Tom Uran
Hello everyone, this is Tom Uran. I'm here with the Grok for another between two nerds discussion. G'day, Grok, how are you?
Grok
G'day, Tom. Fine, and yourself?
Tom Uran
I'm very good. This week's episode is brought to you by Stairwell. I've got a discussion with Stairwell's Mike Wiacek about how security is a data search problem out on the podcast channel this week. And it's a very interesting discussion. Be sure to catch that. So, Grok, you just sent me a little while ago a report from a Russian cybersecurity company all about a Ukrainian hacking web panel. And it doesn't explicitly say it, but I presume it is from Ukrainian government forces.
Grok
Certainly seems like it's, it's. I mean, it's not from the cyber army or anonymous or anything. For sure.
Tom Uran
Yeah, yeah. So. So we're going to dive into this report. Like, if you dig into it, there's lots of interesting stuff. Now before anyone complains, the report is out there. The Russians have published it. We're not telling them anything they don't already know.
Grok
We're literally talking about the thing that they said that they know.
Tom Uran
Right.
Grok
Like they say, here's stuff we know. And we're going, okay, let's talk about that.
Tom Uran
Yep. And we're examining, I guess the sort of archaeology of it or the bureaucratic nature of development. Stuff we love talking about. So what the report is about is basically the web panel that's the interface between an operator and their implants or perhaps the campaign. So it's a very, very long report. It's extremely comprehensive, it goes into a great deal of detail and it has a whole heap of screenshots.
Grok
So we're going to describe those in minute detail to everyone who's just listening.
Tom Uran
It's this shade of green. Just as a top level summary aggregates collected data from malicious campaigns. Well, they call them malicious, I'll just call them campaigns. It serves as an interface, provides centralized control over an entire network. It can generate new implants, manage sessions, collect statistics. It shows interactive maps of the victim's infrastructure. It does automated password guessing, and it also you can create notes. So I was actually pretty impressed by the whole package. Oh yeah. And not only that, it actually looked nice.
Grok
Yeah, it's very sexy. Like I remember back in my day, hacker interfaces used to be black and green. Those are your color choices. But this, okay, technically it is black and green, but it's really nice looking. It's written in React, I gotta say, which is, I think it's wild because it implies that at some point all operations are going to be suspended while they rewrite everything in Vue.
Tom Uran
Yeah. So this webpanel talks to other resources that do stuff. So it's just the interface. So they managed to grab the source code for this interface off a command and control box somewhere. They don't really say where. So my first question is, why is the interface so good? Because like, traditionally you'd have a hacker interface and it's all like, you know, if it's above command line, that's kind of nice. And it at least traditionally pushed work to the operator and you just expected the operator to be. To be good.
Grok
Like there's two ways that a hacker interface can go. One of them is the, you know, command line options where if you get something wrong, it just prints a question mark and then waits for you to try again. Like that didn't work. I knew. Yeah, skill issue. And I think the other way is that the person developing it is showing off how capable they are. Right. So on the one hand it's like this bare minimum interface where the user has to sort of struggle through all these esoteric hoops. And that way the user has status within the community for being able to master that.
Tom Uran
Right?
Grok
Yeah, right.
Tom Uran
I guess that's like from the days when hackers would be the people who would write interfaces.
Grok
Yeah, very much, yeah. So it's sort of like the user has status for mastering the interface or the developer has status for making a great interface. I think of the two options we were discussing this earlier, you had a pretty good theory about why you're doing well.
Tom Uran
My thought was that if it is a bare bones interface, it's hard to scale your cyber operations because you've got to train your operators to a higher level. Whereas if you decide that let's devote effort to the interface and make it easier to use, we can get to trained operators quicker and we can build stuff into the interface so we don't have to train them as much and we can get them working quicker. I like that idea. But it's also possible that this is just the way that professional groups work nowadays.
Grok
I mean, we've been out of this for 20 something years. Have computers changed in the last 20 years? I feel like they.
Tom Uran
And it could be that in the early days someone from NSA came along and said, hey, you should write an interface because this is how we do things and it makes things a lot better. That's possible as well, I guess.
