Table of Contents for
Endnotes

Endnotes by Jon DiMaggio The Art of Cyberwarfare

Title Page
Copyright
About the Author
ACKNOWLEDGMENTS
Introduction
- Who Should Read This Book?
- How This Book Is Organized
Part I: An Advanced Cyber-Threat Landscape
Part II: Hunting and Analyzing Advanced Cyber Threats
Appendix A: Threat Profile Questions
Appendix B: Threat Profile Template Example
Endnotes
Index

Search in book...
Toggle Font Controls
Create new playlist

Name your new playlist

Playlist description (optional)
Sign In

Email address

Password

Forgot Password?

or

Continue with Facebook

Continue with Google
Sign Up

Full Name

Email address

Confirm Email Address

Password

or

Continue with Facebook

Continue with Google

Prev Previous Chapter

Appendix B: Threat Profile Template Example

Next Next Chapter

Index

Endnotes

Introduction

¹ Jon DiMaggio, The Black Vine Cyberespionage Group, version 1.11, Symantec Security Response, August 6, 2015, https://docs.broadcom.com/doc/the-black-vine-cyberespionage-group.

² “US OPM Hack Exposes Data of 4 Million Federal Employees,” Trend Micro DE, accessed August 18, 2021, https://www.trendmicro.com/vinfo/de/security/news/cyber-attacks/us-opm-hack-exposes-data-of-4-million-federal-employees.

³ Zach Dorfman, “China Used Stolen Data to Expose CIA Operatives in Africa and Europe,” Foreign Policy, December 21, 2020, https://foreignpolicy.com/2020/12/21/china-stolen-us-data-exposed-cia-operatives-spy-networks/.

⁴ Brendan Pierson, “Anthem to Pay Record $115 Million to Settle U.S. Lawsuits over Data Breach,” Reuters, June 23, 2017, https://www.reuters.com/article/us-anthem-cyber-settlement-idUSKBN19E2ML.

⁵ Emily VanDerWerff and Timothy B. Lee, “The 2014 Sony Hacks, Explained,” Vox, updated June 3, 2015, https://www.vox.com/2015/1/20/18089084/sony-hack-north-korea.

⁶ Office of Public Affairs, US Department of Justice, “North Korean Regime-Backed Programmer Charged with Conspiracy to Conduct Multiple Cyber Attacks and Intrusions,” press release no. 18-1452, September 6, 2018, https://www.justice.gov/opa/pr/north-korean-regime-backed-programmer-charged-conspiracy-conduct-multiple-cyber-attacks-and.

Chapter 1

¹ Steve Ranger, “Cyberwarfare Comes of Age: The Internet Is Now Officially a Battlefield,” ZDNet, June 21, 2016, https://www.zdnet.com/article/cyberwarfare-comes-of-age-the-internet-is-now-officially-a-battlefield/.

² Wikipedia, s.v. “Minister of National Defense of the People’s Republic of China,” accessed December 25, 2020, https://zh.wikipedia.org/wiki/%E4%B8%AD%E5%8D%8E%E4%BA%BA%E6%B0%91%E5%85%B1%E5%92%8C%E5%9B%BD%E5%9B%BD%E9%98%B2%E9%83%A8%E9%83%A8%E9%95%BF.

³ Wikipedia, s.v. “College of Electronic Warfare, National University of Defense Technology” [in Chinese], accessed January 15, 2021, https://zh.wikipedia.org/wiki/中国人民解放军国防科技大学电子对抗学院.

⁴ Timothy L. Thomas, Dragon Bytes: Chinese Information-War Theory and Practice from 1995-2003 (Fort Leavenworth, KS: Foreign Military Studies Office, 2004), https://community.apan.org/wg/tradoc-g2/fmso/m/fmso-books/195631.

⁵ Dana Rubenstein, “Nation-State Cyber Espionage and Its Impacts” (Washington University in St. Louis, 2014), https://www.cse.wustl.edu/~jain/cse571-14/ftp/cyber_espionage/; Robert John Guanci, “Unrestricted Warfare: The Rise of a Chinese Cyber-Power” (Law School Student Scholarship, Seton Hall University, 2014), https://scholarship.shu.edu/student_scholarship/488.

⁶ Marieke Lomans, “‘Investigating Titan Rain (Cyber Espionage)’ Cyber Security & Cyber Operations” (master’s thesis, Netherlands Defence Academy, 2017), https://www.academia.edu/32222445/_Investigating_Titan_Rain_Cyber_Espionage_Cyber_Security_and_Cyber_Operations.

⁷ Cyber Espionage and the Theft of U.S. Intellectual Property and Technology: Hearing Before the Subcommittee on Oversight and Investigations of the Committee on Energy and Commerce, 113th Cong. (2013) (statement of Larry M. Wortzel, Ph.D., Commissioner on the U.S.-China Economic and Security Review Commission).

⁸ Stephen Doherty, Hidden Lynx – Professional Hackers for Hire, version 1.0, Symantec Security Response, September 17, 2013, https://www.wired.com/images_blogs/threatlevel/2013/09/hidden_lynx_final.pdf.

⁹ Brian Krebs, “Bit9 Breach,” Krebs on Security (blog), accessed January 7, 2021, https://krebsonsecurity.com/tag/bit9-breach/.

¹⁰ Robert Lemos, “Government Agencies, Utilities Among Targets of ‘VOHO’ Cyber-Spy Attacks,” eWEEK, September 27, 2012, https://www.eweek.com/security/government-agencies-utilities-among-targets-of-voho-cyber-spy-attacks.

¹¹ Robert Windrem, “Exclusive: Secret NSA Map Shows China Cyber Attacks on U.S. Targets,” NBC News, July 30, 2015, https://www.nbcnews.com/news/us-news/exclusive-secret-nsa-map-shows-china-cyber-attacks-us-targets-n401211.

¹² “Full Text: Outcome List of President Xi Jinping’s State Visit to the United States,” Ministry of Foreign Affairs, the People’s Republic of China, September 26, 2015, https://www.fmprc.gov.cn/mfa_eng/zxxx_662805/t1300771.shtml.

¹³ Wu Jianmin, “China-US Relationship in 2015,” China Daily, updated January 4, 2016, http://www.chinadaily.com.cn/world/2015xivisitus/2015-09/26/content_21988239_6.htm.

¹⁴ Symantec, Internet Security Threat Report ISTR, vol. 22, April 2017, https://docs.broadcom.com/doc/istr-22-2017-en.

¹⁵ Symantec, Internet Security Threat Report ISTR, vol. 22, April 2017, https://docs.broadcom.com/doc/istr-22-2017-en.

¹⁶ Threat Hunter Team, “Thrip: Ambitious Attacks Against High Level Targets Continue,” Symantec Enterprise Blogs, September 9, 2019, https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/thrip-apt-south-east-asia.

¹⁷ “Strategic Defense Initiative (SDI), 1983,” Office of Electronic Information, Bureau of Public Affairs, US Department of State, May 1, 2008, https://2001-2009.state.gov/r/pa/ho/time/rd/104253.htm.

¹⁸ Joan Goodchild and Senior Editor, “10 Hacks That Made Headlines,” CSO Online, May 14, 2012, https://www.csoonline.com/article/2131745/10-hacks-that-made-headlines.html.

¹⁹ Juan Andres Guerrero-Saade et al.,“Penquin’s Moonlight Maze: The Dawn of Nation-State Digital Espionage,” Kaspersky Lab, April 3, 2017, https://securelist.com/penquins-moonlit-maze/77883/.

²⁰ Chris Doman, “The First Cyber Espionage Attacks: How Operation Moonlight Maze Made History,” Medium, July 7, 2016, https://medium.com/@chris_doman/the-first-sophistiated-cyber-attacks-how-operation-moonlight-maze-made-history-2adb12cc43f7.

²¹ “London Times--- Russian Hack DoD Computers,” accessed January 7, 2021, http://greenspun.com/bboard/q-and-a-fetch-msg.tcl?msg_id=001OlE; Nicu Popescu and Stanislav Secrieru, eds., Hacks, Leaks and Disruptions – Russian Cyber Strategies, Chaillot Paper no. 148 (October 2018), https://www.iss.europa.eu/content/hacks-leaks-and-disruptions-%E2%80%93-russian-cyber-strategies.

²² John P. Carlin and Garrett M. Graff, Dawn of the Code War: America’s Battle Against Russia, China, and the Rising Global Cyber Threat (New York: PublicAffairs, 2018).

