Threat Intel Reads – January 2019


andreas.sfakianakis February 2, 2019

Threat Intel Reads – January 2019
threatintel.eu/2019/02/02/threat-intel-reads-january-2019

January was an interesting moth for CTI practitioners! I took some time and collected
the major articles and presentations that I read and watched during January 2019.

I hope you enjoy it.

1. Robert M. Lee – Attribution is not Transitive – Tribune Publishing Cyber Attack as
a Case Study – http://www.robertmlee.org/attribution-is-not-transitive-tribune-
publishing-cyber-attack-as-a-case-study/

2. Politico – Suspect’s Twitter messages played role in NSA hacking-tools leak probe
– https://www.politico.com/story/2018/12/31/nsa-hacking-case-twitter-1077013

3. Maarten Goet – Windows Defender ATP: harnessing the collective intelligence of
the InfoSec community for threat hunting –
https://medium.com/@maarten.goet/windows-defender-atp-harnessing-the-
collective-intelligence-of-the-infosec-community-for-threat-1758ec987db8

4. z3roTrust – The APT Chronicles_December 2018 edition –
https://medium.com/@z3roTrust/the-apt-chronicles-december-2018-edition-
e3e5125ffcd2

5. BBC – German politicians targeted in mass data attack –
https://www.bbc.com/news/world-europe-46757009

6. ZDNet – NSA to release a free reverse engineering tool –
https://www.zdnet.com/article/nsa-to-release-a-free-reverse-engineering-tool/

7. Florian Roth – My Take on the Massive Data Leak Affecting German Politicians
and Public Figures – https://medium.com/@cyb3rops/my-take-on-the-massive-
data-leak-affecting-german-politicians-and-public-figures-e7ca8d2b2513

8. Threatpost – First-Ever UEFI Rootkit Tied to Sednit APT –
https://threatpost.com/uefi-rootkit-sednit/140420/

9. FI-ISAC – TaHiTI – Threat Hunting Methodology
– https://www.betaalvereniging.nl/wp-content/uploads/DEF-TaHiTI-Threat-
Hunting-Methodology.pdf
– https://www.mbsecure.nl/blog/2018/12/tahiti-threat-hunting-methodology

10. The Register – Cops: German suspect, 20, ‘confessed’ to mass hack of local
politicians 
https://www.theregister.co.uk/2019/01/08/german_20_yr_old_confess_mass_hac
k_angriff/

11. Lenny Zeltser – A Short Cybersecurity Writing Course Just for You –
https://zeltser.com/cybersecurity-writing-course/

12. Reuters – Exclusive: New documents link Huawei to suspected front companies
in Iran, Syria – https://www.reuters.com/article/us-huawei-iran-
exclusive/exclusive-new-documents-link-huawei-to-suspected-front-companies-
in-iran-syria-idUSKCN1P21MH

13. Julia Reda – In January, the EU starts running Bug Bounties on Free and Open
1/5

https://threatintel.eu/2019/02/02/threat-intel-reads-january-2019/
http://www.robertmlee.org/attribution-is-not-transitive-tribune-publishing-cyber-attack-as-a-case-study/
https://www.politico.com/story/2018/12/31/nsa-hacking-case-twitter-1077013
https://medium.com/@maarten.goet/windows-defender-atp-harnessing-the-collective-intelligence-of-the-infosec-community-for-threat-1758ec987db8
https://medium.com/@z3roTrust/the-apt-chronicles-december-2018-edition-e3e5125ffcd2
https://www.bbc.com/news/world-europe-46757009
https://www.zdnet.com/article/nsa-to-release-a-free-reverse-engineering-tool/
https://medium.com/@cyb3rops/my-take-on-the-massive-data-leak-affecting-german-politicians-and-public-figures-e7ca8d2b2513
https://threatpost.com/uefi-rootkit-sednit/140420/
https://www.betaalvereniging.nl/wp-content/uploads/DEF-TaHiTI-Threat-Hunting-Methodology.pdf
https://www.mbsecure.nl/blog/2018/12/tahiti-threat-hunting-methodology
https://www.theregister.co.uk/2019/01/08/german_20_yr_old_confess_mass_hack_angriff/
https://zeltser.com/cybersecurity-writing-course/
https://www.reuters.com/article/us-huawei-iran-exclusive/exclusive-new-documents-link-huawei-to-suspected-front-companies-in-iran-syria-idUSKCN1P21MH


