Who is SandCat: an unveiling of a lesser-known threat actor

Presented at VB2019, Oct. 3, 2019, 11 a.m. (30 minutes)

SandCat is a threat actor in the Central Asia region that has largely gone unnoticed, dating back to 2008. Kaspersky has recently been able to identify which nation is behind this group, even down to military unit numbers and names of individuals. While Kaspersky has written about the name 'SandCat' previously, we have not publicly attributed it to anyone until now. This presentation will walk the audience through how we were able to discover this actor, clues that led us to attribution, exploits and malware used by this actor, operational failures (including some screenshots of the actual operator's development systems), and why it is important to track all threat actors and not just the ones that make the big news cycles. In the case of SandCat, we were able to identify four zero-days in Microsoft Windows within four months by monitoring this actor alone. This actor is interesting for a number of reasons: they have been operating at some level of capacity for over 10 years; they seem to have an infinite budget to purchase exploits and toolkits from a multitude of suppliers; more recently they have begun to develop their own malware in-house; and they have repeatedly targeted journalists and human rights activists in the region.

### Related links

* [Researchers Say They Uncovered Uzbekistan Hacking Operations Due to Spectacularly Bad OPSEC](https://www.vice.com/en_us/article/3kx5y3/uzbekistan-hacking-operations-uncovered-due-to-spectacularly-bad-opsec) (*Motherboard*)
* [Meet Candiru - The Mysterious Mercenaries Hacking Apple And Microsoft PCs For Profit](https://www.forbes.com/sites/thomasbrewster/2019/10/03/meet-candiru-the-super-stealth-cyber-mercenaries-hacking-apple-and-microsoft-pcs-for-profit/#6ed26e9c5a39) (*Forbes*)
* [Uzbek spies attacked dissidents with off-the-shelf hacking tools](https://www.reuters.com/article/us-uzbekistan-cyber/uzbek-spies-attacked-dissidents-with-off-the-shelf-hacking-tools-idUSKBN1WI0YL) (*Reuters*)
* [How Uzbekistan's security service (allegedly) began developing its own malware](https://www.cyberscoop.com/uzbekistan-sandcat-kaspersky/) (*Cyberscoop*)
* [Kaspersky finds Uzbekistan hacking op… because group used Kaspersky AV](https://arstechnica.com/information-technology/2019/10/kaspersky-finds-uzbekistan-hacking-opbecause-they-used-kaspersky-av/) (*Ars Technica*)
* [Zero-day in Windows Kernel Transaction Manager (CVE-2018-8611)](https://securelist.com/zero-day-in-windows-kernel-transaction-manager-cve-2018-8611/89253/) (*Kaspersky Securelist*)
* [The fourth horseman: CVE-2019-0797 vulnerability](https://securelist.com/cve-2019-0797-zero-day-vulnerability/89885/) (*Kaspersky Securelist*)

Presenters:

  • Brian Bartholomew - Kaspersky
    Brian Bartholomew is a US-based principal researcher with Kaspersky's Global Research and Analysis Team (GReAT). He has previously spoken at Virus Bulletin, CanSecWest, SANS, SAS, as well as many closed-door private conferences. He was a co-author of 'Wave your false flags! Deception tactics muddying attribution in targeted attacks', published as part of the VB2016 conference proceedings. His career includes working for the US Department of State (2001-2009), overseas on a contract with another government (2009-2012), iSight Partners (2012-2015), and now with Kaspersky (2015-present).