²³ Fred Kaplan, “How the United States Learned to Cyber Sleuth: The Untold Story,” POLITICO Magazine, March 20, 2016, https://www.politico.com/magazine/story/2016/03/russia-cyber-war-fred-kaplan-book-213746.

²⁴ “Estonia Timeline,” BBC News, last updated September 14, 2011, http://news.bbc.co.uk/2/hi/europe/country_profiles/1107800.stm; Joshua Davis, “Hackers Take Down the Most Wired Country in Europe,” WIRED, August 21, 2007, https://www.wired.com/2007/08/ff-estonia/.

²⁵ Damien McGuinness, “How a Cyber Attack Transformed Estonia,” BBC News, April 27, 2017, https://www.bbc.com/news/39655415.

²⁶ Ariel Cohen and Robert E. Hamilton, The Russian Military and the Georgia War: Lessons and Implications, Strategic Studies Institute, US Army, June 2011, https://apps.dtic.mil/dtic/tr/fulltext/u2/a545578.pdf.

²⁷ “Looking Back: Operation Buckshot Yankee & Agent.Btz,” Netsurion, accessed January 7, 2021, https://www.netsurion.com/articles/looking-back-operation-buckshot-yankee-agent-btz.

²⁸ Noah Shachtman, “Insiders Doubt 2008 Pentagon Hack Was Foreign Spy Attack (Updated),” WIRED, August 25, 2010, https://www.wired.com/2010/08/insiders-doubt-2008-pentagon-hack-was-foreign-spy-attack/.

²⁹ Ellen Nakashima, “Cyber-Intruder Sparks Massive Federal Response—And Debate Over Dealing with Threats,” Washington Post, December 8, 2011, https://www.washingtonpost.com/national/national-security/cyber-intruder-sparks-response-debate/2011/12/06/gIQAxLuFgO_print.html?noredirect=on.

³⁰ Global Research and Analysis Team (GReAT), “‘Red October’ Diplomatic Cyber Attacks Investigation,” Kaspersky Lab, January 14, 2013, https://securelist.com/red-october-diplomatic-cyber-attacks-investigation/36740/.

³¹ Raymond Chavez, William Kranich, and Alex Casella, “Red October and Its Reincarnation” (Boston University, 2015), https://www.cs.bu.edu/~goldbe/teaching/HW55815/presos/redoct.pdf.

³² Global Research and Analysis Team (GReAT), “‘Red October’. Detailed Malware Description 1. First Stage of Attack,” Kaspersky Lab, January 17, 2013, https://securelist.com/red-october-detailed-malware-description-1-first-stage-of-attack/36830/.

³³ Peter E. Harrell and Collin Anderson, “U.S. Sanctions Abet Iranian Internet Censorship,” Foreign Policy, January 22, 2018, https://foreignpolicy.com/2018/01/22/u-s-sanction-abet-iranian-internet-censorship/.

³⁴ Khashayar Nouri, “Cyber Wars in Iran,” NewAgeIslam, July 28, 2010, https://rethinkingislam-sultanshahin.blogspot.com/2010/07/cyber-wars-in-iran.html.

³⁵ “Behrouz Kamalian,” Foundation for Defense of Democracies, accessed January 7, 2021, https://web.archive.org/web/20141115174547/http://www.defenddemocracy.org/behrouz-kamalian.

³⁶ “Wikipedia, s.v. “Army of the Guardians of the Islamic Revolution,” accessed January 7, 2021, https://web.archive.org/web/20190222004609/http://rdfi.org/index.php?option=com_content&view=article&id=407:wikipedia-army-of-the-guardians-of-the-islamic-revolution&catid=49:irgc-watch&Itemid=70/.

³⁷ “Behrouz Kamalian, IRGC Cyber Operative and EU-Designated Human Rights Abuser,” Internet Haganah, accessed January 7, 2021, https://web.archive.org/web/20140305043650/http://forum.internet-haganah.com/forum/iran-%7C-islamic-revolution/891-behrouz-kamalian-irgc-cyber-operative-and-eu-designated-human-rights-abuser; Dorothy Denning, “Iran’s Cyber Warfare Program Is Now a Major Threat to the United States,” Newsweek, December 12, 2017, https://www.newsweek.com/irans-cyber-warfare-program-now-major-threat-united-states-745427.

³⁸ Iftach Ian Amit, “Cyber [Crime|War]: Connecting the Dots” (PowerPoint presentation, DEF CON 18, Las Vegas, NV, July 30–August 1, 2010), https://web.archive.org/web/20140719231638/http://defcon.org/images/defcon-18/dc-18-presentations/Amit/DEFCON-18-Amit-Cyber-Crime.pdf.

³⁹ “Behrouz Kamalian, IRGC Cyber Operative and EU-Designated Human Rights Abuser,” Internet Haganah, accessed January 7, 2021, https://web.archive.org/web/20140305043650if_/http://forum.internet-haganah.com/forum/iran-%7C-islamic-revolution/891-behrouz-kamalian-irgc-cyber-operative-and-eu-designated-human-rights-abuser.

⁴⁰ Saeed Kamali Dehghan, “Iran Giving out Condoms for Criminals to Rape Us, Say Jailed Activists,” The Guardian, June 24, 2011, https://www.theguardian.com/world/2011/jun/24/jailed-iran-opposition-activists-rape.

⁴¹ United States of America v. Ahmad Fathi, Hamid Firoozi, Amin Shokohi, Sadegh Ahmadzadegan a/k/a “Nitr0jen26,” Omid Ghaffarinia a/k/a “PLuS,” Sina Keissar, and Nader Saedi a/k/a “Turk Server,” US District Court, Southern District of New York (2016), https://www.justice.gov/opa/file/834996/download.

⁴² Paul Bucala and Frederick W. Kagan, “Iranian Cyberattacks: What the Justice Department’s Indictment Means and What It Doesn’t,” Critical Threats, March 25, 2016, https://www.criticalthreats.org/analysis/iranian-cyberattacks-what-the-justice-departments-indictment-means-and-what-it-doesnt.

⁴³ Insikt Group, “The History of Ashiyane: Iran’s First Security Forum,” Recorded Future, January 16, 2019, https://www.recordedfuture.com/ashiyane-forum-history/.

⁴⁴ Alibo, “Is this MITM attack on SSL’s certificate?” Google Forum, August 27, 2011, http://www.google.co.uk/support/forum/p/gmail/thread?tid=2da6158b094b225a&hl=en.

⁴⁵ Heather Adkins, “An Update on Attempted Man-in-the-Middle Attacks,” Google Online Security Blog, August 29, 2011, https://security.googleblog.com/2011/08/update-on-attempted-man-in-middle.html.

⁴⁶ Hans Hoogstraaten et al., Black Tulip Report of the Investigation into the DigiNotar Certificate Authority Breach (Delft, The Netherlands: Fox-IT BV, 2012), https://doi.org/10.13140/2.1.2456.7364.

⁴⁷ J. R. Prins, “DigiNotar Certificate Authority Breach ‘Operation Black Tulip’” (interim report, Fox-IT, Delft, The Netherlands, September 5, 2011), https://media.threatpost.com/wp-content/uploads/sites/103/2011/09/07061400/rapport-fox-it-operation-black-tulip-v1-0.pdf.

⁴⁸ Nicole Perlroth, “In Cyberattack on Saudi Firm, U.S. Sees Iran Firing Back,” New York Times, October 23, 2012, https://www.nytimes.com/2012/10/24/business/global/cyberattack-on-saudi-oil-firm-disquiets-us.html.

⁴⁹ “Untitled,” Pastebin, August 15, 2012, https://pastebin.com/HqAgaQRj.

⁵⁰ Levi Gundert, Sanil Chohan, and Greg Lesnewich, “Iran’s Hacker Hierarchy Exposed,” Recorded Future, May 9, 2018, https://www.recordedfuture.com/iran-hacker-hierarchy/.

⁵¹ Gordon Corera, “How NSA and GCHQ Spied on the Cold War World,” BBC News, July 28, 2015, https://www.bbc.com/news/uk-33676028.

⁵² Ralph Simpson, “Japanese Purple Cipher Machine,” Cipher Machines, accessed January 7, 2021, https://ciphermachines.com/purple.

⁵³ William F. Friedman, “Report of Visit to Crypto A. G. (Hagelin),” National Security Agency, March 15, 1955.

⁵⁴ Friedman, “Report.”

⁵⁵ Friedman, “Report.”

