
i have been in the intelligence field for roughly 20 years the majority of that was in the public sector so military intelligence and intelligence service you might be surprised to see me here at this conference because i do not have the strong technical background that many of the other speakers have and many of the attendees have i am more an intelligence analyst so i get that information that is derived through different assets and then i try to come to conclusions based on that information and that's kind of what i want to show you in today's presentation although i must say i can't really relate to what grant just showed because my background in intelligence was in
signals intelligence so seeing that again was really nice because that's something that i would look into in the past if i am not working on my nine to five job you can find me on twitter for example you can find me on my blog and i'm just really passionate about the whole topic of open source intelligence investigations and intelligence in general so for today i would like to look into social media intelligence sockment and how you can use this and leverage this in your threat intelligence environment and for today's example i do not want to have a very theoretical presentation i want to show you something more or less practical and i will be showing this in the
example of iranian threat actors and how they actually act or what we can get from their social media profiles so for some of you these terms ocean sockment um maybe something that you know of um for some of you it might be new so therefore just a brief introduction into what i will be talking about in general now open source intelligence or osint is basically the collection and most importantly the analysis of data obtained from public sources public sources is basically just googling things for example but it could also include paid sources or sources where you have to log on so something that we would also refer to as the deep web and of course in certain
situations you might be diving into the dark web but most of the things done in ocean are kind of staying in the surface and deep web ocean will also conta can include certain subtypes such as something termed as social media intelligence sockment which is basically looking into social media platforms uh such as the larger ones as facebook linkedin twitter but maybe also regional social media platforms for example the contact which is kind of a russian facebook or in today's example looking into current and old iranian social media platforms but also a lot of the other stuff that is popping up on the scene such as instagram tick tock and so much more now just not to leave it out but
not as relevant for today's uh presentation is geospatial intelligence geo-end which does kind of combine with ocean because we're looking into publicly available maps and satellite imagery and last but not least what leads us here today is threat intelligence where many of you utilize some of the tools that are out there either free or paid such as census showdown risk iq virus total and so much more so whenever you go to these platforms and you pull information from them technically that is open source intelligence now we're going to look into certain individuals today that may or may not be linked to certain apts the only reason that we really find information on them is a very very simple thing that people
often make mistakes people are not aware of their operational security or they don't care or they're just dumb so when i used to work in the intelligence service we would always say that intelligence relies on mistakes our adversaries make or basically there are dumb people out there that might not even know they're dumb and they make these mistakes and that is the reason that with social media intelligence we are allowed to collect a lot of information a lot of detailed information on individuals and i will show you today how some of that information that at first might not be so relevant for your threat intelligence scenario could actually be the missing piece in the puzzle
so before we really dive into this example just a couple words beforehand we're going to talk about the methodology that you can use to track threat actors with ocean and specifically with social media intelligence sockment so going into profiles personal profiles of these individuals now this can be considered borderline boxing i do not want to make a very theoretical presentation that just shows you the even individual steps i wanted to back this up with real life data so today in this presentation you will be seeing real life data you will be seeing certain names of individuals but of course i did not pick an example from a current investigation i did not pick an example
of an investigation which is more or less sensitive i chose individuals i chose a group that has been reported on previous times or numerous times in the past so a lot of what you will see today is data that is derived from official reporting if i can call it that way from such organizations as fireeye and i will be adding my own research to that when it comes into social media intelligence and if the individuals have not been broadly reported on i have redacted their information in this presentation another thing that we have to keep in mind when it comes to this type of work is that the threat actor attribution and the subsequent research
on this can easily be manipulated by planting false flags so our adversaries are very well aware that certain individuals are doing research on them so if they are smart they might plant false flags or on the other hand if we are looking into a certain apt they might also already in their cyber attacks in their malware plant these false flags that lead us to the wrong track so those are the basics of today and now let's just dive in to this practical example to show you how we can leverage the information found in social media accounts and use that to attribute things and find out which individuals may or may not be high be behind certain