Source Software – https://juliareda.eu/2018/12/eu-fossa-bug-bounties/
14. Politico – Exclusive: How a Russian firm helped catch an alleged NSA data thief –

https://www.politico.com/story/2019/01/09/russia-kaspersky-lab-nsa-
cybersecurity-1089131

15. FireEye – Global DNS Hijacking Campaign: DNS Record Manipulation at Scale –
https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-
campaign-dns-record-manipulation-at-scale.html

16. WSJ – America’s Electric Grid Has a Vulnerable Back Door—and Russia Walked
Through It – https://www.wsj.com/articles/americas-electric-grid-has-a-
vulnerable-back-doorand-russia-walked-through-it-11547137112

17. SG Government – PUBLIC REPORT OF THE COMMITTEE OF INQUIRY INTO THE
CYBER ATTACK ON SINGAPORE HEALTH SERVICES PRIVATE LIMITED’S PATIENT
DATABASE ON OR AROUND 27 JUNE 2018 –
https://www.mci.gov.sg/~/media/mcicorp/doc/report%20of%20the%20coi%20int
o%20the%20cyber%20attack%20on%20singhealth%2010%20jan%202019.pdf?
la=en

18. Cyberwarcon – Are US Cyber Deterrence Operations Suppressing or Inciting
Attacks? – https://www.youtube.com/watch?v=cp0rjgEpWEw

19. Hackmageddon – 2018: A Year of Cyber Attacks –
https://www.hackmageddon.com/2019/01/15/2018-a-year-of-cyber-attacks/

20. bit_of_hex – ATT&CKing the Singapore Health Data Breach –
https://bitofhex.com/2019/01/13/attack-and-singapore-breach/

21. CERT-OPMD – DNSPIONAGE – Focus on internal actions – https://blog-
cert.opmd.fr/dnspionage-focus-on-internal-actions/

22. Crowdstrike – Big Game Hunting with Ryuk: Another Lucrative Targeted
Ransomware – https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-
another-lucrative-targeted-ransomware/

23. New York Times – Poland Arrests 2, Including Huawei Employee, Accused of
Spying for China – https://www.nytimes.com/2019/01/11/world/europe/poland-
china-huawei-spy.html

24. The Register – Cyber-insurance shock: Zurich refuses to foot NotPetya
ransomware clean-up bill – and claims it’s ‘an act of war’ –
https://www.theregister.co.uk/2019/01/11/notpetya_insurance_claim/

25. Cyberscoop – How sloppy OPSEC gave researchers an inside look at the exploit
industry – https://www.cyberscoop.com/mobile-zero-days-lookout-shmoocon-
2019-android-barracuda-ios-stonefish/

26. Recorded Future – The History of Ashiyane: Iran’s First Security Forum –
https://www.recordedfuture.com/ashiyane-forum-history/

27. US DoJ – Two Ukrainian Nationals Indicted in Computer Hacking and Securities
Fraud Scheme Targeting U.S. Securities and Exchange Commission –
https://www.justice.gov/opa/pr/two-ukrainian-nationals-indicted-computer-
hacking-and-securities-fraud-scheme-targeting-us

28. EU ATT&CK community – third workshop – 9-10 May 2019 – https://www.attack-
community.org/2019-01-15-Third-Workshop-At-Eurocontrol-Brussels/

29. Nextron Systems – 50 Shades of YARA – https://www.nextron-
systems.com/2019/01/02/50-shades-of-yara/

2/5

https://juliareda.eu/2018/12/eu-fossa-bug-bounties/
https://www.politico.com/story/2019/01/09/russia-kaspersky-lab-nsa-cybersecurity-1089131
https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html
https://www.wsj.com/articles/americas-electric-grid-has-a-vulnerable-back-doorand-russia-walked-through-it-11547137112
https://www.mci.gov.sg/~/media/mcicorp/doc/report of the coi into the cyber attack on singhealth 10 jan 2019.pdf?la=en
https://www.youtube.com/watch?v=cp0rjgEpWEw
https://www.hackmageddon.com/2019/01/15/2018-a-year-of-cyber-attacks/
https://bitofhex.com/2019/01/13/attack-and-singapore-breach/
https://blog-cert.opmd.fr/dnspionage-focus-on-internal-actions/
https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/
https://www.nytimes.com/2019/01/11/world/europe/poland-china-huawei-spy.html
https://www.theregister.co.uk/2019/01/11/notpetya_insurance_claim/
https://www.cyberscoop.com/mobile-zero-days-lookout-shmoocon-2019-android-barracuda-ios-stonefish/
https://www.recordedfuture.com/ashiyane-forum-history/
https://www.justice.gov/opa/pr/two-ukrainian-nationals-indicted-computer-hacking-and-securities-fraud-scheme-targeting-us
https://www.attack-community.org/2019-01-15-Third-Workshop-At-Eurocontrol-Brussels/
https://www.nextron-systems.com/2019/01/02/50-shades-of-yara/


