The Darklands of Cyber Attribution - Klick the Link Aleksey
Hi, my name is Michael and I am an APT.
I gotta come clean with you, it’s finally time for this confession. In fact I believe I am more than one APT, I am actually part of multiple APTs. International even, across the globe and across multiple scenes: from Scattered Spider to the CON, from the ShinyHunters to Muddled Libra, from Evil Corp to Indrik Spider, all me; probably I am also part of Techno Bears (APT69), nyan_pwn, PYSA, SiegedSec and Nonbinary Catgirls for a better Future Association.
The fact that you think I am joking, but also have no idea which of these are “real” cyber groups, is why you should continue reading; and also cause I am totally not joking.
I am actually counted as part of multiple APTs, and the reason for this is that the whole attribution and APT thing is fucked beyond repair. Not really sure I can tell you exactly how bad it is and still finish this blogpost with my sanity intact; so, I will just ramble on about 30% of the real madness behind this whole business.
To be clear, of course there are APTs and of course it is possible and important to try and figure out what goes on. This is not about that, but rather about how a financially driven industry, with not the best track record for professionalism or truth, might not be the way to go here.
This is just a drop in the bucket and some thoughts along with it, so go collect your beat prescription 1,2,3 and then let’s dive in.
“… Bounty hunting is a complicated profession.” – The Client
Look, cyber attribution is hard. Complicated forensics, incomplete and untrustworthy artifacts, unclear timelines etc. It is hard and sometimes straight up not possible to reconstruct what happened during a hack or who did it. Almost always there are only pieces of information, and some of them are even conflicting. So, when it is possible, with an incredible amount of luck, sometimes with outside knowledge (e.g. from the intelligence community) and huge amounts of work, to establish a clear and data-driven picture of a cyber incident, to even point to a group who likely did it, and then to even be able to say something about this group, it is simply incredible. Those very few cases are special and must be cherished, because this does not happen often.
This is why most of what you probably know, and a lot of what is out there right now, is either made-up stories or just real bad attribution.
There are those who do not participate in made-up stories and those who refuse to say what the data does not allow, even if it is expected of them, cause everyone demands a story. Those who say: “As a professional, I have to tell you, we cannot clearly establish what happened here.”
There are real professionals still left in cyber attribution, even if most of them do not work in the threat intel part of the industry anymore; they do something else or switched back to science. Similar to AI, where the industry is so full of bullshit that the good people have largely left.
But to be clear: these few uncompromising people, who stand firm on the hill of professionalism (and will die on it), are explicitly exempt from all ramblings of this post. In fact, I airlift them out of here right now. Watch me!
Tell me a story daddy
Whenever a hack happens or a notorious cyber group is active, we demand an explanation, and we expect there is always one. A clear story, a logical narrative, and it had better be entertaining. The bigger the impact, the bigger the story must be. So, what happens in these cases is that a security researcher gets called, let’s say by the media, and is asked: What can you tell us about said hack and group, who are they and what’s the story?
And you might say: well, I have no real data on this, could be a teenager, could be fake, could be an established criminal group or could be something different, we don’t know, we have to wait for forensics and even then we might never know. The professionals in these cases often simply have no story, cause there is no data.
Everybody hates that! We need a story. So, they call the next guy (almost always from a security firm or vendor) and he says: Yeah, that’s actually done by Fancy Unicorn, this is a group from [State] and we have monitored them exclusively for years with our security product and know all about them, this fits their previous attacks and techniques, we believe they are also behind the previous hacks and are connected to Marvel Panda. Right now, they consist of about ten guys who are approximately 21-year-olds from the Rostov region.
Of course everybody goes for that story, and next time someone calls me they ask me what I know about Marvel Panda, and then I have to look up the dude who made that name up. But at this point reality is already distorted, and no one talks about forensics or data anymore, only about Marvel Panda.
And once the narrative is out there it never goes back.
