Threat Intel

The Sand Clock model of cybersecurity

Sun Tzu by Fabricio Miranda

Today I want to share with you a cybersecurity model that I developed while I was conducting some trainings for different clients. I made it as a way to explain different concepts on offense and defense.

Its a direct relation between our infrastructure self-awareness and what we know about the adversaries out there. Its about preparation and strategy. Its about the cyber-war we fight every day.

The paper is 14 pages long, so I posted the download button at the bottom (Its a PDF file).

MD5:    60AA1B9A30A603642464FC15A580D701
SHA256: 2C55C8BAF39AD9824E8A47DE267DA2B082BCB2DACF0F1FE01B599580CF4E7088
Threat Intel

The APT that hunts other APT’s: “APT49”, “BlueHornet”, “AgaintsTheWest”

This amazing picture is from the genius Valentin Tkach

Around October of the past year, a new group who self-procalimed BlueHornet aka AgainstTheWest shown up at forums like the already dead RAID Forums (This was a well-known site to share information about security breaches, leaks, but also to sell drugs, personal data, etc. The owner of the site was captured at the United Kingdom the 21st of January).

More recently, at the successor of the RAID forums, a website called, this Actor shown up again with the following account:

He got banned from the site by the admins on March 18, but he created a new account the same day, which is the one we can see on the previous picture.

¿What’s the peculiarity about this group? ¿What makes them so different from the rest?

Their motivation is quite interesting if you allow me to be said. They act as Hacktivist pursuing mainly other Threat Actors’ information (but not exclusively). So far, their focus has been groups from China (Including China’s Banks), Russia, Iran and North Korea. Profs, so far, points them to be from North America or at least from the OTAN block. Though this doesn’t mean this is a state-sponsored group, quite contrary, since they submitted quizzes on their Twitter account asking people to vote for potential targets, and they are self-proclaimed hacktivists and journalists, among other things.

¿Which communication platforms they use?

So far, we have seen publications related to all their leaks on Twitter, Telegram, and the previously mentioned site They also have a Github repository called AgaintsTheWest.

¿What’s the information leaked about the other APTs and which ones?

The information published at was related to some members of the Threat Actors Known as APT3, APT28, APT38 and APT40.

We have to clarify that part of this information was already known by the Feds, but wasn’t public.

APT3: Gothic Panda

Introduction from MITRE ATT&CK

APT3 is a China-based threat group that researchers have attributed to China’s Ministry of State Security. This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap. As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong.

In 2017, MITRE developed an APT3 Adversary Emulation Plan.

Member Information:

APT28: Fancy Bear

Introduction from MITRE ATT&CK

APT28 is a threat group that has been attributed to Russia’s General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165. This group has been active since at least 2004.

APT28 reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election. In 2018, the US indicted five GRU Unit 26165 officers associated with APT28 for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations. Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as Sandworm Team.

Member Information:

APT38: Lazarus Group

Introduction from MITRE ATT&CK

APT38 is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau. Active since at least 2014, APT38 has targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide. Significant operations include the 2016 Bank of Bangladesh heist, during which APT38 stole $81 million, as well as attacks against Bancomext (2018) and Banco de Chile (2018); some of their attacks have been destructive.

North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.

Member Information:

APT40: Leviathan aka Kryptonite Panda

Introduction from MITRE ATT&CK

Leviathan is a Chinese state-sponsored cyber espionage group that has been attributed to the Ministry of State Security’s (MSS) Hainan State Security Department and an affiliated front company. Active since at least 2009, Leviathan has targeted the following sectors: academia, aerospace/aviation, biomedical, defense industrial base, government, healthcare, manufacturing, maritime, and transportation across the US, Canada, Europe, the Middle East, and Southeast Asia.

Member Information:

Potential Allies

Intrusion Truth
-Belarusian Cyber Partisans
-Anonymous Taiwan

Giving closure to this

Recently, the group stated on its Telegram account that it would stop its activities, pursuing a “normal life” for all its members. Nonetheless, their account remains active and is being used at the Breached Forum.

Im, sure there’s probably a more complete inform our there. Still, I hope this information will be helpful for other Cybersec Researchers, Threat Intelligence Analysts, and SOC Analysts in the wild.

If you find this information useful or you liked it, feel free to add a comment 😉

See ya’ space cowboy…


The Who, What, Where, When, Why and How of Effective Threat Hunting

Excellent paper from Robert M. Lee and Rob Lee about what it is Threat Hunting, when you should implement it, how to make it more effective; whom should be taking care of this role, in which part of your organization should be located, among other things.

Highly recommended if you’re interested on the Intelligence methodologies and implementing this practice on your company’s maturity model.

You can find this paper at the SANS DFIR community here.