
BSidesSF 2026 - The Phaaaaaaaaantom of the Salt Typhoon is there, inside i-SOON (Daniel Schwalbe)

BSidesSF · 40:3021 views · Published 2026-05 · Watch on YouTube ↗
About this talk
The Phaaaaaaaaantom of the Salt Typhoon is there, inside i-SOON
Daniel Schwalbe

A rare opening has been revealed in Chinese-sponsored APT Salt Typhoon's TTPs that defenders can use to attribute and respond to operations from this and other associated groups. Join this presentation to see patterns revealed by passive DNS that map infrastructure of Salt Typhoon and similar APTs.

https://bsidessf2026.sched.com/event/1b4d15ae5f9e4e383c08d0ad163afc3a
Transcript [en]

I would like to introduce Daniel Schwalbe, who is head of investigations and CISO at DomainTools, and he's going to tell us about the Phantom of the Salt Typhoon is there, inside. Thank you, Daniel.
>> Thank you very much. I appreciate the unsung introduction, because nobody wants to hear me sing. All right, maybe later. All right, so this is me. I've been doing this for a little over 25 years, and right now I am the head of investigations, but I'm also the CISO, but don't hold that against me, please. I actually came up through the ranks and did incident response and all that stuff for many, many years, and then I finally

got to the point where I was like, hm, maybe I should run the show. Okay. My background is state and federal government, higher education, and then for the last 10 years or so private industry, and there's definitely something to be said for that. I'm also a DNS nerd, so this is obviously a somewhat DNS-heavy presentation. But don't worry if you've just heard of DNS; there's no prerequisite required to know how this works. About 18 months or so ago, I... by the way, I'm a pacer, and I've been instructed not to leave this box here because it's being recorded. So I'm going to try really hard not to run

away. I love audience participation, so watch out. So about 18 months ago, I, together with a colleague, came up with the idea that we should maybe revamp our security research practice. And so we founded DomainTools Investigations, because we all need more hats. And the thing about the way we're trying to do this is that the research is research-driven, not product-driven. So, yes, we're a vendor and we have products, but you're not going to hear about the products in here. And everything that we put out, if you go to dti.domaintools.com after this talk, you can see a bunch of stuff. And basically,

if there's cool research to be put out there, it doesn't need to be tied to our product. It's about putting out stuff for the community, by the community. So, for example, we did a three-part series on the Great Firewall. We don't sell a single thing that protects you against the Great Firewall. So lots of the stuff that we put out is relevant to the community, but it's not tied to our stuff, and I'm a big believer in community, which is why I support BSides and have been fortunate to be invited here. So let's go talk about Salt Typhoon. Oh, but wait, quick primer on passive DNS. A lot of the hunting and stuff that we

did for this talk, in preparation for the research that we also published, revolves around passive DNS. So you might say, well, I know DNS, but I've never heard about passive DNS. Well, fear not. I'll talk about it a little bit. I'm very passionate about this. I came to DomainTools through another company called Farsight Security, where we did passive DNS collection for the better part of 10 years. So I love it, and it's really great for threat hunting like this. Got to give a shout-out to a talk we had here last year about MuddyWater, also known as Static Kitten, Earth Vetala, or Mercury. And it also used

passive DNS for the pivots to figure out what the adversary's infrastructure is, etc. And so we thought, well, this is a nice continuation. This is slightly different, but passive DNS has a superpower that is really valuable for this kind of investigation. So just real quick: regular DNS, your browser makes a query, it talks to your local recursive DNS resolver, it gets an answer back, usually that answer gets cached, and so on. Passive DNS collects the cache-miss traffic between the recursive DNS server and the authoritative name server, as this graphic here helpfully demonstrates. The reason we collect cache-miss traffic is because the TTL of a

particular resource record determines how long the server will keep that answer in its brain, or in its cache, before it times out and has to be refreshed. We only care about the refreshed ones, because the cached answer could already be wrong if it coincides with a change in the name after the fact. So cache-miss traffic is important. And then we shove all of that into a database and make it queryable. And this is really where the power comes from. I'll talk about that here in a second. There are many other providers of passive DNS. You don't have to buy it from my company. These

