As the introduction said there, we're going to try and give a little discussion on the mixed and blurred lines that we're starting to see with APT groups and probably the more notorious crimeware groups. So who am I? My name is Warren Mercer. I'm a security researcher at Cisco Talos, spoken at NorthSec a few times, had the great pleasure of speaking at a great conference. Some of my key skills: not blaming Canada because it's never you guys, not holding any of my Bitcoin and selling it all too early, and then more professionally, APT undergathered. Some things like Olympic Destroyer, NotPetya, WannaCry, worked in most of those cases and incidents. I'm based out in Northern Ireland and I'm going to pass you over to Vitor here. Vitor is going to lead you through the first half of the presentation and then we'll swap around. Who are you, Vitor?

Thank you, Warren. I am Vitor. I work at Cisco Talos. I really enjoy NorthSec. I have never been to Canada. I'm hoping that next year will be the year, finally. I love malware, all kinds of malware. There are some things that really annoy me, like insecure instant messaging, which is all around. And yeah, for this talk, I will be talking a little bit about APTs and the mixing that we are seeing. I'm located in Portugal. Next slide.

So we'll start by talking a little bit about state-sponsored and state-related. We want to introduce a couple of new concepts to make these blurred lines a little less blurry and easier to understand. Then we'll talk about the second tier examples, and we'll learn what's the first tier and what's the second tier during the presentation. And finally, why does this matter? There's no use in introducing new concepts if you don't really explain why this is important and what's the disadvantage of it. So first, let's make one thing absolutely clear. Not all state-sponsored actors are APTs and not all APTs are state-sponsored.
And this is really important because we often see a lot of confusion, that APTs and state-sponsored are all the same. Well, in the end, that's not the fact and we need to make this absolutely clear. And because of this, we decided to introduce a new concept, which is state-related. So basically what we mean is that, well, there's really no point in talking about state-sponsored if at the same time we are trying to say that not all actors are really evolved and some of them might not even be directly sponsored. So as such, it's important to make this distinction. It's important to actually change the wording, and we go from state-sponsored to state-related. They are related to a state but not necessarily sponsored in a direct way. So let's go to a new slide. I don't know if you can see the slides, and I cannot see them. Okay, hearing it, sorry about that.

So let's now talk about how we can distinguish them. So first, state-sponsored was a model where everything was put in the same bag. You would have all kinds of different actors all in the state-sponsored bag. And well, some of them might not be that sophisticated. Some of them might not be directly linked to or supported by a state. So we decided it's time to split this apart. And with the state-related model, what we want to define is a different approach where we say there are different tiers of actors. You will have actors which are first tier, and those would be the ones that most of us already know. And then you will have the ones which are not directly under some government organization's wing. And these are the ones that, although they are aligned with the state, they might not be directly sponsored by it. I will go into details a little bit further. So let's go for the next one. I think that it's pretty easy when we think about these kinds of distinctions. But let's now look into the details to make it absolutely clear. So first tiers, they would be normally identified as APTs. This one would be.
And we are talking about the ones like APT28, APT29, all the ones that have been directly associated to a specific state organization. And especially the ones where this association has been done by intelligence agencies. So these would be our first tier. And these are usually APTs, yes. They are really advanced. They have a really focused targeting. They will completely burn down their infrastructure once they are exposed. These would be the regular APTs.

But then we have the second tier APTs. So the second tier APTs, or state-related, they are usually identified as APTs, but one might have doubts. And the point here is that their methodologies are not consistent with the first tier. They are methodologies that are much more consistent with crimeware activities and groups than specific APTs. And when we talk about their methodology, we are talking about the victimology, we are talking about their infrastructure, we are talking about all kinds of TTPs that would identify them. And if you take out the motivation part, you could easily mistake them for crimeware, big crimeware organizations. And hence, this is why we want to make this distinction. So now this is where the lines get blurred, of course. And because we really hate blurred lines, let's put them side by side and try to figure out what the differences are. So on one side we have the crimeware, on the other side we have the second tier. We're not going to talk a lot about the first tier because those are pretty well defined. And yeah, it seems like this is almost the same, right? Let's try to really, really spot the difference. I will give you a couple of seconds if you are live, because we are not, but just go to the next slide. And here we go. There's pretty much one difference. That difference is the motivation. So for crimeware organizations, you will have a direct financial motivation.
For the second tier state-related ones, well, you pretty much don't. You cannot find a clear, direct financial motivation because their motivations are usually aligned with the state which they are related to. Now, what we will show a little bit to you in the next examples is that some of these groups who have been working exclusively with the state motivations may be changing that. And we can see that because their victimology is also changing. So if they are changing their victimology, maybe their motivations are also changing, and that's what we need to look at. So I will dare you, Warren, to give us some examples.