Grok
Yeah, I mean, so even, even the architecture though, feels very much like you got a web developer and says, right, you're now part of developing this hacking tool. And the guy goes, I don't do hacking tools. You know, I'm a user interface designer for a startup or something. And they say, that's okay, Mike, we'll tell you what to do. Here's the API you need to call to interface with our stuff. And so the guy talks to their backend developer and they get a REST API for a Go web server that does all the other stuff. And he just says, okay, great, I've got my REST API. Now I can write everything in JavaScript like I want to.
Tom Uran
Yeah, it does feel sort of professional in that way. Like right at the beginning it says there's a login and the login uses Authentik, which is an open source platform for access management. And just a disclaimer, Authentik is actually a Risky Business sponsor, so endorsed by Ukrainian hackers as the way to go. You know, single sign on integrates with protocols. And that's not something you do when you're just hacking together a platform, right?
Grok
Exactly. I mean, if it's an internal tool, then you don't have authentication. And then when you do add authentication, it's whatever the easiest PHP thing is, or the Django or whatever. But this feels very much like someone who builds websites and has been given a task and so they're building a website. You need to build a web application that manages implants. Okay, I'll plug in the authentication thing that I know about. I'll integrate with. They would take the stuff that they're told to do and they develop the UI.
Tom Uran
Yeah, yeah. So there's also, I guess the terminology the interface uses is also interesting.
Grok
So I think that one of the really cool things about this application is that it encapsulates the concepts of operations, so not the con op, like here's how this operation is going to work, but like the operational concepts, the way that this unit, this group thinks about doing hacking, because the way that they've structured the elements within this sort of shows how they think things relate to each other. Their tool obviously reflects their internal understanding of how they work. Yeah, and so there's sort of this, this interesting hierarchy that they have and they have this interesting like set of roles and rights that you can have, which is session, binary, all sessions, beacon collector credentials, target host, target admin client, all target hosts. So very, very briefly, session is a specific connection to an actual implant. So it's sort of the lowest level of interaction. You only have connection to one specific implant sort of thing. Right. Binary, as far as I understand, is the ability to create new implants. So whoever did this development used great names and everything, but they didn't put up a readthedocs.com and they haven't open sourced it. So we don't actually know. They haven't documented it well enough is what I'm saying.
Tom Uran
Right.
Grok
There's a bit of guesswork going on. Collector, I feel, is like someone who's allowed to go in and look at stuff that's been collected or maybe to task new collections, but isn't allowed to modify other stuff. And they probably don't use all of these because it seems far too granular to be manageable. So what's more interesting is Target Host versus Target. So target seems to be there, maybe an operation. It's sort of like they would say Gazprom would be a target, and then within Gazprom there'd be a database that they've hit and that's going to be a host. Right. So they sort of have this broader idea of a target being a collection of hosts, and hosts will have sessions that you can access. Then above targets, you're going to have your actual users who sort of fall into this broader category above that called Client. I think Client is probably a misnomer because it's a holdover from whenever they started out because it looks like it's just used as a sort of team name.
Tom Uran
Yeah, yeah. So this report is based on just one webpanel collected from one command and control server. My speculation is that there's maybe one organization is using this web panel or it's one campaign based on this web panel and that there's other ones with different client IDs. And so it's client is a misnomer. And that would sort of make sense in terms of this is how advanced groups operate. You've got like separate groups and those have separate campaigns and you've got targets within those campaigns or targets within those groups, and then you've got actual hosts within the targets. So that all makes sense from a kind of meta point of view. And it's not clear to me whether camp Client in this case represents a campaign or an organizational unit. Yeah, but I think it's got to be one of those.
Grok
Yeah. My feeling is that it's going to be an organizational unit because Client seems like a holdover from a very early phase where it would have been you're going to be developing this thing that's going to be used by our operational teams who are going to sort of, you know, there'll be the clients that you administer and we'll have an admin who's in charge of assigning different units to different targets or something like that. And it's just. That would have been the terminology that you start out with. And then as it goes on, you realize that that's not very good. But going back and changing everything just isn't worth it because changing the name for an internal reference is pointless when you've got all these features you have to add.