techniques apply pretty universally. So if you already have another passive DNS vendor, hooray, but use this to do your threat hunting; it's very powerful. So regular DNS was invented a little over 40 years ago by Dr. Paul Mockapetris, and it solved a problem that was scaling at the time, but it wasn't designed to answer a bunch of questions that are useful. So right in the mid-2000s, a guy named Florian Weimer came up with the concept of passive DNS, meaning capturing the information between the recursive server and the authoritative server and then making it searchable both ways. So now, regular DNS is really good at going from a domain to an

IP address. It's pretty terrible at going from an IP address to a domain. Now, if you're a fellow DNS nerd, you might say, "Well, hold on. What about pointer records?" Yeah, that's true. They exist. Except the vast majority of IPs don't have pointer records, so you get NXDOMAIN as a response, or, more commonly, the forward and the reverse don't match, because they don't have to. So you look up google.com, for example, you get an IP address. If you are looking up that IP address and it has a pointer record, it'll be something like webserver27.infra.whatever.whatever. It's not very clear that that's associated with google.com unless you do some

additional digging. Where passive DNS comes in, you now can ask the question: given this IP address, tell me any and all other domains or fully qualified domain names that are pointed at that IP address. Super powerful. The other thing you can do is say, okay, I have a domain that's questionable or that I'm investigating, and then I'm going to look up the name server, the authoritative name server. Any domain on the internet has to have at least one, preferably two. And now you can say in the database, hey, given this name server, tell me any and all other domains or FQDNs that this name server is authoritative for. Can't do that in regular DNS. Super powerful, especially

when the adversary maintains its own name server infrastructure to make it harder to take down their stuff. This will get them. You can do subdomain enumeration. I gave a talk at, what was it, DEF CON a couple of years ago where we basically brute-forced, using passive DNS, any possible subdomain on a list of target domains. So it was like a challenge, and then we gave a talk about it afterwards. So it's really great for that, because sometimes the bad stuff happens in subdomains, and being able to look for them without knowing exactly what they are is another strong suit of passive DNS. You can also do cool things like, okay, this is a questionable IP.

It hosts a bunch of bad things. Now, let's see what's in the network neighborhood. So you typically pick the /24 above it and see what else is hosted in that thing. If it's some bulletproof hosting stuff or whatever, you might find a lot of interesting domains that are seemingly unrelated, but you can tie them together that way. You can find questions where only the answer is known. What do I mean by that? Well, a CNAME is a canonical name that points at another name, but if you have the answer, you don't know what the question was. Well, with passive DNS, you can answer that. So, you can ask

questions off the answer and say, "What was the question that was asked when this was looked up?" Super useful. You can do wildcard searches, full left-hand wildcards, full right-hand wildcards, but now you can also, well, now it's been a few years, you can also do full regular expression searches across any label of a fully qualified domain name. The non-DNS nerds are like, "What the heck did you just say?" A label is the thing between dots. So, if it's foo.bar.baz, the words between the dots are the labels. And doing pattern searching, regular expression searching, on those is another superpower of passive DNS. You can find, for example, DGA patterns.

They had kind of fallen out of favor. But when DGAs were really big, you could find other hosts using the pattern search that you otherwise would not have known about. All right, so I'm going to talk about Salt Typhoon. Definitely considered an advanced persistent threat, although it doesn't have an APT number per se. Microsoft coined it Salt Typhoon, but there are some other names for it, too. We really need some kind of translation table for all of the freaking different APTs that everybody names something else. I get it. You all want to have your stake in the ground with marketing and whatnot, but it makes things unnecessarily confusing. So on the right-hand side there is like,

