TA456's Multipronged Approach to Intelligence Gathering

Presented at THOTCON 0xB (2021) Rescheduled, Oct. 8, 2021, 12:30 p.m. (25 minutes)

The Iranian-aligned APT TA456 (Tortoiseshell) used a two-pronged approach to intelligence gathering in its cyber operations targeting aerospace defense contractors throughout 2021. One method observed in threat campaigns involved extensive time and effort spent developing social media personas to build relationships with targets. These personas used well-known psychology principles to gain the targets' trust so the actor could eventually deploy customized malware, dubbed LEMPO, to conduct further reconnaissance on the target's host machine and exfiltrate sensitive information. In other campaigns, TA456 conducted reconnaissance by masquerading as news organizations while using customized links and tracking pixels. These phishing emails attempted to blend in with spam while using actor-controlled infrastructure to gather intelligence. While examining TA456's operations and the differences between its intelligence gathering methodologies, we'll discuss adversary emulation possibilities, identify detection opportunities, and further explain our attribution for one of the most determined Iranian-aligned APTs we track.


Presenters:

  • Joshua Miller
    Joshua is a Senior Threat Researcher for Proofpoint, where he tracks targeted threats with a focus on Iranian-aligned threats. Formerly internal CTI for a health care company and FBI Intelligence.