Tom Uran
Yeah. So in terms of the niceness of the interface, it'll do network maps of targets and it'll label them with the operating system, whether it's a gateway, the type of link between the two hosts. If it's a host where you can't get access, it's one color, and if you had access and you've lost it, it's another. And if you've got root assets, it's green. So all that seemed very nice to me.
Grok
Yeah, I was just going to say, speaking of the nice interface, they actually have a change theme button so that they've got a light mode and a dark mode.
Tom Uran
Now, that's a must have nowadays, isn't it?
Grok
Yeah, that was obviously a priority one.
Tom Uran
Now, speaking of must haves and priorities, it seemed like there are things in here that are not what you'd call first cab off the rank priorities. So right at the beginning I mentioned this feature for automated password guessing based on already collected credentials from infected hosts, which seemed like a wonderful, nice to have feature.
Grok
Yeah, I don't think it shipped with that in the version one, but it does seem like the sort of thing that it's so useful that it's something you'd want to integrate. You're going to have your teams out there and someone's going to say, look like 70% of the stuff we get into is with password reuse. We get these hashes and we should just. If we do password cracking, it'll save so much time from all these other things that we have to do. And it's going to be, obviously the logins will be a lot easier, there'll be less logging, etc. Etc. And so they went to the people developing this and they said, hey, can you integrate our password cracking with this, with, you know, what we've been using for the interface? And, you know, as long as there was an API to do it, the guy could just bang it in there. It looks quite hacker like because the feature is called Hashtopolis. So they've got some hashing cluster and this interfaces with that. You can just sort of pass tasks off to it and get them back. So, yeah, it's absolutely a cool thing to have, and it probably greatly improves their performance. But it seems very much like not an afterthought, but definitely something that they developed after it had already shipped.
Tom Uran
Yeah, it seems like this is the result of iterative development. It's definitely not something in the. What's it called? The minimum viable product.
Grok
Yeah.
Tom Uran
And similarly, they've got ability to create notes for targets and their associated hosts supporting markdown. And that seems also like that's a feature you'd want pretty quickly.
Grok
I think your MVP is it builds new binaries that you can implant. Like, it builds new implants. It shows you implants that you've connected to, and it probably allows you to connect to an implant. Like it gives you a session. I think that's what you can get away with as bare bones. And then you build up from that.
Tom Uran
Like, if you're in a war and you think that cyber is important enough to have people doing stuff, this seems like the sort of features that you would add in the expectation that you'll continue using this indefinitely.
Grok
And I think there's some indications of that because this is. What's it called, Bulldog something.
Tom Uran
It's a web panel related to the Bulldog backdoor malware.
Grok
Yeah. Okay. So this started out as a sort of like bulldog backdoor web panel host control center panel thing. Right. It just rolls off the tongue and it's got this huge bulldog icon as the logo in the middle. And that said it also supports building binaries for backdoors that are not bulldog. And so I think what probably happened was this was so nice that the other implants they're using have been modified.
Tom Uran
To now work with this or vice versa, I guess.
Grok
Yeah. They've said these other implants that we're using, they've got functional interfaces, but we don't really like them. We like this interface. Let's start using this interface for those as well.
Tom Uran
Yeah, I think you said there were nine different implants. Was that right?
Grok
Yeah. Well, I think it supports four different classes, like strains, and then nine different types. So like DLL injection and things like that. So it's quite comprehensive.
Tom Uran
So one thing I was wondering about is why we've talked about why the interface is so nice, but why does the report exist? Like, it's extremely long, it's very, very detailed, and it sort of reminds me a bit of. We spoke a long time ago about a report that the US government released into the Russian security services Snake malware, the FSB. And in that case, it seemed like the purpose was to burn the malware by saying, we know so much about it. In this case, it's a web panel.
Grok
I mean, you can't.
Tom Uran
That's right, you can't burn it.
Grok
You're running it on your own infrastructure. There's just. There's no way that it makes sense to burn it. I'm a little bit curious about that myself. I mean, they really go into a lot of details. Usually when you see reports, it's going to be, you know, threat actors doing this against, you know, the victimology suggests telcos in the South Asia region. Here's some IOCs, MD5 sums.
