# Threat Intel Reads – January 2019

**[threatintel.eu/2019/02/02/threat-intel-reads-january-2019](https://threatintel.eu/2019/02/02/threat-intel-reads-january-2019/)**

andreas.sfakianakis February 2, 2019

January was an interesting moth for CTI practitioners! I took some time and collected
the major articles and presentations that I read and watched during January 2019.

I hope you enjoy it.

1. Robert M. Lee – Attribution is not Transitive – Tribune Publishing Cyber Attack as

a Case Study – http://www.robertmlee.org/attribution-is-not-transitive-tribunepublishing-cyber-attack-as-a-case-study/
2. Politico – Suspect’s Twitter messages played role in NSA hacking-tools leak probe

[– https://www.politico.com/story/2018/12/31/nsa-hacking-case-twitter-1077013](https://www.politico.com/story/2018/12/31/nsa-hacking-case-twitter-1077013)
3. Maarten Goet – Windows Defender ATP: harnessing the collective intelligence of

the InfoSec community for threat hunting –
https://medium.com/@maarten.goet/windows-defender-atp-harnessing-thecollective-intelligence-of-the-infosec-community-for-threat-1758ec987db8
4. z3roTrust – The APT Chronicles_December 2018 edition –

https://medium.com/@z3roTrust/the-apt-chronicles-december-2018-editione3e5125ffcd2
5. BBC – German politicians targeted in mass data attack –

[https://www.bbc.com/news/world-europe-46757009](https://www.bbc.com/news/world-europe-46757009)
6. ZDNet – NSA to release a free reverse engineering tool –

[https://www.zdnet.com/article/nsa-to-release-a-free-reverse-engineering-tool/](https://www.zdnet.com/article/nsa-to-release-a-free-reverse-engineering-tool/)
7. Florian Roth – My Take on the Massive Data Leak Affecting German Politicians

and Public Figures – https://medium.com/@cyb3rops/my-take-on-the-massivedata-leak-affecting-german-politicians-and-public-figures-e7ca8d2b2513
8. Threatpost – First-Ever UEFI Rootkit Tied to Sednit APT –

[https://threatpost.com/uefi-rootkit-sednit/140420/](https://threatpost.com/uefi-rootkit-sednit/140420/)
9. FI-ISAC – TaHiTI – Threat Hunting Methodology

– https://www.betaalvereniging.nl/wp-content/uploads/DEF-TaHiTI-ThreatHunting-Methodology.pdf
[– https://www.mbsecure.nl/blog/2018/12/tahiti-threat-hunting-methodology](https://www.mbsecure.nl/blog/2018/12/tahiti-threat-hunting-methodology)
10. The Register – Cops: German suspect, 20, ‘confessed’ to mass hack of local

politicians
https://www.theregister.co.uk/2019/01/08/german_20_yr_old_confess_mass_hac
k_angriff/
11. Lenny Zeltser – A Short Cybersecurity Writing Course Just for You –

[https://zeltser.com/cybersecurity-writing-course/](https://zeltser.com/cybersecurity-writing-course/)
12. Reuters – Exclusive: New documents link Huawei to suspected front companies

in Iran, Syria – https://www.reuters.com/article/us-huawei-iran[exclusive/exclusive-new-documents-link-huawei-to-suspected-front-companies-](https://www.reuters.com/article/us-huawei-iran-exclusive/exclusive-new-documents-link-huawei-to-suspected-front-companies-in-iran-syria-idUSKCN1P21MH)
in-iran-syria-idUSKCN1P21MH


-----

14. Politico – Exclusive: How a Russian firm helped catch an alleged NSA data thief –

https://www.politico.com/story/2019/01/09/russia-kaspersky-lab-nsacybersecurity-1089131
15. FireEye – Global DNS Hijacking Campaign: DNS Record Manipulation at Scale –

https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijackingcampaign-dns-record-manipulation-at-scale.html
16. WSJ – America’s Electric Grid Has a Vulnerable Back Door—and Russia Walked

Through It – https://www.wsj.com/articles/americas-electric-grid-has-avulnerable-back-doorand-russia-walked-through-it-11547137112
17. SG Government – PUBLIC REPORT OF THE COMMITTEE OF INQUIRY INTO THE