30. Alex Jäger – Autotimeliner to CyberChef to Timesketch –
https://www.alexanderjaeger.de/autotimeliner-to-cyberchef-to-timesketch/

31. Cyberscoop – Trisis investigator says Saudi plant outage could have been
prevented – https://www.cyberscoop.com/trisis-investigator-saudi-aramco-
schneider-electric-s4x19/

32. ENISA – Analysis of the European R&D priorities in cybersecurity –
https://www.enisa.europa.eu/publications/analysis-of-the-european-r-d-
priorities-in-cybersecurity

33. Flashpoint – Why Executive-Protection Teams Need Finished Intelligence –
https://www.flashpoint-intel.com/blog/why-executive-protection-teams-need-
finished-intelligence/

34. WEF – The Global Risks Report 2019 – https://www.weforum.org/reports/the-
global-risks-report-2019/

35. Christian Haschek – The curious case of the Raspberry Pi in the network closet –
https://blog.haschek.at/2018/the-curious-case-of-the-RasPi-in-our-network.html

36. CERT.PL  – MWDB – our way to share information about malicious software –
https://www.cert.pl/en/news/single/mwdb-our-way-to-share-information-about-
malicious-software/

37. ENISA – Supporting the Fight Against Cybercrime: ENISA report on CSIRTs and
Law Enforcement Cooperation – https://www.enisa.europa.eu/news/enisa-
news/supporting-the-fight-against-cybercrime-enisa-report-on-csirts-and-law-
enforcement-cooperation

38. Bleeping Computer – DarkHydrus APT Uses Google Drive to Send Commands to
RogueRobin Trojan-
https://www.bleepingcomputer.com/news/security/darkhydrus-apt-uses-google-
drive-to-send-commands-to-roguerobin-trojan/

39. MITRE’s ATT&CK – Part 1: Would a Detection by Any Other Name Detect as Well? –
https://medium.com/mitre-attack/would-a-detection-by-any-other-name-detect-
as-well-part-1-1577eba255bc

40. Lenny Zeltser – How can a single report appeal to both executives and
technologists? – https://www.linkedin.com/pulse/how-can-single-report-appeal-
both-executives-lenny-zeltser/

41. Measured Response – Threat Modeling – https://measuredresponse.org/threat-
modeling

42. Cyberscoop – DHS releases emergency order to prevent DNS hijacking –
https://www.cyberscoop.com/dhs-dns-directive-government-shutdown/

43. DHS – Emergency Directive 19-01 – https://cyber.dhs.gov/ed/19-01/
44. Microsoft – Contextualizing Attacker Activity within Sessions in Exchange Online –

https://blogs.technet.microsoft.com/exchange/2019/01/04/contextualizing-
attacker-activity-within-sessions-in-exchange-online/

45. ZDNet – Zerodium will now pay $2 million for Apple iOS remote jailbreaks –
https://www.zdnet.com/article/zerodium-will-now-pay-2-million-for-apple-ios-
remote-jailbreaks/

46. WSJ – Inside Google’s Team Fighting to Keep Your Data Safe From Hackers –
https://www.wsj.com/articles/inside-googles-team-battling-hackers-11548264655

