Kaspersky recently uncovered a global cyber espionage network they call NetTraveler. It affected more than 350 government organizations in over 40 countries; India was particularly hard hit, along with Mongolia and Russia. Kaspersky also released a valuable report called NetTraveler attacks Part I [PDF].
Indicators in OpenIOC format
The report released by Kaspersky contains indicators of compromise that Trisul users can use to check their past traffic for potential compromise. We've created an OpenIOC format XML file from the report. We think we got everything except the semaphore indicators.
Sweeping past traffic with Trisul
You can use the same techniques as for APT1 to sweep these indicators too. You can also automate the whole thing by reading in the OpenIOC format XML file and using the scripts in our GitHub trisul-samples repository.
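As an added illustration (not the trisul-samples scripts and not the indicators from the Kaspersky report), the Python below reads a constructed OpenIOC 1.0 file, flattens its nested IndicatorItems into a list of values to look for, and sweeps a few constructed traffic records against them; the record format, search types and all values are assumptions.

```python
import xml.etree.ElementTree as ET
NS = "{http://schemas.mandiant.com/2010/ioc}"  # OpenIOC 1.0 namespace
# Constructed OpenIOC document; not Trisul's file and not the report's indicators.
SAMPLE_IOC = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="constructed-0001">
  <definition>
    <Indicator operator="OR" id="top">
      <IndicatorItem id="a" condition="is">
        <Context document="Network" search="Network/DNS" type="mir"/>
        <Content type="string">c2.example.net</Content>
      </IndicatorItem>
      <Indicator operator="AND" id="inner">
        <IndicatorItem id="b" condition="contains">
          <Context document="Network" search="Network/URI" type="mir"/>
          <Content type="string">/constructed-path/</Content>
        </IndicatorItem>
        <IndicatorItem id="c" condition="is">
          <Context document="Network" search="Network/DNS" type="mir"/>
          <Content type="string">update.example.org</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>"""
# Constructed traffic records as (OpenIOC search type, observed value).
SAMPLE_RECORDS = [
    ("Network/DNS", "www.example.com"),
    ("Network/DNS", "C2.example.net"),
    ("Network/URI", "/constructed-path/index.php"),
]
def parse_openioc(xml_text):
    """Flatten the nested Indicator tree into (search, condition, value) triples."""
    items = []
    for item in ET.fromstring(xml_text).iter(NS + "IndicatorItem"):
        search = item.find(NS + "Context").get("search")
        value = item.find(NS + "Content").text.strip()
        items.append((search, item.get("condition"), value))
    return items

def sweep(indicators, records):
    """Return (search, observed, indicator) for every record an indicator matches."""
    hits = []
    for search, cond, value in indicators:
        for rec_search, observed in records:
            seen, want = observed.lower(), value.lower()  # case-insensitive compare
            matched = seen == want if cond == "is" else (cond == "contains" and want in seen)
            if rec_search == search and matched:
                hits.append((search, observed, value))
    return hits
if __name__ == "__main__":
    for hit in sweep(parse_openioc(SAMPLE_IOC), SAMPLE_RECORDS):
        print(hit)
```

The AND/OR operators are deliberately flattened: for a retrospective sweep you want every matching record surfaced, and the boolean structure can be applied afterwards when triaging the hits.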
We will release scripts in the next couple of days that can directly consume intel in OpenIOC format.