Who is SandCat: an unveiling of a lesser-known threat actor

Thursday 3 October 11:00 - 11:30, Green room

Brian Bartholomew (Kaspersky)

SandCat is a threat actor in the Central Asia region that has largely gone unnoticed, dating back to 2008. Kaspersky has recently been able to identify which nation is behind this group, even down to military unit numbers and names of individuals. While Kaspersky has written about the name ‘SandCat’ previously, we have not publicly attributed it to anyone until now.

This presentation will walk the audience through how we were able to discover this actor, clues that led us to attribution, exploits and malware used by this actor, operational failures (including some screenshots of the actual operator’s development systems), and why it is important to track all threat actors and not just the ones that make the big news cycles. In the case of SandCat, we were able to identify four zero-days in Microsoft Windows within four months by monitoring this actor alone.

This actor is interesting for a number of reasons: they have been operating at some level of capacity for over 10 years; they seem to have an infinite budget to purchase exploits and toolkits from a multitude of suppliers; more recently they have begun to develop their own malware in-house; and they have repeatedly targeted journalists and human rights activists in the region.

 Related links



Brian Bartholomew

Brian Bartholomew is a US-based principal researcher with Kaspersky's Global Research and Analysis Team (GReAT). He has previously spoken at Virus Bulletin, CanSec West, SANS, SAS, as well as many closed-door private conferences. He was a co-author of 'Wave your false flags! Deception tactics muddying attribution in targeted attacks', published as part of the VB2016 conference proceedings. His career includes working for the US Department of State (2001-2009), overseas on a contract with another government (2009-2012), iSight Partners (2012-2015), and now with Kaspersky (2015-present).

Back to VB2019 Programme page

Other VB2019 papers

For reserve paper

Reserve speaker (TBA)

HELO, is that you? New challenges tracking Winnti activity

Stefano Ortolani (Lastline)
Jason Zhang (Lastline)

Simjacker - the next frontier in mobile espionage

Cathal Mc Daid (AdaptiveMobile Security)

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.