
Dark Reading Confidential: The Day I Found an APT Group in the Most Unlikely Place - Dark Reading



Dark Reading Confidential Episode 6: Threat hunters Ismael Valenzuela and Vitor Ventura share stories about the tricks they used to track down advanced persistent threat groups, and the surprises they discovered along the way.

Dark Reading Staff, Dark Reading
May 21, 2025

Becky Bracken
Hello and welcome to Dark Reading Confidential. It's a podcast from the editors of Dark Reading focused on bringing you real stories straight from the cyber trenches.

My name is Becky Bracken. I'm your host and editor for Dark Reading. I'm joined today by Dark Reading's editor-in-chief, Kelly Jackson Higgins, and Jim Donahue, who is Dark Reading's managing editor of content operations. Today, we are very pleased to bring you a fascinating conversation that we are calling, "The Day I Found an APT Group in the Most Unlikely Place."

Joining us today are two researchers with fascinating stories to tell. Please meet Ismael Valenzuela, who is VP of threat research with Arctic Wolf. Hello, thank you for joining us.

Ismael Valenzuela
Hello, Becky. Thanks for having me.

Becky Bracken
We are also joined by Vitor Ventura. He is a lead security researcher with Cisco Talos. Thank you so much for joining us, Vitor.

Vitor Ventura
Thank you for having me here. It's my pleasure.

(Photo caption: From left to right: Becky Bracken, Jim Donahue, Vitor Ventura, Ismael Valenzuela, and Kelly Jackson Higgins during the recording on May 13, 2015.)

Becky Bracken
Both of these experts are here to give their firsthand accounts of catching an APT group in the act. The idea is that we can give our audience some insights into how they can protect their own systems from a surge of APT cyberattacks.

So today we're going to start with Ismael Valenzuela, who before joining Arctic Wolf was a researcher at BlackBerry. During his tenure there, he discovered a Russian APT group, FIN7, looking around a US auto manufacturer. So, we want to give Ismael an opportunity to get started and to tell us about how he went about finding this threat in the automotive industry.

Ismael Valenzuela
Yes, so this is something that we documented about a couple of years ago. And it's a campaign that showcases what we find in the wild. We usually use that expression. And I have to say, it's not just something that I do myself. There's a team behind all of these efforts, with different people in different roles, monitoring what's happening around our customers, and also monitoring the sensors that we have deployed all over the world.

So, in this case, we found some precursors of ransomware. And this is something that we usually highlight. We don't have to wait until the very end of an attack chain. Everybody focuses typically on the ransomware, the ransomware payload. But all of these things happen towards the end of an attack chain.

If we focus on what happens before, and with the proper intelligence (this is what a threat research team focuses on, trying to understand what the precursors of these activities are), we can tell when there's something that is deviating from the normal and then take action. So, that's what we did in this particular case.

Becky Bracken
In this particular case, what was it that deviated from normal? What was it that piqued your interest?

Ismael Valenzuela
If we look at the report, one of the things that we see is that attackers are setting up websites that look like legitimate websites and sending phishing campaigns. In some cases, it could even be vishing. This is something very common across all these financially motivated groups. In this case, we're talking about FIN7, but there are many, many others.

And they typically target high-profile individuals, people that have some level of access. And it could be, in many cases, people working in financial organizations or the financial teams. Could be even the IT folks, even security teams. And in this case, they were cloning a website that hosts an IP scanner. So, a tool that we typically use within security teams.

And they were using typosquatting techniques, or I like to call it the cousin domain or the look-alike domain, to entice these users to go there and download these Trojanized, or weaponized, payloads that, when you install them, would download these malicious binaries — Anunak, PowerTrash — and communicate with the command-and-control servers.

When we look at this activity across our sensors, on the network side, on the endpoint side, we usually use techniques that are very well-known in the industry, machine learning techniques, and clustering. Even if we see a binary that we haven't seen before, we know that it looks like something that we have classified as malicious before. With all of these different indicators, we can put together a picture of what's happening.

And then by looking at the command-and-control infrastructure, we found out that there were a number of open SSH servers. That indicated that this is probably not something that they were using once for a particular customer, but using this across a campaign for different types of organizations, and we were able to find out that this was perpetrated by FIN7.

Kelly Jackson Higgins
Now, FIN7 has been around for a long time and evolved quite a bit over the past few years. Were you surprised to see them in this particular case, wasn't it, targeting automobile manufacturers? And is that a different sector for them to be going after?

Ismael Valenzuela
That's a good question. We have seen them for a while, since 2013. And in the past, they were very well known for targeting retail organizations, restaurants, hospitality. But we have seen them pivoting towards what we call big-game hunting. And there's a reason for this. At the end of the day, this is a business. These are cybercriminals. They're trying to get the best return on investment as well.

