{"id":968,"date":"2020-12-02T12:27:03","date_gmt":"2020-12-02T11:27:03","guid":{"rendered":"https:\/\/lab52.io\/blog\/?p=968"},"modified":"2020-12-04T11:37:30","modified_gmt":"2020-12-04T10:37:30","slug":"exploiting-apt-data-for-fun-and-no-profit","status":"publish","type":"post","link":"https:\/\/lab52.io\/blog\/exploiting-apt-data-for-fun-and-no-profit\/","title":{"rendered":"Exploiting APT data for fun and (no) profit"},"content":{"rendered":"\n

Acquisition and processing<\/strong><\/h3>\n\n\n\n

When attending to talks about APT -or when giving them- sometimes you hear sentences like \u201cmost threat actors are focused on information theft\u201d or \u201cRussia is one of the most active actors in APT landscape\u201d. But, where do all those sentences come from? We have spent a whole night exploiting APT data for fun and (no) profit, in order to provide you with some curiosities, facts, data\u2026 you can use from now in your APT talks!! \ud83d\ude42<\/p>\n\n\n\n

Since 2019 the folks at ThaiCERT publish the free PDF book “Threat Group Cards: A Threat Actor Encyclopedia\u201d and they have an online portal (https:\/\/apt.thaicert.or.th\/cgi-bin\/aptgroups.cgi<\/a>) with all the information regarding APT groups acquired from public sources. In this portal, apart from browsing threat groups and their tools, they present some statistics about threat groups activities (source countries, target countries and sectors, most used tools\u2026). Most of these threat groups are considered APT (at the time of this writing, 250 out of 329, with last database change done 20 October 2020). But what happens when you need specific statistics or correlations? You can download a JSON file and exploit it yourself:<\/p>\n\n\n\n

$ curl -o out.json https:\/\/apt.thaicert.or.th\/cgi-bin\/getmisp.cgi?o=g \n<\/pre><\/p>\n\n\n\n
But JSON is a modern thing and is hard to handle with awk, one of the Tools from the Gods (https:\/\/www.securityartwork.es\/2018\/04\/12\/the-tools-of-gods\/<\/a>); so we also download JSON.sh to convert it to a pipeable format:<\/p>\n\n\n\n
$ curl -o JSON.sh https:\/\/raw.githubusercontent.com\/dominictarr\/JSON.sh\/master\/JSON.sh
 \n% Total    % Received % Xferd  Average Speed   Time    Time     Time Current  Dload  Upload   Total   Spent    Left  Speed
\n100  4809  100  4809    0     0  15512      0 --:--:-- --:--:-- --:--:-- 15512
\n$ chmod +x JSON.sh
\n$
\n<\/pre><\/p>\n\n\n\n
Now, we parse the JSON file with JSON.sh:<\/p>\n\n\n\n
$ cat out.json |.\/JSON.sh -l > work.txt\n<\/pre><\/p>\n\n\n\n
Et voil\u00e0, we have a file to feel comfortable with. But to feel more comfortable, we split the file into many files, one for each threat actor identified by ThaiCERT (in our main file, by the \u201cvalues\u201d key):<\/p>\n\n\n\n
$ n=`awk -F, 'index($1,\"values\")>0 {print $2}' work.txt |grep -v value| sort -n|uniq|tail -1` export n
\n$ for i in $(seq 1 $n);do grep \"values\\\",$i,\" work.txt >$i.txt;done
\n$
\n<\/pre><\/p>\n\n\n\n
Please, don\u2019t blame about the efficiency of this one-liner; it will be executed only once. While you are reading this line, now we have one single text file for each threat actor:<\/p>\n\n\n\n
$ ls [0-9]*.txt |wc -l
\n327
\n$
\n<\/pre><\/p>\n\n\n\n
Each of the text files is composed by entries of the form \u201c[key] value\u201d; just an example:<\/p>\n\n\n\n
$ cat 98.txt
\n[\"values\",98,\"value\"]   \"DustSquad, Golden Falcon\"
