This is an interesting article based on FireEye, Inc.'s CEO Kevin Mandia's presentation at the CTI Forum. Some interesting points:
- US nation state malware usually carries guardrails and is contained to a specific geography (Stuxnet was an exception to this rule!). Moreover, the U.S. and China are more disciplined in their operations than adversaries like North Korea and Russia, who are instead unrestrained.
- It was mentioned that before publishing a public threat intelligence report, FireEye typically tips off intelligence officials from the Five Eyes alliance about the release. This statement is closely tied to Kaspersky Lab's report on Slingshot earlier this year (a US counter-terrorism operation).
- If FireEye detects malware on a customer’s system that researchers think is from the U.S. or an allied country, it will quietly remove it. But Mandia said such malware ought to be stealthier.
- FireEye also explained the "boring" naming convention it uses for APT groups. It is (more or less) inspired by Churchill, whose guidance on naming military operations was that a mother should never have to say her son had died in Operation "Bunnyhug" or "Ballyhoo". Credits to Nate Beach-Westmoreland for this.