lazarusholic

Interview with the Chollima IV

2025-11-03, Bitso
https://quetzal.bitso.com/p/interview-with-the-chollima-iv
#FamousChollima

Contents

Some researchers like collecting indicators of compromise; others prefer watching silently and drafting indicators of activity, analysing their adversaries' behaviours and reactions.
I'm more in the second group. A threat actor's activity can sometimes yield (or help you infer) interesting information such as their level of veterancy.
Indicators of veterancy are those that tell you "this man here, it is not his first rodeo". Look at things like staying calm under fire, kind and educated communication (especially during extortions), and overall patience. These are things that separate bunches of Discord SIM swappers from long-time criminals and APTs.
Truth be told, the only way to discover these indicators is by engaging with threat actors, and what we learnt from doing so with the Chollimas is… well, disappointing to say the least:
Nervous: They are natural liars, and very bad ones.
They get nervous when questioned (like that kid the other day tweaking live on camera).
Their lies …

IoC

https://www.linkedin.com/in/julian-mendez-working0628/