Sandra Bardón
Red team leader, pentester, researcher, lecturer and previously Blue teamer (DFIR and threat hunting). Sandra is an ITC engineer, GXPN, OSCE, OSCP, … with more than 16 years of experience in cyber security, leading different kinds of projects such as pentesting and exercises on Red teaming, Purple teaming and Table-top. She has supported many organisations, including NATO CCDCOE and the Spanish Joint Cyber Defence Command, and currently works at the United Nations (UNICC). A real challenge lover!
Sessions
In the proposed talk, the speakers will comprehensively analyze the relevant operations of the APT group MuddyWater, which emerged on the cybersecurity scene in 2017. This group, with an initial focus on government targets in Iraq and Saudi Arabia, has extended its operations to other countries in the Middle East, as well as Europe and the United States. Throughout 2018, a significant increase in spear phishing documents targeting government, military, telecommunications and educational entities was identified in Jordan, Turkey, Azerbaijan and Pakistan. Victims have also been detected in Mali, Austria, Russia, Iran and Bahrain, notably the 2017 attack on the National Cyber Security Center of Saudi Arabia to steal credentials and data.
The authorship of MuddyWater's operations remains unknown, although its attacks appear to be geopolitically motivated, targeting high-profile personnel and organizations. The code used in their latest attacks includes features that appear designed to distract and disorient researchers, such as the use of Chinese characters and names such as Leo, PooPak, Vendetta, and Turk in the malware.
MuddyWater is responsible for many attacks and constantly develops new methods and techniques to improve them. This includes active developers improving their toolset to minimize exposure to security products and services. The recent attacks indicate a growing interest in Africa, although its main targets remain Iraq and Saudi Arabia.
In the presentation, the operations carried out by MuddyWater in 2022 and 2023 will be analyzed from the perspective of two different disciplines, offensive security and intelligence analysis, highlighting and analyzing the private tools used by the group, such as NIHAY, a C#-based tool to download and run payloads; LISFONSERVICE, a C#-based RAT; and POWERSTATS, a PowerShell-based first-stage backdoor, among others. In addition to private tools, the group uses tooling also used by red teams, such as Koadic C3 COM Command & Control, Meterpreter, Mimikatz, PowerShell-based scripts, LAZAGNE, Slaver.py, Cr.exe and Mmap.py (called "MapTools" by MuddyWater).
Through this talk, the speakers will provide a comprehensive view of MuddyWater's techniques, strategies and objectives, highlighting the perspectives of offensive security and intelligence analysis. The goal is to provide a deep understanding of how this APT group operates and how a combined approach can be used to understand its TTPs.