a connection to Ethereum ERC and contract infrastructure. So, really, there's no reason for any of your enterprise to be consistently reaching out to this Ethereum infrastructure. This is a great way to do detection and mitigation strategies for this most recent campaign from GreenGolf. So that's a deeper analysis on that, but I really wanna focus on, you know, you could go into every single one of these campaigns or really do a deeper analysis, which is kinda what I wanna show on this next activity, this GreenGolf targeting of US and Israeli organizations using these backdoors, Dindoor and FakeSet. So as an analyst, what I would be doing is taking this reporting and doing a much deeper dive. So I would start with the finished intelligence that we have, the actual report that came out, looking at the targets and looking at the new malware variants. In this case, we have two new malware variants, this Dindoor and this FakeSet malware, that were used in these campaigns. It's an excellent report that really details the IOCs associated as well as details the actual kill chain that's on here, but I wanna focus on this in a different way too, besides just collecting the IOCs, really looking at how do we analyze this malware a lot further. So I'm gonna look at just a sample of Dindoor that we've been able to collect. From here, I'm looking at the intelligence card, and I can see right away the sandbox report overview that we have detonated the sample. So I can see this in the sandbox. I can actually pivot to here and see details of the sandbox report directly here.
But I know that it is also linked into Recorded Future Triage, so that's where I'm going to pivot to see a more holistic view of the sandbox report. And now I will look at the processes associated with this malware from the detonation. And if you're looking at the finished intelligence report and kinda doing this side by side, you'll see it mirrored exactly; that's everything that was detailed there as far as the execution of the original payload. And then you can see that wscript.exe is actually used here to drop this Viper controller, at which point Viper controller then uses PowerShell with no profile, non-interactive, hidden, and execution policy bypass mode in order to drop this Tango utility .ps1. And at this point, you see kind of three interesting things here post that. So Tango utility then begins to use curl requests to reach out to this deno.land. Definitely use operational security when pivoting from anything within the sandbox of this report. But because we've looked at this before, I can pivot over and show a few things. So we're looking at the latest release here. We're also looking at kind of this release with this version system in here. So, really, what it's reaching out to is this tool, this Deno tool that is a living-off-the-land tool, something that many organizations are using in order to decode JavaScript. It's reaching out to the version to see the latest release, as you can see here, and it's grabbing that. And then it's actually using this download to be able to piece together, from the version, a URL that then it's going to use tar to actually download. So it's essentially, if you don't have Deno already on your machine, reaching out and downloading the most recent version to then execute what is the next portion of the payload, which is this base64-encoded JavaScript. So this is deno.exe.
Now that it is on the machine, it's actually, you know, decoding and running this JavaScript, which, if we look at this a little bit deeper and go to CyberChef, we wanna use "From Base64" here to do a decode. And what this is doing here is, basically, it's taking unique identifiers of your machine. So usernames and users, it's creating these unique kind of fields and using these unique fields to put together user IDs and config IDs, things of that nature. In addition to that, it's also checking kind of, like, a port-to-mutex infrastructure to see if there is a Dindoor already running on the machine. If it notices that by binding to some of these, it'll actually terminate. So it's a way to prevent concurrent running operations on here. And then it kinda does this whole process of making sure it's still running, collecting certain things from the host, putting together these unique IDs, and then encoding it into the next stage of the payload, which you can see actually right here. So if I take this next stage of the payload, which is actually being used, and copy this, and then I'll do another decode of this here. And what you see here now is the next encoded base64 that's actually passed to Deno to execute. So we can see the algorithm is the 256 hash. It's using a JSON web token. We have a campaign ID associated with it. We have a config ID associated with it, some user notes. We do see the C2 URL that's being used to encode this. What's really interesting here based upon this sample too is we have a campaign name associated with this, which for me kind of triggers my memory a little bit, so I wanna investigate this further. And upon further investigation, you can see that Smokus Stealer is a malware variant that was used and seen early in January. I'm doing a little bit more digging, for sake of time.
