
Zhassulan Zhussupov
Malware Researcher, Threat Hunter, Butterfly Effect Team, @cocomelonckz
Cybersecurity enthusiast, author, speaker and mathematician.
Author of popular books:
MD MZ Malware Development Book (2022, 2024)
MALWILD: Malware in the Wild Book (2023)
Malware Development for Ethical Hackers Book: https://www.amazon.com/dp/1801810176 (2024)
Author and tech reviewer at Packt. Co-founder of MSSP Research LAB, author of many cybersecurity blogs and of HVCK magazine
Malpedia contributor
Speaker at BlackHat, Security BSides, Arab Security Conference, Hack.lu, Standoff and other conferences
Talks & Q&A
Conference | Sep 19

Deanon Hackers via Public Leaks: Tracking APT Groups using Leaks
Real-world case studies of how OSINT can help track APT groups
Description
Advanced Persistent Threat (APT) groups rely on anonymity and compartmentalization, but even the best operational security can be compromised by public leaks and open-source intelligence (OSINT). This talk will explore how we can deanonymize APT groups, nation-state actors, and other malicious entities by leveraging public data leaks, open-source tools like OCCRP’s Aleph, and cross-referencing leaked databases with existing intelligence.
Through real-world case studies, we will demonstrate how cybercriminals, state-sponsored hacking groups (such as APT28, Sandworm, and Refined Kitten), and even intelligence operatives can be traced and identified using open data sources. The talk will include a live Proof of Concept (PoC) showcasing techniques for correlating leaked emails, financial records, and digital footprints to unmask cyber actors.
Attendees will gain insights into OSINT methodologies, digital forensic techniques, and tools that can be used for cyber threat hunting and intelligence gathering.
Key takeaways:
How database leaks (e.g., T-Mobile, Facebook, NSA, Ukraine, Turkey, Israel voter leaks) can be weaponized for APT hunting.
How OCCRP's Aleph is used by journalists and researchers to uncover hidden connections.
The role of cross-referencing leaked data with official indictments and FBI wanted lists.
A live PoC showing how we can track APT groups and Russian GRU operatives using open-source intelligence.
Discussion on implications for national security and cyber warfare.
Why the committee chose this talk
Gathering information from public sources (OSINT) is a major tool for defenders. And we are all learners in that discipline, searching for new ideas.