yeah, it's GhostEmperor, FamousSparrow, 2286, etc., etc. Like, they're all the same thing. The core mission of Salt Typhoon appears to be signals intelligence. Long-term, deep-seated persistence, exfiltrating stuff, low and slow, really hard to detect. And it is definitely, to the best of our knowledge, based on the evidence that we were able to find, linked to Chinese state-sponsored activity, typically MSS and PLA to a degree. So, there are TTPs. There are tactics, techniques, and procedures. They love living-off-the-land binaries. That's not to say that they don't employ custom implants or custom malware when it's necessary, but for the most part they use things that already exist

on systems. So they're really good at PowerShell. That tells you they're mostly targeting Windows, but it's not exclusively limited to Windows. They use domains, either for phishing or for other things, that are typically registered in the names of fake US personas. We found some of them and were able to tie some additional domains to it through that. They also like to do their work kind of mimicking standard network operations. So it's harder to detect through IDS/IPS-type stuff, because the signatures for them are hard, because otherwise, if your regular admins are doing it, it lights up your

pager board, and that would be annoying. So they try to stay under the radar by mimicking real network administration, etc. They do credential harvesting via LSASS memory dumps. Again, that's a Windows thing, but it's not to say that they only target Windows; their main targets tend to use Windows. So it's kind of a chicken-and-egg thing. And it's pretty difficult to detect their activity via signature-based security products, because it's so closely tied to regular operations. So we believe, based on research, that the Ministry of State Security, the Chinese Ministry of State Security, and the PLA Strategic Support Force are sponsoring the Salt Typhoon campaign. And it's

an interesting thing where, unlike MuddyWater, it's not like a single actor group really closely tied together, but it's actually more of a campaign. So you have front companies, contractors, and hybrid firms. The front companies are basically just cardboard cutouts, fully MSS-linked, stood up by them, just given the appearance. But then there are also some contractors that probably are doing some legitimate work, but definitely are at the bidding of these state actors. And then there are some hybrid firms that do a little bit of both, but are also mainly state-sponsored. The three that we identified through the GitHub leaks, which a lot of

this research is based on, more on that in a bit, are these three entities, and they all have their own different expertises. So it makes sense; just like in regular security work, there are security firms that specialize in certain things: one's really good at pentesting, the other one's really good at infrastructure analysis, that kind of stuff. So similar to that, these companies, whether they're fronts or legitimate companies that have just gotten their arm twisted really hard, are specializing in different things, and that really makes the operation there very turnkey. You can be like, "Okay, we're after this particular thing. Let's task these guys. We're

after that thing over here. Task the other guys." The key targeting profile for Salt Typhoon appears to be the US, UK, Taiwan, no surprise there, and the European Union. And there have been confirmed breaches in telcos, especially in the US, but also to a degree in Europe. They've been very, very prolific, and they love telecoms because they carry all of the important messaging, and there's something called lawful intercept that a lot of the telecoms have to be participating in, where the government can come and say, "Hey, here's a warrant. We need communications between point A and point B monitored, captured, and then shipped off to us." Well,

Salt Typhoon has figured that out, and they're actually using some of the lawful intercept setups to unlawfully intercept things and extract. So, it's pretty clever. There's also been some limited targeting of US state National Guard networks. You know, every US state plus the District of Columbia has a National Guard that is typically state-tasked, but can at certain points be federalized, but they're mainly in charge of local support, and they get called in when there are natural disasters, etc. Some other things too lately, which is unfortunate, but as a former National Guard member myself, that's my personal opinion. But anyway, targeting that gives you a good idea of

what the local command and control is in response to natural disasters, but also potentially economic disasters. What if the power goes out in the state? What is the National Guard's plan to help the citizens there? If you're targeting that kind of infrastructure, you want to know what the response is. So that's why infiltrating those networks and trying to extract as much information there as possible is useful. There's also been, in the telecom backbone networks, where there are routers, you can implant things there and get the routing tables out, get live traffic information; that's super useful. VPN gateways are big because that typically gives you additional access that's only

accessible via that VPN, so if you can exploit that, you might be able to intercept things that are thought to be more secure. So we think that most Chinese APT activity is government-linked, but the Chinese government is a very big apparatus, very heavy on administrative and also different geographical functions, and so every APT that's been identified so far has a slightly different affiliation, and sometimes they even compete with themselves a little bit, which is kind of funny. You'd think they'd be doing more coordination, but sometimes the left hand doesn't know what the right hand knows. I mean, if you work for a large