\n[\"values\",98,\"description\"]     \"(Kaspersky) For the last two years we have been monitoring a Russian-language cyberespionage 
\nactor that focuses on Central Asian users and diplomatic entities. We named the actor DustSquad and have provided private 
\nintelligence reports to our customers on four of their campaigns involving custom Android and Windows malware. In this 
\nblogpost we cover a malicious program for Windows called Octopus that mostly targets diplomatic entities.\\n\\nThe name 
\nwas originally coined by ESET in 2017 after the 0ct0pus3.php script used by the actor on their old C2 servers. We also 
\nstarted monitoring the malware and, using Kaspersky Attribution Engine based on similarity algorithms, discovered that 
\nOctopus is related to DustSquad, something we reported in April 2018. In our telemetry we tracked this campaign back to 
\n2014 in the former Soviet republics of Central Asia (still mostly Russian-speaking), plus Afghanistan.\"
\n[\"values\",98,\"meta\",\"synonyms\",0]       \"DustSquad\"
\n[\"values\",98,\"meta\",\"synonyms\",1]       \"Golden Falcon\"
\n[\"values\",98,\"meta\",\"synonyms\",2]       \"APT-C-34\"
\n[\"values\",98,\"meta\",\"synonyms\",3]       \"Nomadic Octopus\"
\n[\"values\",98,\"meta\",\"attribution-confidence\"]   \"50\"
\n[\"values\",98,\"meta\",\"country\"]  \"RU\"
\n[\"values\",98,\"meta\",\"motivation\",0]     \"Information theft and espionage\"
\n[\"values\",98,\"meta\",\"date\"]     \"2014\"
\n[\"values\",98,\"meta\",\"cfr-target-category\",0]    \"Defense\"
\n[\"values\",98,\"meta\",\"cfr-target-category\",1]    \"Government\"
\n[\"values\",98,\"meta\",\"cfr-target-category\",2]    \"Media\"
\n[\"values\",98,\"meta\",\"cfr-suspected-victims\",0]  \"Afghanistan\"
\n[\"values\",98,\"meta\",\"cfr-suspected-victims\",1]  \"Kazakhstan\"
\n[\"values\",98,\"meta\",\"refs\",0]   \"https:\/\/apt.thaicert.or.th\/cgi-bin\/showcard.cgi?u=982ea477-0c28-490e-87d6-3f43da257cae\"
\n[\"values\",98,\"meta\",\"refs\",1]   \"https:\/\/securelist.com\/octopus-infested-seas-of-central-asia\/88200\/\"
\n[\"values\",98,\"meta\",\"refs\",2]   \"https:\/\/www.zdnet.com\/article\/extensive-hacking-operation-discovered-in-kazakhstan\/\"
\n[\"values\",98,\"related\",0,\"dest-uuid\"]   \"e74394ee-e4ab-4642-aca4-fa84d0dcabbf\"
\n[\"values\",98,\"related\",0,\"tags\",0]      \"estimative-language:likelihood-probability=\\\"almost-certain\\\"\"
\n[\"values\",98,\"related\",0,\"type\"]        \"uses\"
\n[\"values\",98,\"related\",1,\"dest-uuid\"]   \"3d3bf55f-402e-4122-a52b-196aed8e6507\"
\n[\"values\",98,\"related\",1,\"tags\",0]      \"estimative-language:likelihood-probability=\\\"almost-certain\\\"\"
\n[\"values\",98,\"related\",1,\"type\"]        \"uses\"
\n[\"values\",98,\"related\",2,\"dest-uuid\"]   \"7ff6da6a-d13a-42db-91ac-ac6c3915f3d0\"
\n[\"values\",98,\"related\",2,\"tags\",0]      \"estimative-language:likelihood-probability=\\\"almost-certain\\\"\"
\n[\"values\",98,\"related\",2,\"type\"]        \"uses\"
\n[\"values\",98,\"uuid\"]    \u201c982ea477-0c28-490e-87d6-3f43da257cae\u201d
\n$
\n<\/pre><\/p>\n\n\n\n
Now everything is ready to start parsing the files and getting results. Let\u2019s go!<\/p>\n\n\n\n
Analysis: silly and simple questions<\/strong><\/h3>\n\n\n
<\/p>\n
Once we have processed the gathered information we can start our analysis trying to ask the silly and simple questions that many times we wonder. Let\u2019s go.\u00a0<\/p>\n
Which are the groups with more synonyms?<\/em><\/strong><\/p>\n
