We are ShadowEye, a handful of industry professionals with a strong interest in the operations and evolution of nation-state attackers. Generally, the publishing of these kinds of analyses tends to be restricted to a known set of vendors, usually following a predictable methodology, with a heavy focus on malware and campaigns targeting Microsoft products. While exceptionally useful as PR pieces, essays authored with IDA Pro and full of footnotes of hashes aren't particularly useful for understanding the broader picture of how these groups operate, the processes they use, their development standards, and ultimately the way they use their resources, which is what we aim to provide.
Why are we doing this anonymously, you ask?
Being industry professionals, we've no particular interest in drawing the ire or attention of any organisation down on our friends and colleagues. It's also a good way for us to demonstrate that we don't have any vested financial interest in publishing these analyses.
Are we the CIA/FSB/PLA/DPRK?
No. While we're probably going to initially focus on the NSA and CIA leaks due to the vast body of material released, we don't have any biases towards or against any set of operators.
We also want to draw attention to the fact that for all the information published by Crowdstrike, Kaspersky, Symantec et al, no threat actor groups have stopped operating. These are professional teams and consequently the loss of a toolset will not affect their general operations. Discussing their processes is equally unlikely to disrupt any of their work, but will help us reach our goal of drinks with thegrugq in Thailand.
Why are we so dismissive of vendors?
It's not our intent to be dismissive of some of the excellent work produced by a number of vendors, more a general critique of the way that information is presented. Lists of IoCs that consist of filenames and hashes are not particularly useful; implants can be and are regularly tailored and customized for specific targets. Similarly, many of these reports take a very narrow viewpoint indeed, focusing on a single "campaign", which often is more beneficial to the attackers than anyone looking to protect themselves.
We are, however, completely dismissive of using months of hard work analysing malware as evidence that a particular silver-bullet product, be it antivirus, next generation endpoint protection, an appliance, or anything else, has any other purpose besides filtering out the bottom-feeders of the malware world.
Can you help?
Yes, absolutely. We need peer-reviews, corrections, and feedback. Samples from campaigns are welcome, too. We will supply contact details at a later date, but for now, comments on here are fine.
Image Credit: BoingBoing