⁵⁶ Peter Kornbluh, “The CIA Rigged Foreign Spy Devices for Years. What Secrets Should It Share Now?” Washington Post, February 28, 2020, https://www.washingtonpost.com/outlook/the-cia-rigged-foreign-spy-devices-for-years-what-secrets-should-it-share-now/2020/02/28/b570a4ea-58ce-11ea-9000-f3cffee23036_story.html.

⁵⁷ “Isotope Separation Methods,” Atomic Heritage Foundation, June 5, 2014, https://www.atomicheritage.org/history/isotope-separation-methods.

⁵⁸ “July 2011 Ars Technica,” accessed January 7, 2021, https://arstechnica.com/tech-policy/2011/07/how-digital-detectives-deciphered-stuxnet-the-most-menacing-malware-in-history/.

⁵⁹ Robert Lee, “The History of Stuxnet: Key Takeaways for Cyber Decision Makers,” Cyber Conflict Studies Association, June 4, 2012, https://www.afcea.org/committees/cyber/documents/TheHistoryofStuxnet.pdf.

⁶⁰ Stephen J. Hadley, “The George W. Bush Administration,” The Iran Primer, October 5, 2010, https://iranprimer.usip.org/resource/george-w-bush-administration.

⁶¹ Jeffrey Goldberg, “Netanyahu to Obama: Stop Iran—Or I Will,” The Atlantic, March 31, 2009, https://www.theatlantic.com/magazine/archive/2009/03/netanyahu-to-obama-stop-iran-or-i-will/307390/.

⁶² Associated Press, “Iran Blames U.S., Israel for Stuxnet Malware,” CBS News, April 16, 2011, https://www.cbsnews.com/news/iran-blames-us-israel-for-stuxnet-malware/.

⁶³ Kim Zetter, “Report: Stuxnet Hit 5 Gateway Targets on Its Way to Iranian Plant,” WIRED, February 11, 2011, https://www.wired.com/2011/02/stuxnet-five-main-target/.

⁶⁴ Nicolas Falliere, Liam O Murchu, and Eric Chien, W32.Stuxnet Dossier, version 1.3, Symantec Security Response, November 2010, https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf.

⁶⁵ Kim Zetter, “An Unprecedented Look at Stuxnet, the World’s First Digital Weapon,” WIRED, November 3, 2014, https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/.

⁶⁶ Geoff McDonald, Liam O Murchu, Stephen Doherty, and Eric Chien, Stuxnet 0.5: The Missing Link, version 1.0, Symantec Security Response, February 26, 2013, https://docs.broadcom.com/doc/stuxnet-missing-link-13-en.

⁶⁷ “Part 1: The Tanker Crisis in the Gulf,” The Iran Primer, updated January 16, 2020, https://iranprimer.usip.org/blog/2019/jun/13/tanker-crisis-gulf.

⁶⁸ Julian E. Barnes, “U.S. Cyberattack Hurt Iran’s Ability to Target Oil Tankers, Officials Say,” New York Times, August 28, 2019, https://www.nytimes.com/2019/08/28/us/politics/us-iran-cyber-attack.html.

⁶⁹ Andrew Hanna, “The Invisible U.S.-Iran Cyber War,” The Iran Primer, accessed January 7, 2021, https://iranprimer.usip.org/index.php/blog/2019/oct/25/invisible-us-iran-cyber-war.

⁷⁰ Global Research and Analysis Team (GReAT),Equation Group: Questions and Answers, version 1.5, Kaspersky Lab, February 2015, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064459/Equation_group_questions_and_answers.pdf.

⁷¹ Darren Pauli, “Your Hard Drives Were Riddled with NSA Spyware for Years,” The Register, February 17, 2015, https://www.theregister.com/2015/02/17/kaspersky_labs_equation_group/.

⁷² “Equation Group,” Council on Foreign Relations, accessed January 7, 2021, https://www.cfr.org/cyber-operations/equation-group.

⁷³ Kim Zetter, “Suite of Sophisticated Nation-State Attack Tools Found with Connection to Stuxnet,” WIRED, February 16, 2015, https://www.wired.com/2015/02/kapersky-discovers-equation-group/.

⁷⁴ Global Research and Analysis Team (GReAT), Equation Group: Questions and Answers, version 1.5, Kaspersky Lab, February 2015, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064459/Equation_group_questions_and_answers.pdf.

⁷⁵ Nicole Perlroth, “Symantec Discovers ‘Regin’ Spy Code Lurking on Computer Networks,” Bits Blog (blog), New York Times, November 24, 2014, https://bits.blogs.nytimes.com/2014/11/24/symantec-discovers-spy-code-lurking-on-computer-networks/; DER SPIEGEL Online-Nachrichten, accessed January 7, 2021, https://www.spiegel.de/consent-a-?targetUrl=https%3A%2F%2Fwww.spiegel.de%2Fnetzwelt%2Fnetzpolitik%2Ftrojaner-regin-ist-ein-werkzeug-von-nsa-und-gchq-a-1004950.html.

⁷⁶ Global Research and Analysis Team (GReAT), “Regin: A Malicious Platform Capable of Spying on GSM Networks,” Kaspersky Lab, November 24, 2014, https://www.kaspersky.com/about/press-releases/2014_regin-a-malicious-platform-capable-of-spying-on-gsm-networks.

⁷⁷ Ryan Gallagher, “The Inside Story of How British Spies Hacked Belgium’s Largest Telco,” The Intercept, December 12, 2014, https://theintercept.com/2014/12/13/belgacom-hack-gchq-inside-story/.

⁷⁸ Mark Eeckhaut and Nikolas Vanhecke, “Britse Geheime Dienst Bespioneerde Jarenlang Belgacom-Klanten,” De Standaard, December 13, 2014, https://www.standaard.be/cnt/dmf20141212_01426880; “Lees Hier Hoe de Britse Geheime Dienst GCHQ Belgacom Aanviel,” NRC, December 13, 2014, https://www.nrc.nl/nieuws/2014/12/13/verantwoording-en-documenten-a1420301.

⁷⁹ Regin: Top-Tier Espionage Tool Enables Stealthy Surveillance, Symantec Security Response, November 24, 2014, https://cyber-peace.org/wp-content/uploads/2015/01/regin-analysis.pdf.

⁸⁰ Dennis Fisher, “Experts Question Legality of Use of Regin Malware by Intel Agencies,” Threat Post, November 25, 2014, https://threatpost.com/experts-question-legality-of-use-of-regin-malware-by-intel-agencies/109566/.

⁸¹ Sangwon Yoon, “North Korea Recruits Hackers at School,” Al Jazeera, June 20, 2011, https://www.aljazeera.com/features/2011/6/20/north-korea-recruits-hackers-at-school.

⁸² Scott J. Tosi, “North Korean Cyber Support to Combat Operations,” Military Review, July–August 2017, https://www.armyupress.army.mil/Journals/Military-Review/English-Edition-Archives/July-August-2017/Tosi-North-Korean-Cyber-support/.

⁸³ Andy Patrizio, “Cybercrime Is North Korea’s Biggest Threat,” Dark Reading, August 17, 2017, https://www.darkreading.com/application-security/cybercrime-is-north-koreas-biggest-threat/a/d-id/735548.

⁸⁴ Office of Public Affairs, US Department of Justice, “Four Chinese Nationals and Chinese Company Indicted for Conspiracy to Defraud the United States and Evade Sanctions,” press release no. 19-797, July 23, 2019, https://www.justice.gov/opa/pr/four-chinese-nationals-and-chinese-company-indicted-conspiracy-defraud-united-states-and.

⁸⁵ Steve Miller, “Where Did North Korea’s Cyber Army Come From?” Voice of America, November 20, 2018, https://www.voanews.com/a/north-korea-cyber-army/4666459.html.

⁸⁶ Associated Press, “Ex-Sony Chief Amy Pascal Acknowledges She Was Fired,” NBC News, February 12, 2015, https://www.nbcnews.com/storyline/sony-hack/ex-sony-chief-amy-pascal-acknowledges-she-was-fired-n305281.

Chapter 2

¹ Nicole Perlroth and Quentin Hardy, “Bank Hacking Was the Work of Iranians, Officials Say,” New York Times, January 8, 2013, https://www.nytimes.com/2013/01/09/technology/online-banking-attacks-were-work-of-iran-us-officials-say.html.

² A. L. Johnson, “Born on the 4th of July,” Broadcom, July 9, 2009, https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=d5fc6afb-02e8-423f-8feb-f77c68ec7c8a&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments.

³ Novetta, Operation Blockbuster: Unraveling the Long Thread of the Sony Attack, February 2016, https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf.

