Allison Wikoff

A Muddy, Coincidental Quartermaster?

Digital quartermasters are most commonly thought of in relation to some long-standing China-based intrusion sets, but the concept of tooling and training proliferating across multiple threat actors is by no means unique to this region. This presentation details an Iran-based information security education company, from which several employees and their tradecraft can be tied to multiple Iran-based threat actors, suggesting it may provide more offensive cyber training for its students.

This session will cover some of the observed TTPs associated with Iran-based threat actors, including a threat actor PwC intelligence analysts call Yellow Nix, which is similar to open-source reporting on MuddyWater, and Yellow Dev 24, a.k.a. Nemesis Kitten, which share strong overlaps with the training curriculum and tooling. Additionally, we will detail ties between the training company and front companies associated with government entities.

Attendees will leave this session to decide the following: is this company just the “SANS Institute” of Iran, or potentially something more nefarious…

Allison Wikoff is the Americas Lead for the Global Threat Intelligence practice at PwC, where she supports numerous business and strategic threat intelligence initiatives. She has 20 years of experience working in network defense, incident response, intelligence analysis and threat research.

The focus of the latter half of Allison’s career has been researching nation-state cyber activity with a focus on Iran. She holds numerous industry certifications and an advanced degree from Columbia University, where she guest lectures for several information security-focused graduate courses.