The Panda Inside Me
Welcome to Memetic Warfare.
First things first. This week I attended CYBERWARCON and had an incredible time. I’d highly recommend it to anyone interested in IO or cyber to any degree, it has a unique angle and the talks were excellent - I don’t think that there’s any conference globally that comes close with its focus on IO. I’ll share a link to my talk on YouTube in a future post when it’s available.
Let’s move on to the next announcement.
The cat is out of the bag, and I’m happy to announce Telemetry’s integration into usersearch.ai! Check it out today to search easily across multiple data sources, including Telemetry’s massive Telegram database.
Let’s now get into it.
Correctiv frequently puts out incredible reporting, and in contrast to many other journalists, actually gets things done! They really show this off in their latest article, available here, on how they, Qurium and others successfully took action with the relevant authorities that degraded Doppelganger’s infrastructure.
Just see the below section:
Infrastructure as well as actual software is being hit - moving up the pyramid of pain. It’s one thing to switch out a VPS, but it’s more of a pain to get your hands on the right software, or god forbid, develop it.
The article focuses primarily on their new findings and actions, in this case targeting Doppelganger cloaking services. If you’re really interested in cloaking services, check out Qurium’s accompanying article where they dive deep into the cloaking services.
They’re kind enough to include an infographic:
And here’s where it gets actually incredibly interesting. Correctiv looked into the stage 2 and 3 domains as part of the cloaking service, found that it was run by a Ukrainian guy who then promptly actioned their account, making Doppelganger links ineffective on Twitter:
The next notable section is the finding of links to the Russian Ministry of Defense, as shown by access records of Doppelganger servers showing connections from an IP address belonging to Voentekelom, a Russian governmental ISP working under the Ministry of Defense.
There’s one claim that isn’t as clearcut, and IMO not necessarily related. Chances are they don’t share an internet connection, and it’s much more likely that someone from the Russian MoD accessed, which in of itself is arguably indicative:
The final point is what really matters:
Let’s move on to the next piece we’ll cover: Crowdstrike’s report on “Liminal Panda”, maybe my favorite panda TA name yet. At first I thought that this may be Salt Typhoon, but it turns out to be distinct. The report is to the point, and most importantly has IoCs for further investigation and pivoting.
Check out their attribution:
Beyond IoCs for threat hunting and pivoting, it’s always great to read threat reports for additional context on things like hosting providers. It’d be hard to independently notice that, say, Vultr, is commonly exploited by China-affiliated/adjacent actors, but now we know that.
If I have some time post CyberWarCon I may look into some of the indicators, but regardless - there should be a fair amount to look at going forward.
The next piece covers hacktivist activity. Cyberknow, a great Twitter account for tracking hacktivist (and hacktivist IO activity), recently posted something that caught my attention:
Readers may recall Hunt3r Kill3rs as being a group that I looked at with my colleague and friend Max Lesser at the FDD, and published on at the Cipher Brief as part of the IDFLeaks operation. Funnily enough, I only very recently discovered that Microsoft had ONE infographic where they put out an attribution to the IDFLeaks operation to the Iranian MOIS (see figure 4 here).
Microsoft, you put out amazing work - please post the occasional list of groups and their attribution, or alternatively the occasional deep dive into groups! I only came across this by reading old reports, and it isn’t mentioned in any text anywhere so it isn’t searchable.
Back to the point at hand. Hunt3r Kill3rs is probably an Iranian false flag operation active in Russian. They almost exclusively target Israel, and they were one of the key amplifiers of IDF Leaks.
Cyberknow20 pointed out that they very recently posted seemingly convincing snippets of classified US government documents from mid-2024, so pretty recent. I don’t know enough about US government documents to prove their authenticity, so if anyone does - please let me know.
Hunt3r Kill3rs claimed that they did this due to continued US support for Ukraine and “giving weapons to Ukraine”, which will “expand this war”. I assume they’re referring to the recent US decision to allow Ukraine to use ATACMs to target deeper inside of Russia, which is a convenient excuse to potentially pivot to the US.
This has since turned into a broader coalition of a few well-known hacktivist groups such as Keymous, Moroccan Dragons and more targeting a few countries for their support of Israel:
Hacktivist coalitions come and go and they aren’t the sort of thing I usually cover here, but the dynamic of a probable nation-state false flag group leading/getting involved in other coalition work is worth looking into more.
The main story though, IMO, is the leak of the apparently authentic CIA documents. Iranian actors recently acquired sensitive USG documents, allegedly (and yet unproven to be) from an insider source at the CIA arrested in Cambodia. If they got another tranche of recent, sensitive documents, then a more serious inquiry into whatever is going on is needed.
That’s it for this week! Check out Telemetryapp.io and see you next week.