The silliest question I always wonder is why we use so many names for the same actor. Which one is the group with more names? Let\u2019s see:<\/p>\n
$ for i in [0-9]*.txt; do c=`grep synonyms\\\", $i|grep -vi operation|wc -l `; echo $c $i;done |sort -n|tail -1\n18 233.txt\n$<\/pre>\n
The result is \u201c233.txt\u201d, which corresponds to APT 28, with 18 synonyms; the second one in the ranking, with 16 names, is Turla. Casually, both of them are from Russia (we\u2019ll see later some curiosities about Russia).<\/p>\n
Apart from that, a personal opinion: 18 names for the same group! Definitely, once again, we need a standard for threat actor names. This can be your first sentence when giving a talk about APT: where is an ISO committee when it\u2019s needed?<\/p>\n
Which groups are from my country?<\/em><\/strong><\/p>\n
Well, outside well known actors\u2026 how many groups are from my country? Spanish ISO 3166-1 country code is ES, so let\u2019s look for Spanish threat actors with a simple command, as well as threat actors from other relevant countries<\/p>\n
$ grep \\\"country\\\" [0-9]*.txt|grep -w ES\n$ grep \\\"country\\\" [0-9]*.txt|grep -w DE\n$ grep \\\"country\\\" *.txt|grep -w IL\n183.txt:[\"values\",183,\"meta\",\"country\"]\t\u201cUS,IL\"\n$\n<\/pre>\n
No identified groups from Spain\u2026 well, I\u2019m sure this has a technical explanation: Spanish groups are so stealth that they are difficult to discover, and their OPSEC is so strong that, in case of being discovered, attribution is impossible. For sure! But what about Germany? Where is your Project Rahab now? And what about Israel, with only a sad starring together with US? Yes, it\u2019s Stuxnet, but only a single starring\u2026 I hope you are as good as Spanish groups: nobody can discover you, and attribution is impossible \ud83d\ude42 Another sentence for your APT talks: in the group of most stealth countries we can find Germany, Israel\u2026 or Spain.<\/p>\n
Has any threat group a clear attribution?<\/em><\/strong><\/p>\n
The answer, exploiting our data, is simple: NO. All groups have a \u201c50\u201d attribution confidence.<\/p>\n
$ grep attribution-confidence [0-9]*.txt|awk '{print $2}'|grep -v ^\\\u201d50\\\"\n$<\/pre>\n
One moment\u2026 this is an error. How can FBI show folks from Russia, China or Iran in their \u201cmost wanted posters\u201d without a clear attribution? Attribution matters, and I personally think some groups (just like APT28, my favorite one) should have a higher attribution confidence value.<\/p>\n
Simple questions<\/em><\/strong><\/p>\n
Once we have answered our silliest questions, it\u2019s time to wonder just simple ones\u2026 in first place:<\/p>\n
Which are the most targeted countries? And the most targeted sectors?<\/em><\/strong><\/p>\n
Once we have answered our silliest questions, it\u2019s time to wonder just simple ones\u2026 in this first case, no analysis has to be performed, as ThaiCERT directly shows these statistics in their portal. The most targeted country is US, followed by UK. Who could imagine that? \ud83d\ude42 And the most targeted sectors are Government and Defense. Also a big surprise\u2026<\/p>\n
Which are the most active countries?<\/em><\/strong><\/p>\n
As before, no analysis has to be performed. No surprises here: China, Russia and Iran are the most active countries, in this order, followed by North Korea.<\/p>\n
Which is the most analyzed threat group?<\/em><\/strong><\/p>\n
A simple query gives you the answer:<\/p>\n