corporation, that should ring true. So, why wouldn't it be true there? So, the primary sponsor appears to be the MSS Chengdu bureaus. They are organized regionally by different things, and some taskings are basically done on regional differences. But they have a strategic alignment on foreign intelligence collection and cyber battlefield prep. This is why targeting local National Guard networks is also important, because a lot of state National Guards have cyber units that are tasked out to the larger active-duty force, but they're basically the local backup, and they're very familiar with the local network topology. So I live in Seattle; just after 9/11 we did an assessment on

critical infrastructure and how difficult it would be to actually kill somebody with the internet. In 2001, 2002, it was still pretty difficult. Nowadays it's gotten a lot easier. So cyber battlefield preparation is one of their missions: figuring out where to strike, if that comes to be an issue, in order to cause maximum chaos and deception. But they also have the dual-use capability, because they're using some of their implants to collect information on the regular, but also position themselves strategically within infrastructure to potentially cause denial of service or other shutdown of infrastructure. So it's the dual use: low and slow information collection, but also sitting in the right

point where, if they remain undetected, they could push a button and shut down parts of the infrastructure and cause disruption that way. There is an overlap with the PLA. So we believe, based on information that was disclosed, it focuses on C4ISR, which stands for command, control, communications, computers (that's the four C's), intelligence, surveillance, and reconnaissance. We love acronyms. That's one of them. But so the PLA has an interest there because, again, if there were ever hostilities between the countries, that's something you would definitely want to strike in the enemy to disrupt their local communications as much as possible. So now, let's talk about i-SOON. You

know, as conveniently in the title. We believe, based on information that was disclosed through a leak. I don't think it was accidental. Somebody, you know, it's like a Snowden situation. And so i-SOON is a Chinese cyber security firm that until these disclosures was thought to be not necessarily state-linked. Well, we were wrong. There are direct operational ties between i-SOON and Salt Typhoon, and in the 2024 GitHub leak, which had a lot of internal documentation, meeting minutes, org charts, different ties together, some even like invoices for paying various different contractors, etc. And so my research team grabbed that leak and picked it apart, and there's been some

other publication about it, but we took the angle of trying to map the connections between the various contractors, etc., in order to paint a clearer picture of how they're actually organized, which is fascinating. I mentioned the Great Firewall piece, the three-part piece that we published. I've been dealing with the Great Firewall both in a defensive and offensive way since the early 2000s. And reading the final research report, once the draft was submitted to me by my team, was kind of vindicating, because like, oh yeah, we thought that's how it was. And a lot of the stuff in the leak actually confirmed that. But there

were some other things I read where I was like, I would have never thought that's how the tasking and organization works. So it was very revealing and kind of vindicating that we got most of it right, but always nice to have more. So based on these leaks, we have more information about how their infrastructure registration works, whether they are using custom malware, and what their target profiling is, and there are some shared toolchains and infrastructure between other APT groups, but that's probably just because, if it works and you see somebody else it's working for, why not copy it? That's fair game in that case.

Salt Typhoon is likely a subset of a group that was formerly known as APT41, Double Dragon, Brass Typhoon, etc. But there's a split, and the tasking is different. APT41 was espionage and financial gain, where Salt Typhoon is much more strategic espionage and potential disruption of the cyber battlefield. APT41 was hitting a wide variety of industries. Sorry, English is not my first language. Sometimes I stumble over this stuff. Salt Typhoon concentrates on the telecom spine and the critical infrastructure, for obvious reasons. So OSINT, I love OSINT, open source intelligence. There's a lot of public product that can be pieced

together, and the leak certainly helped. But there are individuals that have been named, which were also then added to an FBI most wanted list. More on that in a second. But the ties to the i-SOON infrastructure were pretty revealing, in the fact that seemingly legit companies were either front companies or mostly infiltrated by the various state actors, which is a pretty damning reveal that the leaks confirmed. And so if we extrapolate that out and think about other APTs that we're familiar with, if you start thinking that this could be a repeatable pattern, the rabbit hole gets really deep.

