Security Bsides Las Vegas 2024

Ryo Minakawa

Ryo Minakawa is a malware and intelligence analyst at NFLaboratories. His work includes analyzing malware used in APT attacks targeting East Asia and generating threat intelligence. He also works with NTT Communications’ NA4Sec project and monitors the infrastructure used by various attackers. He is also a developer and contributes to OSS intelligence platforms such as OpenCTI. Some of his research has been presented at JSAC2023 and JSAC2024. I hold GREM, GCTI, OSCP, OSEP and CISSP certifications.


Session

08-06
17:00
45min
Operation So-seki: You Are a Threat Actor. As Yet You Have No Name.
Ryo Minakawa, Atsushi Kanda, Kaichi Sameshima

This presentation shares the findings and lessons learned from an investigation into a pro-Russian hacktivist group, tentatively called X. Their DDoS attacks have been reported worldwide and have been conducted in an organized manner. Since their activities began in March 2022, both the scale and the targets of their attacks have gradually expanded.

We have been tracking the DDoS attacks conducted by X for nearly a year and carrying out "Operation So-seki" to alert and provide knowledge to the targeted organizations. In Operation So-seki, we obtained a botnet client tool used by X and clarified the mechanism of its command and control (C2). We have automated the collection of DDoS target information and analyzed more than 1,000 attacks by monitoring the botnets and effectively tracking their infrastructure using NetFlow.

In this presentation, we will share the findings from cross-analysis of the above information, the methods for analyzing and tracking their infrastructure, the operators behind X, their tactics, techniques and procedures (TTPs), DDoS countermeasure techniques, and what we have learned from dealing with DDoS hacktivist groups.

Breaking Ground
Florentine A