⁴ Chico Harlan and Ellen Nakashima, “Suspected North Korean Cyber Attack on a Bank Raises Fears for S. Korea, Allies,” Washington Post, August 29, 2011, https://www.washingtonpost.com/world/national-security/suspected-north-korean-cyber-attack-on-a-bank-raises-fears-for-s-korea-allies/2011/08/07/gIQAvWwIoJ_story.html.

⁵ United States of America v. Ahmad Fathi, Hamid Firoozi, Amin Shokohi, Sadegh Ahmadzadegan a/k/a “Nitr0jen26,” Omid Ghaffarinia a/k/a “PLuS,” Sina Keissar, and Nader Saedi a/k/a “Turk Server,” US District Court, Southern District of New York (2016), https://www.justice.gov/opa/file/834996/download.

⁶ “Denial of Service Attacks Against U.S. Banks in 2012–2013,” Council on Foreign Relations, accessed January 7, 2021, https://www.cfr.org/cyber-operations/denial-service-attacks-against-us-banks-2012-2013.

⁷ QassamCyberFighters, “Bank of America and New York Stock Exchange Under Attack,” Pastebin, September 18, 2012, https://pastebin.com/mCHia4W5.

⁸ Jim Finkle and Rick Rothacker, “Exclusive: Iranian Hackers Target Bank of America, JPMorgan, Citi,” Reuters, September 21, 2012, https://www.reuters.com/article/us-iran-cyberattacks-idUSBRE88K12H20120921.

⁹ United States of America v. Ahmad Fathi, Hamid Firoozi, Amin Shokohi, Sadegh Ahmadzadegan a/k/a “Nitr0jen26,” Omid Ghaffarinia a/k/a “PLuS,” Sina Keissar, and Nader Saedi a/k/a “Turk Server,” US District Court, Southern District of New York (2016), https://www.justice.gov/opa/file/834996/download.

¹⁰ Trend Micro, “Deep Discovery Protects Users from Cyber Attacks in South Korea,” TrendLabs Security Intelligence Blog, March 20, 2013, https://blog.trendmicro.com/trendlabs-security-intelligence/mbr-wiping-trojan-other-attacks-hit-south-korea/.

¹¹ Jaromír Hořejší, “Analysis of Chinese Attack Against Korean Banks,” Avast (blog), March 19, 2013, https://blog.avast.com/2013/03/19/analysis-of-chinese-attack-against-korean-banks/.

¹² Global Research and Analysis Team (GReAT), “South Korean ‘Whois Team’ attacks,” Kaspersky Lab, March 20, 2013, https://securelist.com/south-korean-whois-team-attacks/65106.

¹³ David M. Martin, “Tracing the Lineage of DarkSeoul,” Global Information Assurance Certification (GIAC) Research Papers, March 4, 2016, https://www.giac.org/paper/gsec/31524/tracing-lineage-darkseoul/126346; Jonathan A. P. Marpaung and HoonJae Lee, “Dark Seoul Cyber Attack: Could It Be Worse?” (presentation, 6th Conference of Indonesian Students Association in Korea, Daejeon, South Korea, July 6–7, 2013).

¹⁴ John Leyden, “South Korea Data-Wipe Malware Spread by Patching System,” The Register, March 25, 2013, https://www.theregister.com/2013/03/25/sk_data_wiping_malware_latest/.

¹⁵ Mathew J. Schwartz, “How South Korean Bank Malware Spread,” Dark Reading, March 25, 2013, https://www.darkreading.com/attacks-breaches/how-south-korean-bank-malware-spread/.

¹⁶ Ye Ra Kim, “Before Dark Seoul Becomes Destroy Seoul” (working paper, Cyber Law and Policy Program, Columbia University, New York, February 14, 2014), https://ciaotest.cc.columbia.edu/wps/iwps/0032092/f_0032092_26113.pdf/.

¹⁷ “Ukraine Banks Among the Targets of Global Cyber Attacks,” PYMNTS, June 28, 2017, https://www.pymnts.com/news/security-and-risk/2017/ukraine-banks-targets-of-global-cyber-attacks/.

¹⁸ “Reckless Campaign of Cyber Attacks by Russian Military Intelligence Service Exposed,” UK National Cyber Security Centre, October 3, 2018, https://www.ncsc.gov.uk/news/reckless-campaign-cyber-attacks-russian-military-intelligence-service-exposed; Pavel Polityuk and Alessandra Prentice, “Ukrainian Banks, Electricity Firm Hit by Fresh Cyber Attack,” Reuters, June 27, 2017, https://www.reuters.com/article/us-ukraine-cyber-attacks-idUSKBN19I1IJ.

¹⁹ “Ukraine’s Biggest Lender PrivatBank Nationalised,” BBC News, December 19, 2016, https://www.bbc.com/news/business-38365579.

²⁰ Daniel R. Coats, Worldwide Threat Assessment of the US Intelligence Community, statement for the record, Senate Select Committee on Intelligence, January 29, 2019, https://www.dni.gov/files/ODNI/documents/2019-ATA-SFR---SSCI.pdf.

²¹ “Messaging and Standards,” SWIFT, accessed January 7, 2021, https://www.swift.com/about-us/discover-swift/messaging-and-standards.

²² United States of America v. Park Jin Hyok, No. MJ18-1479, US District Court, Central District of California (June 8, 2018), https://www.justice.gov/opa/press-release/file/1092091/download.

²³ United States of America v. Park Jin Hyok, No. MJ18-1479, p. 57.

²⁴ United States of America v. Park Jin Hyok, No. MJ18-1479, p. 19.

²⁵ United States of America v. Park Jin Hyok, No. MJ18-1479.

²⁶ BAE Systems Applied Intelligence, “Lazarus & Watering-Hole Attacks,” Threat Research Blog, February 12, 2017, https://baesystemsai.blogspot.com/2017/02/lazarus-watering-hole-attacks.html.

²⁷ United States of America v. Park Jin Hyok, No. MJ18-1479, US District Court, Central District of California (June 8, 2018), https://www.justice.gov/opa/press-release/file/1092091/download.

²⁸ United States of America v. Park Jin Hyok, No. MJ18-1479.

²⁹ United States of America v. Park Jin Hyok, No. MJ18-1479.

³⁰ United States of America v. Park Jin Hyok, No. MJ18-1479.

³¹ Emma Chanlett-Avery, Liana W. Rosen, John W. Rollins, and Catherine A. Theohary, “North Korean Cyber Capabilities: In Brief,” Congressional Research Service, August 3, 2017, https://sgp.fas.org/crs/row/R44912.pdf.

³² “Alliance Access,” SWIFT, accessed October 26, 2021, https://www.swift.com/our-solutions/interfaces-and-integration/alliance-access.

³³ “Three Years On from Bangladesh - Tackling the Adversaries,” SWIFT, April 2019, https://www.swift.com/resource/three-years-bangladesh-tackling-adversaries.

³⁴ Serajul Quadir, “How a Hacker’s Typo Helped Stop a Billion Dollar Bank Heist,” Reuters, March 11, 2016, https://www.reuters.com/article/us-usa-fed-bangladesh-typo-insight-idUSKCN0WC0TC.

³⁵ “HIDDEN COBRA – FASTCash Campaign,” Cybersecurity and Infrastructure Security Agency (CISA) Alert (TA18-275A), last modified December 21, 2018, https://us-cert.cisa.gov/ncas/alerts/TA18-275A.

³⁶ Threat Hunter Team, “FASTCash: How the Lazarus Group Is Emptying Millions from ATMs,” Symantec Enterprise Blogs, November 8, 2018, https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/fastcash-lazarus-atm-malware.

³⁷ “FASTCash 2.0: North Korea’s BeagleBoyz Robbing Banks,” Cybersecurity and Infrastructure Security Agency (CISA) Alert (AA20-239A), last modified October 24, 2020, https://us-cert.cisa.gov/ncas/alerts/aa20-239a.

³⁸ “Odinaff: Another Threat to SWIFT, Banking System,” Emergency Management and Safety Solutions, October 16, 2016, https://ems-solutionsinc.com/odinaff-another-threat-to-swift-banking-system/; A.L. Johnson, “Odinaff: New Trojan used in high level financial attacks,” October 11, 2016, retrieved January 7, 2021, from https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=257dd693-5986-41bf-bc33-f9dc76d9c6a8&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments/.