There are some individuals that have been subject to US indictments, which, in the scheme of things, is rare, but in this particular case these two individuals are wanted by the FBI because of documented cases. The Department of Justice brought charges for 12 PRC contract hackers; that's relatively new, within the last two weeks this was announced, but it's been going on for a while. And yeah, these are just two individuals at the top of that particular food chain, but they are linked to i-SOON and Salt Typhoon. Conversely, some of the filings of these indictments and the sanctions work have given a little bit more visibility publicly,

because, you know, you file a court filing, unless it's a sealed indictment, it comes out, and there are a lot of details in there. So we consume all of that and see what it matches based on what we found, etc., and correlate them. So there's still some additional information, but it really seems like a lot of these indictments were constructed on top of somebody in the government analyzing the GitHub leak and tying some things together. So it's kind of nice to see that it's working on both sides of the aisle. So, known campaigns and motivations. It's not really intermission. I'm sorry, you don't get a break, but we tried to stay in the theme

of the musical playbill. In 2024 they were really busy: the telecom metadata breach. This was targeted at collecting signals intelligence, figuring out how the US telecoms are working, what's their command and communication structure, where they can implant themselves to disrupt things. Also in '24 they went after various state National Guard networks, preparation of the battlespace, as we already talked about. As an ally of the United States, for now, British infrastructure within the Five Eyes is also useful, because if you hit one, you're probably going to want to hit the other, so they can't come to each

other for assistance. And so British telecom infrastructure was hit pretty heavily in 2023. In '22 there's a lot of evidence of implants across router infrastructure in the EU. So most EU member states, they all have their own telecoms. Some of them span multiple countries. So if you get in on one, you typically can find paths, lateral movements, to go to the others, which is an additional collection of signals intelligence and also figuring out how to mess with Europe if the time comes. And then there are ongoing campaigns linked to i-SOON, which kind of reflects China's shift to contractor-enabled cyber SC. Historically, over

the last 15 or so years that I've been looking at this stuff, it was much more likely that PLA units, you know, just like the US has cyber-focused military units, PLA was really early and heavily into that. But the shift to the contractor ecosystem is interesting. And I think it's both efficiency, also, you can probably pay contractors a little bit more so they're more likely to stick around, and there's conscription service there, but also there are certain people that are basically lifers in the Chinese military, but you're less likely to get people who are into this, aka hackers or whatever, to want to

join the military. So using private contractors, where they can get hired under the cover of a legitimate job in a security pentest firm or whatever, seems to be a shift that is more broad than just with Salt Typhoon. There are other APTs that are shifting to that, which is pretty interesting. Yeah, just the two highlights here: the National Guard networks across multiple states, and the damage was pretty significant because they were able to get a bunch of the local command and control stuff, which is useful if you want to disrupt things. And then the telecoms, a lot of lateral movement at the backbone level; even

competitive telecommunications companies in the United States do a fair amount of cooperation. If you think of a mobile network, you can roam between carriers and there's a handoff. Yes, you still have to pay and all that stuff, but there's a lot of data being interchanged between networks; they're not air-gapped from each other. And because of that, once you're on the inside, you have access to the backbone. You can move laterally pretty easily and get a lot of information in a really short amount of time. All right. So now the DNS part of the presentation, because we looked into Salt Typhoon's domain infrastructure and picked it apart. High-level observations:

they do like to reuse infrastructure, which is not unexpected; once you've built a fairly reliable infrastructure, you might as well use it. There are name server and IP clusters which, with the use of passive DNS, we could pivot on and discover many, many more seemingly unrelated domains, but they had enough connections in the metadata, essentially, that it seems very likely that they would be controlled by the same entity. They have some favorite hosting companies. That's not surprising at all. And it's also split out between the different contracting companies who does what. One organization seems to procure the domains, register them using false information, and hand them over to the other one. They're weaponizing