$ for i in [0-9]*.txt; do c=`grep refs\\\", $i|wc -l `; echo $c $i;done |sort -n|tail -1\n69 233.txt\n$<\/pre>\n
The result is \u201c233.txt\u201d, which corresponds to APT28, with 69 references in the database (remember, APT28 was also the group with more synonyms\u2026both facts are obviously related); the second one in the ranking, with 58 references, is Lazarus.<\/p>\n
Which are the oldest threat groups? How is the distribution of threat groups discovery\/activity among time?<\/em><\/strong><\/p>\n
This is a more interesting question than previous ones\u2026 Let\u2019s construct and print a simple associative array from our data:<\/p>\n
$ grep \\\"meta\\\",\\\"date\\\"\\] [0-9]*.txt|awk '{print $2}'|sed 's\/\\\"\/\/g'|awk '{a[$0]++}END{for(k in a){print k,a[k]}}' >years\n$<\/pre>\n
Now we plot the file to see results:<\/p>\n
<\/p>\n
gnuplot> set boxwidth 0.5\ngnuplot> plot 'years' with boxes\n<\/pre>\n
<\/p>\n
<\/p>\n
\n
\"\"<\/figure>\n<\/div>\n
<\/p>\n
We can see two clear outliers, one dated at 1919 and the other dated at 1947; the first one is UK GCHQ and the second one is US CIA, and they both show the date when those services were established. As no other group is considered in this way (for example,\u00a0 Sofacy\/APT28 \u201cdate\u201d is not set to 1942, the GRU one), we could adjust those dates to a more realistic ones; but as this is not a IEEE paper about anomaly detection, but a simple blog post, it\u2019s faster to simply remove both txt files and re-run to get our results (and set xtics to 1 in gnuplot):\u00a0<\/p>\n
<\/p>\n
\n
\"\"<\/figure>\n<\/div>\n
<\/p>\n
We can see the oldest APT group is dated on 1996; looking at our txt files, this group is Turla, which started its activities 24 years ago. Five years later, in 2001, Equation Group officially started to operate (but we all suspect this is not probably true, and they started before)<\/p>\n
The number of identified groups operating since 2010 is growing fast; 2018 is the year when most groups are dated, a total of 33.\u00a0<\/p>\n
Which are the main motivations for APT groups?<\/em><\/strong><\/p>\n
Again, associative arrays are our friends:<\/p>\n
$ grep \\\"motivation\\\", [0-9]*.txt |awk -F\\\" '{print $8}'|sed 's\/\\\"\/\/g'|awk '{a[$0]++}END{for(k in a){print k,a[k]}}'\nFinancial gain 32\nInformation theft and espionage 216\nSabotage and destruction 14\nFinancial crime 50\n$ \n<\/pre>\n
No hacktivism, no surprise\u2026 As we suspected, most threat groups are focused on CNE operations, more than on CNA ones\u2026 \u00a0 We\u2019ll focus later on the last threat groups, those with destructive or manipulation capabilities\u2026<\/p>\n
Analysis: (not so) silly and simple questions<\/h3>\n
Once we have answered some silly & simple questions, it\u2019s time to wonder more complex ones, so let\u2019s imagine\u2026<\/p>\n
Are CNA threat actors increasing their activities during last years?<\/em><\/strong><\/p>\n
In the simple questions, we have concluded that sabotage and destruction motivations are not the most common among threat groups. But we are interested in these ones. Let\u2019s see them among time:<\/p>\n
for i in `grep \"Sabotage and destruction\" [0-9]*.txt|awk -F: '{print $1}'`; do grep \\\"meta\\\",\\\"date\\\"\\] $i|awk '{print $2}'|sed 's\/\\\"\/\/g';done|awk '{a[$0]++}END{for(k in a){print k,a[k]}}\u2019 >years.cna<\/pre>\n
Plotting the results, we have:<\/p>\n