You know, I won't dive too deep into it, but there is a ton of overlap here as far as creating a mutex, a unique MD5 hash, how it actually collects some details on this, the embedded JSON web token, which is exactly what I just showed as well. So we're seeing a lot of overlap from the malware analysis to the Smokus malware stealer as well. So this further analysis for me has really opened up what this malware is actually doing. Right? But now I wanna get to the point where I'm actually detecting. So before I actually detect, I do just quickly wanna show that that next phase that I decoded was exactly what's happening here, and it's executing that base64 decode that I showed. If I quickly just show this, at the time of this report, this infrastructure was actually not running, but I think that when we pulled this, it actually was. Yeah. So we were able to detonate the next stage of this, which is actually the follow-on payload. So what the Insikt Group is doing right now is we've been able to pull this off of the sandbox, and we're doing a more detailed analysis of this malware, which, you know, as long as the correct operational security measures are met, is what anybody can do with the sandbox, doing this investigation stream all the way down to the follow-on payload. And so, really, I've got a really good understanding of how this malware operates now at this point, but what I really wanna do is set up detection here. So what I'm going to look at in the short term is maybe some new IOCs. So I'm looking at malware intelligence and using this Deno as my pivot point that I have on here. I'm seeing 46 hashes that are matched. Every Dindoor sample that we currently have is on here, which is excellent, which confirms exactly that I'm on the correct path as far as isolating this malware and infrastructure.
And from here, if I just wanna look at URLs, I can see the original URLs from that Smokus campaign, this con, this other serial may not. But then if I continue to look, I'll see other associated infrastructure to this malware based upon samples that have been detonated. New IPs that are doing the exact same thing, looking for help, making sure they're out; new IPs that we have here, new IPs here. So I'm collecting even more beyond just the original infrastructure that I've found to include. This looks like Weblink would be a new URL associated with the same malware here as well. So I'm feeling pretty confident about this pivot point for Deno, amassing more IOCs associated with that. So then, really, the last thing that I would wanna do here is look at how do we actually set up detection to make sure that I'm protected from this. And what I did was I just took my sample tags for Dindoor. So I took all my hashes of Dindoor that we have detonated within the sandbox, and then I just did auto Sigma, which confirmed my existing suspicions that the place I really need to focus on is this Deno. So in this case, what this Sigma rule would be doing is looking at curl attempts to download the latest Deno release, exactly what we looked at in that process. And then the same here, tar executing Deno from the place that the most recent release was actually put into. The Sigma rule would be taking that, and then just the curl to go and grab the latest release. So this is an excellent starting point for detections that I could use based upon the malware analysis from this very specific campaign. And, again, that was a deep dive into one of these operations, but this is kind of the analyst approach that I would take as we see more of these emerging campaigns from the activity associated with the conflict. That was great. Thanks so much, Carden, for going through that deep dive.
Being able to see when the campaign name was changing is really fascinating from, you know, when they were testing it out. So as I mentioned in the chat, I put in a few different resources related to what Carden was walking through. One of the samples I provided was actually slightly different than what Carden provided, but all the same family. And then I also provided a link to the CyberChef tool on GitHub, which is, you know, freely available, that you can use to do that base64 decoding and encoding to find some of those details. There was one question, Carden, I would love your thoughts on that is a little bit more specific to the Recorded Future platform, but also, I think, overall is really useful. So, you know, as we started off talking about that dramatic drop-off of Iranian-linked malicious traffic, I'm curious on any thoughts of, you know, guidance on narrowing queries to return infrastructure that is very recent and actually still active. I have a few thoughts, but I'd love to hear your thoughts on, you know, how to narrow it down to just those, like, you know, current 90 risk score and above. Oh, yeah. Yeah. Certainly. I think that the same pattern can be used for the Iranian APT groups and the hacktivist groups. If you're already in the process of kind of amassing or collating IOCs associated with this, and you have a very specific infrastructure that you wanna monitor for, I would be creating custom lists. So in the example that I showed, I would be taking GreenGolf and known infrastructure, maybe historical or even the most recent, putting those into a custom list, and then doing monitoring for that beyond maybe just our malicious traffic, but also looking at malware threat analysis or more generally too. Sometimes I just open it very wide, start very general, and then hone in on the traffic that I want that is the most important associated with that.
