Welcome to this week’s Dune 2-inspired post - if you haven’t seen it yet, go see it in IMAX.
My name is Ari Ben Am, and I’m the founder of Telemetry Data Labs - a Telegram search engine and analytics platform available at Telemetryapp.io.
I also do training, consulting and research so if you have any specific needs - feel free to reach out on LinkedIn or via ari@telemetryapp.io.
This week will be a bit shorter than usual, so let’s get started.
For those not yet sick of analysis of i-Soon, check out Harfang Lab’s deep dive available here. I’ll spare you the full read and share the key findings and a few notes:
A bunch of fascinating specifics, such as email dump exploitation and other systems, are discussed, but here we’ll briefly touch on what’s most relevant for us: the IO section.
Unsurprisingly and as is the case with the vast majority of alleged social media influence platforms, the “Twitter Public Opinion Guidance and Control System” is oversold.
What’s most interesting, though, is the ability to work in a targeted fashion. Instead of monitoring all of Twitter, the platform enables monitoring of specific accounts, sending phishing emails to compromise them, and then grouping them to post in a coordinated fashion.
Additionally, and less surprisingly, much of their effort is oriented towards the Chinese domestic market as well.
Harfang’s conclusions also match what many are saying publicly, and I think it’s most probable that a foreign government compromised i-Soon and leaked their data.
Doppelganger New Game Plus
Continuing the trend of APT/APM overlap, Clearsky and Sentinel One have published their research on Doppelganger, in this case tying it to APT 28. Read their report here.
It’s nice to see emphasis on the under-reported Israeli portion of Doppelganger, which I’ve discussed here in past posts.
Clearsky also shows how VirusTotal can be used to threat hunt, in this case tying APT 28 to the Doppelganger campaign. They start off with a file uploaded by the Ukrainian CERT on January 24th:
They then extracted three unique strings from the file:
These then led to four new files; two of which were tied to APT 28, and two of which appeared as source code for the Doppelganger domain, rbk(.)media.
This is great work in and of itself, and shows the importance of technical skillsets in IO work. To be honest, I need to get around to learning malware and file analysis in depth sometime, as the potential is great.
Where it gets even more interesting is when a Google Analytics ID is identified:
Clearsky also builds on the past work done by Recorded Future, providing updated IoCs and infrastructure:
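As an added illustration of the analytics-ID pivot described above (this is not code from Clearsky’s report or from this newsletter): a small Python helper that pulls Google Analytics / Tag Manager IDs out of saved page sources and groups domains that share one, which is how a shared tracking ID ties otherwise unrelated-looking sites together. The domains, IDs and page snippets are constructed.

```python
import re
from collections import defaultdict

# Common Google Analytics / Tag Manager ID formats as they appear in page source.
# Assumption: UA-, G- and GTM- prefixed IDs are the ones worth pivoting on.
TRACKER_RE = re.compile(r"\b(UA-\d{4,10}-\d{1,4}|G-[A-Z0-9]{6,12}|GTM-[A-Z0-9]{4,8})\b")


def extract_tracker_ids(html: str) -> set[str]:
    """Return the set of analytics / tag-manager IDs found in one page source."""
    return set(TRACKER_RE.findall(html))


def cluster_by_tracker(pages: dict[str, str]) -> dict[str, set[str]]:
    """Map each tracker ID to the set of domains whose page source carries it."""
    index: dict[str, set[str]] = defaultdict(set)
    for domain, html in pages.items():
        for tracker_id in extract_tracker_ids(html):
            index[tracker_id].add(domain)
    return dict(index)


def shared_trackers(pages: dict[str, str]) -> dict[str, set[str]]:
    """Keep only IDs seen on more than one domain: these are the pivot candidates."""
    return {tid: doms for tid, doms in cluster_by_tracker(pages).items() if len(doms) > 1}


# Constructed sample page sources (hypothetical domains, made-up IDs).
SAMPLE_PAGES = {
    "news-clone-a.example": '<script async src="https://www.googletagmanager.com/gtag/js?id=G-ABC123XYZ9"></script>',
    "news-clone-b.example": "gtag('config', 'G-ABC123XYZ9'); gtag('config', 'UA-12345678-1');",
    "unrelated.example": "<script>ga('create', 'UA-99999999-2', 'auto');</script>",
}


if __name__ == "__main__":
    # Prints: G-ABC123XYZ9 -> news-clone-a.example, news-clone-b.example
    for tracker_id, domains in shared_trackers(SAMPLE_PAGES).items():
        print(f"{tracker_id} -> {', '.join(sorted(domains))}")
```

In practice the page sources would come from a crawler or an archive snapshot, and the shared IDs become the seeds for further infrastructure queries.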
Overall - this is a great report to read for those who want to see how campaigns adapt over time, as well as how to better implement technical tooling into their IO workflows.
It also shows that more and more signs of APT/APM overlap are coming out - we now have at least two from China: APT 41’s potential ties to IO as shown by ASPI, and now the i-Soon leak, this connection to APT 28, and known ties between Iranian APTs and APMs.
It’ll be fun to see how this field develops in the coming few years and what else comes out.
In other things worth taking a look at:
If we’re already on an infrastructure mapping kick, check out Intel Ops’ latest writeup on detection rules and Censys to identify phishing campaigns available here.
Google TAG published their quarterly report on IO takedowns for Q4 2023 the other day, available here. Not much commentary on my end, just wish that they’d publish in-depth reporting and analysis and not just bulleted lists of takedowns.
Conjunction of the Spheres
Twitter user x0rz pointed out an interesting dynamic in the ongoing Lockbit/FBI blood feud:
While we obviously can’t confirm that the FSB or any other Russian agency is in fact responsible for this specific decision, it’s certainly a reasonable assumption to make and an interesting one upon which to extrapolate regarding ransomware activity and state affiliation.
This throws me back to the days when the Shadow Brokers tried to veer hard into IO by claiming that they were in fact American military/intelligence officers after having leaked NSA hacking tools.
We often think of financially-motivated cybercrime as being separate from other forms of threat actor activity, but in practice, they’re all sides of the same die in authoritarian countries. Threat actors often engage in geopolitically-motivated, financially-motivated and other forms of cyber activity, and as we increasingly see - influence activity.
That’s it for this week!