gnuplot> set boxwidth 0.5\ngnuplot> set boxwidth 0.5\ngnuplot> set xtics 1\ngnuplot> set ytics 1\ngnuplot> set yrange [0:5]\ngnuplot> plot 'years.cna' with boxes <\/pre>\n
<\/p>\n
\n
\"\"<\/figure>\n<\/div>\n
<\/p>\n
Since 2012, the number of these threat actors has increased significantly: 9 out of 14 groups in the last eight years, so we can say it\u2019s a growing trend. Out of curiosity , the oldest group with CNA capabilities is dated in 2001. Can you guess its name? Yeah\u2026 Equation Group.<\/p>\n
Which are the countries with more CNA capabilities?<\/em><\/strong><\/p>\n
Let\u2019s look for the main hostile countries performing destructive or manipulation operations:<\/p>\n
$ for i in `grep \"Sabotage and destruction\" [0-9]*.txt|awk -F: '{print $1}'`; do grep \\\"meta\\\",\\\"country\\\"\\] $i|awk '{print $2}'|sed 's\/\\\"\/\/g';done|awk '{a[$0]++}END{for(k in a){print a[k],k}}'|sort -n\u00a0\n1 KP\n1 US\n1 US,IL\n2 IR\n7 RU\n$ <\/pre>\n
Russia has seven identified threat groups performing those operations; far, far away from Iran, with only two threat groups\u2026 Without any doubt, Russia is the champion in this ranking!!!<\/p>\n
And what about cyber crime? What about threat actors focused on pure economic interests?<\/em><\/strong><\/p>\n
We can perform a similar query than before to get these results:<\/p>\n
1 \"BY\"\n1 \"BY\"\n1 \"IR\"\n1 \"IT\"\n1 \"KZ\"\n1 \"PK\"\n1 \"RO\"\n1 \"SA\"\n1 \"UA\"\n2 \"US\"\n3 \"KP\"\n6 \"CN\"\n27 \"RU<\/pre>\n
Once again, the gold medal is for Russia also when talking about cybercrime groups.<\/p>\n
So Russia is the champion\u2026 can we focus on its information needs?<\/em><\/strong><\/p>\n
Sure. Let\u2019s see which sectors and countries are the ones targeted by Russian actors. In first place, look at the target sectors:<\/p>\n
$ cat russia.sh\n#!\/bin\/sh\n\nfor i in [0-9]*.txt; do\n        grep -w RU $i >\/dev\/null\n        if [ $? -eq 0 ]; then\n                grep cfr-target-category $i\n        fi\ndone |awk -F\\\" '{a[$8]++}END{ for(k in a){print a[k],\"\\x22\"k\"\\x22\"}}'|sort -n\n$ .\/russia.sh  >temp\n$<\/pre>\n
Now let\u2019s prepare our data to be plotted:<\/p>\n
$ awk '{print k++,$2,$3,$4,$1}\u2019\u00a0 temp >sectors.ru<\/a> #sorry for the quick hack\n$<\/pre>\n
gnuplot> set boxwidth 0.5\ngnuplot> set xtics rotate by 45 right\ngnuplot> unset key\ngnuplot> set style fill solid\ngnuplot> set title \"Russian target sectors\"\ngnuplot> plot \"sectors.ru\" using 1:3:xtic(2) with boxes <\/pre>\n
<\/p>\n
\n
\"\"<\/figure>\n<\/div>\n
<\/p>\n
As we can see, the main targets of the Russian Federation are the financial, government, defense, energy and media\/education. The \u201cmedia\u201d sector as a target is very curious\u2026 or it is not?<\/p>\n
Now let\u2019s look at the countries; modifying our script, and looking only for countries that have been targeted by at least five groups -simply for graphical reasons-, we get the following graph:<\/p>\n
<\/p>\n
\n
\"\"<\/figure>\n<\/div>\n
<\/p>\n
The first Russian target is\u2026 itself!! Well, it may not be a surprise if we deep into Russian intelligence (remember our older posts about the Russian Cyber Intelligence Community??).\u00a0 After Russia, we can confirm the Russian geographical areas of interest: ex-USSR republics and NATO mainly. Well, not a surprise if you know anything about Russian intelligence.<\/p>\n
Which countries are entering the APT arena in the last years?<\/em><\/strong><\/p>\n