It's important to know too that, like, you know, a risk, especially when it comes to an IOC, is usually something that's kind of after the fact, right, that we associate a risk when it kinda shows the risky behavior. So, really, what I was monitoring for in that malicious traffic is any traffic that's coming out, because then that would really signal the operational tempo of some of these groups starting to come back into activity. Absolutely. Yeah. And one other piece too, especially for narrowing down activity, is to use, again, if you are a current Recorded Future customer or even if you aren't, the browser extension, which will provide you an overview of whether that indicator is currently being used in a malicious way, with the Recorded Future risk score. So also filtering on maybe any indicators of compromise related to Iran that have a risk score of, let's say, you know, 90 and above, or, you know, 65 and above, can really help you narrow down to, like, at this moment, we're seeing that infrastructure being used. But as you all know, practitioner-wise, infrastructure does change rapidly. And even if we're doing a historic look back, having seen maybe any related activity, even if that IP address isn't used anymore but was associated with GreenGolf, it's just as useful from, like, a, you know, incident response perspective. Great. With that, I'm going to turn things over to Alexis to walk through, where are the slides? Oh, we have to bring back the slides. That's on me. Bring on Alexis to talk about, thank you so much, Carden, for that overview, talk more about Handala hack team and go into some really great use cases and examples. So, Alexis, over to you. Awesome. Thanks, Kathleen. So as mentioned earlier, my name is Alexis Duffey. Pardon me. And I am a senior cyber intelligence engineer at Recorded Future on the same team as Carden. Previously, I've worked as an information security officer for a tech company in the Michigan area, which is where I'm based.
And prior to that, I did a nice stint as an intelligence analyst with the DOD over at Fort Meade for a little while. So, as both Kathleen and Carden alluded to, I'm going to look at one of the other most active and arguably impactful threat actor groups right now, which is Handala Hack Team, an Iran-aligned hacktivist group who, as you can see on these slides, has been assessed to likely be in operation since about 2023 and has recently been in the news for their claims of a particularly high-profile and destructive cyber attack against a U.S.-based medical device manufacturer, as well as claimed cyber attacks against an Israeli payment solutions company. We've talked about how we're framing our presentation today from this analyst viewpoint, and I'd say it's safe to say that when a seemingly conflict-related destructive attack like Handala's occurs, most security teams and most cyber threat intelligence teams are immediately going to get those RFIs: what does this mean for our organization, how are we impacted, what should we be doing about it. So in general, as Carden mentioned, when evaluating any kind of risk, or what this means for your organization from a threat actor group or a malware variant, you should always be keeping your profile in mind. What is your vertical? What is your industry? What is your geographic footprint? What is your tech stack? And who are your suppliers? This is also a really important piece to keep in mind, because even if you may not fit the target profile, a critical supplier might, which should absolutely play a part in your overall assessment when you're trying to answer some of these "what does this mean for us" questions. So keeping that in mind, one of the first things as I'm getting this RFI, we'll say, is I'm going to be researching everything I can about the group. Some of this is going to overlap a bit with what Carden showed, but, again, we're focusing a bit more on the hacktivist side.
So I'm going to be researching everything I can, and I'm going to take over a little bit with my own screen here. Excellent. Assuming everyone can see that. So, researching everything that I can about this group, reading profiles. Obviously, I'm going to be starting with Insikt, but I'm also going to be looking at the primary sources that they have potentially pulled from. I will say researchers have previously connected Handala Hack Team to Iranian threat clusters, mostly Void Manticore, potentially Banished Kitten, which does suggest a link to Iranian state-sponsored activity. But this attribution cannot be corroborated by Insikt Group at this point, though it's very likely that they play a role as a cutout or deniable proxy for these Iranian offensive cyber operations. But as it stands, I'm going to be focusing just on Handala Hack Team, not so much Void Manticore. So, reading through all of this, I'm also going to go straight to the primary source, which in this case is possible. I'm going to go see what the group itself is saying, either via their social media or, in this case, their blog. And I wanted to point this out: I'm going to be using the sandbox to go read this, because you might need to use a different geographic VPN in order to access the site. I was not able to access it unless I actually changed my geo VPN to not be US-based. That may just be a me thing. But I'm going to go in and take a look at what the group itself is saying, because, obviously, primary sourcing is ideal if we can get it. So I see, right, that they are continuing to make claims of compromise here, primarily more in line with the hack-and-leak MO, modus operandi, than this destructive attack that we've seen, and primarily against Israeli targets. Interestingly, one of the more recent claims appears to be against a popular Iranian citizen journalist whom they decry as a traitor and mercenary. So, just interesting.
