Leveraging OSINT To Track Cyber Threat Actors, Curtis Hanson


Leveraging OSINT to track cyber threat actors
SANS OSINT Summit
February 2021
Who is speaking?

Curtis Hanson
• Cyber Threat Intelligence Analyst at PwC.

• Previous work includes enhanced due diligence investigations and KYC checks.

• Area of focus is Middle East and Africa, tracking mostly Iran-based threat actors.

Contact Info
curtis.hanson@pwc.com
@cybershtuff

Leveraging OSINT to track cyber threat actors 11 February 2021


PwC 2
Today’s discussion

1. A look at using Twitter trends to attribute and timeline events.

2. Finding information not previously reported by the FBI.

3. Validating an anonymous source before it goes public.

1 An obstacle is inspiration
Who is Lab Dookhtegan?

Background
• Who: Lab Dookhtegan – an unknown entity.
• When: 26 March 2019.
• What: Leaks highly sensitive information on an Iran-based threat actor called OilRig (e.g., technical details, victims, personnel).
• Where: Online via Telegram (initially Twitter, but the account was shut down quickly).
• Why: An intent to deny, disrupt and degrade the Iranian government – hallmarks of an information operation.

Information on the periphery

Using Twitter trends for attribution and timelining
• Social media accounts deleted after being exposed, so limited validation of authenticity (i.e., post-mortem social media analysis).
• Twitter trends are based on the following:
– Location
– Likes
– Retweets
– Following
– Followers
• Trending hashtags shown on the slide: #Norway, #Oslo, #trondheim, #MUFC, #Liverpool, #DJRG19, #ESNball, #debatten

Second day of the countering online disinformation symposium in Oslo. #DJRG19

Quick recap

Techniques
• Analyse the background.
• Twitter trends and hashtags.

Tools and Sources
• Twitter trends data.
• Seven days for current trends.
• Historical data is available.

Applications
• Timeline events.
• Geolocate.
• Assess motivations and intentions.

2 Leave no stone unturned
FBI Most Wanted

Behzad Mesri
• Indicted twice (2017 & 2019).
• Stole GoT and attempted extortion.
• Targeted US intelligence personnel.
• Allegedly working for the IRGC.
• Typical details provided by the FBI:
– Alias (Skote Vahshat)
– Date of Birth (24 Aug 1988)
– Nationality (Iranian)

Which cyber activity does Mr. Mesri most closely align with?

Cross referencing information

Indictment and Sanctions
• The 2019 indictment states that Mr. Mesri registered a company on 23 December 2014.
• However, at the time the company’s name is known only to the US government.
• That changes when OFAC sanctions the company and lists it as NET PEYGARD SMAVAT.
• NET PEYGARD SMAVAT is a transliteration from Farsi, so it is easy to use a Farsi keyboard to switch back to the native spelling.

A goldmine of information

Incorporation Records
• Translate NET PEYGARD SMAVAT to Farsi and look it up in Iran’s corporate registry records.
• The company record lists Mr. Mesri as CEO, along with three other board appointments.
• Mr. Mesri’s National ID number is also listed.

Missing from both the FBI & OFAC

Behzad Mesri
National Identification: 2909905624

Trust but verify

Dates and Calendars
• Activity per the indictment aligns very closely with a known cyber campaign between April – May 2014.
• 10/02/1393 is listed on the incorporation records, but DOJ says December 23, 2014.
• Iran uses the Persian calendar, while the West uses the Gregorian calendar.
• US uses date format (MM/DD/YY).
• Iran uses the international date format (DD/MM/YY).
• Reading 10/02/1393 in the US order gives December 2014; reading it in the Iranian order shows that NET PEYGARD SMAVAT was actually registered in April 2014.
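The two readings of the registry date can be checked rather than eyeballed. The following is an added example, not code from the talk: it converts a Solar Hijri (Persian) date to Gregorian with the arithmetic 33-year-cycle algorithm and reads the same "10/02/1393" string in the Iranian DD/MM order and in the US MM/DD order, which reproduces both the DOJ date and the April 2014 date the slide arrives at.

```python
from datetime import date

# Month lengths: Gregorian common year, and Solar Hijri (Farvardin..Esfand, 29 in a common year).
G_DAYS = [31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31]
J_DAYS = [31, 31, 31, 31, 31, 31, 30, 30, 30, 30, 30, 29]


def jalali_to_gregorian(jy: int, jm: int, jd: int) -> date:
    """Solar Hijri (Jalali) -> Gregorian, using the arithmetic 33-year-cycle
    algorithm from FarsiWeb's jalali.c (exact for the dates found in modern records)."""
    jy -= 979                                   # count from 1 Farvardin 979
    days = 365 * jy + (jy // 33) * 8 + (jy % 33 + 3) // 4   # whole years plus leap days
    days += sum(J_DAYS[:jm - 1]) + (jd - 1)     # whole months plus days
    g = days + 79                               # 1 Farvardin 979 is 79 days before 1 Jan 1600
    gy = 1600 + 400 * (g // 146097)             # 400-year Gregorian cycles
    g %= 146097
    leap = True
    if g >= 36525:                              # first century of the cycle has one extra day
        g -= 1
        gy += 100 * (g // 36524)
        g %= 36524
        if g >= 365:
            g += 1
        else:
            leap = False
    gy += 4 * (g // 1461)                       # 4-year cycles
    g %= 1461
    if g >= 366:
        leap = False
        g -= 1
        gy += g // 365
        g %= 365
    for i, length in enumerate(G_DAYS):
        length += 1 if (i == 1 and leap) else 0
        if g < length:
            return date(gy, i + 1, g + 1)
        g -= length
    raise ValueError("day-of-year out of range")


def read_registry_date(text: str, day_first: bool) -> date:
    """Read a 'xx/yy/yyyy' Solar Hijri string as DD/MM/YYYY (Iranian convention,
    day_first=True) or MM/DD/YYYY (US habit) and return the Gregorian date."""
    a, b, year = (int(p) for p in text.split("/"))
    day, month = (a, b) if day_first else (b, a)
    if not (1 <= month <= 12 and 1 <= day <= 31):
        raise ValueError(f"not a valid Solar Hijri date: {text!r}")
    return jalali_to_gregorian(year, month, day)
```

Calling `read_registry_date("10/02/1393", day_first=False)` gives 2014-12-23 (the DOJ reading) and `day_first=True` gives 2014-04-30, inside the April – May 2014 campaign window.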

Quick recap

Techniques
• Cross reference information.
• Trust but verify.
• Use incorporation records.

Tools and Sources
• Indictments.
• Sanctions announcements.
• Corporate registration records in Iran.
• Link analysis tool (Maltego).

Applications
• National ID numbers of entities.
• Identify corporate appointments.
• Dates of incorporation.

3 Hiding in plain sight
A simple news article

What’s in the article?
• The Daily Beast reports on 22 October 2019 on an “Iranian Hacking Group”.
• It cites a sealed US indictment and an anonymous source familiar with the matter.
• Allegedly M.R.S.CO and Iranian Dark Coders Team are the threat actors.
• They targeted the satellite industry between 2016 and 2017.
• An alleged victim cited in the article is Digital Globe.

Thinking like a hacker

Spoofing the target’s domain
• Attempted different permutations of Digital Globe:
– dlgitialglobe[.]com (i → l)
– digitalglobe[.]tk (TLD change)
– digitalqlobe[.]com (g → q) – We have a winner!
• Passive DNS records show ‘digitalqlobe’ was registered/used around 2016-2017, alongside other suspicious domains.
• The domain appears in a 2017 report on an Iran-based threat actor who has an HBO hacker connection… sounds familiar!?
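The permutation step above can be made systematic so that a passive DNS export is checked against every single-edit look-alike of the victim’s domain rather than a handful of hand-typed guesses. This is an added example, not code from the talk: the confusable table, the TLD list and the passive-DNS-style sample are constructed; only the digitalqlobe[.]com spelling comes from the slide.

```python
# Look-alike substitutions: the two from the talk (i -> l, g -> q) plus a few other
# common confusables. Constructed and deliberately non-exhaustive.
CONFUSABLES = {"i": ("l", "1"), "l": ("i", "1"), "g": ("q",), "q": ("g",),
               "o": ("0",), "0": ("o",), "m": ("rn",), "e": ("3",), "a": ("4",), "s": ("5",)}
ALT_TLDS = ("com", "net", "org", "tk", "co", "info")  # constructed sample of TLDs to watch


def refang(indicator: str) -> str:
    """Normalise a (possibly defanged) indicator such as 'digitalqlobe[.]com' to a hostname."""
    return indicator.strip().lower().replace("[.]", ".").replace("(.)", ".")


def lookalikes(brand_domain: str) -> set:
    """Return every single-edit look-alike of brand_domain: one confusable swap at any
    position of the label, plus the unchanged label on each alternate TLD."""
    label, _, tld = refang(brand_domain).partition(".")
    out = {f"{label}.{t}" for t in ALT_TLDS if t != tld}
    for i, ch in enumerate(label):
        for repl in CONFUSABLES.get(ch, ()):
            out.add(f"{label[:i]}{repl}{label[i + 1:]}.{tld}")
    return out


def flag_lookalikes(brand_domain: str, observed: list) -> list:
    """Return the observed domains (e.g. from a passive DNS export) that fall inside the
    look-alike set of brand_domain, sorted for a stable report."""
    return sorted({refang(d) for d in observed} & lookalikes(brand_domain))


# Constructed passive-DNS style export: digitalqlobe[.]com is the spelling the talk
# describes; the other entries are made up for this example.
OBSERVED = ["digitalqlobe[.]com", "digitalglobe.com", "cdn-updates[.]net",
            "mail-digitalglobe[.]com"]

if __name__ == "__main__":
    for hit in flag_lookalikes("digitalglobe.com", OBSERVED):
        print("look-alike seen in passive DNS:", hit)
```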

The HBO hacker connection

Simple search to further the investigation
• Online search for “M.R.S.CO”.
• Results include public code written by “M.R.S.CO” and a friend, which includes the alias Skote_Vahshat.
• Skote Vahshat is Mr. Mesri’s alias per his FBI Most Wanted poster.
• Can now assess with greater confidence that the original news story is valid, while furthering the initial reporting.

Iranian Hackers Indicted for Stealing Data from Aerospace and Satellite Tracking Companies
US Department of Justice, 17 September 2020

Quick recap

Techniques
• Read the news.
• Think like a hacker.
• Use simple searches to further the investigation.

Tools and Sources
• Search engines (try them all).
• Passive DNS records.
• Indictments.

Applications
• Validate an anonymous source.
• Expand on the initial report.
• Produce intelligence before it is widely and publicly reported.

In closing

1. No need for fancy technical tools or capabilities to conduct OSINT on cyber threat actors.

2. OSINT is more of a mindset than anything.
• Use an obstacle as inspiration.
• Leave no stone unturned.
• Information is hiding in plain sight.

3. There is a little cyber threat intel analyst in all of us and our techniques are universal for all investigative professions:
• Journalists;
• Law enforcement;
• KYC/EDD, etc.

Sources, Tools, etc.
Exercise caution and use proper cyber hygiene when visiting links; some of these links may no longer be valid; and note that some sources may or may not be free.

An obstacle is inspiration
• Background: https://www.wired.com/story/iran-hackers-oilrig-read-my-lips/
• Lab Dookhtegan Telegram Channel: https://t.me/lab_dookhtegan
• Twitter Trends and how they are determined: https://help.twitter.com/en/using-twitter/twitter-trending-faqs
• Twitter Trends Data: https://www.trendsmap.com/, https://www.tweetbinder.com/blog/twitter-advanced-search/, https://getdaytrends.com/

Leave no stone unturned

• FBI Most Wanted Behzad Mesri: https://www.fbi.gov/wanted/cyber/copy_of_behzad-mesri
• Indictment: https://www.justice.gov/usao-dc/press-release/file/1131636/download
• Sanctions: https://home.treasury.gov/news/press-releases/sm611, https://sanctionssearch.ofac.treas.gov/
• Iran Corporate Registry: https://www.rrk.ir/News/ShowOldNews, https://opencorporates.com/
• Maltego (Link Analysis Tool): https://www.maltego.com/
• Persian Calendar Converter: https://calcuworld.com/calendar-calculators/persian-calendar-converter/

Hiding in plain sight

• News Article: https://www.thedailybeast.com/iranian-hacking-group-targeted-us-satellite-companies
• Passive DNS Records: https://community.riskiq.com/, https://domainbigdata.com/
• Charming Kitten Report: https://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf
• WebShell: https://github.com/tennc/webshell/blob/master/php/wsb/wsb.pl
• Indictment: https://www.justice.gov/opa/pr/state-sponsored-iranian-hackers-indicted-computer-intrusions-us-satellite-companies

Thank you

pwc.com
