Hello all!
We are ShadowEye, a handful of industry professionals who have a strong interest in the operations of and evolution of nation-state attackers. Generally, the publishing of these kinds of analyses tends to be restricted to a known set of vendors, usually following a predictable methodology, with a heavy focus on malware and campaigns targetting Microsoft products. While exceptionally useful as PR pieces, essays authored with IDA Pro and full of footnotes of hashes aren't particularly useful for understanding the broader picture of how these groups operate, the processes they use, their development standards, and ultimately the way they use their resources, which is what we aim to provide.
Why are we doing this anonymously, you ask?
Being industry professionals, we've no particular interest in drawing the ire or attention of any organisation down on our friends and colleagues. It's also a good way for us to demonstrate that we don't have any vested financial interest in publishing these analyses.
Are we the CIA/FSB/PLA/DPRK?
No. While we're probably going to initially focus on the NSA and CIA leaks due to the vast body of material released, we don't have any biases towards or against any set of operators.
We also want to draw attention to the fact that for all the information published by Crowdstrike, Kaspersky, Symantec et al, no threat actor groups have stopped operating. These are professional teams and consequently the loss of a toolset will not affect their general operations. Discussing their processes is equally unlikely to disrupt any of their work, but will help us reach our goal of drinks with thegrugq in Thailand.
Why are we so dismissive of vendors?
It's not our intent to be dismissive of some of the excellent work produced by a number of vendors, more a general critique of the way that information is presented. Lists of IoCs that consist of filenames and hashes are not particularly useful; implants can be and are regularly tailored and customized for specific targets. Similarly, many of these reports take a very narrow viewpoint indeed, focusing on a single "campaign", which often is more beneficial to the attackers than anyone looking to protect themselves.
We are, however, completely dismissive of using months of hard work analysing malware as evidence that a particular silver-bullet product, be it antivirus, next generation endpoint protection, an appliance, or anything else, has any other purpose besides filtering out the bottom-feeders of the malware world.
Can you help?
Yes, absolutely. We need peer-reviews, corrections, and feedback. Samples from campaigns are welcome, too. We will supply contact details at a later date, but for now, comments on here are fine.
Image Credit: BoingBoing
Welcome shadoweye, hope you will have a great time here on steemit!
Julian Assange is that you? :) In any case, keep us posted @shadoweye and welcome to our home.
Hello, Shadoweye, Let me welcome you to Steemit. Hope you gonna have fun with our community. Feel free to follow me @rightuppercorner Have a great time @rightuppercorner
Hi @shadoweye... Nice to know about you... Welcome to Steemit..🌹.. This is a nice intro post... I hope you will do great over here..😊.. Follow Me @onority
Nice! I can see that you have signed up recently so welcome aboard. This deserves an upvote and I hope to read more from you in the future!
As you are new to steemit, getting those big upvotes are gonna be hard so I suggest you to try out @MinnowPowerUp as you can earn up to 30% more steem power than just powering up with steem directly! It's a subscription based daily upvote bot that draws its power from a delegation pool. I have also made this post where I explain my experience with the service in more depth and show how I earn over $1 a day in upvotes.
A new Steemian ^^ hello @shadoweye I hope you enjoy your time here, its a great community ! Nice post, wish you much luck! I will follow your account. Don't hesitate to contact or follow me at any time :-) See you around @tradewonk