³⁹ Mathew J. Schwartz, “Sophisticated Carbanak Banking Malware Returns, with Upgrades,” Data Breach Today, September 8, 2015, https://www.databreachtoday.com/sophisticated-carbanak-banking-malware-returns-upgrades-a-8523; Carol Morello and Ellen Nakashima, “U.S. Imposes Sanctions on North Korean Hackers Accused in Sony Attack, Dozens of Other Incidents,” Washington Post, September 13, 2019, https://www.washingtonpost.com/national-security/us-sanctions-north-korean-hackers-accused-in-sony-attack-dozens-of-other-incidents/2019/09/13/ac6b0070-d633-11e9-9610-fb56c5522e1c_story.html.

⁴⁰ Tony Capaccio, “US General: Iranian Cyberattacks Are Retaliation for the Stuxnet Virus,” Business Insider, January 18, 2013, https://www.businessinsider.com/iranian-cyberattacks-retaliation-for-stuxnet-virus-2013-1.

Chapter 3

¹ Andrea Hotter, “How the Norsk Hydro Cyberattack Unfolded,” Fastmarkets AMM, August 22, 2019, https://www.amm.com/Article/3890250/How-the-Norsk-Hydro-cyberattack-unfolded.html.

² Hotter, “How the Norsk Hydro Cyberattack Unfolded.”

³ “Targeted Ransomware: A Potent Threat Begins to Proliferate,” RSA Conference, 2020, https://www.youtube.com/watch?v=FbZyADzEez4.

⁴ Malpedia,s.v.“Cobalt Strike,” accessed January 8, 2021, https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike.

⁵ “Lockergoga-1.png (667 × 719),” Trend Micro, accessed January 8, 2021, https://documents.trendmicro.com/images/TEx/articles/lockergoga-1.png.

⁶ Office of Public Affairs, US Department of Justice, “Two Iranian Men Indicted for Deploying Ransomware to Extort Hospitals, Municipalities, and Public Institutions, Causing Over $30 Million in Losses,” press release no. 18-1559, November 28, 2018. https://www.justice.gov/opa/pr/two-iranian-men-indicted-deploying-ransomware-extort-hospitals-municipalities-and-public.

⁷ Zane, “Ryuk Ransomware Creates Chaos: Targets Government and Hospital Institutions,” Cyclonis, January 17, 2020, https://www.cyclonis.com/ryuk-ransomware-creates-chaos-targets-government-hospital-institutions/.

⁸ José Zorilla, “EvilCorp Arrives to Mexico: Multiple Infection Campaigns by the Evil Corp Criminal Group,” Metabase Q Offensive Security Team, access November 18, 2021, https://global-uploads.webflow.com/5fffaaff80401ac09b3ae4ff/6189b8edd5e56c6d07905b0e_Metabase%20Q%20-%20EvilCorp%20Arrives%20to%20Mexico.pdf.

⁹ Arjun Kharpal, “Hackers Being Hunted After Stealing $30.7M via Malware,” CNBC, October 14, 2015, https://www.cnbc.com/2015/10/14/hackers-being-hunted-after-using-dridex-malware-to-steal-over-30m.html.

¹⁰ “Bitpaymer Ransomware,” Coveware, accessed January 8, 2021, https://www.coveware.com/bitpaymer-ransomware-payment.

¹¹ US Department of the Treasury,“Treasury Sanctions Evil Corp, the Russia-Based Cybercriminal Group Behind Dridex Malware,” press release, December 5, 2019, https://home.treasury.gov/news/press-releases/sm845.

¹² “Maksim Viktorovich Yakubets,” FBI, December 2019, https://www.fbi.gov/wanted/cyber/maksim-viktorovich-yakubets.

¹³ Brian Barrett,“Alleged Russian Hacker Behind $100 Million Evil Corp Indicted,” WIRED, December 5, 2019, https://www.wired.com/story/alleged-russian-hacker-evil-corp-indicted/.

¹⁴ Stefano Antenucci, “WastedLocker: A New Ransomware Variant Developed by the Evil Corp Group,” NCC Group, June 23, 2020, https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/.

¹⁵ Jim Walter, “WastedLocker Ransomware: Abusing ADS and NTFS File Attributes,” SentinelLabs, July 23, 2020, https://labs.sentinelone.com/wastedlocker-ransomware-abusing-ads-and-ntfs-file-attributes/.

¹⁶ Brian Barrett, “The Garmin Hack Was a Warning,” WIRED, August 1, 2020, https://www.wired.com/story/garmin-ransomware-hack-warning/.

¹⁷ Barry Collins, “Garmin Risks Repeat Attack If It Paid $10 Million Ransom,” Forbes, July 28, 2020, https://www.forbes.com/sites/barrycollins/2020/07/28/garmin-risks-repeat-attack-if-it-paid-10-million-ransom/.

¹⁸ Catalin Cimpanu, “North Korean Hackers Used Hermes Ransomware to Hide Recent Bank Heist,” Bleeping Computer, October 17, 2017, https://www.bleepingcomputer.com/news/security/north-korean-hackers-used-hermes-ransomware-to-hide-recent-bank-heist/.

¹⁹ Jovi Umawing, “Threat Spotlight: The Curious Case of Ryuk Ransomware,” Malwarebytes Labs, December 12, 2019, https://blog.malwarebytes.com/threat-spotlight/2019/12/threat-spotlight-the-curious-case-of-ryuk-ransomware/.

²⁰ John Fokker and Christiaan Beek, “Ryuk Ransomware Attack: Rush to Attribution Misses the Point,” McAfee Labs (blog), January 9, 2019, https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ryuk-ransomware-attack-rush-to-attribution-misses-the-point/; Itay Cohen and Ben Herzog, “Ryuk Ransomware: A Targeted Campaign Break-Down,” Check Point Research, August 20, 2018, https://research.checkpoint.com/2018/ryuk-ransomware-targeted-campaign-break/.

²¹ Itay Cohen and Ben Herzog, “Ryuk Ransomware: A Targeted Campaign Break-Down,” Check Point Research, August 20, 2018, https://research.checkpoint.com/2018/ryuk-ransomware-targeted-campaign-break/.

²² Alexander Hanel, “Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware,” CrowdStrike Blog, January 10, 2019, https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/.

²³ Charlie Osborne, “MegaCortex Ransomware Slams Enterprise Firms with $5.8 Million Blackmail Demands,” ZDNet, August 5, 2019, https://www.zdnet.com/article/megacortex-ransomware-slams-eu-firms-with-demands-of-up-to-5-8-million/; Jovi Umawing, “Threat Spotlight: The Curious Case of Ryuk Ransomware,” Malwarebytes Labs, December 12, 2019, https://blog.malwarebytes.com/threat-spotlight/2019/12/threat-spotlight-the-curious-case-of-ryuk-ransomware/; Ionut Ilascu, “New LockerGoga Ransomware Allegedly Used in Altran Attack,” Bleeping Computer, January 30, 2019, https://www.bleepingcomputer.com/news/security/new-lockergoga-ransomware-allegedly-used-in-altran-attack/.

²⁴ Insikt Group,“A Multi-Method Approach to Identifying Rogue Cobalt Strike Servers,” Recorded Future, June 18, 2019, https://www.recordedfuture.com/cobalt-strike-servers/.

²⁵ Adam Shaw, “Biden Eyes Taskforce to Target Colonial Pipeline Hackers, Tells Russia to Act as Operations Return,” Fox Business, May 15, 2021, https://www.foxbusiness.com/politics/biden-taskforce-colonial-pipeline-hackers-russia-operations-return.

²⁶ Dissent, “’We Are Apolitical’ – Darkside Threat Actors,” DataBreaches.net, May 10, 2021, https://www.databreaches.net/we-are-apolitical-darkside-threat-actors/.

²⁷ David E. Sanger and Nicole Perlroth,“F.B.I. Identifies Group Behind Pipeline Hack,” New York Times, May 10, 2021, https://www.nytimes.com/2021/05/10/us/politics/pipeline-hack-darkside.html.

²⁸ Brian Krebs, “DarkSide Ransomware Gang Quits After Servers, Bitcoin Stash Seized,” Krebs on Security (blog), May 14, 2021, https://krebsonsecurity.com/2021/05/darkside-ransomware-gang-quits-after-servers-bitcoin-stash-seized.

²⁹ Graham Cluley, “FBI: Don’t Pay Ransomware Demands, Stop Encouraging Cybercriminals to Target Others,” The State of Security, October 3, 2019, https://www.tripwire.com/state-of-security/featured/fbi-dont-pay-ransomware/.