Press F to Cyber Attribute
Okay, so how does our guy from the story, the one working for the security vendor’s threat intel, actually “monitor” the Fancy Unicorn APT? Well, that’s pretty easy (and keep in mind I am not joking and not making this up): they just join the group channel. That’s it, that’s monitoring. So Fancy Unicorn has a Telegram group or Discord channel, they invite people or post the link on a darknet forum, and you just join. That’s it.
So that means the vendor guy joins, some criminals join, me and other security researchers join. This is the game and completely normal. A thinking reader at this point might ask: Hold on, so how did they actually know how many people are part of the group? How come the vendor guy knows there are ten people in Fancy Unicorn?
The thought, so clear and yet so stupid, is already in your head, but you think it can’t be. But yes, it is. They just count the members in the group.
So, this is why I am not making this up when I tell you that I am counted as a member of several APTs.
In reality it goes like this: there is a Scattered Spider group, and this group is “monitored”, meaning CrowdStrike, Mandiant, Palo Alto and all of those are in there, and they are all counting each other and me towards the members of Scattered Spider. Pure insanity.
Twice in my life, a threat intel provider has shown me a group they monitor, in order to explain to me how they know how many members are part of this APT, and in those cases they and I were members of this fucking group!
A lot of other “estimates” come from members and accounts on leak forums, which is the same but different: who is a security researcher and who is another vendor account, and how do you account for that? Well, you just don’t. But I said I’d give you 30%, so I’ll stop with this topic, even though I have maaaany more examples of this kind of “attribution” insanity.
Get your SEO numbers up
So, you will find a lot of blogposts about APTs, and you will immediately see that they all have a product to sell. Threat intel, endpoint protection, you name it.
Let me state the obvious here, cause it is needed to fully understand. The main driving factor for content about APTs and cyber groups is not to provide information to society, but to sell a product, to generate fear, to place higher in search rankings. That is also one reason why you will find that the same APTs have different names depending on the vendor: it is not about clear and transparent attribution, but about portfolio, USP, placement and narrative.
It’s about Search Engine Optimization and sales, it is not about science. This is also why every vendor has a constant stream of new and emerging threat landscapes, of never-before-seen next-level techniques and AI-powered advanced underground mafias: some legit, most pure fiction.
Another point needed to understand how we got here, in this bloated world of a million made-up names and daily new cybergangs, is to understand what it means for an individual threat intel person when they start their career. For the vendor it is clear: product sales. But for the “analysts”?
Threat Intel Analyst is often an entry position to get into cyber security; the requirements are very low, if any. You don’t need hacking, pentesting or red teaming experience, or coding. You just monitor Telegram groups and maybe look over a few logs, which are given to you by the staff of your vendor from a (potential) hack of one of their customers. These jobs can be a starting point to get into cyber security and are seen as such by some.
These are not fun jobs, and almost all other cyber security jobs pay better, which, funnily enough, is why actually good threat intel people mostly don’t work in threat intel.
Anyway, you want more pay and to make a name for yourself. You always have an incentive to find a new group. No one wants to read a blogpost saying that we cannot tell what happened; everyone likes a good story about a new emerging cyber underground player. A lot of blogposts about amazingly complex and nuanced cyber actors are written by people who have maybe six months of work experience in the field. It’s not their fault, it’s just how the incentives work.
So, what we end up with is not an incentive to inform, or to scientifically and carefully check data and biases in existing narratives, but rather a machine that produces stories with little or no evidence in order to sell more products or generate more fame. This machine is huge and uses basically any information, be it technical or just rumors, to make a story that people click.
All my friends are APTs
With an understanding of the security vendors’ role in this, of what their goal is in these group narratives, and with some real bad attribution practices in mind, let’s take a short look at something else.
I work as a red teamer, so people like me run simulated hacker attacks for companies which contract us in order to be prepared and test themselves against real-life hacking attacks. This means we use the same techniques as threat actors and do our tests in the real-life environment of a company. Companies are usually customers of security vendors: CrowdStrike, Palo Alto, Microsoft and the like.