Tom Uran
Yeah. So I was wondering if it's because they're not a government contractor, but they want to be one and so this is their marketing. Look at this great job we did against this Ukrainian stuff.
Grok
I mean, it's obviously for marketing. I think it does feel like, look at how on board I am. I'm definitely part of the team. I'm out there, you know, pulling for Team Russia. So I'm not sure whether that's targeted at their client base to show we're a patriotic organization. You should definitely buy from us, or if it's aspirational and targeted at the government to say, like, look how patriotic they are.
Tom Uran
We'll have to see if their executive gets arrested by the FSB next week. So that, I guess, remains a bit of a mystery.
Grok
Some of the stuff that they list in here under the, like the building binary interface, these seem very aspirational. It's very easy to add an option in a menu, right?
Tom Uran
Yep.
Grok
And so it's a lot easier just to put them all in at the beginning. Like AMD64, ARM64, 386, MIPSLE and MIPS. So those last two would be. If you're going after, like, smaller SOHO routers and stuff like that, it just, it feels like they've added quite a lot. Like, it's really comprehensive what all of these things can do and that you can interface from. Like, it's so cool, right? Like, you've got like, agents, proxies, beacons, shells, collectors. Like, I guarantee you it didn't start out like this, right?
Tom Uran
Yeah.
Grok
Yeah. I bet you in another two years the person who inherits this is going to be so upset that it was built wrong. There's going to be someone who has to come in and maintain this, and it'll have accreted so many different levels of functionality. They're going to try and do a rewrite in Rust. That's what's going to happen on this sort of binary creation interface. One of the things that is interesting is that when it builds the binary file, this implant that it's going to use, it creates a token and then that token is linked to, like that's what's used to authenticate and interact with the C2 server. And then that token is also associated with the users, the target and the client.
Tom Uran
Right.
Grok
So one user can be linked to multiple binaries, and then obviously that's going to be linked also to the clients and stuff. So when an implant connects back, you can figure out who it belongs to.
Tom Uran
Right.
Grok
And to me, that seems like it might be a little bit of an OPSEC fail if the database gets captured. So, like, one of the things they were saying is that they know of seven user IDs, so when they were looking at this, they saw only one client ID, but seven user IDs. So there's one team with seven people in it, which sounds about right to me. Which means that sometimes the operational databases do get captured. What I'm saying is you can maybe have the C2 server installed somewhere out on the Internet, but you should make sure that the database is more tightly secured.
Tom Uran
Yes, yes. It does seem like having this in a report is an OPSEC fail, even though it doesn't really tell you about. It doesn't give you IOCs or anything like that. It's just not ideal.
Grok
So one of the things that I do like about this is how by going so deep down into the different interfaces and stuff, you can see quite a lot of how these operations work just in that when you have credentials, you don't just get a username and password or something, you get it tied to a specific service. So these are credentials for SSH or credentials for RDP or whatever. And then that's tied to a specific host, which is then tied to a target, which is then tied back up. That, to me, speaks very much of someone who did a hack and wrote down usernames and passwords.
Tom Uran
That's right. Had a massive notebook which is just full of unusable information. That's tremendously valuable.
Grok
They're trying to brute force remember which thing goes to which. Like the. The story about how. The story of how Linus added file system permissions for like, reads and writes and stuff. Basically, he said he didn't need them. And then one day he accidentally deleted his entire disk. The next day, the next day that turned into a top one priority and suddenly now there's permissions. Originally this was meant to be this sort of like bulldog interface, but now they've just added support for all these other things. But there's still other leftover legacy stuff like the sessions, which, as we said, is the specific connection to a specific implant on a host that is still called gs-netcat, which is the G.
Tom Uran
Socket, which is like a specific way of talking to a particular implant.
Grok
Right, right. It's a specific protocol of a specific type of implant that was specifically used. Yeah. So yeah.
Tom Uran
So presumably that's the. What is it? The original? It's like the appendix of the webpanel.
Grok
You can take that out, you don't need it anymore.