them for phishing campaigns or other things, etc. So there's a pretty good indication that there's a strong playbook on the inside on how these seemingly unrelated companies are working together. They also like to use TLS certificates for the domains that they spin up, and they shy away from Let's Encrypt and instead get domain-validated certificates from like GoDaddy, Sectigo, etc. And the thought there is people still sometimes see a Let's Encrypt certificate and they're like, well, what's that, you can't even afford the 20 bucks for a real certificate? So the air of legitimacy from using domain-validated certificates seems to appeal to them, but they're also maybe a little lazy, because

there are some shared common names in the certificates that we found. And so that also ties certain domains together, because if you are able to use the same certificate, it means you control the private key, which means if you have them on four seemingly unrelated domains, that at least gives some indication that somewhere on the back end somebody has control over all of them. Domain registration information, that was kind of a fun one. Top fake registrant names that we found: Sean Francis, Monica Burge, Tommy Arnold, and Larry Smith. Can you get more generic than that? If there's a Larry Smith in the audience, I apologize, but that's a pretty common

name. There are some other ones. Gerilyn Pickkins. Seems like there's a lot of generative AI in use, trying to figure out what are some common-sounding names that can blend in. But each of these fake personas owns multiple domains, and we were able to tie them together, and we were also able to show some connections between the domains. Most of the WHOIS information, the contact information, is Proton Mail, so they really love Proton Mail. Make of that what you will. And the addresses are generic made-up things, either in Miami, Florida, or Lena, Illinois, things like Drive and Trails End Road. That's very clearly

AI-generated, because I'm not sure that you would make those up as a native speaker. So the tradecraft for the personas was interesting. Instead of just going straight up with private registration or anonymizers, they built these personas and reuse them across multiple different domains. That's not to say that they're not using some private registration, but it's not their primary use case, which I found very interesting. The idea is to blend in with domestic traffic, maybe bypassing GeoIP filters, etc. Hosting tends to be in geographies closer to where the target is; similarly, otherwise you just block all traffic from certain ASNs that

you don't like, but if you co-mingle your stuff in spaces that would be really hard to block, because you'd be blocking the majority legitimate traffic, that definitely happens. Personas link to the domains; by the way, this is all published on our research blog, I'll give a link at the end, so it's a bit of an eye chart, but we tied those together, and then domains also link to emails, meaning the Proton Mail accounts. Notable ones that I highlighted here were basically mimicking legitimate technology or telecom services, which is supposed to enhance the perceived authenticity and also the call to action. The Proton Mail pattern, as I

mentioned, they really love Proton Mail for the infrastructure, for the contact emails, which is a bit of a tell, and they also use these randomized, anonymized alphanumeric handles here, but it's a pattern, and so we were able to look for other stuff in WHOIS information based on the pattern, so that was super useful. Final takeaways here before we get to Q&A: the strategic goals here are pretty interesting. It uses access as a weapon; it's very clearly tied to military activity, not just state security. And the dual-use implants, for both collecting information and also potentially later pushing the bigger button, is also

kind of novel in this situation, and the deep persistence inside the backbone really tells you they're serious. The industrialization of the APTs, I think this is something that we're seeing more and more. In the US we call them public-private partnerships; it's kind of like that, except with more force behind it and probably threats of prison. So make of that what you will. If you're looking for Salt Typhoon in your own network, passive DNS is definitely a really great threat hunting tool here, but also look for Proton Mail accounts as the WHOIS registration information for domains, the fabricated US personas. You can get some IOCs from our research and grab

it there uh the patterns in the domain naming and registration can be interesting but of course now that we've published all of this that they're going to change their ways. That's just a, you know, a given. So, this is the piece. Uh, I promise this is not malware. It just points at this very long and ugly uh URL. So, therefore, I wanted to make it a little bit easier so you don't have to type it or you just go to DTI and put in the search site. We fix search. All right. Do we have any questions? >> All right. Thank you, Daniel. As a reminder, if you want to ask any questions, please use Slido to do so.