CYBER ATTACK ON SINGAPORE HEALTH SERVICES PRIVATE LIMITED’S PATIENT
DATABASE ON OR AROUND 27 JUNE 2018 –
https://www.mci.gov.sg/~/media/mcicorp/doc/report%20of%20the%20coi%20int
[o%20the%20cyber%20attack%20on%20singhealth%2010%20jan%202019.pdf?](https://www.mci.gov.sg/~/media/mcicorp/doc/report of the coi into the cyber attack on singhealth 10 jan 2019.pdf?la=en)
la=en
18. Cyberwarcon – Are US Cyber Deterrence Operations Suppressing or Inciting

[Attacks? – https://www.youtube.com/watch?v=cp0rjgEpWEw](https://www.youtube.com/watch?v=cp0rjgEpWEw)
19. Hackmageddon – 2018: A Year of Cyber Attacks –

[https://www.hackmageddon.com/2019/01/15/2018-a-year-of-cyber-attacks/](https://www.hackmageddon.com/2019/01/15/2018-a-year-of-cyber-attacks/)
20. bit_of_hex – ATT&CKing the Singapore Health Data Breach –

[https://bitofhex.com/2019/01/13/attack-and-singapore-breach/](https://bitofhex.com/2019/01/13/attack-and-singapore-breach/)
21. CERT-OPMD – DNSPIONAGE – Focus on internal actions – https://blog
cert.opmd.fr/dnspionage-focus-on-internal-actions/
22. Crowdstrike – Big Game Hunting with Ryuk: Another Lucrative Targeted

Ransomware – https://www.crowdstrike.com/blog/big-game-hunting-with-ryukanother-lucrative-targeted-ransomware/
23. New York Times – Poland Arrests 2, Including Huawei Employee, Accused of

Spying for China – https://www.nytimes.com/2019/01/11/world/europe/polandchina-huawei-spy.html
24. The Register – Cyber-insurance shock: Zurich refuses to foot NotPetya

ransomware clean-up bill – and claims it’s ‘an act of war’ –
[https://www.theregister.co.uk/2019/01/11/notpetya_insurance_claim/](https://www.theregister.co.uk/2019/01/11/notpetya_insurance_claim/)
25. Cyberscoop – How sloppy OPSEC gave researchers an inside look at the exploit

industry – https://www.cyberscoop.com/mobile-zero-days-lookout-shmoocon2019-android-barracuda-ios-stonefish/
26. Recorded Future – The History of Ashiyane: Iran’s First Security Forum –

[https://www.recordedfuture.com/ashiyane-forum-history/](https://www.recordedfuture.com/ashiyane-forum-history/)
27. US DoJ – Two Ukrainian Nationals Indicted in Computer Hacking and Securities

Fraud Scheme Targeting U.S. Securities and Exchange Commission –
https://www.justice.gov/opa/pr/two-ukrainian-nationals-indicted-computerhacking-and-securities-fraud-scheme-targeting-us
28. EU ATT&CK community – third workshop – 9-10 May 2019 – https://www.attack
community.org/2019-01-15-Third-Workshop-At-Eurocontrol-Brussels/
29. Nextron Systems – 50 Shades of YARA – https://www.nextron

-----

[https://www.alexanderjaeger.de/autotimeliner-to-cyberchef-to-timesketch/](https://www.alexanderjaeger.de/autotimeliner-to-cyberchef-to-timesketch/)
31. Cyberscoop – Trisis investigator says Saudi plant outage could have been

prevented – https://www.cyberscoop.com/trisis-investigator-saudi-aramcoschneider-electric-s4x19/
32. ENISA – Analysis of the European R&D priorities in cybersecurity –

https://www.enisa.europa.eu/publications/analysis-of-the-european-r-dpriorities-in-cybersecurity
33. Flashpoint – Why Executive-Protection Teams Need Finished Intelligence –

https://www.flashpoint-intel.com/blog/why-executive-protection-teams-needfinished-intelligence/
34. WEF – The Global Risks Report 2019 – https://www.weforum.org/reports/the
global-risks-report-2019/
35. Christian Haschek – The curious case of the Raspberry Pi in the network closet –