Tom Uran
Well, I guess it's not an appendix, but it's used for more things than an appendix.
Grok
Is what I find quite cool is like the way that you get a session from this is when you click on the session, it will show you like, basically it dumps something you can just copy and paste, which will have the command line string that you just need to paste into your terminal and it will get you connected to that session on that implant. And that is the sort of thing that you add very, very quickly because it is such a pain in the ass to do just to type everything by hand. And it's not an impressive show of skills. Right. Like typing a comma separated list of IP addresses is not a cool skill to have. It's just annoying busy work. And computers are very good at that.
Tom Uran
So that presumably means that once you're operating on the host, you have to do everything manually. Like there's no fancy GUI operations at that point. I wonder if we're going to see like another report in a couple of years where some of that is automated.
Grok
There's going to be a ChatGPT side panel on this and it'll be like, talk to your implants. I do think it's interesting. Like it shows interesting history, like these vestigial parts. It shows that there's been development of this, that this is a used tool. It has all the hallmarks of something that's been used long enough to be upgraded and patched and modified to work better.
Tom Uran
It's like a living document where you can see the change history.
Grok
Yeah, yeah, very much. And I like how it encodes sort of like, as I was saying, this sort of ontology of operations, these concepts that they have and the way that they think about things where you've got sessions and hosts and targets and users and clients and just, it's all, it's very much bureaucratic and structured. It's not freewheeling.
Tom Uran
I mean, who would have thought that hackers would think like that? Not a mystery. I've just like reached the very bottom of the report, like I don't know, 20 pages later and they actually say why they have written this report. I don't know that I'd buy it though. Researching and publicly discussing these threats is essential, especially for podcasters like us. It helps organizations and users understand the risks and take proactive measures. Groups like Sheddings Me, which is the Russian name for the threat actor, are constantly improving their tools, creating new, increasingly sophisticated implants and stealth techniques. Without analyzing these threats, it is impossible to develop countermeasure strategies that can match the dynamics of the attackers. Which is why we felt it was important to share this information with the community.
Grok
How does publishing the control panel help people understand the threats for. I mean, I certainly appreciate it, but.
Tom Uran
Now there is another paragraph and this is like exactly what we're doing in fact. And it says research into the front end component of the attackers command and control server infrastructure provides valuable information about their capabilities, the control mechanisms they use and the methods they use to interact with infected devices. This in turn allows us to identify weaknesses in their operating models and improve efficiency of monitoring malicious activity. Now again, like.
Grok
I don't buy that.
Tom Uran
I think we've had an interesting discussion, but I think it tells us absolutely zero about how to stop Ukrainian hackers.
Grok
Content for the content guys.
Tom Uran
Thanks a lot Grant. Thanks a lot Machine.
Risky Bulletin Podcast Episode Summary
Title: Between Two Nerds: How Tools Evolve
Host/Author: risky.biz
Release Date: May 5, 2025
In this episode of Risky Bulletin, hosts Tom Uran and Grok delve into a detailed analysis of a comprehensive report released by a Russian cybersecurity company. The discussion centers around a Ukrainian hacking web panel, presumed to be developed by Ukrainian government forces, examining its features, implications, and the motivations behind its public disclosure.
Tom Uran introduces the episode by referencing a report sent by Grok from a Russian cybersecurity firm, which details a Ukrainian hacking web panel. He clarifies that their analysis is based solely on publicly available information, emphasizing transparency and the ethical responsibility of not disclosing any proprietary or undisclosed intelligence.
Grok concurs, highlighting the non-anonymous nature of the report, suggesting it is officially sanctioned.
The panel serves as an interface between operators and their implants or campaigns, providing centralized control over malicious activities. The report is extensive, filled with detailed analyses and numerous screenshots illustrating the tool's capabilities.
User Interface and Design
The hosts commend the web panel's sophisticated and user-friendly interface, noting its departure from traditional hacker interfaces that are typically austere and command-line driven.
Tom Uran adds that the panel is modern, built with React, indicating a level of professionalism and suggesting that the developers prioritized ease of use and scalability.