cyber attacks now in this example i have chosen apt-33 a well-known iranian-backed or iranian-based group that has been causing lots of ruckus over the past couple years now when i look at something like this my focus is on people my focus is not on the technology my focus is not on the i.t infrastructure that was used to perform such an attack and therefore i'm on the right end of this spectrum so for a lot of you attending this conference today you'll probably be on the left side of this slide a slide looking into the modus apparently the techniques that were used the technology that were used so basically summarizing this under defer i personally go to the right
end of this spectrum and look at the human behind the machine behind most attacks there is a group and in that group there are individuals and these individuals they have certain reasons for doing what they do they have a certain motivation behind this this could be a financial motivation this could be a political motivation state-sponsored groups so combining all this information from what you get out of your basically reverse engineering of malware you're tracking the it infrastructure used for such an attack and then me looking at the ocean and sockman side of that who is actually behind this you can combine this to perform a proper risk analysis and really figure out why this did happen so moving further
to the human behind the machine what are the things that we can find and how might these be relevant well at first we're looking for mr x we're looking for an unknown individual and even within the code of malware or within the information that is obtained by a difer you might find things that could be useful to identify the individual for example a nickname or even the language settings that are used these language settings might lead to the origin of this group or this individual and moving on from there using those basically as pivot points in investigations we can find further selectors i'm sorry this is an old second term i use so phone numbers email addresses usernames
or any type of data that will enable us to identify an individual and to pivot off this data point to find further information now if we have gotten so far as that we have identified an individual we might be able to identify certain affiliations who does this person align with or certain associates who is this person actually linked to also maybe the motivation behind this why did this attack happen why is this specific person mad at a certain company or wants to obtain certain information from a company or government why did they perform this attack and also very interesting depending on how good the opsec of these individuals is they might leave traces to previous
activities so seeing the history of a certain threat actor might enable us to figure out how good this person is which technical skills this person has and might help figure out if they are actually capable of performing such an attack or not so going back to apt 33 well why are they such a nuisance here you see three examples of media and press reporting over the past two years where apt 33 was mentioned in the context of attacking industrial control systems a campaign that targeted european energy companies another campaign that targeted high-profile conference attendees so a broad variety of basically cyber attacks either against a specific machine or device in the top two headlines or specific
individuals and the bottom one would probably be to obtain information from these individuals so this is what starts it off and this is the moment where basically a deferred team starts investigating where did this attack come from what exploits are they using what malware how are they infiltrating a system and there's a lot that can be done there but that's not my job like i said i do not have that strong i.t background but basically in combination with a d4 team that's the moment where you can take an intelligence analyst with ocean or sockment skills and send them out to research additional information so let's start off with an example and like i said i chose a
public example so a lot of what you will be seeing here and especially the starting point is not my own investigation it is not my own work i contribute this for example to fireeye to the reporting there and at the end of this presentation i also have some of the links that i used to dive into this topic so when it comes to apt33 there was a very lengthy and interesting report from fireeye that said they found they looked into the malware and within there they found a turned up back door which basically had this little bit of code in there if i may call it that um referencing to a certain user account named x-man fix as a 1365
x so this could be something that can be used for ocean or sockment investigations and of course this was also done by the people that put the report together so they basically went out to google taking this fairly unique username and found that this username was used among many different iranian software and programming forums as you can see here so if we look to the right basic googling nothing fancy here we see an account x-man 1365-x it leads to an iranian site by the way very interesting 1365 is the iranian year for i think let me in 1980 or 1981 so again a hint that there might be an iranian behind this and we find a profile with a real name
and we could also get the birthdate out of there and things like that so fairly easy to use going back even further in other forums we will come to other selectors that we can use for our research so in the middle you see an example from 2008 that's how far it goes back where this user apparently shared his email address x-man underscore 1365 underscore x at yahoo.com so again from an ocean standpoint we can move forward with this we now have a name we have a possible birth date we have an extra email address which can also be utilized in the search for social media accounts and on the left we see another example of one of those mentioned forums
but in this case you see that the username has something that looks really weird at first this username x-man is actually using the arabic numbers so that translates to 1365 but a good example that a lot of times we will be working with foreign languages and in oceans it is then very very important to have this translated properly now you all know you can use google translate or bing translate or dpl or yandex translate to get this done but sometimes you will come across websites or even documents which you cannot ocr which you cannot manually translate because they're not properly ascii coded so there's just one little unique tip that i would like to show you