Yeah, I'm trying to, but it won't let me move the slide anymore. I guess we have a squirrel on the other side. I think we have a couple of squirrels because now I'm moving too many slides. Yeah, it's completely lagged. I mean, I can't move slides. OK, maybe you can talk without the slides. Yeah, it's just going on. Yeah, maybe I can. So the concept that we're trying to discuss here is a new classification. Oh, you've no video. Great. That's why you can't see my slides. It's interesting. Yeah, mine has completely crashed. Let's try that again real quick. Let me see one second. You can see it again now. That's interesting. OK, we're back now. OK, sorry about that. OK, great. So you can see it now.

So yes, as Vitor mentioned, obviously we're trying to come up with this new concept. So for us to have a thought process around a new concept, we're obviously going to try and give you some examples that we believe fit into this state-related second tier actor group that we want to define. So I'm going to talk about Gamaredon. So Vitor and I published a post on Gamaredon in February this year. And that's when it really made us start thinking about this whole change to first tier, second tier and how APTs are classified.
So Gamaredon, usually identified as an APT right back to early 2013, heavily associated as a pro-Russia APT group, with a very specific attack methodology in their early attacks. And that was generally attacking Ukraine. They've been exposed in multiple articles through the years by multiple research teams. They've never once changed their MO generally, up until basically the latest trend of attacks we discovered. They've always been the same. They've always attacked fairly normal Ukrainian-type targets. So why do we think they're a second tier related group? We believe that Gamaredon's activities are more around information collection for other affiliated groups. Now this doesn't necessarily mean only state groups. This also means by country A's intelligence wing or whatever. This also means working with other groups that are affiliated with those victims. What we want to say is they're a second level state and they have related parallel activities, maybe with their A team essentially, or their first tier APT groups. They eventually will benefit from coverage of these groups because of the harbouring states. There'll be things like no extradition laws. There'll be no intelligence communication communities there. So they're generally quite well harboured, Gamaredon. Aggressive infrastructure, typically we believe to be that of what a crimeware gang would operate, and that is large scale infrastructure. No real thought process around standing up infrastructure for small periods of time, burning it down, cleaning up their operations and moving on. These guys have domains up like, in the report, we discovered over 600 domains linked to some of their C2 activity. That to us is not atypical with an APT group, which is why we want to bring this new classification forward. So over 600 domains, as I mentioned, they're the first stage and second stage, but then they started doing some Microsoft Word templates through the .dot template files.
They had a really sort of basic crimeware-esque type approach to it, like you'd see in Dridex and things like that. Simple phishing and spam type of emails. What we started to obviously look at across our malware corpus and some of the public corpuses: we very quickly found over a thousand variants of this first stage. That again to us is not something that an APT actor would do. They would be very concise about what they're using. They'd be very clear as to what their malware looks like. They wouldn't have a thousand variants, for example. All right, they might have two, maybe three in some small instances, but generally speaking it's limited use and very rarely would they reuse. We found victims in 43 countries. Again, that to us is not that of a first tier APT actor group. A first tier state-related group to us would have a very small, a very specific victimology and would have a very precise level of targeting. So this is what Gamaredon started to look like when we started looking into them in February this year. Still a focus on Ukraine, which is to be expected because we do believe them to be pro-Russia and very interested in Ukraine. Victims are now dispersed all around the world. There are no specific victims anymore with Gamaredon. We found a bank in Africa, for example, right down to some American state universities, down to European telecommunications companies, hosting providers, things that again we wouldn't relate directly with a very specific and organized APT group. It's far too shock on the proofs for us. I'm going to hopefully let Vitor give you another one because obviously we want to try and build this up and explain to you why we're putting these examples forward. So thank you.