You can access that at bsidesf.orgqna. I have one question here in Slido to kick us off. Is there evidence of Salt Typhoon targeting carrier location determination functions? I assume this is for cell phone carriers.

>> We have not seen any direct evidence of this in the leaks or associated information. I cannot imagine that they would not target that, especially if you're trying to target particular individuals that you might be after for other reasons; that would be a key thing. And so telecom operators, mostly in the mobile space, I can't imagine that they wouldn't go after this, but we've not found direct evidence of that.

>> All right. In the absence of Slido questions, we have questions from the audience. Yes, sir, in this row here, and then behind you.

You mentioned National Guard intelligence gathering, exploration, physical, structural, world that they can do.

>> The question was, we've talked about compromising National Guard networks. Aside from espionage, are there kinetic or real-world effects that they might be positioning for? That's a really good question. I think the main mission is to figure out how communication works, and then they would strategically target that to disrupt it. I'm not aware of any direct links, especially between state guard and critical-infrastructure-type stuff that they could disrupt that way. However, having been in those units before, there tend to be playbooks for certain disasters that will call out in specific detail who to contact and whatnot. And of course, as an attacker, you can use that as a road map for who you're going to go after. So I think that's more likely the goal: going after those is the information that you otherwise would not be able to come by on how to target downstream effects and critical infrastructure that way. Question behind you. Yes.

>> AWS, Azure, or compromised?

>> Sorry. Have you noticed any trends in the infrastructure they use to host, whether that's a cloud provider or some specific VPS?

>> Yes, they do definitely have their preferences. Specific details you can find in the published research. I mentioned it on a couple of slides, but it'll be easier if you look at the research. It tends to be more like staying away from the hyperscalers. And I think this is also just to be able to kind of blend in more, which seems kind of counterintuitive, but everybody's looking for the stuff in AWS. And so if you're on a smaller VPS provider that co-mingles itself with, you know, other nefarious activity, but not necessarily state-sponsored activity, that's a way to kind of fly below the radar a little bit more. Oh, this is just, you know, a script kiddie being annoying. Yeah. No.

>> All right. We have a question from Slido. Have you seen any evidence of the physical tools of i-SOON deployed being used with Typhoon APTs, or evidence of either pivoting to blackmail like DarkHotel?

>> We've not seen evidence of that. I would not be too surprised if that wasn't happening, but I think it's going to happen at a much lower and much more infrequent scale, because their main concern is to not be detected, to stay long-term rooted in places. And I think the link to the PLA will make any sort of slip-ups or downstream use of captured information, for either financial gain or otherwise, less likely, because you're going to get your hands slapped real fast.

>> All right, other questions from the audience?

>> Yes, up here.

So the question was, where can corporations get these IOCs or TTPs so they can defend themselves if they don't have their own threat intel?

>> Yeah, excellent question. So we publish IOCs both in the write-up itself and on GitHub for easy automation consumption. We participate in threat intelligence platforms like Vertex, etc. So if you look at our publications, we indicate where we publish the IOCs, and, you know, we try to kind of follow suit with what most other people do, so you don't have to look all over the various different sites. So we try to make it as easy as possible, but there's unfortunately not a one-stop shop.

>> Okay. Do we have any more audience questions? One here. Yes.

The question was, one of the annoyances when doing OSINT is privacy protection services. Do these folks not use those?

>> That's where the fake personas come in. I think they prefer to put out what appears to be legitimate information. It's not. Rather than straight-up privacy protection, which costs more money but also can attract more of a "oh, there's clearly something nefarious going on, why are they hiding?", they're kind of trying to hide in plain sight. Now, of course, we know that due to GDPR and other regulations most registrars just proactively redact a bunch of stuff, so that's less useful, but we have not seen a lot of usage of, you know, straight-up privacy services you can pay to hide your information. That does not appear to be one of their preferred methods.

>> Other questions?

>> Got to turn that on first. Other questions from the audience?

All right. In that case, Daniel, thank you very much, and we will get this room moving for our next presentation.

>> Thank you.
