SOCshare March 2024: Cyber Threat Intelligence through social media channels

“The main cyber threats come from Russia and Belarus, and their activity has increased especially since the start of the war. One of the main objectives of the attacks is ideological, although the real aim is to spread propaganda. There is an active response to political events and targeted attacks against Ukraine and its supporters. Currently, only a small part of the attacks are carried out for commercial or entertainment purposes”, says cyber intelligence analyst Alexander Kulik.

According to the expert, cyber-attacks of various scales are constantly being carried out against Ukrainian organisations and their supporters. One of the most recent major campaigns targeted Poland in early March, in support of farmers who are protesting and refusing to allow Ukrainian grain in: transport companies, road authorities and other organisations in the neighbouring country were attacked. France has been hit by cyber-attacks following President Emmanuel Macron’s announcement of a possible troop deployment to Ukraine. Currently, many attacks are targeting Moldova and Romania. Lithuania was targeted by hackers in the summer, during the NATO summit, when government websites were heavily attacked.

Analysts working in Lithuania carry out cyber threat intelligence constantly and everywhere. They infiltrate dark web forums, engage in Telegram groups, monitor information on publicly available online discussion and message boards and the social network X.

“We regularly check what attacks have taken place, what the next plans are, what new groups have formed. Intelligence helps to identify new threats, to know what to watch out for and to prepare in advance for future attacks, thus minimising the potential damage,” says A. Kulik, cyber intelligence analyst at NRD Cyber Security, a cybersecurity consulting, services and technology company.

Continuous monitoring of Telegram can identify indicators specific to a particular cybercriminal group, such as the IP addresses, servers and other resources used for attacks. The collected data helps to build a picture of a specific group’s modus operandi and to protect against its future attacks.

Not just automated solutions

The expert notes that it is still difficult to rely solely on automated cybersecurity solutions. The ability of an analyst to understand and react quickly to the changing context of cyber threats, to find relevant information and assess whether threats are dangerous, and to share this knowledge with clients, partners and the cyber security community remains a critical competency.

Hacktivist groups often make their achievements and activities public in order to gain notoriety or fame, or to demonstrate their power, and analysts who have infiltrated or joined certain groups can regularly monitor the information that is disseminated. For example, the main groups run 5-6 active Telegram channels, which not only announce attacks but also share IT news and articles on cyber security in order to build a community and spread their ideology.

Most of the reported cyber-attacks are so-called DDoS attacks, in which the websites of organisations or companies are flooded with huge numbers of requests, disrupting the functioning of the site and potentially making it unavailable.

How the data leak was handled

In addition to planned cyber-attacks, information about data leaked from affected large companies, and offers to sell it, can be found on hacker forums, groups and bulletin boards.

“We have experienced a data leak at a client. The hackers had posted some of the information from internal correspondence on their channel, a cryptocurrency ransom was demanded, and the hackers boasted that they had recruited people. The information disseminated by the group made it easier to identify the nature of the hacking and to tackle the problem. We found that the information was either shared by a person within the organisation, or access was gained to emails sent within the organisation. This allowed us to take action to mitigate the potential damage. The organisation changed passwords, disconnected certain users, and took other actions to prevent the incident and prevent potential attacks,” says Kulik about the case.

Cyber threat monitoring also provides information on attacks that exploit vulnerabilities in software from vendors such as Microsoft or Oracle. Customers are then alerted to attacks that have occurred or are planned, and to the protection options available.

“It is important to share with the community the attacks that have taken place and the signs of them. Sharing information between different security operations centres strengthens the overall cyber resilience in Lithuania and Europe. We are currently implementing the SOCshare project with Vilnius Municipality, which will allow us to collect and share signs of cyber attacks and hacking. This will help everyone involved to see how to identify and respond to specific threat indicators to minimise potential damage,” says NRD Cyber Security’s cyber intelligence analyst.
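As an added illustration (not code from the article or from NRD Cyber Security) of the two steps described above, extracting group-specific indicators from monitored channel posts and packaging them for sharing between security operations centres, the following Python builds a per-channel profile from constructed sample posts. The channel names, TEST-NET addresses and .example domains are all invented for the example.

```python
import json
import re
from collections import defaultdict

# Constructed sample posts in the style of hacktivist channel announcements; channel names, TEST-NET addresses and .example domains are all made up.
SAMPLE_POSTS = [
    {"channel": "groupA_official", "ts": "2024-03-04T09:12:00",
     "text": "DDoS on road-authority.example.pl is live! targets 198.51.100.20 and transport-hub.example.pl"},
    {"channel": "groupA_official", "ts": "2024-03-05T14:30:00",
     "text": "Second wave: DDoS road-authority.example.pl via 198.51.100.20, 203.0.113.7"},
    {"channel": "groupB_news", "ts": "2024-03-06T08:00:00",
     "text": "Leak: internal mail from corp.example.lt, sample hosted at 203.0.113.44. Pay or we publish."},
]
IPV4_RE = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
ACTIVITY_KEYWORDS = {"ddos": "ddos", "leak": "data_leak", "deface": "defacement"}

def extract_indicators(text):
    # IPv4 addresses and domains from one post, order preserved, duplicates dropped
    ips = list(dict.fromkeys(IPV4_RE.findall(text)))
    domains = list(dict.fromkeys(m.lower() for m in DOMAIN_RE.findall(text)))
    return {"ips": ips, "domains": domains}

def classify(text):
    # Activity type announced in the post, from simple keyword matching
    lowered = text.lower()
    return sorted({tag for kw, tag in ACTIVITY_KEYWORDS.items() if kw in lowered}) or ["unknown"]

def build_profiles(posts):
    # One profile per channel: indicators, activity types, first/last seen, post count
    profiles = defaultdict(lambda: {"ips": set(), "domains": set(), "activity": set(),
                                    "first_seen": None, "last_seen": None, "posts": 0})
    for post in sorted(posts, key=lambda p: p["ts"]):
        prof = profiles[post["channel"]]
        found = extract_indicators(post["text"])
        prof["ips"].update(found["ips"])
        prof["domains"].update(found["domains"])
        prof["activity"].update(classify(post["text"]))
        prof["first_seen"] = prof["first_seen"] or post["ts"]
        prof["last_seen"] = post["ts"]
        prof["posts"] += 1
    return dict(profiles)

def defang(value):
    # Neutralise an indicator so it is not accidentally clicked or resolved when shared
    return value.replace(".", "[.]")

def to_shareable(profiles):
    # JSON record with sorted, defanged indicators, suitable for exchange between SOCs
    return json.dumps({ch: {"ips": [defang(i) for i in sorted(p["ips"])],
                            "domains": [defang(d) for d in sorted(p["domains"])],
                            "activity": sorted(p["activity"]), "first_seen": p["first_seen"],
                            "last_seen": p["last_seen"], "posts": p["posts"]}
                       for ch, p in profiles.items()}, indent=2)
```

Calling `to_shareable(build_profiles(SAMPLE_POSTS))` yields a JSON document with one entry per channel, which is the kind of record an exchange platform can ingest.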

The project between Vilnius City Municipality and NRD Cyber Security is worth EUR 2.9 million. EUR 1.4 million will be financed by the European Union and the rest will be covered by the project partners. The project will run for three years.

The article was published in Lithuanian at 15min.lt: https://www.15min.lt/verslas/naujiena/mokslas-it/kibernetiniu-ataku-zvalgyba-ekspertas-dalijasi-kaip-ji-vyksta-1290-2214950
