Leveraging OSINT To Track Cyber Threat Actors, Curtis Hanson
OSINT to track cyber threat actors
SANS OSINT Summit
February 2021
Who is speaking?
Curtis Hanson
• Cyber Threat Intelligence Analyst at PwC.
• Previous work includes enhanced due diligence investigations and KYC checks.
• Area of focus is Middle East and Africa, tracking mostly Iran-based threat actors.
Contact Info
curtis.hanson@pwc.com
@cybershtuff
Background
• Who: Lab Dookhtegan, an unknown entity.
• When: 26 March 2019.
• What: Leaked highly sensitive information on an Iran-based threat actor called OilRig (e.g., technical details, victims, personnel).
• Where: Online via Telegram (initially Twitter, but that account was shut down quickly).
• Why: An intent to deny, disrupt and degrade the Iranian government; the hallmarks of an information operation.
Behzad Mesri
• Indicted twice (2017 and 2019).
• Stole unaired Game of Thrones material from HBO and attempted extortion.
• Targeted US intelligence personnel.
• Allegedly working for the IRGC.
• Typical details provided by the FBI:
– Alias (Skote Vahshat)
– Date of Birth (24 Aug 1988)
– Nationality (Iranian)
Incorporation Records
• Translate NET PEYGARD SMAVAT to Farsi and look it up in Iran's corporate registry records.
• The company record lists Mr. Mesri as CEO, along with three other board appointments.
• Mr. Mesri's National ID number is also listed.
Registry record extract: Behzad Mesri, National Identification 2909905624
An obstacle is inspiration
• Background: https://www.wired.com/story/iran-hackers-oilrig-read-my-lips/
• Lab Dookhtegan Telegram Channel: https://t.me/lab_dookhtegan
• Twitter Trends and how they are determined: https://help.twitter.com/en/using-twitter/twitter-trending-faqs
• Twitter Trends Data: https://www.trendsmap.com/, https://www.tweetbinder.com/blog/twitter-advanced-search/, https://getdaytrends.com/