1、What a clusterA case study in threat actor collaboration and framework for comparative attributionPwC Threat IntelligenceSANS CTI Summit 2025TLP:WHITE IntroductionsJono Davis Technical AnalystPwCBeen in the team for 5 years focusing on Ransomware-as-a-Service threat actors(occasionally APAC)lonely_m
2、ushroomMalware reverse engineeringPassionate about IR(international relations sorry)theoryLove Muay ThaiUnfortunately a Spurs fanPwC Threat IntelligenceStrategic and Technical rolesGlobalThreat research used by public and private sector organisations to protect networks,defend nations,providesituati
3、onal awareness&inform strategy.Team members spread across 8 countries and 3 continents Focus on both technical and strategic analysisIntegrations into broader PwC cyber engagementsCross-collaboration alongside intel partners Support to IR,red teams,threat hunting teams etc.KatechondicSANS CTI Summit
4、 2025PwC Threat IntelligenceJanuary 2025102*Attribution challenges and complexities when a threat actor is tracked and reported on by numerous organisationsAgenda for todayCase in point:Red Ishtar(a.k.a.CeranaKeeper,Stately Taurus,Earth Preta)Unraveling the cluster(s)of Mustang PandaOvercoming these
5、 challenges with a framework for comparative attributionAttribution:the complexitiesSANS CTI Summit 2025PwC Threat IntelligenceJanuary 2025104 Attribution its hardTHREAT ACTOR NAMINGOPEN SOURCE IS KINGSILOED THREAT INTELOVERCLUSTERINGSo many namesMajor facet of our communityWe dont talk to each othe
6、r enoughIts all Winnti,right?Case in point:Red IshtarSANS CTI Summit 2025PwC Threat IntelligenceJanuary 2025106 First:Red Ishtar vs.Red LichRed Ishtar:ShellfLoader and ShellfCodeShellfLoaderRed IshtarShellfCodeRed Ishtar:Associated with Earth Preta,Stately Taurus,CeranaKeeperRed Lich:Associated with