The inclusion of features like a login system using Authentik, an open-source platform for access management, further underscores the panel's advanced development standards.
Functional Capabilities
The web panel aggregates data from malicious campaigns, generates new implants, manages sessions, collects statistics, and displays interactive maps of victims' infrastructure. Additional functionalities include automated password guessing and the ability to create notes with markdown support.
Iterative Development and Feature Integration
The conversation highlights the iterative nature of the tool's development. Features such as automated password guessing and notes creation indicate ongoing enhancements beyond the tool's minimum viable product (MVP).
Operational Structure and Terminology
The panel's terminology reflects a structured and bureaucratic approach to cyber operations, contrasting with the stereotypical freewheeling hacker mentality.
Terms like "session," "binary," "collector," "target host," and "client" indicate a sophisticated organizational framework. The distinction between "targets" and "target hosts" suggests a hierarchical approach to cyber operations.
Security and Operational Security (OPSEC) Concerns
The hosts express concerns about certain aspects of the report that may represent OPSEC failures, such as detailed descriptions of user IDs and the potential risks if the database were to be compromised.
Grok [20:14]: "So one user can be linked to multiple binaries, and then obviously that's going to be linked also to the clients and stuff. So when an implant connects back, you can figure out who it belongs to."
Tom Uran [21:07]: "Yes, yes. It does seem like having this in a report is an OPSEC fail, even though it doesn't really tell you about... It's just not ideal."
Marketing and Propaganda
The hosts speculate that the detailed nature of the report serves marketing purposes, aiming to showcase the Russian cybersecurity company's capabilities and professionalism. This could be an effort to attract government contracts or assert technological prowess.
Community and Transparency
Tom Uran challenges the rationale behind the report's depth, questioning its efficacy in burning the tool or hindering its operations.
Educational Value
Despite skepticism, both hosts acknowledge that public discussions and analyses of such tools are valuable for the cybersecurity community. By dissecting the tool's architecture and functionalities, they aim to enhance understanding and preparedness against similar threats.
The episode wraps up with a reflection on the complexity and evolution of cyber tools, emphasizing the need for continuous research and discourse to stay ahead of evolving threats. The hosts express skepticism about the report's effectiveness in mitigating the threat posed by the Ukrainian hacking panel but reaffirm the importance of such analyses in the broader cybersecurity landscape.
Tom Uran [27:18]: "I think we've had an interesting discussion, but I think it tells us absolutely zero about how to stop Ukrainian hackers."
Grok [27:33]: "Content for the content guys."
Sophisticated Cyber Tools: The Ukrainian hacking web panel demonstrates advanced features and a user-friendly interface, indicative of professional development and iterative improvements.
Structured Operational Framework: The terminology and organizational structure within the tool reflect a bureaucratic and methodical approach to cyber operations, diverging from traditional hacker stereotypes.
OPSEC Considerations: Publicly disclosing detailed operational data may pose significant security risks and represent potential OPSEC lapses.
Motivations for Disclosure: The extensive nature of the report is likely driven by marketing ambitions and the desire to showcase capabilities rather than purely defensive or informational purposes.
Importance of Analysis: Despite questioning the report's utility in halting cyber threats, the hosts affirm that dissecting such tools is crucial for the cybersecurity community to develop effective countermeasures.
Tom Uran [14:22]: "Yeah, it seems like this is the result of iterative development. It's definitely not something in the... The minimum viable product."
Grok [24:29]: "There's going to be a ChatGPT side panel on this and it'll be like, talk to your implants."
Tom Uran [26:28]: "Researching and publicly discussing these threats is essential, especially for podcasters like us."
Grok [25:26]: "It's all, it's all, it's very much bureaucratic and structured. It's not freewheeling."
This episode of Risky Bulletin provides an in-depth examination of a Ukrainian hacking web panel as detailed in a Russian cybersecurity company's report. Through a comprehensive discussion, Tom Uran and Grok explore the tool's advanced features, operational structure, potential OPSEC flaws, and the possible motivations behind the report's release. The conversation underscores the evolving nature of cyber tools and the critical role of ongoing analysis and community engagement in combating sophisticated cyber threats.