And that brings up a good point. As I'm doing this research: with Handala and many hacktivist fronts in general, often the intent is focused on disruptive attacks, so leaks, DDoS, defacement, doxing, and destructive attacks, so wipers and encryption, rather than on the espionage piece like some of the APTs that we might see. It's also very important to note that these groups can exaggerate or even fabricate access claims in order to maximize media amplification. So it can sometimes be difficult to confirm an attack or attribution if there is no independently verifiable evidence or victim corroboration. Working with what we've got here, one of the questions is, how am I impacted by this? So I went ahead and took a look and said, okay, based on our reporting, who have they targeted in the last two years, so I can start to get an idea about my potential risk. There's a tendency, as you can see, to target government, services, IT and software; critical infrastructure makes the list. You can see I expanded this out to look at hacktivist groups in general. Pretty good overlap. That is generally what we are seeing from a lot of these groups. Then, reading through some of the additional reporting here and going to some of the additional sourcing that is referenced by Insikt Group: for example, this is a fantastic report that is fairly recent from Insikt Group that talks about some of the specific IOCs, TTPs, patterns, we'll say, for what we've seen in the past from Handala's malware activities. I can also just go, as I said, straight to some of the sources that were mentioned in here. So they've had a few notable wiper attacks, again, primarily against Israeli targets in the past, and several of their most notable ones have abused this fake-update attack vector.
Specifically, in 2023, they took advantage of the discovery of a vulnerability in F5 BIG-IP network devices to send phishing emails urging Israeli organizations to download and install an update to fix the vulnerability, which would instead attempt to wipe all the data. They used a similar campaign exploiting the CrowdStrike update issue and subsequent downtime in 2024, crafting phishing emails that, again, purported to fix this issue but would instead deliver a wiper payload. And so as I'm researching some of these, and apologies for the scroll here, but I want to show: I have the browser extension on, so I can see anytime on here where I'm seeing some of these potential IOCs. Again, apologies for the scroll on this. But right, so I actually have the browser extension, as Kathleen mentioned, which you can get a free version of just to get an idea of, is this something I'm already aware of? If I want to go pivot into my platform, Recorded Future, and take a deeper look here, I can do that. So in this case, I have gone ahead and pulled up some of these hashes that we've seen. I can see that we definitely have seen some of these. We've reported on them. They are actually on the IOCs collated from Insikt Group, which is great to see. And then I would like to, if possible, much like Carden did, go in and look at the samples themselves to see if I can both verify some of the patterns that are being analyzed and reported on and see if I might be able to use those myself to find other possible additional samples and related detections. So in this particular instance here, I'm seeing this is pulled from that fake CrowdStrike updater attempt. I can pivot into malware intelligence here, and I can open it up. And I can actually go in and look through.
And, again, this is actually available in Recorded Future Triage, so I believe Kathleen will be dropping a link to that. But you can go through and see some of the processes that are described in the article that I was previously looking at, so I can verify that, oh, this is interesting, I can see this. If I wanted to, and again, with the proper operational security and guardrails in mind, I could actually download the sample to do additional analysis, if I have a dedicated reverse engineering team or a detection engineering team. But I can sort of get an idea of what some of these patterns look like and verify that this is something that we've seen them use in the past. For some of these, I can actually see that a different sample, apologies here, is actually named Handala, which is very interesting. So I'm looking at some of these patterns here, and I'm not going to go into the deep, deep dive like Carden did. But as an analyst, I'm like, okay, well, what else could I do with this? Right? So I'm seeing this pattern, and maybe this came from additional reporting as well about their potential use of Rhadamanthys. So if I want to go look at that particular hash, again, I'm seeing a similar pattern here where we've got batch files, we've got these checks, again, to see if we've got antivirus activity happening on the machine, I've got this interesting potential obfuscation technique here, and then the use of a .PIF file. So that's kind of interesting. Using that and this sample, again, this Rhadamanthys piece is actually also available through Triage, and this is the one where it's actually called Handala, not EXE, so kind of an interesting confirmation there.