let's assume we come across a site where we cannot have this automatically translated and we really want to know what it says so something you can use in this case is in google translate just drawing stuff and i'm not kidding i will show this in a short video you go to google translate select the input text then you can hand write this works for basically any language and then you can start drawing stuff what you see in your document so let's just let me finish drawing what i have here and see what google says afterwards so just a nice little tip a nice little technique that might be useful for normal ocean investigations google will give me certain results i
will pick the one that looks the most like what i have seen and et voila you have my name even including the proper spelling with two t's and an h so so far we're at very very basic googling very basic google doors very basic ocean and we kind of want to move on into the realm of social media intelligence so going further with this googling and this ocean we will also come across information like this if people don't have proper opsec so here again we see excerpts of x-man's activities on previous iranian hacker and programming forums where he basically asks questions or displays his skills now again keep in mind i don't have the technical background that
you guys do but i'm pretty sure the top left one will be something that might be interesting to you for me i do not have the background on that but if i look in the bottom right i will see that this person displays certain skills that he or she has so certain programming languages that they're fluent in from virtual basic to pascal to c plus to javascript and all kinds of things like that so again this could all be gathered to figure out if this person is actually capable of performing the cyber attack that we started out with or how capable they actually are now the last thing i would like to discuss before we move into the actual
social media part is you saw we had an email address so if i have an email address chances are hi if it's been around for quite a while that it has been breached in or in some kind of breach data somewhere so looking into this we see x-man 365x at yahoo.com and it has been found in certain leaks so this leads to another bright variety a variety of options that all depend on your individual laws company regulations and also your ethical standpoint so from this breach data which you can also maybe even find the actual data somewhere on the dark web or obtain that somewhere on the surface web in certain forums you might be able to find out more
information names maybe even a bank account other user names other selectors just a whole bunch of stuff but the question is always are you allowed to use this is it ethical to use this that's not something i'm going to answer today but if you have access to this information again in most cases it will provide a pivot point let's just say x-men had a very very unique password of course that would also enable us to look up this password and breach data and might lead to further accounts and with further accounts i mean also maybe even further social media accounts where this crate these credentials were actually used so moving away from ocean in general and the possibilities
there getting to the point where we dive into social media and one of the first things you can do in social media is you can try to identify affiliations you can try to identify people that are linked to this individual so we started off with x-man and we found out his real name and we started looking into social media platforms and we come across a linkedin profile which could or could not be this individual here's a guy named mariju narvar he's apparently an engineer and if you go into the details you'll see it's a software engineer and he's located in iran but he only has two connections and this seems like a dead end because he doesn't
use this profile the same thing could be done with the previous iranian forums in which he was in trying to find individuals and get data from them often we will also again rely on leaks data and for this specific example i would like to show you how this was used to further the investigations so down here is something that was basically a leaked data set and this has happened in iran in the past a couple times that on telegram for example in certain groups or on certain message boards data was linked on these threat actors on x-man 1365 and in one of those documents we have the information oh yeah this guy he's also linked to another dude named
gladiator cracker and there's of course more information in there so moving into this we find further friends buddies affiliations that we can look into now for the sake of this demonstration let's just take gladiator cracker and see what google comes up with as basically the first step in our investigations and it is very easy because this again is a unique handle a unique username which immediately or almost immediately leads us to a site like this for example where we have a username gladiator underscore crt crk aka gladiator cracker and that is also aligned to a real name which is nima nikju and looking into this we see certain videos to kill kaspersky internet security to bypass a resp
a v-stream sandbox image to bypass cuckoo sandbox so lots of things that will or can be coming from the realm of penetration testing or malicious activities now moving forward with this name you know it's just following the breadcrumbs we also come across a youtube channel where we have similar videos of people or of a person uploading exploits and things like that now this could help to attribute a certain cyber attack if we know this person is somehow affiliated and these were technique techniques that were used um to you know put those puzzle pieces together but on the other hand why does this person do not does not have any upset why are they posting all this why are they
