Botnet that hid for 18 months (arstechnica.com)
125 points by takiwatanga 1515 days ago
5 comments

Interesting -- not targeting defense contractors or governments.

> In this blog post, we introduce UNC3524, a newly discovered suspected espionage threat actor that, to date, heavily targets the emails of employees that focus on corporate development, mergers and acquisitions, and large corporate transactions. On the surface, their targeting of individuals involved in corporate transactions suggests a financial motivation; however, their ability to remain undetected for an order of magnitude longer than the average dwell time of 21 days in 2021, as reported in M-Trends 2022, suggests an espionage mandate.

Is there enough money in high finance to support the development of sophisticated tools to rig trading markets?

> Is there enough money in high finance to support the development of sophisticated tools to rig trading markets?

Yes, but a well timed economic WMD on countries heavily reliant on efficient capital markets would greatly distract them from interfering in international events.

Insider trading without insider trading - the Netflix engineers who got busted by the DoJ last year did well over 3 million USD on just subscriber data - imagine what access to an exec inbox would look like -
But wouldn't it be easy to catch people with a lot of near-expiry, far OTM put options, for instance?

Or are these people going on r/wallstreetbets to write long DD posts, upvoted by bots, purchased accounts and awards, under a VPN to make their purchases seem organic?

Still, wouldn't it be obvious if somebody were doing that routinely and establishing a pattern of unusually high win rates before earnings?

Sort of like how poker companies catch cheaters: simply by knowing the average win rate falls within a specific distribution, even the slightest deviation or outlier would send their risk management scrutinizing play by play to determine a pattern.

Wouldn't large state actors with a web of shell companies be able to obfuscate and get away with impunity? Literally printing money and also weaponizing a foreign financial market.

Making money isn't illegal; you need to actually catch them committing the crime. You could also do something like advantage a single business and make your money that way instead of engaging directly with stocks and options.

Buying near-expiry OTM options is kind of the gold standard on r/wallstreetbets anyway. But I think giving away insider DDs there would cannibalize the winning chance and could in theory even turn a projected win into a loss, which is why ultimately this information isn't thrown around easily. That said, a winning streak by someone can really just be pure luck, and most DDs are based on incomplete/speculative information. Also, that's really the point of wsb: to place actual bets (safe plays are on r/investing...).

I had the original comment as a "draft" for 5 hours for this very reason - my guess is - hence the "long lived" - you'd only be able to do it over a long period of time in "small" amounts - but yes - in theory it should be very easy to spot - however, given the level of sophistication here - these folks are clearly very, very smart - I can think of a half dozen ways to launder the stocks if super inclined - you'd also probably focus on supply chain trades.

If you want to do insider trading without penalties, get elected to Congress.

"59 members of Congress have violated a law designed to stop insider trading and prevent conflicts-of-interest"

https://www.businessinsider.com/congress-stock-act-violation...

Did anyone ever decrypt that portion of Gauss, circa 2012?

That's the most effectively hidden malware code I know of.

https://arstechnica.com/information-technology/2013/03/the-w...

No. I know a few antivirus companies and security researchers continue to run brute force cracks against it, going on 10 years now.

Other modules in Gauss monitored transactions with Lebanese banks, so a logical assumption is it was deployed as part of a terror financing investigation against a very specific set of computers.

This doesn't sound like a botnet so much as a (possibly Russian) child of Stuxnet.

Isn't this significantly better than current botnets?

Is there any information about their targets?

This activity is steps above a normal botnet or threat actor such as standard ransomware operators. Not only living off the land, but taking care to blend in to the device/environment, not just dropping a randomly named blob. They show a narrow focus of targeting, awareness of evasion, and skill at maintaining persistence. This level of sophistication is not normal for normal incidents.

I bet sometimes they kick out bots that are competing for resources. Or at least scan for the other bots and carve them out; otherwise, when there are two, that's when they both start mining full blast, they each try to cash in the crypto keys on the computer before the other one does, and the user gets around to reinstalling the OS because his computer is unusable.

Based on the places where they were putting their threats, I doubt mining was their goal. It sounds more like they were spelunking in case they wanted to ransomware and/or just wanting the information in a straightforward way. I wonder if they were also just using these servers as a foothold to attack something else. If you are mixing your traffic among an org's business presence, it would be difficult to chase as a hop.

Ya, this definitely wasn't about mining.

There isn't much info to go on, but it almost sounds like they were after the type of financial data that would be useful for insider trading.

Based on the article, they were targeting Office 365 on-prem email instances for market-mover events (acquisitions, new clients, etc.).

It honestly sounds like state-sponsored (or at least extremely competent) corporate espionage. To what end, I do not know. Wild.

It certainly seems like it to me.

Is this what it takes for IoT devices to finally get DMZ'd away from main networks at enterprises?

You could try that. But I'm unsure how much that would move the needle in this particular case. It's too easy to slip up when your only defense is a walled garden. And with wireless controllers and load balancers on the list, that'll be tricky.

But what would likely have helped is a focus on strong controls around identity and access management. Especially in the form of passwordless auth. Would certainly make lateral moves harder.

Do other companies seriously not do this? I would think that is a basic security concept at this point. Then again, I've seen worse security practices at companies.
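The segmentation idea discussed in the last few comments (IoT and appliance devices kept away from the main network, with only designated management hosts allowed to reach them) can be checked against observed traffic rather than assumed. The following is an added example, not code from the thread, the Ars Technica article, or the report it covers: a small policy check run over constructed flow records. The subnets, the management host, the allowed services and the sample flow lines are all assumptions made for this example, as is the generic "src,dst,dport,proto" record layout.

```python
"""Check flow records against an IoT segmentation policy.

Added example (not from the thread or the article it discusses). The
address plan, allowed services and sample flows below are constructed
for illustration; the record layout "src,dst,dport,proto" is a generic
assumption, not any vendor's log format.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Iterable, List, Optional, Tuple

# Constructed address plan (assumption): appliances such as wireless
# controllers and load balancers live in IOT_NET, corporate hosts in
# CORP_NET, and only MGMT_HOSTS may open connections into IOT_NET.
IOT_NET = ip_network("10.50.0.0/24")
CORP_NET = ip_network("10.10.0.0/16")
MGMT_HOSTS = {ip_address("10.10.5.10")}

# Services an appliance may initiate towards the corporate side
# (assumption): DNS and NTP to the internal resolver only.
RESOLVER = ip_address("10.10.0.53")
ALLOWED_IOT_OUT = {(RESOLVER, 53, "udp"), (RESOLVER, 123, "udp")}


@dataclass(frozen=True)
class Flow:
    src: IPv4Address
    dst: IPv4Address
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse one constructed 'src,dst,dport,proto' record."""
    src, dst, dport, proto = line.strip().split(",")
    return Flow(ip_address(src), ip_address(dst), int(dport), proto.lower())


def violates_policy(f: Flow) -> Optional[str]:
    """Return why a flow breaks the IoT boundary policy, or None if allowed.

    Only flows crossing the IoT/corporate boundary are judged here;
    intra-segment traffic and internet egress are outside this policy.
    """
    if f.src in IOT_NET and f.dst in CORP_NET:
        if (f.dst, f.dport, f.proto) in ALLOWED_IOT_OUT:
            return None
        return "appliance-initiated connection into corporate network"
    if f.src in CORP_NET and f.dst in IOT_NET:
        if f.src in MGMT_HOSTS:
            return None
        return "non-management host reaching into IoT segment"
    return None


def find_violations(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (record, reason) pairs for every record that breaks policy."""
    found = []
    for line in lines:
        reason = violates_policy(parse_flow(line))
        if reason is not None:
            found.append((line.strip(), reason))
    return found


# Constructed sample records: two allowed, two violations, two out of scope.
SAMPLE_FLOWS = [
    "10.50.0.20,10.10.0.53,53,udp",      # appliance DNS to resolver: allowed
    "10.50.0.20,10.10.20.15,445,tcp",    # appliance to a workstation on SMB: violation
    "10.10.5.10,10.50.0.20,22,tcp",      # management host SSH to appliance: allowed
    "10.10.20.15,10.50.0.20,22,tcp",     # workstation SSH to appliance: violation
    "10.50.0.20,203.0.113.9,443,tcp",    # appliance egress: not covered by this policy
    "10.50.0.21,10.50.0.22,80,tcp",      # intra-segment: not covered by this policy
]

if __name__ == "__main__":
    for record, reason in find_violations(SAMPLE_FLOWS):
        print(f"{record}: {reason}")
```

The check deliberately treats appliance-to-internet egress as out of scope; that is where a separate egress policy (and beacon detection) belongs, and the comment above about slipping up "when your only defense is a walled garden" is exactly why the boundary rules and the egress rules should be reviewed together rather than relying on the VLAN alone.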