First, we generate the datafile extracting the country and year from every threat group card -and labeling them with a sequential number in order to plot-:<\/p>\n
#!\/bin\/sh\nfor i in [0-9]*.txt; do\n\tc=`grep \\\"country\\\"\\] $i|awk '{print $2}'|sed s\/\\\"\/\/g`\n\ty=`grep \\\"date\\\"\\] $i|awk '{print $2}'|sed s\/\\\"\/\/g`\n\tif [ ! -z $c ] && [ ! -z $y ]; then\n\t\techo $c $y\n\tfi\ndone | awk 'BEGIN{k=1}{if (a[$1]==\"\") {a[$1]=k++} ; {print $2\" \"a[$1]\" \"$1 }}\u2019<\/pre>\n
Now let\u2019s draw our work:<\/p>\n
<\/p>\n
\n
\"\"<\/figure>\n<\/div>\n
<\/p>\n
As we can see, during the last ten years KP (North Korea) and, specially, IR (Iran), have been particularly active, \u00a0 increasing its activities, together with the usual actors (China, Russia or US). Other countries which were active during the first five years of the decade (SY, Syria, or IN, Indonesia, for example) now seem less active -or at least, its new threat groups are not discovered-; a detail: the old groups from these countries can also be active now\u2026 it\u2019s a little detail we\u2019ll comment now.<\/p>\n
I work for a Fortune 500 company. Can I have a magic quadrant for APT groups?<\/em><\/strong><\/p>\n
Sure. Gartner does its research to position technology players within a specific market and represent them in a Magic Quadrant (https:\/\/www.gartner.com\/en\/research\/methodologies\/magic-quadrants-research<\/a>). These quadrants classify each player into four categories (leaders, visionaries, niche players and challengers) by analyzing its \u201cability to execute\u201d and its \u201ccompleteness of vision\u201d.<\/p>\n
For our quadrant, let\u2019s consider \u201cAbility to execute\u201d as the period each actor has been active, and consider \u201cCompleteness of vision\u201d as the diversity of targets. Why this criteria? We can consider (well, more or less\u2026 remember this is not an IEEE paper but a blog post!) that an ability to execute can be estimated by the years a threat actor has been active (this is, has been executing operations); this is an interesting point: data gathered from APT groups from ThaiCERT source marks only its \u201cfoundation\u201d date, not the period they have been active. It should be necessary the use of a \u201clast time seen\u201d data to estimate a real ability to execute.\u00a0<\/p>\n
On the other hand, the completeness of vision is calculated by the number of targets a threat group has, both considering countries and sectors. A simple criteria: the more targets you have, the more complete is your vision\u2026 perhaps not exact from an academic point of view, but remember what we said about the IEEE paper \ud83d\ude42\u00a0<\/p>\n
Following our criteria, we can draw the first version of our Magic Quadrant; first, we can write a simple script to get the data, extracting for each threat actor its name, country (later we\u2019ll see why we are interested in the country), number of sectors and target countries and years active:<\/p>\n
$ cat extract.sh\nn=`ls [0-9]*.txt|wc -l`\nfor i in $(seq 1 $n);do\n        t=`grep \"$i,\\\"value\" $i.txt|awk -F\"\\t\"  '{print $2}'|sed 's\/\\\"\/\/g' `\n        name=`echo $t|awk -F, '{print $1}'`\n        country=`grep \\\"country\\\"] $i.txt|awk '{print $2}'|sed 's\/\\\"\/\/g' `\n        date=`awk 'index($1,\"date\")>0 {print $0}' $i.txt |awk '{print $2}'|sed 's\/\\\"\/\/g' `\n        y=`date +%Y`\n        ability=`expr $y - $date` \n        sectors=`grep -w cfr-target-category $i.txt|wc -l`\n        countries=`grep -w cfr-suspected-victims $i.txt|wc -l`\n        completeness=`expr $sectors + $countries` \n        echo $name:$pais:$completeness:$ability|awk -F: '{if($3>0 && length($2>0) && $4>=0){print $0}}'\ndone\n$ .\/extract.sh >data 2>\/dev\/null\n$<\/pre>\n