But what I can do at that point is, instead of just going from these specific IOCs, try to use the patterns themselves and potentially surface additional samples that I might be able to use. Some of these might end up being, oh, this technically hasn't been tagged as anything beyond an executable, and it's a little bit older. But if I open it up, I can see a similar sort of pattern here. Right? These batch files, this looking for antivirus activity, this kind of interesting potential obfuscation technique, and then the .PIF file. And in this case, specifically, I also see this use of regasm.exe in a temp folder, which is kind of interesting as well and actually does match some of the reporting that we've seen as another additional way to identify some of their historical malware attacks. So, right, we can see right here. So now I have some starting points. And I am not a detection engineer, but what I could do is start to look through some of these other samples that I've identified, and if I feel like I've got a good enough sample size here, I can go ahead and try to, much like Carden showed, generate my own detection rules based on what I'm seeing here, as another potential way to surface some of these indicators that may not have been reported on but may be related to the group. So it's a good start to try and identify additional IOCs that may be related to this group as I'm starting to research and build out my assessment. Some folks may be asking, why am I focusing on their past, their historical attacks?
And the answer is, frankly, it's a large part of what we have to go on right now, because the current research indicates that the most recent alleged destructive attack was actually not done via a custom wiper or payload, but instead used compromised credentials and the abuse of existing legitimate business software to conduct the wipe. So that does not, unfortunately, give us much in the way of specific IOCs to go off, but it does help cement some of the TTPs that we've seen associated with this group: this abuse of legitimate software and tools, RegAsm and AutoIt, which is another piece that we've seen them use in previous wiper attacks. These are legitimate software, but they are abused in a way that makes them malicious. We're also seeing, or have seen, a pattern of initial access from them via phishing, right? We talked about the F5 and CrowdStrike campaigns and potential credential harvesting. So this, unfortunately, just highlights a difficult issue that most organizations do face today, which is identifying and remediating compromised credentials, because why hack in when you can simply log in? And it is, unfortunately, a big problem. So I'm quickly going to go over some of the mitigations I would be giving to my leadership if I was writing my assessment on this. Right? So, use the technical details that you have. We talked about how you could use some malware samples to potentially go and identify other patterns. You can write your own detection rules, pulling in the IOC lists like Carden mentioned, from intelligence providers, us or other intelligence providers, your own research, etcetera. So do use those technical indicators as much as you can, ideally in an automated way. Hopefully, you're having some of this pushed directly into your security tooling, for either a reactive posture or proactive hunts in the future. And then, again, the phishing attempts for Handala are huge, and it's a pattern that we've seen previously.
So, maintaining heightened awareness of these potentially very sophisticated phishing campaigns, possibly exploiting newsworthy tech events, as we have seen in the past. And this is especially important if your organization fits the target profile. Identify and remediate compromised credentials as quickly as possible, monitor for anomalous user behavior, and ensure that you've tightened controls on your public-facing infrastructure as much as possible. Right? So, rate and session limiting, lockouts, making sure that you have resilience in case of DDoS attempts. And finally, touching a little bit on this piece of vendor and business continuity: having an updated and robust business continuity plan, being aware of your critical vendors and suppliers. Unfortunately, there have been quite a few massive geopolitical events in the past five years, so hopefully you do have a third-party inventory and a review of some of the implications if they go dark, but if not, no time like the present. I'm going to quickly touch on that. Having said all of that, some other things that, as an analyst, I'm maintaining awareness of: it's important to note that just because there is a war happening in the Middle East, that doesn't mean, unfortunately, that the rest of the world has taken a break. In fact, for both Russia and China, we are seeing indications that there are attempts to either use the current situation to promote certain narratives, which is what we're seeing in the case of Operation Overload and ION eighty one, or potentially take advantage of the conflict to further their own aims. So we've seen cases of RedDelta potentially targeting Qatar for intelligence collection. And existing operations are continuing. We're continuing to see APT28 conduct attacks against the Ukrainian military.
And in fact, there was a very interesting blog post, I believe posted just yesterday by Levi Gundert and Jonathan Luff on Intelligence to Risk here, which I believe Kathleen can drop in the chat as well, that actually showed that China nation-state network traffic has seemingly dramatically increased over the past couple of weeks, based on our network intelligence data. So this is, again, where your threat profile comes into play. If you are in Europe, if you are in Southeast Asia, if you are in these traditional target zones for these groups, you should still be monitoring these same threat actors. APT activities have not ceased just because of a new conflict, unfortunately. And then just a few catch-all pieces here that I'm maintaining awareness of. I mentioned the doxing and the DDoS threats, the general impact of these groups. But, again, there may be other groups trying to take advantage of this conflict. Physical is potentially a whole other separate webinar to go over. And then there are some instances, potentially, where we're seeing more targeted activity, again, in this Israeli space, for this trojanized application. We saw that happen. And in the past, particularly in the Ukraine conflict, we have seen instances of malicious activity, phishing, fraud that tried to take advantage of the conflict, for example, spoofing or imitating aid organizations. So in my mind, it wouldn't be out of the realm of possibility that that could happen again. So I may be paying attention to some recently spun-up domains around what we might be seeing there. And I think we're just about out of time here, so I will turn it back over to Kathleen. Great. Thanks so much, Alexis, for going into great detail. That should be really useful for everyone on the call. And as Alexis was mentioning, some of the samples she was walking through, the blog posts, all of those are in the chat.