putting all this information out it doesn't really make sense in the case of iranian hackers it could be that they just don't care because they're untouchable in their home country or maybe the other option is they're not behind it who knows remember the whole false flag discussion so what this could look like is a video like this let me just start this and in here you see there is an email address so again if this wouldn't have been part of the text in a web page you would have been able to derive some kind of information out of this video and another thing that we see here would be how this person does certain techniques
certain skills that this person has maybe even the hardware or software setup that this person is using so watching something like this will lead to a lot of new insight when working in threat intelligence now i don't want to bore you with the complete video you can just move a bit further with this video and you will actually see that there are certain things that are performed certain uh steps that is really a nice manual on how to use this exploit and also keep in mind this is quite old so i'm pretty sure that this has been patched in the meantime so again it all comes down to identifying individuals identifying skills identifying affiliations and something very
interesting that is basic googling now this individual who for some reason we have linked to the apt-33 group through this original leak that was put out there also has social media profiles and if you look at the social media profile of this individual um there are some things that are very interesting so this is a recent view now he says he's based in ankara in turkey it used to be iran and he also explained at a certain time he has to leave his beloved motherland but at the same time he says oh yeah i'm a security consultant i'm into threat intelligence i'm a malware analyst and so on and so forth so what we also
have to keep in mind is that people here actually know what they are doing and what they are talking about and here we can see an example from this profile in the past um where he mentioned that he worked for the cabocho security center according to a lot of the reporting firearm reporting and recorded future reporting this organization this company is linked to the iranian government and participates in malicious activities now if you take a look at this profile right now you will see that now he says i work for the sapar security lab so the question for me as an analyst is is why did this change why did he make this change everything
else is the same malware analysis software system programmer or security researcher then he lists the things that he does the time span is the same so maybe the company got a new name or maybe this is also an attempt to hide certain tracks but a very bad attempt as well but just little details like this little things like this will lead to questions that an intelligence analyst should ask and then you write those down and try to find the answer for this so if we know this person is online maybe because they have no feeling of upset maybe because they're innocent maybe because they just don't care we can also look into their activities our dear friend here um
gladiator cracker also known as nema he also has twitter profiles and on twitter on linkedin many people actually express their personal opinions so you can kind of profile them and try to figure out what is their political in alignment what do they think about how do they feel about certain issues and that at the end could lead to an actual motivation for a certain cyber attack so if we look into this guy's twitter for example we'll see there was a certain tweet that he was not happy about the chinese ambassador said something and he said well you're a freaking idiot you know next time inform yourself before you open your mouth so if there is any activity from the
apt-33 group against anything chinese and this fits the timeline we could have a certain motivation here that he and his buddies are angry about something that the chinese politician here is talking about the other thing on the bottom right um nima a while back shared information that he was kind of locked out of his github account now your github account has been restricted due to u.s trade control law restrictions so again if we have an attack sometime after that against github microsoft or something like that this could be an indicator for the motive of such malicious activities but again it could it doesn't have to we will actually have to find hard evidence and hard proof for this
and unless he doesn't say yep it was me and i did it with my buddies that is very hard to prove but looking into this factor which is not that technical on the contrary that might lead to information that will help you in threat intelligence figure out if these people are or are not linked to these attacks what you will see a lot of times when looking into these iranian-based threat actors or hackers they don't like their own government either a lot of times they will go on rants on social media about their own government so again this could be an indicator that they might not be linked to the government but at the same time i worked for the
government long enough and every once in a while i would also say this is just messed up so that doesn't have to be hard evidence and proof that they are not in fact working for the government so moving forward i start looking at nema's buddies because from what i've seen so far he is more or less linked to the original apt there a 33 hacker he is involved in a lot of reverse engineering pen testing and things like that so the next step would just be to see you know who else is linked to these guys is there anyone else that is interesting so in that case i'm looking into this profile and i come across a tweet where he
shares a picture of this guy and that tweet actually mentions something like oh gosh i hope you'll get released soon um you know so that is you know just something i keep in my mind and then i look at this person and see that they not only follow each other on twitter but they also regularly interact especially this guy named iman emperor who always reacts to tweets regarding pen testing reverse engineering and that tells me well he's probably into this topic as well and i know that they know each other in real life because i have a picture of both of them together so you know slowly moving forward i have a guy where i can say they know each other in
