by Kyle Ehmke, ThreatConnect
For many of the notable APT breaches over the last two years, domains that spoofed or typosquatted legitimate ones belonging to the target were an essential part of the adversaries' attacks. Notably, Chinese APT actors have leveraged such domains to breach healthcare and government organizations, ultimately compromising personal information for millions of individuals. A Russian APT has also used these types of domains recently to steal and ultimately leak documents from the Democratic political party. An organization can use knowledge of these practices to potentially discover targeted APT activity or proactively identify indicators that attackers may use against them. This presentation will expand on information identified in our research on the Anthem and DNC hacks, and show how an organization can leverage threat intelligence in conjunction with domain registration data to further bolster their defensive efforts. More specifically, ThreatConnect intelligence researchers will detail the process by which they identified potential Chinese APT activity against the pharmaceutical sector using registration information for spoofed and typosquatted domains.
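As an added illustration of the defensive side of that process (this is not code from the talk or from ThreatConnect), the following Python flags newly registered domains that look like an organization's own and then pivots on shared registrant data to surface related registrations. The protected label, the registration records and the registrant addresses are all constructed for the example.

```python
import re

# Constructed registration records (illustrative values, not real WHOIS data).
REGISTRATIONS = [
    {"domain": "examp1epharma.com",     "registrant_email": "reg-a@mail.example"},
    {"domain": "examplepharma-vpn.net", "registrant_email": "reg-a@mail.example"},
    {"domain": "owa-exampIepharma.com", "registrant_email": "reg-b@mail.example"},
    {"domain": "cdn-updates.net",       "registrant_email": "reg-a@mail.example"},
    {"domain": "weather-today.org",     "registrant_email": "reg-c@mail.example"},
]
# Second-level labels the (hypothetical) organization wants monitored.
PROTECTED = ["examplepharma"]

# Character substitutions commonly seen in lookalike domains, folded to one canonical form.
HOMOGLYPHS = {"1": "l", "i": "l", "0": "o", "rn": "m", "vv": "w"}

def normalize(label):
    """Lowercase a label and collapse digit/homoglyph substitutions."""
    label = label.lower()
    for src, dst in HOMOGLYPHS.items():
        label = label.replace(src, dst)
    return label

def levenshtein(a, b):
    """Edit distance between two strings (standard dynamic-programming form)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain, protected, max_distance=2):
    """True if any hyphen/dot-separated piece of the domain is within a small
    edit distance of a protected label after homoglyph normalization."""
    label = domain.lower().rsplit(".", 1)[0]          # strip the TLD
    for token in re.split(r"[-.]", label):
        if len(token) < 4:                            # short tokens cause false matches
            continue
        if any(levenshtein(normalize(token), normalize(p)) <= max_distance for p in protected):
            return True
    return False

def find_suspicious(registrations, protected):
    """Flag lookalike domains, then pivot on registrant email so other domains
    registered by the same party are surfaced as possibly related infrastructure."""
    flagged = {r["domain"] for r in registrations if is_lookalike(r["domain"], protected)}
    emails = {r["registrant_email"] for r in registrations if r["domain"] in flagged}
    pivoted = {r["domain"] for r in registrations if r["registrant_email"] in emails} - flagged
    return sorted(flagged), sorted(pivoted)
```

Domains surfaced only through the registrant pivot (here `cdn-updates.net`) are leads for analyst review, not confirmed indicators.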