The other one, it's the Promethium group. So we also did a post about the Promethium group a while back, and this is a group that is usually associated with Turkey, or with Turkish interests, I should say.
And while we were doing all these analyses, we figured that something was really similar with Gamaredon, or the other way around, because we did the Promethium group post first. Both of these groups, they started with a very concise victimology, targeting specific countries where there was either a big diaspora of their victims, in the case of Promethium, there were a lot of Turkish-speaking people in the countries that they were targeting. But over time that changed, and it changed to a more global one. So this is where we also think that there is a big difference. They are usually using tactics which you do not associate with an APT because they have huge infrastructures. They have no deterrence. If they are exposed, they will just keep using the same malware. They will just change the domains for the C2 a little, but then it will go back. So they don't change, the malware is always the same. So they don't really react to exposure, not in a way that you would see on a Tier 1 APT, on a Tier 1 state-related group. But at the same time, they seemed also to expand their victimology. So if originally they were really using these kinds of tactics, but they were focused on the victimology, that doesn't happen anymore. Right now they have huge dispersion around the world, which again is more of a crimeware rather than a state-related actor. Can we switch to the next slide? So as you can see in this case, the infrastructure alone is huge, just like the one that Warren was showing on Gamaredon. And as such, we can't really put this in the same package as we put the first Tier APT. So that's why we wanted to bring this new concept. As you can see on the world map, the victimology completely changed. It was expanded all over the world again, just like it happened on Gamaredon. And with this, we believe that we cannot treat these kinds of threats in the same way that you treat your Tier 1 state-related groups.
So if you look at the commonalities between these two groups, well, they're pretty much the same approach. There isn't anything in here that says these are completely different groups. They have the same aggressive approach. They really don't care about being detected. They will reuse infrastructure even if they are detected. So all of this is the opposite of a Tier 1. The difference being that these groups actually have the same, or appear to have the same, motivation or the same alignment of interests. But at the same time, as we see the victimology expanding, one must think if they don't have other motivations, like financial ones, which we have not seen yet. And this is also something of concern that will make us think on how we should handle all these kinds of groups. So, yeah, this looks the same. And I will now pass to Warren to finish up.

Let's try to finish. I think we have only five minutes of allotted time. I know we ran a bit over, but we'll get through this anyway. So we'll try to finish this up and this concept that we're trying to put together. Obviously, we've sort of brought out something new in our eyes that we're trying to obviously reach out to the community and see what their thought is. Ultimately, we want you to sort of look at this and think, well, why is this necessary? And why we think it is necessary is they're not all the same anymore. There isn't just APT-1 or whoever we want to call any APT groups nowadays. They're all doing very different things across the board, whether they're state-related or not state-related. This is just to try and sort of point out that the state-related groups exist. They're always going to exist. I mean, as we know, the sort of internet has provided a whole new cyber war playground, I think, for every country in the world. And this is always going to exist. This state-related actor is always going to exist. But we now want to say, well, some of them are better than others. They're no longer all the same.
That means they can't all be treated the same. We shouldn't be reacting to them all the same way because some of them have a different approach to what they want to do. For example, an APT group trying to carry out an attack based on a firmware change is going to be very, very different to, like, Gamaredon, who are going to send you a document with a .dot template. They are two very different ends of the spectrum and two that we need to think about while we discuss this kind of idea. Limited resources mean, obviously, that people like us as defenders, well, we need to try and establish where it's better to focus these resources. And as I just mentioned, the likelihood of your infrastructure or your company being attacked by the top-level APT groups is getting smaller and smaller because their victimology and their targeting is getting more and more specific as they know who to look for. However, when we enter the second stage, or sorry, the second tier state-related APT actor, that starts to broaden the horizon a little bit because they are, as I mentioned, sending things like document templates. That's not something that we generally associate with the high-ranking tier one APT groups. It's clear crimeware behavior in our eyes. There is no care about deterrents. Gamaredon have been spoken about a lot, as I mentioned, since 2013. Plenty of other groups out there have had ongoing approaches and ongoing publications, and they haven't stopped Promethium, a.k.a. StrongPity. They've been discussed and talked about for many years now. They just keep going. They keep continuing. So to sort of try and wrap that up, we believe that state-related actors are now behaving like crime organizations, and that means you as a person or as an individual have to change your threat model. You need to think about how you are now a potential victim of what we are referring to as a second tier state-related actor. There's no specific victimology, as I mentioned.
They're trying, in our eyes, to support potentially other parallel activities being carried out by these top tier, first tier state-related groups. And the crimeware thing that we mentioned, in our eyes, crimeware groups are sort of smash and grab. They do as many things as they can. They attack as many victims as they can. To us, this is what the likes of Gamaredon and Promethium are doing also. And again, we believe they take all the information they collect. And there's no direct financial motivation that we've been able to link. We believe it's more of a supporting role to these first tier APT actors that we're trying to highlight, the first tier state-related actors. They're providing maybe the information or supplementary target information before they essentially send in the big guns, if you will. So you understand it now, obviously, because hopefully Vitor and I have just explained it to you. I think really, quite luckily, Vitor and I will be in the Q&A panel next about malware and the geopolitical impacts of it. So maybe we can have some questions and discussions around this, if we've none now. But I want to say thank you guys for listening. As I said, we tried to introduce a new concept. It wasn't as technical as our talks normally are, but we're trying to approach this initially with the community and say, what do you guys think? This is what we think. We're not essentially saying that we're completely right, but this is what we believe. Thank you. Any questions, we would love to answer them. Thank you.