Thursday 3 October 11:00 - 11:30, Green room
Brian Bartholomew (Kaspersky)
SandCat is a threat actor in the Central Asia region that has largely gone unnoticed, dating back to 2008. Kaspersky has recently been able to identify which nation is behind this group, even down to military unit numbers and names of individuals. While Kaspersky has written about the name ‘SandCat’ previously, we have not publicly attributed it to anyone until now.
This presentation will walk the audience through how we were able to discover this actor, clues that led us to attribution, exploits and malware used by this actor, operational failures (including some screenshots of the actual operator’s development systems), and why it is important to track all threat actors and not just the ones that make the big news cycles. In the case of SandCat, we were able to identify four zero-days in Microsoft Windows within four months by monitoring this actor alone.
This actor is interesting for a number of reasons: they have been operating at some level of capacity for over 10 years; they seem to have an infinite budget to purchase exploits and toolkits from a multitude of suppliers; more recently they have begun to develop their own malware in-house; and they have repeatedly targeted journalists and human rights activists in the region.
Brian Bartholomew is a US-based principal researcher with Kaspersky's Global Research and Analysis Team (GReAT). He has previously spoken at Virus Bulletin, CanSec West, SANS, SAS, as well as many closed-door private conferences. He was a co-author of 'Wave your false flags! Deception tactics muddying attribution in targeted attacks', published as part of the VB2016 conference proceedings. His career includes working for the US Department of State (2001-2009), overseas on a contract with another government (2009-2012), iSight Partners (2012-2015), and now with Kaspersky (2015-present).
Andrew Brandt (Sophos)
Ivan Kwiatkowski (Kaspersky)
Bobby Filar (Endgame)