Spy vs Spies:
An Examination of Counterintelligence Tooling for Contested Networks
The LightBasin threat group maintains long-term access to telecommunications and financial sector targets worldwide using a wide range of custom malware dating from as early as 2016. They frequently operate in contested environments that have already been compromised by multiple adversaries, which increases the risk of being discovered on target. In response, the threat actor has deployed counterintelligence tooling that performs checks to identify malware attributed to several telecommunications-focused adversaries, unknown threat actors, and eCrime-motivated activity; this talk examines how we can investigate this capability to derive intelligence about the actor and their intelligence-collection objectives.