Ned Moran (@moranned)
Professor. Consultant. Analyst. Technologist. Security Geek. Privacy Advocate. Runner. Couch Potato.
Washington, DC. Joined May 2007.
Followers: 2K. Following: 710. Media: 7. Statuses: 2K.
This. 100 times, this.
I’m hesitant to do this because everyone says how the SolarWinds hack confirms all their priors, but here goes. My PhD and first book argue that the blurred lines between espionage and preparations to attack in cyber make interpretation hard. A short thread on what that means here.
While MuddyWater's link to ransomware remains tenuous and unproven, the group is heavily invested in custom tool development. From PowerShell to .NET to C++ malware, Muddy is fast approaching other groups' capabilities. @snlyngaas reports w/ lines from me
cyberscoop.com
While other hacking teams associated with Tehran have gained notoriety for data-wiping attacks, MuddyWater has been relentless in its spying efforts.
It's almost as if there are companies providing/selling capabilities, whether it's implants, exploits, or all of the above, and what you may see here are downstream customers. @moranned and I covered this a little bit in https://t.co/O1Unl2tMtr from 2015.
It turns out the RCSession family described by Secureworks is the same as the "Type 2" malware family that we described in our report https://t.co/0OLwpLMjIX. So either the RCSession/Type 2 malware family is shared among multiple threat actors, or #DRBControl is part of #MustangPanda.
There are a number of these kinds of examples where this kind of sharing can be inferred on the infrastructure side of things too, but... this is Twitter and they probably also read the same tweets the defenders do.
Thanks for your patience, class! Took a little hiatus for a month. But we're back! In week 5 of “Lies & Disinformation” @Georgetown, we pivoted from Russian influence activities to Chinese and Iranian IO state actors.
I’ve been meaning to do this for some time: starting this week, I will be sharing my syllabus and recommended readings from the “Lies, Damned Lies, and Disinformation” course I taught in the spring semester @Georgetown SSP. I’ll be sharing some highlights from each week’s lesson.
Does doxing a cyber attacker sponsored by an authoritarian state achieve worthwhile results? An after action review of one case suggests that this tactic might not have enduring effects and instead may hinder defenders in the long run.
Beginning in April 2019, the operators of the Lab Dookhtegan Telegram channel doxed OilRig - a well-known actor believed to be sponsored by the Iranian government. Dumped data included the identities of suspected operators as well as details of attack infrastructure and tools.
The inclusion of operators' identities separates these 'doxing' campaigns from more conventional security blogs that detail only forensic information about a campaign.
Apart from a small number of blogs from FireEye, Intezer, and Telsy, security companies have not published about active OilRig campaigns since the original Lab Dookhtegan data dump. The lack of coverage suggested that OilRig was disrupted by the Lab Dookhtegan doxing.
Do these blogs represent the whole of OilRig's activity since April 2019? The answer is a resounding no.
Since the doxing, OilRig has evolved and made efforts to 'airgap' various campaigns under their purview. The aforementioned blogs document just one of these campaigns - one that targets orgs in Lebanon. OilRig campaigns targeting other countries and sectors continue to this day.
OilRig appears to have made efforts to ensure different operational cells linked to them cannot be easily connected via public data, so that if one cell is outed the other cells will not be so easily discovered and disrupted.
The net result of the Lab Dookhtegan campaign may have been *improvements* to OilRig that complicated a defender's ability to track the various cells and led many, including myself for a time, to believe the campaign targeting Lebanon was the only active one.
This false sense of security could have enabled the other OilRig cells to enjoy more success.
This is not an argument against public information sharing. This is an argument against sharing without a coherent plan. If you are going to 'burn' an actor or a campaign, ensure that you have a plan to reacquire the adversary if and when they change their TTPs.
Which ransomware payload is deployed at the end of a kill chain is pretty much a stylistic choice by the attackers. Human-operated ransomware campaigns overlap in their entry vectors, C2 tools, and lateral movement techniques - and also in viable defenses.
microsoft.com
In human-operated ransomware attacks, adversaries exhibit extensive knowledge of systems administration and common network security misconfigurations, perform thorough reconnaissance, and adapt to...
If Twitter was around during World War II do you think Alan Turing would have been posting about techniques to crack the Enigma?
Sharing information with other defenders is vitally important, but we, as a community, have a responsibility to do this in a way that doesn't benefit the adversary.