This script generates an output with the following format:<\/p>\n
$ head data\nAggah::31:2\nAllanite::3:3\nAPT 3:CN:17:13\nAPT 4:CN:6:13\nAPT 5:CN:5:13\nAPT 6:CN:2:9\nAPT 12:CN:9:11\nAPT 16:CN:7:5\nAPT 17:CN:21:11\nAPT 19:CN:12:7\n$<\/pre>\n
Let\u2019s format this file:<\/p>\n
$ awk -F: '{print $3\" \"$4\" \"\"\\x22\"$1\"\\x22\"}' data >quadrant\n$<\/pre>\n
And let\u2019s also make a \u201cnice\u201d magic quadrant:<\/p>\n
$ cat quadrant.plot\u00a0\nset title \"APT groups\" \nset xlabel \"Completeness of vision\"\nset ylabel \"Ability to execute\"\nset format y \"\"\nset format x \"\"\nunset key\nset parametric\nset arrow 1 from 40,0 to 40,25 nohead\nset arrow 2 from 0,12.5 to 80,12.5 nohead\nplot 'quadrant'  w labels point pt 7 offset char 1,1 \n$\n<\/pre>\n
So it\u2019s done, as we can see:<\/p>\n
<\/p>\n
\n
\"\"<\/figure>\n<\/div>\n
<\/p>\n
Definitely, not a nice Magic Quadrant suitable for our marketing team, but suitable to get interesting conclusions: Turla is a LEADER, as well as APT28 or Equation Group. Now you can say in your conference why Russia is the champion (remember also when talking about CNA): two out of its groups in the upper right side of the Magic Quadrant.\u00a0<\/p>\n
But inside Russian groups, the Champions League, how could this magic quadrant be? As you remember, we included the country code for each group in our previous script; this is useful to draw national magic quadrants. For example, the Russian one:<\/p>\n
$ awk -F: '$2==\"RU\" {print $3\" \"$4\" \"\"\\x22\"$1\"\\x22\"}' data >quadrant.russia\n$<\/pre>\n
Changing the title in our previous .plot file, and loading this new data file, we can get the Russian APT magic quadrant:<\/p>\n
<\/p>\n
\n
\"\"<\/figure>\n<\/div>\n
<\/p>\n
Please note that as Turla is a Russian group, and it was the clear leader from the previous global magic quadrant, and there are also Russian groups in the lower side, there is no need to change plot parameters; if we try the same with Chinese groups, a little adjust has to be done to get this result:<\/p>\n
<\/p>\n
\n
\"\"<\/figure>\n<\/div>\n
<\/p>\n
NetTraveler is the leader here; operating since 2004, and with 4 target sectors among 41 target countries, it\u2019s definitely a robust threat group. Resilient, as we can call them now \ud83d\ude42<\/p>\n
Can I have more sentences for my APT talks?<\/em><\/strong><\/p>\n
With a little help from AWK and gnuplot you can generate your own statistics, magic quadrants for your favorite country or any other data or correlation you may need. Apart from that, ThaiCERT maintains another JSON file with data related to the tools used by threat actors, so enjoy!!<\/p>\n
<\/p>\n
<\/p>\n
<\/p>\n
Conclusions<\/strong><\/p>\n
<\/p>\n
<\/p>\n
Now you have some tips, evidence-based, for your APT talks (don\u2019t forget to use these tips together with Sun Tzu\u2019s “Art of War\u201d quotes); with some more time, you can get to more stupid or interesting conclusions about threat groups activities, interests and origins. And exploiting other datasets (MITRE ATT&CK, here we go!) We can expand those conclusions.<\/p>\n
<\/p>\n
<\/p>\n
Some key data we can conclude after this little analysis of data:<\/p>\n
<\/p>\n
<\/p>\n