And we'll also make sure in the follow-up email that will go out to everyone on this call, along with the recording, that those samples are also linked. Well, maybe we won't include every single one, because it might get caught by your spam filter, thinking we're trying to send malware to you, which is not the case, just samples. Awesome. So, yeah, let's take a few minutes before we wrap up here on some of the questions. One of the questions that I think would be interesting to talk about was more on the case of the targeting of Stryker: wondering how much credence you place on the fact that it was more opportunistic, and if their intended target was maybe more the military aspect of it. I have thoughts on that, but I'd love to hear Carden's or Alexis's thoughts. It is a good question. And I would say, putting a lot of caveats on this assessment and saying that I am not an Iran expert here, but, again, based on what I was looking at through their traditional targeting, and targeting from hacktivist groups in general, it is not unheard of to potentially target healthcare. There has been an instance where Handala targeted, I believe, a hospital in the past. Mhmm. So it's not unheard of, but it's also a little bit of an outlier in terms of the usual targeting. Right? I think that's an interesting point to make. And in terms of the opportunistic piece, that is definitely... because we did see, or because, allegedly, this was due to compromised credentials and, again, use of legitimate software, that does potentially point to it being less of a specific target and definitely more of an opportunistic piece. But those are my thoughts as an analyst right now, not Insikt's. Awesome. Yeah.
I would completely agree there with the opportunistic piece. Sometimes with these groups, using the infostealer access and credentials that have been either harvested or scraped, they can look through and find those that are the most relevant or the most destructive that they can actually use. So certainly probably a mix of opportunistic with geographical targeting as well. Completely agree. And as you mentioned, too, with the infostealer aspect of it: why hack when you can just log in? There's one question about tracking this type of activity. So Recorded Future does have our identity intelligence that is looking at these malware logs, and then you have the ability to automatically reset passwords in an integration with, say, Okta or Microsoft. So that's how we're personally helping customers on the infostealer side. But with any provider that you are using that is tracking infostealer logs, being able to filter based on your password complexity and your employees is obviously how you try and combat that specific threat. Let's see, other questions. We just have a few minutes. There are a few questions about the slides. So, yes, a version of these slides will be provided after the fact as well, with some of the threat groups as well, which you'll have with the slides. I think with that infostealer piece, Kathleen, it's important to note that for GreenGolf, that's their main TTP as well: infostealers, spear phishing. So even though this conflict raises, maybe, operational tempo, it doesn't necessarily change the attack surface and those things that we need to be monitoring for. So consistent monitoring of business email compromise, spear phishing attempts, phishing attempts, infostealer markets, compromised credentials: that is initial access and beyond. This speaks volumes to the ransomware landscape and beyond as well.
So consistent monitoring for those, just in general as defense in depth, postures you very well to be protected during these times of conflict as well. Absolutely. Always tracking infostealer threats to your environment is useful across so many different areas. So as we officially wrap up here, we talked a lot about public-facing resources: our Iran blog, the CSV download in the chat, the briefings, that free browser extension, and the sandbox. And then for those of you who are current Recorded Future customers, I do have linked in these slides the intelligence kit, our recommended actions on the conflict, and also an analyst guide that our training team put together. Next up, in thirty seconds, I'll be demoing autonomous SOC operations, so maybe some of you are joining that. I'll show basically how to live hunt within your own SIEM and SOAR solutions using Recorded Future, actually with some of the Iranian examples. So you can sign up here. And also, not a ton of time, but we're also hosting a virtual capture the flag in mid-April. I'll send out some of the links afterwards, but you also have the link. I promise it's not malware, this QR code. I tested it, to sign up. And with that, I just want to say thank you so much, Alexis and Carden, for the detail you were able to provide us, and thank you all. Thanks.