So instead of just doing this type of maybe spray-and-pray, indiscriminate attacks, they're now taking their time to choose a particular organization that they know has valuable data, that has valuable operations that they can disrupt and that will cause a big impact. And that probably also has money and, in some cases, even insurance to be able to pay. So, we have seen this, and in the last few years we have seen them targeting transportation, insurance, and defense sectors.

When we saw [FIN7] targeting this automobile company in the US, it didn't follow the trend that they were using before. And we have seen them recently. They're still very active. They were disrupted a few years ago by law enforcement. But as in many cases, they regrouped.

And we have seen them transitioning from card fraud, point-of-sale systems, to the ransomware-as-a-service ecosystem, [including] initial access sales and enterprise extortion.

Kelly Jackson Higgins
And you were able to catch them before they escalated, correct? Can you talk a little bit about how you sort of stop them from getting too deep into the victims' organizations?

Ismael Valenzuela
Yeah, and that calls for something that I often talk about, which is the importance of having visibility. Organizations that don't have visibility and only rely on, let's say, protection. We know endpoint protection is very important, but you're playing Russian roulette at that point. No pun intended, right? Because these are usually Russian groups.

So, you're waiting for, OK, you know, if they come to this system and they download the payload and they execute the payload, my endpoint is going to save the day. Yes, you're playing Russian roulette at that point. Whereas if you have enough visibility across the entire organization, this is endpoint, this is network. In many cases now, as we see also attackers pivoting to cloud attack techniques, having that visibility in the cloud.

Then you can put together the whole picture and say, wait a second, this is ... this is not normal. And this matches some of the behaviors, some of the infrastructure, some of the techniques, the TTPs that we have seen in previous attacks. And being able to disrupt that usually requires collaboration with the customer and having the ability to manage the systems and to be able to elicit a response as fast as possible. It is super important, so we don't waste time in these types of cases.

Jim Donahue
Can I ask how unusual it is for a long-standing group that traditionally has focused on one area to suddenly broaden their attack focus?

Ismael Valenzuela
Hmm. That's a good question. Well, as I said before, these are businesses, right? And they, I can tell you, they read our blogs. I'm pretty sure Vitor is going to say the same thing, right? They read their blogs too. They listen to podcasts. Yeah. These are just people that go to work as we do. And we see these trends, right? When you look at the logs and you see when this activity starts, it usually correlates with maybe, what, 3, 4 a.m. here on the East Coast, which correlates to maybe 9, 10 a.m. in some Eastern European countries.

You can see that trend as well. And they have obviously a lot of money to invest, and they collaborate with other groups. We see more and more overlaps between different groups, which makes that division really difficult. And that's why sometimes we talk about clusters, right? Threat groups [operate in] clusters.

But they definitely have the ability to pivot. And they also look at what works [and] what doesn't work. Sometimes when we disrupt these operations by reporting them, by collaborating with law enforcement, they go back, and they take their time. They disappear, sometimes for a few weeks, for a few months. And they come back with a new payload, a new campaign, maybe a new way of doing things.

Becky Bracken
Let's get Vitor in here. He also found a Russian-language APT group, YoroTrooper, targeting governments across Eastern Europe. Do you want to tell us a little bit about that campaign and how you came across it?

Vitor Ventura
Sure. When this started, we were not looking for this. And this kind of goes back to what you initially said about how to find it in an unpredictable place. This was around 2022; we were looking for targets, for actors that would be targeting Ukraine. And when we were looking through our data and everything, we found some malicious actor, back then we didn't have a name for it, that was actually not targeting Ukraine.

And that was surprising for us. Here is a malware that is using all sorts of Cyrillic alphabet, which has a huge number of domains, like Ismael was saying, typosquatted domains, which can have relevant similar domain names. In this case, it was subdomains. But in reality, they were not targeting Ukraine. And that was surprising for us.

Which kind of links back to the place where, when we are looking for threat actors in our own telemetry, we should try to look for what we cannot see. And what I mean by that is that if I'm looking at the report from, for instance, from Talos, and I want to see if I can do the exact same traces that that report mentions in my own telemetry, if I don't have that data, well, one of the two: either I have a visibility problem, which is one of the biggest problems that we usually have in our industry, or someone is actually messing with my telemetry, and that's why I'm not seeing them. I often say that when we do want to do threat hunting, we need to look for what's not there. Because when we think about what the endpoint telemetry finds, that's already known. But if you're looking for an incredibly advanced actor, maybe what we want to look for is the data that we don't have.

[Find] the kind of threat techniques that are mentioned in reports that I cannot execute in the same way because I don't have the data. And then look into those spaces. So that's what happened with YoroTrooper. We were looking for actors that would be targeting Ukraine. We didn't find ... We found this one, which had all the characteristics that we could imagine. It was a C2, it had a lot of activity, well, some activity, but the decoy documents were written in Cyrillic.