real life and this other guy is also heavily interested in these hacking and pen testing activities so that would be just another person i would look into the reason that the picture is very interesting is it is really solid proof that they have met each other in real life uh for a lot of osun investigations like if you were to look at my twitter account i have a couple thousand followers i maybe know 25 of those in real life so if someone wants to look into that and make assumptions on who i am linked to or not that doesn't really work unless you find my face smiling next to another face in one picture so based off this and
based off the fact that this iman guy is interested in similar topics i chose to look into this person as well so i moved forward i took this guy looked at him and next to what i found on twitter i also found a facebook account for example um that uses this handle iman emperor which is very unique in my opinion and i get to a real name so now we're moving basically from sock mints to osint again define this and back to sockment now let's have a look at the emperor what this guy is all about well first of all you look into his twitter and there's a lot of activity on there as well and a couple of things that i'll
point out in a second um since we're working with a foreign country or people with a foreign background i also find old iranian social media that's out there as well might not be used as much but there are things like face nama or club where you would find iranian citizens so here again i can go back into the past and i can get additional information on this guy names his history affiliations birth date a lot of stuff that might be relevant to me in the future and because it's apparently a cool thing to do nowadays go on linkedin and set up a profile there and immediately i here see that this guy lists he is a pen tester
at the kavos security center so next to the fact that i know that this dude and the other guy nima know each other in real life i also now know that they worked at the same company and if this company is somehow linked to uh state affiliated or state organized malicious activities um we could also assume that uh amir aka the emperor might also be involved also very interesting i find out on twitter that he was in jail so he was imprisoned by the iranian authorities for doing some hacking there and i also find out that he claims to be a pen tester at emperor team so emperor team i'm like so what what is this what is this about is
this a company and we can move on from here and use this as a search term so again now looking into this knowing that this person might be affiliated with state-sponsored hacking activities but then reading through his timeline and figuring out he was imprisoned for hacking activities in his company makes me think well what's wrong with this what does he work for the government does he not work for the government why would he work for the government if imprisoned many many questions out there not all that can be answered but just to give you an example of how complex this all is so going further into his social media um we find things like this from january
2021 where someone said tell me you're a hacker without telling me you're a hacker and he just goes emperor team as if we were to we were supposed to know what this is and who this is and here with another more or less unique spelling which could be a further point of investigations using ocean and or sockment now also looking into iman's activities we cut stumble upon a very old paste bin where he basically shared certain uh scripts or codes for things that we he would do he would also also actually share data breaches so hey we're the emperor team and we hacked this and this iranian server and here's all their personal data so once more we might have someone that
is working against foreign adversaries um you know iranian a point of view but he also does some mean stuff within his own country which probably got him arrested in the first place and on the other side you will just see other examples um where you have bits and snippets of code that he shared to do certain things sql injection and things like that and also at the same time we get to a email address iman.emperor gmail.com which we could use for further investigations and since he is very proud of his work this young man he also shares things on linkedin stating oh yeah that was me that was me and my crew back in january 21 he posted this and
this was a hack or a defacing of a website many many years back done by the emperor team and in specific these people so we're kind of getting a network of iranian hackers by them disclosing information on social media so to kind of summarize all this we started out with apt 33. we looked into the reports that came from fireeye where a lot of the technical analysis the reverse engineering was done we picked up on the super awesome ocean analysis that fireeye did finding certain individuals and their backgrounds and we took it a bit further to find more on this whole network of individuals so x-man was linked to apt33 through that little snippet you saw
where he basically uh used windows with the username x-man 36-1365 underscore x further information that was leaked for example led to the combination or the link between x-men and gladiator and apt-33 and moving on from gladiator we got to iman who we know is in real life linked to this gladiator guy they have met they know each other and we have a pretty good overview of their private life so if we look into this we actually see lots of personal data up to the point where you can get their car and license plate number thinking one of these examples that didn't show it but we had that as well and iman linked to his hacking crew
emperor team with other individuals and a lot of these other individuals will have a similar footprint online enabling you to figure out what are their capabilities what is their past so their history in this and of course lots of personal data the personal data again for me is relevant as a intel analyst that does not do the technical research but just as pivot points for potential social media research or ocean research and for you ladies and gentlemen that have a more or less technical background and are really into threat intelligence looking into what all these guys do you can see their skills and the techniques they might use you might have indications on the hardware and software