47. TrustedSec – Learn the basics of post-exploitation from advanced infosec

3/5

https://www.alexanderjaeger.de/autotimeliner-to-cyberchef-to-timesketch/
https://www.cyberscoop.com/trisis-investigator-saudi-aramco-schneider-electric-s4x19/
https://www.enisa.europa.eu/publications/analysis-of-the-european-r-d-priorities-in-cybersecurity
https://www.flashpoint-intel.com/blog/why-executive-protection-teams-need-finished-intelligence/
https://www.weforum.org/reports/the-global-risks-report-2019/
https://blog.haschek.at/2018/the-curious-case-of-the-RasPi-in-our-network.html
https://www.cert.pl/en/news/single/mwdb-our-way-to-share-information-about-malicious-software/
https://www.enisa.europa.eu/news/enisa-news/supporting-the-fight-against-cybercrime-enisa-report-on-csirts-and-law-enforcement-cooperation
https://www.bleepingcomputer.com/news/security/darkhydrus-apt-uses-google-drive-to-send-commands-to-roguerobin-trojan/
https://medium.com/mitre-attack/would-a-detection-by-any-other-name-detect-as-well-part-1-1577eba255bc
https://www.linkedin.com/pulse/how-can-single-report-appeal-both-executives-lenny-zeltser/
https://measuredresponse.org/threat-modeling
https://www.cyberscoop.com/dhs-dns-directive-government-shutdown/
https://cyber.dhs.gov/ed/19-01/
https://blogs.technet.microsoft.com/exchange/2019/01/04/contextualizing-attacker-activity-within-sessions-in-exchange-online/
https://www.zdnet.com/article/zerodium-will-now-pay-2-million-for-apple-ios-remote-jailbreaks/
https://www.wsj.com/articles/inside-googles-team-battling-hackers-11548264655


professionals – https://www.trustedsec.com/2018/12/webinar-series-post-
exploitation/

48. Lenny Zeltser – Write a Strong Executive Summary for Your Security Assessment
Report – https://zeltser.com/executive-summary-for-security-assessment-report-
tips/

49. Lukasz Olejnik – The French doctrine of offensive cyber operations –
https://blog.lukaszolejnik.com/the-french-doctrine-of-offensive-cyber-operations/

50. 360 – Global Advanced Persistent Threat (APT) 2018 Summary Report –
https://www.freebuf.com/articles/paper/193553.html

51. Dark Reading – Triton/Trisis Attack Was More Widespread Than Publicly Known –
https://www.darkreading.com/attacks-breaches/triton-trisis-attack-was-more-
widespread-than-publicly-known/d/d-id/1333661

52. The Intercept – Intellipedia BIOS Threats –
https://theintercept.com/document/2019/01/24/intellipedia-bios-threats/

53. NCSC-UK – ALERT: DNS hijacking activity – https://www.ncsc.gov.uk/alerts/alert-
dns-hijacking-activity

54. MITRE’s ATT&CK – Part 2: Would a Detection by Any Other Name Detect as Well? –
https://medium.com/mitre-attack/would-a-detection-by-any-other-name-detect-
as-well-part-2-2b2cf9180e21

55. Daily Beast – This Time It’s Russia’s Emails Getting Leaked –
https://www.thedailybeast.com/this-time-its-russias-emails-getting-leaked

56. Kaspersky – GreyEnergy’s overlap with Zebrocy –
https://securelist.com/greyenergys-overlap-with-zebrocy/89506/

57. Cyberwarcon – Barely whispering – https://www.youtube.com/watch?
v=h8pTjIMxsag

58. The Citizen Lab – Statement from Citizen Lab Director on attempted operations
against researchers – https://citizenlab.ca/2019/01/statement-from-citizen-lab-
director-on-attempted-operations-against-researchers/

59. Steve Micallef – OSINT and the new perimeter –
https://medium.com/@micallst/osint-and-the-new-perimeter-20d19361e18

60. Rappler – Russian disinformation system influences PH social media –
https://www.rappler.com//newsbreak/investigative/221470-russian-
disinformation-system-influences-philippine-social-media

61. ENISA – ENISA Threat Landscape Report 2018 –
https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-2018

62. Huawei indictment –
https://assets.bwbx.io/documents/users/iqjWHBFdfxIU/rIz2tT7h2.Fs/v0

63. Virus Bulletin – Threat intelligence teams should consider recruiting journalists –
https://www.virusbulletin.com/blog/2019/01/threat-intelligence-teams-should-
consider-recruiting-journalists/

64. DNI – Threat Assessment of the US Intelligence Community –
https://www.dni.gov/index.php/newsroom/congressional-testimonies/item/1947-
statement-for-the-record-worldwide-threat-assessment-of-the-us-intelligence-
community

65. EclecticIQ – On the Importance of Standard Operating Procedures in Threat
Intelligence – https://blog.eclecticiq.com/on-the-importance-of-standard-