It is totally normal that some endpoint protection or anti-virus solution catches a script or malware of ours during our legal simulated engagements. In such cases, what happens is that these vendors upload the suspicious script from our test to their sandbox or cloud lab. This is the default; security vendors check and upload data from their customers nonstop.
Sidenote: the difference between these vendors and, let’s say, a ransomware gang is that you pay a ransomware gang after the hack to not leak your data, while you pay the security vendor before, after and while he leaks your data, and you have even agreed to this via a contract. Sidenote_end
So, after they analyze the malware or script, it can happen that they like it. Cause it is new, or it does something cool. Then they will write a blogpost about it, which will say something like: “Analysts at [Vendorname] have observed multiple intrusions across a variety of industries involving [Vendorname] firewall devices. Evidence suggests that threat actors exploited the recently disclosed vulnerabilities CVE-… to gain initial access.”
No, hold on, you might think, this was no threat actor but a legal test by the red team or some pentesters. Yeah, I know, but they don’t, and frankly they couldn’t care less. The moment something interesting lands in their hands, it is converted to content by the machine. You could even tell them, and they would not care.
So, what I am telling you here is that when you read a blogpost about a new technique, about a thing under exploitation and so on, there is a non-zero chance it was a red team and there were zero threat actors involved.
This is why my friends and I are APTs: there are blogposts about the things we do legally, which end up as content and fan fiction by security vendors. What makes this even funnier is that it is completely normal for us to have NDAs, so even if we did the legwork and showed that a specific blogpost from a vendor about a specific “emerging new technique” was just us during our daily work, we would get legal problems. So, for our own sanity we ignore it or laugh about it, and in the end we are all APTs.
I work with Aleksey in the Darklands
There is something else here worth briefly thinking about. It’s another layer to all of this, but I just want to put the thought out there. What do you really gain with all the APTs?
The general idea is, money making aside, that having all these different groups and their connections, all the names and APTs, gives some kind of amazing insight into the underground cyber scene. But does it?
Imagine I ask someone what he does, and he tells me he works for Schwarz Digits Contents, has connections with the PHO G, and had some projects related to Prezero, formerly Sky Plastic, plus the Suez Group. What does that actually get us, versus him telling us: Yo, I do IT for Lidl.
Again, I’m not saying it is never relevant to know or investigate these things and connections (at least the ones that are real and have data attached to them), but I think the question should be asked: what is relevant to the conversation?
So now imagine I ask an actual threat actor, a criminal hacker, someone this whole thing is supposedly about. What would he say? A guy who hasn’t slept in two days, who spends his days looking at code, is afraid to get busted, had a fight with his girlfriend, is drugged out of his mind, hacks some companies in the US for money, is listening to hardstyle and just watched two hours of hentai porn. He lives in the darklands.
He would say: “I work for Aleksey”. That’s it. Good luck trying to explain to him that according to this APT matrix you found online he is in fact Lazy Panda, because he is in this one Telegram group.
In his world there are groups, same as in the world of the Lidl IT dude, and they may play a role for him or not; he might not even know that they exist. If the idea, however, is to provide us with a better understanding of what he is actually about, I’m not entirely convinced they help as much as people think they do.
Every problem from above, the incentives, attribution and straight up bullshit, aside, I believe there is merit in accepting that limited information from a hidden and chaotic world cannot provide a clear story and deliver distinct groups, roles and actors. The Darklands often just don’t hold the necessary information.
All of this was actually just an elaborate setup to link that Darklands scene, which I like cause the soundtrack is tha bomb, so make sure to have sound on.
You see, getting you hooked on a blogpost to link Darklands at the end is a new emerging threat actor technique, first seen on the rootcat blog (monitored by me), and in order to protect you and your company from this devious new APT, located in southern Brazil and mostly consisting of 2 or 4 red pandas with mullets, we have developed a new scanning solution that can ….