[https://blog.haschek.at/2018/the-curious-case-of-the-RasPi-in-our-network.html](https://blog.haschek.at/2018/the-curious-case-of-the-RasPi-in-our-network.html)
36. CERT.PL – MWDB – our way to share information about malicious software –

https://www.cert.pl/en/news/single/mwdb-our-way-to-share-information-aboutmalicious-software/
37. ENISA – Supporting the Fight Against Cybercrime: ENISA report on CSIRTs and

Law Enforcement Cooperation – https://www.enisa.europa.eu/news/enisa[news/supporting-the-fight-against-cybercrime-enisa-report-on-csirts-and-law-](https://www.enisa.europa.eu/news/enisa-news/supporting-the-fight-against-cybercrime-enisa-report-on-csirts-and-law-enforcement-cooperation)
enforcement-cooperation
38. Bleeping Computer – DarkHydrus APT Uses Google Drive to Send Commands to

RogueRobin Trojanhttps://www.bleepingcomputer.com/news/security/darkhydrus-apt-uses-googledrive-to-send-commands-to-roguerobin-trojan/
39. MITRE’s ATT&CK – Part 1: Would a Detection by Any Other Name Detect as Well? –

https://medium.com/mitre-attack/would-a-detection-by-any-other-name-detectas-well-part-1-1577eba255bc
40. Lenny Zeltser – How can a single report appeal to both executives and

technologists? – https://www.linkedin.com/pulse/how-can-single-report-appealboth-executives-lenny-zeltser/
41. Measured Response – Threat Modeling – https://measuredresponse.org/threat
modeling
42. Cyberscoop – DHS releases emergency order to prevent DNS hijacking –

[https://www.cyberscoop.com/dhs-dns-directive-government-shutdown/](https://www.cyberscoop.com/dhs-dns-directive-government-shutdown/)
[43. DHS – Emergency Directive 19-01 – https://cyber.dhs.gov/ed/19-01/](https://cyber.dhs.gov/ed/19-01/)
44. Microsoft – Contextualizing Attacker Activity within Sessions in Exchange Online –

https://blogs.technet.microsoft.com/exchange/2019/01/04/contextualizingattacker-activity-within-sessions-in-exchange-online/
45. ZDNet – Zerodium will now pay $2 million for Apple iOS remote jailbreaks –

https://www.zdnet.com/article/zerodium-will-now-pay-2-million-for-apple-iosremote-jailbreaks/
46. WSJ – Inside Google’s Team Fighting to Keep Your Data Safe From Hackers –

[https://www.wsj.com/articles/inside-googles-team-battling-hackers-11548264655](https://www.wsj.com/articles/inside-googles-team-battling-hackers-11548264655)


-----

exploitation/
48. Lenny Zeltser – Write a Strong Executive Summary for Your Security Assessment

Report – https://zeltser.com/executive-summary-for-security-assessment-reporttips/
49. Lukasz Olejnik – The French doctrine of offensive cyber operations –

[https://blog.lukaszolejnik.com/the-french-doctrine-of-offensive-cyber-operations/](https://blog.lukaszolejnik.com/the-french-doctrine-of-offensive-cyber-operations/)
50. 360 – Global Advanced Persistent Threat (APT) 2018 Summary Report –

[https://www.freebuf.com/articles/paper/193553.html](https://www.freebuf.com/articles/paper/193553.html)
51. Dark Reading – Triton/Trisis Attack Was More Widespread Than Publicly Known –

https://www.darkreading.com/attacks-breaches/triton-trisis-attack-was-morewidespread-than-publicly-known/d/d-id/1333661
52. The Intercept – Intellipedia BIOS Threats –

[https://theintercept.com/document/2019/01/24/intellipedia-bios-threats/](https://theintercept.com/document/2019/01/24/intellipedia-bios-threats/)
53. NCSC-UK – ALERT: DNS hijacking activity – https://www.ncsc.gov.uk/alerts/alert
dns-hijacking-activity
54. MITRE’s ATT&CK – Part 2: Would a Detection by Any Other Name Detect as Well? –

https://medium.com/mitre-attack/would-a-detection-by-any-other-name-detectas-well-part-2-2b2cf9180e21
55. Daily Beast – This Time It’s Russia’s Emails Getting Leaked –

