Today I found myself looking at a tweet from my stream and saying just that. The tweet was posting a paper that had been written by another person on my feed who works for Kaspersky. The paper that it linked to was on how the threat intelligence companies out there needed to grow up a bit and learn that not only might they not be doing a service for their clients with their work, but also that nation states whose malware they are actively reporting on and stopping seem to be unhappy with them.
Stunning I know….
So there I was mouthing the words “Well duh” and I thought maybe I should write something about this. Welp, here is what I have to say to this revelatory pdf…
“When you play spy games with real spies you often end up getting dead”
Should it be a surprise that malware researchers might in fact raise the ire of those nation state actors who they are thwarting or calling attention to? If you had to think about that one and you are a threat researcher, you might want to reconsider your career choice. Espionage has truly moved into the digital age and yes, you guys are the new front lines, so plan accordingly. You, dear researcher, are now a target in the ongoing war that is being waged by the nation states of the world, and some of them would not think twice about whacking you creatively and folding your dead body up in a gym bag.
Other issues in the paper and a subsequent article in an online news outlet beg the question of where all this threat intelligence is going. Are the private corporations now becoming organs of the state by doing this kind of work? Are these orgs that only report on APT activities primarily (I can think of more than a few names off the top of my head, CROWDSTRIKE/MANDIFIREYE, that pretty much just trade on that shit) doing anyone a service in really preventing, or more to the point, educating the companies that they serve on the threats and how to detect and deter them?
In a word… No.
While APT actors are all the sexy and they make the news cycle the marketer's friend, so far in my estimation many of these TI companies aren't doing dick for the companies out there that hire them. Sure, they have feeds and they have really really cool code names, but really, at the end of the day just how much of that applies to the average corp? Not much really. So yes, there is too much of a focus on APT, and now these companies and researchers are beginning to realize that they are targets, up to and including perhaps attacks both physical and other to discredit if not hurt them.
Welcome to the ‘Great Game’ kids! Remember though, you ain’t James Bond and no, that is not Pussy Galore in your bed.
Meanwhile, might I point you all in the direction of 大鸦 / The Raven, who recently was reported to have had a sudden case of death. He had no autopsy because he was hastily cremated, and some mystery surrounds why he died and how. Why, you ask, is this important? Well, let me tell you a story about a guy who poked his dick in the eye of not only China but the DPRK and jihadis since the late '90s. Vlad was a known quantity and I used to use his site back in the day too. Now he is just gone. A report came out in a certain portal of his demise and leaked information that Vlad had in fact been the guy who helped finger the 4 PLA players that the US put on their most wanted list.
Are you seeing my drift here?
The story on the street is that Raven met up with an unnatural death because he had been a player. Frankly, my bet would be on the DPRK for a whacking because Un is just that crazy, but given that there is no news out there on this and the only report comes from a portal, I am going to lend this some more credence even with the source, which I don't like.
Oh and Vlad.. If you are about lemme know and let’s get that cleared up… Cuz I would rip the source a new one *wink wink nudge nudge*
Anyway, kids, all of you today who are in this line of business (threat intelligence) have to consider that you are targets. Maybe someday you will go on a trip somewhere and some strange will come your way at the hotel. Next thing ya know you are being blackmailed or your shit is being copied while you shower. In extreme cases you could end up like this guy, who it is now alleged got whacked because he learned about some SVR moles in GCHQ. Of course, this guy worked for GCHQ, but hey, if your company is now liaising all the time with the NSA, how far removed are you?
Keep your wits about you.
PS… the mailman always rings once, then fires an Uzi.
I stand corrected