Chapter 4

¹ Mark Clayton, “Ukraine Election Narrowly Avoided ‘Wanton Destruction’ from Hackers,” Christian Science Monitor, June 17, 2014, https://www.csmonitor.com/World/Passcode/2014/0617/Ukraine-election-narrowly-avoided-wanton-destruction-from-hackers.

² Jerin Mathew, “Equipment Installed in Crimea to Tap Lawmakers’ Phones: Ukraine Security Services Chief,” March 4, 2014, https://www.ibtimes.co.uk/equipment-installed-crimea-tap-lawmakers-phones-ukraine-security-services-chief-1438821; Alison Smale and Steven Erlanger, “Ukraine Mobilizes Reserve Troops, Threatening War,” New York Times, March 1, 2014, https://www.nytimes.com/2014/03/02/world/europe/ukraine.html?_r=0.

³ “Ukraine – Presidential Election – 25 May 2014,” GlobalSecurity.org, accessed November 18, 2021, https://www.globalsecurity.org/military/world/ukraine/election-2014.htm.

⁴ Mark Clayton, “Ukraine Election Narrowly Avoided ‘Wanton Destruction’ from Hackers,” Christian Science Monitor, June 17, 2014, https://www.csmonitor.com/World/Passcode/2014/0617/Ukraine-election-narrowly-avoided-wanton-destruction-from-hackers.

⁵ “CyberBerkut” [in Russian], accessed January 8, 2021, https://web.archive.org/web/20150205233005/http://cyber-berkut.org/.

⁶ Jeff Stone, “Meet CyberBerkut, The Pro-Russian Hackers Waging Anonymous-Style Cyberwarfare Against Ukraine,” International Business Times, December 17, 2015, https://www.ibtimes.com/meet-cyberberkut-pro-russian-hackers-waging-anonymous-style-cyberwarfare-against-2228902.

⁷ “Dnepropetrovsk Region Administration Computer Network Is Destroyed, the Central Election Committee Continues Lying” [in Russian], CyberBerkut, May 25, 2014, https://web.archive.org/web/20150203192542/http://cyber-berkut.org/en/olden/index3.php.

⁸ Brian Yates, “CyberBerkut Attempt to Alter Ukrainian Election,” Guardian Liberty Voice (blog), May 25, 2014, https://guardianlv.com/2014/05/cyberberkut-attempt-to-alter-ukrainian-election/.

⁹ ИВАШКИНА, Дарья. “Хакеры Заявили, Что Взломали Переписку Авакова Об Убийстве Сашко Билого.” Komsomolskaya Pravda, April 22, 2014, https://www.kp.ru/daily/26222/3105944/.

¹⁰ Benjamin Jensen, Brandon Valeriano, and Ryan Maness, “Fancy Bears and Digital Trolls: Cyber Strategy with a Russian Twist,” Journal of Strategic Studies 42, no. 2 (February 23, 2019): 212–234, https://doi.org/10.1080/01402390.2018.1559152.

¹¹ Sam Bowne, “Hijacking Web 2.0 Sites with SSLstrip and SlowLoris — Sam Bowne and RSnake at Defcon 17,” November 14, 2009, https://vimeo.com/7618090.

¹² Tara Golshan, “How John Podesta’s Email Got Hacked, and How to Not Let It Happen to You,” Vox, October 28, 2016, https://www.vox.com/policy-and-politics/2016/10/28/13456368/how-john-podesta-email-got-hacked.

¹³ Tara Golshan, “How John Podesta’s Email Got Hacked, and How to Not Let It Happen to You.”

¹⁴ Office of Public Affairs, US Department of Justice, “Grand Jury Indicts 12 Russian Intelligence Officers for Hacking Offenses Related to the 2016 Election,” press release no. 18-923, July 13, 2018, https://www.justice.gov/opa/pr/grand-jury-indicts-12-russian-intelligence-officers-hacking-offenses-related-2016-election.

¹⁵ Office of Public Affairs, US Department of Justice, “Six Russian GRU Officers Charged in Connection with Worldwide Deployment of Destructive Malware and Other Disruptive Actions in Cyberspace,” press release no. 20-1,117, October 19, 2020, https://www.justice.gov/opa/pr/six-russian-gru-officers-charged-connection-worldwide-deployment-destructive-malware-and.

¹⁶ Department of Homeland Security, “Joint Statement from the Department of Homeland Security and Office of the Director of National Intelligence on Election Security,” October 7, 2016, https://www.dhs.gov/news/2016/10/07/joint-statement-department-homeland-security-and-office-director-national.

¹⁷ “This Set Consists of Media Reports from Hillary Clinton’s Electional Staff,” DC Leaks, July 7, 2016, https://web.archive.org/web/20160707111315/http://dcleaks.com:80/index.php/hlr_hrc/.

¹⁸ “This Set Consists of Media Reports from Hillary Clinton’s Electional Staff,” DC Leaks.

¹⁹ Editorial Team, “CrowdStrike’s Work with the Democratic National Committee: Setting the Record Straight,” June 5, 2020, https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/.

²⁰ Guccifer2, “Want to Know More About Guccifer 2.0?” GUCCIFER 2.0 (blog), June 22, 2016, https://guccifer2.wordpress.com/2016/06/22/about-guccifer2/.

²¹ Guccifer2, “Guccifer 2.0 DNC’s Servers Hacked by a Lone Hacker,” GUCCIFER 2.0 (blog), June 15 2016, https://guccifer2.wordpress.com/2016/06/15/dnc/.

²² Lorenzo Franceschi-Bicchierai, “Here’s the Full Transcript of Our Interview with DNC Hacker ‘Guccifer 2.0,’” Motherboard, Vice, June 21, 2016, https://www.vice.com/en/article/yp3bbv/dnc-hacker-guccifer-20-full-interview-transcript.

²³ Lorenzo Franceschi-Bicchierai, “Here’s the Full Transcript of Our Interview with DNC Hacker ‘Guccifer 2.0.’”

²⁴ Dan Goodin, “‘Guccifer’ Leak of DNC Trump Research Has a Russian’s Fingerprints on It,” Ars Technica, June 16, 2016, https://arstechnica.com/information-technology/2016/06/guccifer-leak-of-dnc-trump-research-has-a-russians-fingerprints-on-it/.

²⁵ GlobalSecurity.org, s.v. “Felix Edmundovich Dzerzhinsky,” last modified September 7, 2018, 13:09:00, https://www.globalsecurity.org/intell/world/russia/dzerzhinsky.htm.

²⁶ Nicu Popescu and Stanislav Secrieru, eds., Hacks, Leaks and Disruptions – Russian Cyber Strategies, Chaillot Paper no. 148 (October 2018), https://www.iss.europa.eu/content/hacks-leaks-and-disruptions-%E2%80%93-russian-cyber-strategies.

²⁷ Chloe Farand, “French Social Media Awash with Fake News Stories from Sources ‘Exposed to Russian Influence’ Ahead of Presidential Election,” The Independent, April 23, 2017, https://www.independent.co.uk/news/world/europe/french-voters-deluge-fake-news-stories-facebook-twitter-russian-influence-days-election-a7696506.html.

²⁸ United States of America v. Yuriy Sergeyevish Andrienko, Sergey Vladimirovich Detistov, Pavel Valeryevich Frolov, Anatoliy Sergeyevich Kovalev, Artem Valeryevich Ochichenko, and Petr Nikolayevich Pliskin, US District Court, West District of Pennsylvania (2020), https://www.justice.gov/opa/press-release/file/1328521/download.

²⁹ Encyclopedia Britannica Online, s.v. “En Marche! French Political Movement,” accessed January 8, 2021, https://www.britannica.com/topic/En-Marche.

³⁰ Nicholas Vinocur, “Macron Confirms ‘Massive’ Hack Just Ahead of Election,” POLITICO, May 6, 2017, https://www.politico.eu/article/macron-confirms-massive-hack-just-ahead-of-election/.

³¹ Jean-Baptiste J. Jeangene, “The ‘Macron Leaks’ Operation: A Post-Mortem,” Atlantic Council, April 2017, https://www.atlanticcouncil.org/wp-content/uploads/2019/06/The_Macron_Leaks_Operation-A_Post-Mortem.pdf.

³² Chris Doman, “MacronLeaks – A Timeline of Events,” AT&T Alien Labs Research Blog, May 6, 2017, https://cybersecurity.att.com/blogs/labs-research/macronleaks-a-timeline-of-events.

³³ “Le Pen Meets Putin Ahead of French Presidential Election,” France 24, March 24, 2017, https://www.france24.com/en/20170324-marine-le-pen-visits-russia-french-presidential-election-putin.