[https://www.thedailybeast.com/this-time-its-russias-emails-getting-leaked](https://www.thedailybeast.com/this-time-its-russias-emails-getting-leaked)
56. Kaspersky – GreyEnergy’s overlap with Zebrocy –

[https://securelist.com/greyenergys-overlap-with-zebrocy/89506/](https://securelist.com/greyenergys-overlap-with-zebrocy/89506/)
57. Cyberwarcon – Barely whispering – https://www.youtube.com/watch?

v=h8pTjIMxsag
58. The Citizen Lab – Statement from Citizen Lab Director on attempted operations

against researchers – https://citizenlab.ca/2019/01/statement-from-citizen-labdirector-on-attempted-operations-against-researchers/
59. Steve Micallef – OSINT and the new perimeter –

[https://medium.com/@micallst/osint-and-the-new-perimeter-20d19361e18](https://medium.com/@micallst/osint-and-the-new-perimeter-20d19361e18)
60. Rappler – Russian disinformation system influences PH social media –

https://www.rappler.com//newsbreak/investigative/221470-russiandisinformation-system-influences-philippine-social-media
61. ENISA – ENISA Threat Landscape Report 2018 –

[https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-2018](https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-2018)
62. Huawei indictment –

[https://assets.bwbx.io/documents/users/iqjWHBFdfxIU/rIz2tT7h2.Fs/v0](https://assets.bwbx.io/documents/users/iqjWHBFdfxIU/rIz2tT7h2.Fs/v0)
63. Virus Bulletin – Threat intelligence teams should consider recruiting journalists –

https://www.virusbulletin.com/blog/2019/01/threat-intelligence-teams-shouldconsider-recruiting-journalists/
64. DNI – Threat Assessment of the US Intelligence Community –

https://www.dni.gov/index.php/newsroom/congressional-testimonies/item/1947[statement-for-the-record-worldwide-threat-assessment-of-the-us-intelligence-](https://www.dni.gov/index.php/newsroom/congressional-testimonies/item/1947-statement-for-the-record-worldwide-threat-assessment-of-the-us-intelligence-community)
community
65. EclecticIQ – On the Importance of Standard Operating Procedures in Threat


-----

66. ENISA – ENISA publishes training course material on network forensics for

cybersecurity specialists – https://www.enisa.europa.eu/news/enisa-news/enisa[publishes-training-course-material-on-network-forensics-for-cybersecurity-](https://www.enisa.europa.eu/news/enisa-news/enisa-publishes-training-course-material-on-network-forensics-for-cybersecurity-specialists)
specialists
67. Reuters – The Karma Hack: UAE used cyber super-weapon to spy on iPhones of

[foes – https://www.reuters.com/investigates/special-report/usa-spying-karma/](https://www.reuters.com/investigates/special-report/usa-spying-karma/)
68. Reuters – Project Raven : Inside the UAE’s secret hacking team of American

mercenaries- https://www.reuters.com/investigates/special-report/usa-spyingraven/
69. SANS – SANS CTI Summit Presentations – https://www.sans.org/cyber-security
summit/archives/
70. Red Canary – Five Great Talks from the SANS CTI Summit –

[https://www.redcanary.com/blog/five-great-talks-from-the-sans-cti-summit/](https://www.redcanary.com/blog/five-great-talks-from-the-sans-cti-summit/)
71. Splunk – Datamodel Endpoint – https://www.splunk.com/blog/2019/01/17/
datamodel-endpoint.html
72. Dragos – Uncovering ICS Threat Activity Groups

– https://dragos.com/blog/industry-news/webinar-summary-uncovering-icsthreat-activity-groups/
[– https://www.youtube.com/watch?v=23cRqcKWpTI](https://www.youtube.com/watch?v=23cRqcKWpTI)
73. Dale Peterson – Post Game Analysis: S4 ICS Detection Challenge – https://dale
peterson.com/2019/01/31/post-game-analysis-s4-ics-detection-challenge/
74. Dirk-jan Mollema – Abusing Exchange: One API call away from Domain Admin –

[https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/](https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/)
75. FireEye – State of the Hack: NoEasyBreach REVISITED –

[https://www.pscp.tv/w/1BdGYOMvYBDxX](https://www.pscp.tv/w/1BdGYOMvYBDxX)


-----