Security BSides Las Vegas 2025

Danny Adamitis

Danny Adamitis is a Distinguished Engineer at Black Lotus Labs, the threat research team at Lumen Technologies. Danny has tracked nation-state adversaries and cybercriminals using both open-source and proprietary datasets in various roles for several years. More recently he has focused on threats to ISPs, including campaigns in which actors targeted networking equipment, Linux servers, and DNS infrastructure. Prior to joining Lumen Technologies, Daniel worked at Cisco Talos. Danny has a bachelor’s degree in Diplomacy and International Relations from Seton Hall University.


Session

08-06
11:00
45min
Russian Nesting Dolls: when Turla got into the ISI who was into an Indian Embassy, and how we found them
Danny Adamitis

The Black Lotus Labs team at Lumen Technologies documented a 3-year campaign by one of the more elusive threat actors in the world, Secret Blizzard (aka Turla). Here they discovered and broke into Pakistani ISI C2s that were part of an espionage campaign against Indian, Syrian and Afghan governments. Turla is infamous for repurposing the infrastructure of other threat actors, while exfiltrating data and deploying their own tool sets. This was the 4th documented case of Turla hacking another actor's C2 nodes, but it is the first case of their moving past the C2 servers and into operators' workstations.
We'll talk about the Sidecopy threat actor, their tradecraft, and how they appeared on our radar. We'll show one of the rare cases where we observed Sidecopy deploy Hak5 equipment in real-world operations and how we tied this back to known infrastructure.
A rogue C2 node allowed us to map out Turla's efforts. We'll talk about networks where Turla had access to C2s, but chose not to deploy their agents. Lastly, we'll talk about how their activities have shifted due to public disclosure and where they have been operating for the last several months.

Ground Floor
Florentine E