³⁴ Gabriel Gatehouse, “Marine Le Pen: Who’s Funding France’s Far Right?” BBC News, April 3, 2017, https://www.bbc.com/news/world-europe-39478066.

Chapter 5

¹ Jon DiMaggio, The Black Vine Cyberespionage Group, version 1.11, Symantec Security Response, August 6, 2015, https://docs.broadcom.com/doc/the-black-vine-cyberespionage-group; Brendan I. Koerner, “Inside the Cyberattack That Shocked the US Government,” WIRED, October 23, 2016, https://www.wired.com/2016/10/inside-cyberattack-shocked-us-government/; World Anti-Doping Agency, “WADA Confirms Attack by Russian Cyber Espionage Group,” September 13, 2016, https://www.wada-ama.org/en/media/news/2016-09/wada-confirms-attack-by-russian-cyber-espionage-group; Kim Zetter, “Google Hack Attack Was Ultra Sophisticated, New Details Show,” WIRED, January 14, 2010, https://www.wired.com/2010/01/operation-aurora/; Novetta, Operation Blockbuster: Unraveling the Long Thread of the Sony Attack, February 2016, https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf.

² IBM Security. (2020, February 10). Cost of a Data Breach Report 2019. Retrieved January 24, 2021, from https://www.ibm.com/downloads/cas/RDEQK07R#:~:text=The%20average%20total%20cost%20of%20a%20data%20breach%20in%20the,the%20global%20average%20of%2025%2C575/.

³ John McCrank and Jim Finkle, “Equifax Breach Could Be Most Costly in Corporate History,” Reuters, March 2, 2018, https://www.reuters.com/article/us-equifax-cyber/equifax-breach-could-be-most-costly-in-corporate-history-idUSKCN1GE257; Xeni Jardin, “Was That Huge 2017 Equifax Data Breach Part of a Nation-State Spy Scheme?” Boing Boing, February 14, 2019, https://boingboing.net/2019/02/13/was-that-huge-2017-equifax-dat.html.

⁴ “Slowloris,” Learning Center, Imperva, accessed January 24, 2021, https://www.imperva.com/learn/ddos/slowloris/?redirect=Incapsula.

⁵ “Low Orbit Ion Cannon (LOIC),” Learning Center, Imperva, accessed January 24, 2021, https://www.imperva.com/learn/ddos/low-orbit-ion-cannon/.

⁶ Deepanker Verma, “LOIC (Low Orbit Ion Cannon) – DOS Attacking Tool,” Infosec Resources, December 21, 2011, https://resources.infosecinstitute.com/topic/loic-dos-attacking-tool/; “LOIC,” SourceForge, updated August 17, 2020, https://sourceforge.net/projects/loic/.

⁷ Sergio Caltagirone, Andrew Pendergast, and Christopher Betz, “The Diamond Model of Intrusion Analysis - Active Response,” July 2013. Retrieved November 26, 2021, from https://www.activeresponse.org/wp-content/uploads/2013/07/diamond.pdf.

⁸ Caltagirone, Pendergast, and Betz, “The Diamond Model of Intrusion Analysis.”

⁹ Office of the Director of National Intelligence, A Guide to Cyber Attribution, September 14, 2018, https://www.dni.gov/files/CTIIC/documents/ODNI_A_Guide_to_Cyber_Attribution.pdf.

¹⁰ Threat Hunter Team, “Dragonfly: Western Energy Sector Targeted by Sophisticated Attack Group,” Symantec Enterprise Blogs, October 20, 2017, https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks.

¹¹ WPENGINE, “Sykipot Explota una Nueva Vulnerabilidad de Adobe Flash,” Kaspersky Lab, October 29, 2010, https://securelist.lat/sykipot-explota-una-nueva-vulnerabilidad-de-adobe-flash/66746/.

¹² Gabriel Currie, “Hackers Get Hungry,” Cyber Security (blog), PwC, May 26, 2017, https://pwc.blogs.com/cyber_security_updates/2017/05/index.html.

¹³ Currie, “Hackers Get Hungry.”

¹⁴ Currie, “Hackers Get Hungry.”

¹⁵ Wikipedia, s.v. “UTC+08:00,” accessed January 23, 2021, https://en.wikipedia.org/w/index.php?title=UTC%2B08:00&oldid=1002196814.

¹⁶ “Your Domain Name Broker,” Brannans.com, accessed March 6, 2017, https://www.brannans.com.

Chapter 6

¹ Eric Chien and Gavin O’Gorman, “The Nitro Attacks Stealing Secrets - broadcom inc,” May 1, 2013. Retrieved November 26, 2021, from https://docs.broadcom.com/doc/the-nitro-attacks-stealing-secrets-11-en.

² [Trojan horse virus email warning] Please pay attention to it!” [in Chinese],” Google Groups, March 22, 2010, https://groups.google.com/g/wlaq-gg/c/XV76xu8IzKM/m/h4sk_NQ1_X4J/.

³ “June 2010,” Contagio Malware Dump (blog), https://contagiodump.blogspot.com/2010/06/.

⁴ Chintan Shah, “Operation Mangal - Win32 / Syndicasec Used In Targeted Attacks Against Indian Government Organizations - Part-1 : Exploits, Attack Timeline and Targets,” Malicious Code Analysis and Research (blog), December 1, 2014, http://extreme-security.blogspot.com/2014/12/operation-mangal-win32-syndicasec-used.html.

⁵ BAE Systems Applied Intelligence, “Lazarus & Watering-Hole Attacks,” Threat Research Blog, February 12, 2017, https://baesystemsai.blogspot.com/2017/02/lazarus-watering-hole-attacks.html.

⁶ “Whois Record for MassEffect.Space,” DomainTools, accessed January 16, 2021, https://whois.domaintools.com/masseffect.space.

⁷ “Welcome to AOL,” America Online, April 21, 1997, https://web.archive.org/web/19970421165310/http://www.aol.com/.

⁸ Erika Noerenberg and Nathaniel Quist, Shamoon 2 Malware Analysis Report, LogRhythm Labs, April 2017, https://gallery.logrhythm.com/threat-intelligence-reports/shamoon-2-malware-analysis-logrhythm-labs-threat-intelligence-report.pdf.

⁹ Christiaan Beek and Raj Samani, “Spotlight on Shamoon,” McAfee Labs (blog), January 27, 2017, https://www.mcafee.com/blogs/other-blogs/mcafee-labs/spotlight-on-shamoon/.

¹⁰ hasherezade, “Introduction to ADS – Alternate Data Streams,” hasherezade’s 1001 Nights (blog), March 19, 2016, https://hshrzd.wordpress.com/2016/03/19/introduction-to-ads-alternate-data-streams/.

¹¹ Erika Noerenberg and Nathaniel Quist, Shamoon 2 Malware Analysis Report, LogRhythm Labs, April 2017, https://gallery.logrhythm.com/threat-intelligence-reports/shamoon-2-malware-analysis-logrhythm-labs-threat-intelligence-report.pdf.

¹² Christiaan Beek and Raj Samani, “Spotlight on Shamoon,” McAfee Labs (blog), January 27, 2017, https://www.mcafee.com/blogs/other-blogs/mcafee-labs/spotlight-on-shamoon/.

¹³ DiMaggio, “Operation Bachosens: A Detailed Look into a Long-Running Cyber Crime Campaign.”

¹⁴ Ray Zadjmool, “Hidden Threat: Alternate Data Streams,” TechGenix, March 24, 2004, http://techgenix.com/alternate_data_streams/.

¹⁵ A. L. Johnson, “Bachosens: Highly-Skilled Petty Cyber Criminal with Lofty Ambitions Targeting Large Organizations,” Broadcom, May 31, 2017, https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=07799a0b-af41-450e-a730-effb95a0cfeb&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments.

¹⁶ Jon DiMaggio, “Operation Bachosens: A Detailed Look into a Long-Running Cyber Crime Campaign,” Medium, April 3, 2018, https://medium.com/threat-intel/cybercrime-investigation-insights-bachosens-e1d6312f6b3a.

¹⁷ Dan Goodin, “NSA-Leaking Shadow Brokers Just Dumped Its Most Damaging Release Yet,” Ars Technica, April 14, 2017, https://arstechnica.com/information-technology/2017/04/nsa-leaking-shadow-brokers-just-dumped-its-most-damaging-release-yet/.

¹⁸ A. L. Johnson, “WannaCry: Ransomware Attacks Show Strong Links to Lazarus Group,” Broadcom, May 22, 2017, https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=b2b00f1b-e553-47df-920d-f79281a80269&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments.