4/5

https://www.trustedsec.com/2018/12/webinar-series-post-exploitation/
https://zeltser.com/executive-summary-for-security-assessment-report-tips/
https://blog.lukaszolejnik.com/the-french-doctrine-of-offensive-cyber-operations/
https://www.freebuf.com/articles/paper/193553.html
https://www.darkreading.com/attacks-breaches/triton-trisis-attack-was-more-widespread-than-publicly-known/d/d-id/1333661
https://theintercept.com/document/2019/01/24/intellipedia-bios-threats/
https://www.ncsc.gov.uk/alerts/alert-dns-hijacking-activity
https://medium.com/mitre-attack/would-a-detection-by-any-other-name-detect-as-well-part-2-2b2cf9180e21
https://www.thedailybeast.com/this-time-its-russias-emails-getting-leaked
https://securelist.com/greyenergys-overlap-with-zebrocy/89506/
https://www.youtube.com/watch?v=h8pTjIMxsag
https://citizenlab.ca/2019/01/statement-from-citizen-lab-director-on-attempted-operations-against-researchers/
https://medium.com/@micallst/osint-and-the-new-perimeter-20d19361e18
https://www.rappler.com//newsbreak/investigative/221470-russian-disinformation-system-influences-philippine-social-media
https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-2018
https://assets.bwbx.io/documents/users/iqjWHBFdfxIU/rIz2tT7h2.Fs/v0
https://www.virusbulletin.com/blog/2019/01/threat-intelligence-teams-should-consider-recruiting-journalists/
https://www.dni.gov/index.php/newsroom/congressional-testimonies/item/1947-statement-for-the-record-worldwide-threat-assessment-of-the-us-intelligence-community
https://blog.eclecticiq.com/on-the-importance-of-standard-operating-procedures-in-threat-intelligence


operating-procedures-in-threat-intelligence
66. ENISA – ENISA publishes training course material on network forensics for

cybersecurity specialists – https://www.enisa.europa.eu/news/enisa-news/enisa-
publishes-training-course-material-on-network-forensics-for-cybersecurity-
specialists

67. Reuters – The Karma Hack: UAE used cyber super-weapon to spy on iPhones of
foes – https://www.reuters.com/investigates/special-report/usa-spying-karma/

68. Reuters – Project Raven : Inside the UAE’s secret hacking team of American
mercenaries- https://www.reuters.com/investigates/special-report/usa-spying-
raven/

69. SANS – SANS CTI Summit Presentations – https://www.sans.org/cyber-security-
summit/archives/

70. Red Canary – Five Great Talks from the SANS CTI Summit –
https://www.redcanary.com/blog/five-great-talks-from-the-sans-cti-summit/

71. Splunk – Datamodel Endpoint – https://www.splunk.com/blog/2019/01/17/-
datamodel-endpoint.html

72. Dragos – Uncovering ICS Threat Activity Groups
– https://dragos.com/blog/industry-news/webinar-summary-uncovering-ics-
threat-activity-groups/
– https://www.youtube.com/watch?v=23cRqcKWpTI

73. Dale Peterson – Post Game Analysis: S4 ICS Detection Challenge – https://dale-
peterson.com/2019/01/31/post-game-analysis-s4-ics-detection-challenge/

74. Dirk-jan Mollema – Abusing Exchange: One API call away from Domain Admin –
https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/

75. FireEye – State of the Hack: NoEasyBreach REVISITED –
https://www.pscp.tv/w/1BdGYOMvYBDxX

5/5

https://www.enisa.europa.eu/news/enisa-news/enisa-publishes-training-course-material-on-network-forensics-for-cybersecurity-specialists
https://www.reuters.com/investigates/special-report/usa-spying-karma/
https://www.reuters.com/investigates/special-report/usa-spying-raven/
https://www.sans.org/cyber-security-summit/archives/
https://www.redcanary.com/blog/five-great-talks-from-the-sans-cti-summit/
https://www.splunk.com/blog/2019/01/17/-datamodel-endpoint.html
https://dragos.com/blog/industry-news/webinar-summary-uncovering-ics-threat-activity-groups/
https://www.youtube.com/watch?v=23cRqcKWpTI
https://dale-peterson.com/2019/01/31/post-game-analysis-s4-ics-detection-challenge/
https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/
https://www.pscp.tv/w/1BdGYOMvYBDxX

	Threat Intel Reads – January 2019