they use, the IT infrastructure, or things like profiles and passwords, which also might be useful. So to summarize all this: this is not bad for just a bit of googling and browsing through social media. Now the final question in this little exercise, where I am very much borderline doxxing these individuals, is: are they actually really involved in this? Are these actually the guys that are really into APT33, APT34, MuddyWater and whatever? Well, even though they don't really care about OPSEC that much, they are aware of what is going on around them. So let me just show you the response of Nema. He goes out on Twitter and says, hey, am I really responsible for MuddyWater, APT33
malware? And then he goes on a rant about APT MuddyWater and says, yeah, the stuff you use is crap, you know, that's not that good, and I know my stuff because I am a malware analyst and I know what I'm talking about. So the question is: is he part of this organization, is he part of this APT, is it a false flag? Well, who knows; that's not a question that I'm going to answer, but this again just shows you the problems that we have when working in this environment. So ladies and gentlemen, that sums up my short and brief introduction into the possibilities of OSINT and especially SOCMINT in threat intelligence. Now this will not
work in each and every country, and it always depends on how many starting points you have and how much information you can find on individuals. It might be different in Russia; it will definitely be different if you look into North Korean activities. But the basic methodology is just following the breadcrumbs. So the key takeaways for this talk: OSINT and specifically SOCMINT may shed light on the background of threat actors, given you have a good starting point and given this starting point is not a false flag. The information that you can collect may include, but is not limited to, the overall motivation: are they, generally speaking, pissed off about some other government or company and might
attack that government or company because they are angry, or are they doing this because it has been tasked to them by their own government? There could be financial motives involved. The guy we saw, Amir Hussein, lives a more or less jet-set life if you put it in contrast to other Iranians, traveling a lot, showing off what he has, so again that might be something that could lead to a motive. And of course their general convictions and beliefs. It might give you information on the career background and/or skill set, past activities, which could give indications on future activities, and last but not least, the best part about the whole SOCMINT process, the affiliations with other groups and
individuals. The bottom line is: you should always try to combine and verify this information with other assets. All-source intelligence is the best way to go ahead; never really base your assumptions on one type of intelligence, because, as I stated in the beginning and many times before, you have to watch out for false flags. Just to get back to this example: if someone purposely put x-man 1365_x in that little snippet of code and x-man wasn't even involved, this whole investigation I did now would be rendered useless. So here are some of the sources that I used to start this investigation, very interesting to read about the hierarchy, lots of things to look into.
And that, ladies and gentlemen, concludes my short talk on the value of SOCMINT in threat intelligence. If you would like to read more about the things that I do, please do visit my blog, keyfindings.blog, or follow me on Twitter at mwosint. And now I think we still have a couple of minutes left, should there be any questions.

Perfect, Matthias, that was a very interesting talk. We had a nice chat going on while you were speaking. One of the things that kept coming up was, you know, the hacker's vanity, you know, the human factor involved in kind of wanting to be seen and wanting attacks attributed to them. We're very short on time, so there's a couple of questions that have come in. I'll just ask the first one: it's basically, are you struggling to do your role with the rise of deepfake tech creating false positives?

Not so much with deepfakes at the moment, because a lot of the people we're looking into are actually real people, but I do think that in general that is an issue for the future. So if I were on the other side and I would try to do an operation like this, I would purposely place false flags, and then looking into this technology, deepfakes and things like that, will definitely be something that I'd utilize. So now I'm giving tips to the bad guys. But at the moment I can't really see it that much; as technology evolves and it gets easier and easier for normal people to run on their computers, this will definitely be a possibility.

Absolutely. And just one more quickly: how do you keep track of all these links, emails, tweets, profiles, etc. as you're investigating? Do you use a tool like Maltego?

I personally don't use Maltego, not as you might use it to automatically grab information. I personally do everything manually unless it exceeds a certain amount that I can do manually. I would use Maltego CaseFile to make link charts, or I would use things like draw.io, or if you go to that website there's a client you can download; you can mind map your things. So I'm a big fan of mind mapping information, like this person is linked to this person is linked to this person. And very old school, even before I start mind mapping on the computer, I start, you know, scribbling things on notes and post-its and drawing it. But just mind mapping is what I use to get all this information together in a structured way at the end of the day.

Thank you for your time with us.

Yeah, we're just... all right, thanks for having me. Or did you have another question?

No, that's it. With this, thank you for your time, very interesting talk, and we'll move on to the next speakers. Thanks, Matthias.

Thank you, bye, take care.