But actually, it was not targeting Ukraine. We could not see it in our telemetry around Ukraine. And that kind of kept us looking deeper into it. And that's how we found that it was targeting all the countries around overseas, organization plus Turkey, and then a few other things that also allowed us to go into the C2 to try to understand what they were doing with the data that they had, how they were exfiltrating data. And we kind of pivoted around all of that. But I guess that for the audience, the biggest takeaway from how we found it is actually looking for the discrepancies in what we have in our telemetry and what we were expecting to see and what we were not expecting to see. And that often makes the whole difference to finding incredibly advanced actors.

Kelly Jackson Higgins
That seems pretty challenging to be able to do that, looking for what you're not looking for, kind of. How do you bridge that gap?

Vitor Ventura
The idea is when we pick up a report that is made … often those reports will explain what were the TTPs or the techniques used by the malicious actors during their attacks. And what I, if I was a defender, if I had to defend an organization, what I would like to be able to do is, if I know what they are doing, I want to go into my telemetry and see if I can gather that data.

That's one of the first steps.

So, if I cannot gather that data, I have a visibility problem. Because if that actor gets into my organization, it does the exact same steps. I will not see it, or I will see it too late when it's already releasing ransomware or some other things. So, in that aspect, that's one key point. I want to have visibility. [I] want to look into that. On the other side, there's also some activity that we are expecting to see in our organization, that if it's not there, something is wrong.

A good example would be that edge devices often have a lot of logs. One of the first actions that an advanced actor will do is stop logging. So, if all of a sudden I don't have any logs from that, that's a problem. Why don't I have those logs? So that's the exercise that I would recommend.

However, [as a] heads-up, I would say it's an incredibly frustrating exercise, because you might not find anything because it's really not there and you need to do all that. That's why the activity of threat hunting needs to have one level of frustration capability versus the results that it can provide. And it's not just about finding actors, it's also about finding the visibility gaps.

Because when we try to do this, we'll see, okay, if I don't have the data, then I have a problem. And I need to fix that because in the next run, I will have that data and I will be able to look for that kind of activity.

Kelly Jackson Higgins
Really interesting. Jim, did you want to take it from here?

Jim Donahue
This may sound like an odd question, but I'm curious, in the groups, how long are particular people in them? Or do we have any idea? The group Ismael found has been around since, what did you say, 2013? Do people have longevity in them? Do they go to different groups?

Vitor Ventura
So we should, when we talk about groups, and I think Ismael will agree with me, it really depends on what we are talking about. If we are talking about ransomware, ransomware groups — and let's put some air commas into this. There's pretty much a conglomerate of different players doing different activities. So what do I mean by this?

First, you might have the access brokers, which may provide access to a certain group or to an affiliate. That affiliate may get in and deploy the ransomware, but the ransomware is then managed by some other ransomware-as-a-service guys. So just in this little example we already have three different entities that on a certain attack you might consider as a group.

But in reality, there are three different entities that might work across different groups in different activities. It's actually interesting that you ask me that question, because as I was saying, we were just out at PIVOTcon and my team presented an attempt to model this paradigm. Well, it's a proposal for the community, of course, to be able to model this new paradigm of the interactions between the groups in such a way that you can actually model this question, because right now we have a group and then we have the activities and the TTPs and the victims.

But what we need to change, and we need to think in a different way, is [that] you may have a group which actually provides access to another group, and the level of knowledge between them and the level of between the groups might be completely different. So, when we do attribution, and Ismael touched on that point by talking about the attribution, that makes attribution difficult. Well, in that sense, you cannot just rely on one specific point.

We need to look into all the different subgroups that might be involved in that specific activity and understand that they may not be clustered in such a way where we can say, it's that.

And just to give a good example also, a while back we found something which we published [a report on] last week, [an initial access broker] ToyMaker. And the whole thing about ToyMaker was that we started with an investigation [into] an APT targeting an organization in Southeast Asia.

And we started to see the access, and we could see that they were onto the system. They compromised the system, and [then] they stopped. And a few days later, Cactus ransomware was released there. And back then, it didn't make sense.

There was some difference in the TTPs, the tactics used. And when we started digging a little more, what we came to understand was that the first group was just an access broker. They got in, they got the access, and they stopped, and then there's a handover from that group into Cactus, so that Cactus could actually release their malware. This handover has two important points. One, it doesn't necessarily mean that Cactus knew who they were buying from — and I'm saying buying, but I don't have any proof that there was money in the exchange — but who they were getting the access from.

And the other way around also, they might just be handing over the access to Cactus and then hoping to get some financial gain. When we think about this, we need to model two different groups in two different TTPs, because they have different tooling, they have different things they were after. Their activity inside the organization was completely different, because the first acted during ... I can't remember off the top of my head, but like two weeks, and ... they didn't do anything for the next four or five days.