¹⁹ Kim Zetter, “An Unprecedented Look at Stuxnet, the World’s First Digital Weapon,” WIRED, November 3, 2014, https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/.

²⁰ Gavin O’Gorman and Geoff McDonald, The Elderwood Project, Symantec Security Response, 2012, https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2012/the-elderwood-project.pdf.

²¹ Gavin O’Gorman and Geoff McDonald, The Elderwood Project.

²² FireEye. (2013, September 24). オペレーションDeputyDog: 日本をターゲットとした、ゼロデイ (CVE-2013-3893) 標的型攻撃について. FireEye. Retrieved November 28, 2021, from https://www.fireeye.com/blog/jp-threat-research/2013/09/deputy-dog-part-1.html.

Chapter 7

¹ US Navy, “OPSEC,” All Hands Magazine, accessed March 15, 2021, https://web.archive.org/web/20181218221856/https:/www.navy.mil/ah_online/OPSEC/.

² “DNSDB Scout,” Farsight Security, accessed March 15, 2021, https://www.farsightsecurity.com/tools/dnsdb-scout/.

³ “RiskIQ PassiveTotal,” RiskIQ, July 20, 2020, https://www.riskiq.com/products/passivetotal/.

⁴ “Enterprise Security Products,” DomainTools, accessed March 15, 2021, https://www.domaintools.com/products.

⁵ “Billions of Archived Domain Name Whois Records,” Whoisology, accessed March 15, 2021, https://whoisology.com/.

⁶ “dnsmap,” Google Code Archive, accessed March 15, 2021, https://code.google.com/archive/p/dnsmap/.

⁷ “VirusTotal Intelligence Introduction,” VirusTotal, accessed March 15, 2021, https://support.virustotal.com/hc/en-us/articles/360001387057-VirusTotal-Intelligence-Introduction.

⁸ “Free Automated Malware Analysis Service – Powered by Falcon Sandbox,” HybridAnalysis, accessed February 11, 2021, https://www.hybrid-analysis.com/.

⁹ “Automated Malware Analysis,” Joe Sandbox Cloud Basic, accessed February 11, 2021, https://www.joesandbox.com/#windows.

¹⁰ “Welcome to Triage,” Hatching Triage, accessed June 5, 2021, https://tria.ge/.

¹¹ “What Is Cuckoo?” Cuckoo Sandbox v2.0.7 Book, Cuckoo Foundation, accessed February 11, 2021, https://cuckoo.sh/docs/introduction/what.html.

¹² InfoSec_Pom, “Opening Virtualbox Network Interface and Cuckoo Web Interface with 2 Bash Scripts,” October 31, 2017, https://www.youtube.com/watch?v=NCdzOwsUfVQ.

¹³ “What Is Cuckoo?” Cuckoo Sandbox v2.0.7 Book, Cuckoo Foundation, accessed February 11, 2021, https://cuckoo.sh/docs/introduction/what.html.

¹⁴ “Google,” accessed February 11, 2021, https://www.google.com/.

¹⁵ “Google,” accessed February 11, 2021, https://www.google.com/.

¹⁶ BAE Systems Applied Intelligence, “Lazarus & Watering-Hole Attacks,” Threat Research Blog, accessed February 11, 2021, https://baesystemsai.blogspot.com/2017/02/lazarus-watering-hole-attacks.html.

¹⁷ “New Report,” NerdyData.com, accessed February 11, 2021, https://www.nerdydata.com/reports/new.

¹⁸ “Tweetdeck,” Twitter, accessed September 18, 2021, https://tweetdeck.twitter.com/.

¹⁹ “‘LockBit’ Launches Ransomware Blog, Blackmails Two Companies,” Gemini Advisory, September 16, 2020, https://geminiadvisory.io/lockbit-launches-ransomware-blog/.

²⁰ “Privacy & Freedom Online,” Tor Project, accessed February 11, 2021, https://torproject.org.

²¹ “High-Speed, Secure & Anonymous VPN Service,” ExpressVPN, accessed March 15, 2021, https://www.expressvpn.com.

²² “Best VPN Service. Online Security Starts with a Click,” NordVPN, accessed March 15, 2021, https://nordvpn.com/.

²³ Defense Point Security, “DefensePointSecurity/threat_note,” GitHub, https://github.com/DefensePointSecurity/threat_note.

²⁴ “MISP - Open Source Threat Intelligence Platform & Open Standards for Threat Information Sharing,” MISP, accessed September 18, 2021, https://www.misp-project.org/.

²⁵ “Features: Intelligence to Detect and Mitigate Threats,” Analyst1, accessed March 15, 2021, https://analyst1.com/platform/features.

²⁶ “DEVONthink,” DEVONtechnologies, accessed March 15, 2021, https://www.devontechnologies.com/apps/devonthink.

²⁷ “Go Deep,” Wireshark, accessed February 11, 2021, https://www.wireshark.org/.

²⁸ lanmaster53, “lanmaster53/recon-ng,” GitHub, 2021, https://github.com/lanmaster53/recon-ng.

²⁹ lanmaster53, “lanmaster53/recon-ng.”

³⁰ Christian Martorella, “laramies/theHarvester,” GitHub, 2021, https://github.com/laramies/theHarvester.

³¹ “SpiderFoot: OSINT Automation,” SpiderFoot, accessed February 11, 2021, https://www.spiderfoot.net.

³² “Downloads: Select Your Operating System and Filetype,” Maltego, accessed February 11, 2021, https://www.maltego.com/downloads/.

Chapter 8

¹ VirusTotal, accessed April 26, 2021, https://www.virustotal.com/gui/file/a301260b4887b1f2126821825cacce19dc5b8a8006ab04f0a26f098a9555750a/detection.

² Wishnu Wardhana, “Welcome Message from the APEC CEO Summit Chair,” APEC CEO Summit 2013 Indonesia, accessed April 26, 2021, https://web.archive.org/web/20131004152036/http://apec2013ceosummit.com/#host.

³ “Trojan.Mdropper,” Norton Internet Security, accessed April 26, 2021, http://www.nortoninternetsecurity.cc/2014/08/trojanmdropper.html.

⁴ “CVE-2012-0158,” CVE, accessed April 26, 2021, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0158.

⁵ “CVE-2012-0158,” CVE.

⁶ Jason Geater, “Repair DLL Errors: Netid.dll Download and Update,” ExeFiles.com, accessed April 26, 2021, https://www.exefiles.com/en/dll/netid-dll/.

⁷ Deland-Han, “Dynamic Link Library (DLL) - Windows Client,” Documentation, Microsoft Corporation, accessed April 26, 2021, https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/dynamic-link-library.

⁸ “Imphash Usage in Malware Analysis – Categorizing Malware,” Optimization Core, March 7, 2020, https://www.optimizationcore.com/security/imphash-usage-malware-analysis-categorizing-malware/.

⁹ Andrea Lelli, “Infostealer.Sofacy,” Symantec, Broadcom, September 7, 2011, https://www.google.com/url?q=https://www.symantec.com/security-center/writeup/2011-090714-2907-99&sa=D&source=editors&ust=1619480146703000&usg=AOvVaw1Qs8KNRjXxoq6_f8vLH6e1.

¹⁰ Editorial Team, “Fancy Bear Hackers (APT28): Targets & Methods,” CrowdStrike, February 12, 2019, https://www.crowdstrike.com/blog/who-is-fancy-bear/.

¹¹ “APT28 - A Window into Russia’s Cyber Espionage Operations?” FireEye, accessed April 26, 2021, https://www.fireeye.com/offers/rpt-services-campaign-apt28.html.

¹² “DNSDB Scout - Dashboard,” Farsight Security, accessed April 26, 2021, https://scout.dnsdb.info/dashboard.

¹³ “About Us,” Academi, archived July 24, 2014, https://web.archive.org/web/20140724180721/http://academi.com/pages/about-us.

¹⁴ “Who Are We?” Eurosatory, accessed April 26, 2021, https://www.eurosatory.com/home/the-exhibition/who-are-we/?lang=en.

¹⁵ “About Us,” TOLOnews, accessed April 26, 2021, https://tolonews.com/about-us.

- Add Highlight
No Comment

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.

Table of Contents for Endnotes

Create new playlist

Sign In

Sign Up

Introduction

Chapter 1

Chapter 2

Chapter 3

Chapter 4

Chapter 5

Chapter 6

Chapter 7

Chapter 8

Table of Contents for
Endnotes