At GEOINT 2024, Rob Falcon delivered a lightning talk where he discussed the integration of geospatial intelligence (GEOINT) into cyber intelligence investigations. As the Lead Cyber Analyst at 3GIMBALS, Rob brings a wealth of experience from both military and private sector backgrounds, offering unique insights into the evolving landscape of cyber threats.
Key Takeaways from the Talk
Understanding Sandworm APT: Rob began by discussing Sandworm, a notorious Russian state-sponsored advanced persistent threat (APT) group. He highlighted their long history of cyber attacks, including the 2008 defacement of a Georgian government website and their ongoing assaults on Ukrainian critical infrastructure. Sandworm’s sophisticated techniques, including the use of novel malware strains targeting industrial controls, underscore the persistent and evolving nature of such threats.
Investigating Cyber Attacks: One of the talk’s focal points was the importance of investigating Sandworm’s command and control (C2) infrastructure. Rob explained how C2 nodes are critical for threat actors to communicate and exfiltrate data during cyber attacks. He detailed a specific investigation involving Sandworm’s Chisel malware, which targeted Ukrainian military mobile devices and revealed the IP addresses used by the threat actors.
Scalable Analysis with Programming: Rob demonstrated the necessity of scaling cyber investigations using programming. By coding applications that sift through vast quantities of IP addresses and other intrusion artifacts, analysts can gather crucial data efficiently. He shared his approach using IBM’s X-Force Exchange and MaxMind’s GeoIP2 database, which resulted in a browser-based heat map of Sandworm’s attack infrastructure. Interestingly, the map revealed that Sandworm heavily relied on Western European infrastructure, challenging the assumption that Russian cyber attacks would originate from Russian territory.
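The pipeline described above, from a pile of IP artifacts to a browser-ready heat map, reduces to three steps: validate and deduplicate the addresses, geolocate each one, and aggregate hits by country and coordinate. The script below is an added example and is not Rob's code or anything shown in the talk. It assumes a `lookup` callable returning (country, latitude, longitude); in a real workflow that would wrap MaxMind's `geoip2.database.Reader(...).city(ip)`, replaced here by a constructed in-memory table so it runs offline. The IP artifacts are constructed from RFC 5737 / RFC 3849 documentation ranges, not real indicators, and the X-Force Exchange enrichment step is left out.

```python
"""Aggregate threat-infrastructure IP artifacts into a geospatial heat map.

Added example, not from the talk. ``lookup`` stands in for a GeoIP2 city
lookup; ``FAKE_GEOIP`` is a constructed table with fictional coordinates.
"""
import ipaddress
import json
from collections import Counter

# Constructed sample artifacts: duplicates, stray whitespace, an internal
# RFC 1918 address, a malformed entry, and one IP absent from the lookup table.
RAW_ARTIFACTS = [
    "203.0.113.10", "203.0.113.10 ", "198.51.100.7", "192.168.1.5",
    "not-an-ip", "203.0.113.45", "198.51.100.7", "2001:db8::1", "192.0.2.99",
]

# Constructed stand-in for a GeoIP2 database: ip -> (country_iso, lat, lon).
FAKE_GEOIP = {
    "203.0.113.10": ("NL", 52.37, 4.90),
    "203.0.113.45": ("NL", 52.37, 4.90),
    "198.51.100.7": ("DE", 50.11, 8.68),
    "2001:db8::1": ("FR", 48.86, 2.35),
}

# Internal/bogon ranges that leak into artifact lists and must not be mapped.
# Production code would simply test ``addr.is_global``; it is not used here only
# because Python classifies the documentation ranges in the constructed sample
# as non-global, which would empty the example.
BOGONS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def fake_lookup(ip):
    """Stand-in for geoip2's city lookup; None when the IP is not in the DB."""
    return FAKE_GEOIP.get(ip)


def normalize_ips(raw):
    """Parse, strip and deduplicate artifacts, dropping malformed and internal IPs."""
    keep = set()
    for item in raw:
        try:
            addr = ipaddress.ip_address(item.strip())
        except ValueError:
            continue  # malformed artifact; skip rather than crash the batch
        if any(addr in net for net in BOGONS):
            continue  # internal address, not attacker infrastructure
        keep.add(str(addr))  # canonical form collapses "2001:db8:0::1" and friends
    return sorted(keep)


def build_heatmap(ips, lookup):
    """Geolocate each IP; return hits by country, hits by point, and misses."""
    by_country = Counter()
    by_point = Counter()
    unresolved = []
    for ip in ips:
        hit = lookup(ip)
        if hit is None:
            unresolved.append(ip)  # keep misses visible; silent drops skew the map
            continue
        country, lat, lon = hit
        by_country[country] += 1
        by_point[(lat, lon)] += 1
    return by_country, by_point, unresolved


def to_geojson(by_point):
    """Emit GeoJSON points with a 'weight' property for a browser heat layer."""
    features = [
        {"type": "Feature",
         "geometry": {"type": "Point", "coordinates": [lon, lat]},  # GeoJSON is lon, lat
         "properties": {"weight": n}}
        for (lat, lon), n in sorted(by_point.items())
    ]
    return {"type": "FeatureCollection", "features": features}


if __name__ == "__main__":
    ips = normalize_ips(RAW_ARTIFACTS)
    by_country, by_point, unresolved = build_heatmap(ips, fake_lookup)
    print("hits by country:", dict(by_country))
    print("unresolved:", unresolved)
    print(json.dumps(to_geojson(by_point), indent=2))
```

The GeoJSON output can be fed directly to a browser heat layer (Leaflet's heat plugins accept weighted points). Two design points matter for analytic accuracy: deduplicate before counting, so a repeated artifact does not inflate one hotspot, and report unresolved addresses rather than dropping them, since a gap in GeoIP coverage is itself a finding worth noting in the report.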
Implications for Cyber Defense: The insights gained from such geospatially enabled cyber investigations have profound implications. Rob emphasized that cyber defenders should not limit their focus to Russian territory but should remain vigilant about global IP address connections. By integrating GEOINT into cyber intelligence workflows, analysts can produce more accurate and actionable reports, empowering policymakers to take deliberate actions against adversaries and educating the public on cybersecurity issues.
For those interested in exploring this topic further, Rob has made his contact information available for any technical inquiries or detailed discussions.