And then we could see the whole ransomware and exfiltration activities coming in. So, you can clearly see a gap from one to the other. There's a handover. So, when we talk about these people based in the groups, well, we cannot really say that, because even the groups themselves [are] hard to identify, let alone who is inside them and how they move around from place to place.

Our hope with this new model is that we can actually start to identify the relationship between the groups, even though we don't know who exactly is inside them. But if we can create a typification where we say, this group, this access broker typically will sell access to this group or this group and that group, we might have a better understanding of what's going on in these kinds of handovers and how they really work. Because until now, this is a gap that we have in the way that we model the threats.

Jim Donahue
Thank you, that was really interesting.

Becky Bracken
Ismael, I'm hearing pretty definitively you and Vitor both say visibility is the name of the game. Is that the number one thing that cybersecurity teams need to get their arms around? Would you agree that that is the number one piece of advice for tracking these APT groups?

Ismael Valenzuela
Absolutely. Again, kudos to PIVOTcon, and Vitor, your team as well did a very good presentation there. I just came back from Malaga in Spain, attending this conference too.

It's something. Imagine, for example, I always say, this is like the alarm system in your house, right? Yes, if somebody breaks in, you want to have an alarm. You probably have a smart doorbell, right? That is also telling you when somebody's coming close to your front door.

But many of us — at least that's what I do — I also want to have a separate system, a CCTV system of cameras. It's just recording 24/7 that I use for, as Vitor said, for hunting, to find out what's odd, what's happening around the perimeter. Why? Because I don't want to have an alert every time that my neighbor's dog is running through my front door or a squirrel goes by or something like that, which happens very often.

I want to have alarms, alerts, and visibility. That's basic. Attackers know that many organizations, especially the low-maturity ones, lack this ability. For example, Vitor was talking before about stopping the logs. That's one of the first things that should tip off all the alarms.

Endpoint sensors, [if] they stop reporting, if your edge devices stop sending syslog — that should be something to investigate right away.

Or visibility in terms of connections going outbound. A lot of these tools, for example, use PowerShell, living-off-the-land techniques, Microsoft legitimate binaries to go and download stuff from the Internet. Is that normal? In most scenarios, it is not.

But it's also very difficult to just ... you know, for a vendor to say, "I'm going to stop this around for everybody," because it can create false positives, can disrupt the business. But if we have that type of visibility, we can learn what normal looks like in my environment and then make detections, real-time alerts, but also have the ability to do hunting to find these types of precursors before it is too late.

And that's why a lot of these things are often managed by somebody else that has the ability to collect all of this telemetry from network, from endpoint, from cloud, and to put together all of this information. Because the reality is that for a small organization that's doing retail ... for example, here in the US, they don't really care if it's FIN6, FIN7, Scattered Spider, Dancing Panda, or flying dragons. What they really care about is that they need to conduct business. I cannot afford to pay millions in a ransom. So that's why we have these types of threat research teams to be able to help our customers with this.

Becky Bracken
Vitor, I'd like to give you the last word on visibility and your best piece of advice for these teams dealing with these situations.

Vitor Ventura
Yeah, definitely visibility. It's really one of the cornerstones of what we can do to defend. And often small, little things will go great lengths to protect and help react faster to the attacks. Things like having logging of DNS queries, understanding who is resolving which domains. These little things ...

And I know it's difficult to have a lot of logs for a long time, especially in big organizations. We need to acknowledge that. But there are some small things that can make a big difference between reacting to an event in, I don't know, one hour or three days. And that makes all the difference. I would also recommend, because most organizations don't really have the capability to digest all of that information, to prepare ... alerts for which it is impossible to generate false positives. A good example would be a domain account, a domain administrator account that no one ever uses. If that account ever logs in, that's a high-priority alert, because you know that was someone that was compromised. And those kinds of things, those little things that you know there will absolutely be no false positive on.

That can also trigger like a canary, basically, a canary in the mine that would alert for a high-risk compromise. Then that, along with good procedures, may allow you to give better responses.

In the end, visibility is good, but of course, because there's a problem in digesting all that [data], there are certain tricks that can be implemented to make response faster [for] an organization to be able to address all of that. And then visibility becomes a tool to recover, basically.

Becky Bracken
Well, I want to thank you both. We have reached the end of our time together today. Ismael Valenzuela, Vitor Ventura, thank you so much for sharing your thoughts and insights with us. It was hugely helpful and I'm sure our audience will find it helpful as well. So, thank you.

On behalf of Dark Reading, my name is Becky Bracken. On behalf of Kelly Jackson Higgins and Jim Donahue from Dark Reading, I want to thank you all for taking the time to listen today. You have been listening to Dark Reading Confidential, a podcast from the editors of Dark Reading focused on bringing you real-world stories straight from the cyber trenches.

Thanks so much and we'll see you again next time.