WEBVTT

1
00:00:01.639 --> 00:00:11.679
Produced by PI Media. Hi,
I'm Ran Levi. Welcome to CPRadio.

2
00:00:17.399 --> 00:00:21.480
In the wake of the terrorist attack
on October seventh, which claimed the

3
00:00:21.480 --> 00:00:26.079
lives of around one thousand, two
hundred civilians in Israel and led to the

4
00:00:26.120 --> 00:00:31.239
capture of over two hundred more,
Iran, which provides support for Hamas as

5
00:00:31.280 --> 00:00:36.920
well as related terrorist outfits like Hezbollah
in Lebanon and the Houthis in Yemen,

6
00:00:37.399 --> 00:00:42.719
has over and over threatened to get
involved. Its Minister of Foreign Affairs

7
00:00:42.920 --> 00:00:48.000
has spoken about how quote if the
Zionist aggressions do not stop, the hands

8
00:00:48.039 --> 00:00:53.079
of all parties in the region are
on the trigger and quote expansion of the

9
00:00:53.200 --> 00:00:58.799
scope of the war has become inevitable
end quote, with the prospect of a

10
00:00:58.799 --> 00:01:03.760
wider war, the spotlight has turned
to Iran's military capabilities. Though its army

11
00:01:03.920 --> 00:01:10.159
isn't so feared, its nuclear capabilities
are, and even before all that,

12
00:01:10.319 --> 00:01:15.439
history shows it might choose to utilize
the power of cyber attacks. For years

13
00:01:15.439 --> 00:01:21.040
now, Iran's state-sponsored hackers have
been some of the most prolific in the

14
00:01:21.079 --> 00:01:27.040
world, but prolific does not necessarily
mean sophisticated. Its attacks haven't quite impressed

15
00:01:27.079 --> 00:01:32.000
in the way that the US,
Russia, and China's do. They are

16
00:01:32.040 --> 00:01:38.840
more comparable, perhaps, to lesser powers
like North Korea and Azerbaijan. Consider,

17
00:01:38.959 --> 00:01:44.719
for example, the group Check Point tracks
as Scarred Manticore. Since twenty nineteen,

18
00:01:45.000 --> 00:01:51.560
Scarred Manticore has been carrying out espionage
campaigns in countries largely concentrated in the Middle

19
00:01:51.640 --> 00:01:57.200
East, sometimes successfully, but using
back doors that don't look so different from

20
00:01:57.200 --> 00:02:02.079
what you'd see with non-state-sponsored
cybercriminal groups. Some of them appear

21
00:02:02.159 --> 00:02:10.240
to be modified versions of publicly available
tools. Amitai Ben Shushan Ehrlich, threat intelligence analysis team

22
00:02:10.319 --> 00:02:15.120
lead at Check Point Research. One of
them is the Tunna webshell, which is

23
00:02:15.240 --> 00:02:22.400
used to tunnel traffic over a webshell
over HTTP. Tunna was Scarred Manticore's

24
00:02:22.479 --> 00:02:25.919
first known tool. You can download
it yourself from GitHub. Hundreds of people

25
00:02:27.080 --> 00:02:30.560
have already. According to its creator, it enables a red teamer or hacker

26
00:02:30.879 --> 00:02:37.120
to wrap and tunnel their TCP Internet
traffic, hence the name Tunna, bypassing

27
00:02:37.199 --> 00:02:44.120
network protections in firewalled environments. And
as we deep-dived into the evolution of

28
00:02:44.159 --> 00:02:50.039
this specific Tunna webshell, we saw
that they implemented their own mechanisms into it

29
00:02:50.439 --> 00:02:55.000
and slowly started giving it their own
versioning and embedding additional functionalities within it.

30
00:02:55.520 --> 00:03:00.479
As Scarred Manticore iterated on Tunna in
bits and pieces, over time, it

31
00:03:00.520 --> 00:03:06.840
began to look different enough to be
considered its own malware. Check Point named the

32
00:03:07.000 --> 00:03:14.400
modified Tunna backdoor FOXSHELL. FOXSHELL
became a favorite go-to weapon. Over

33
00:03:14.479 --> 00:03:20.039
time, it turned into a very
unique backdoor, a very unique webshell that

34
00:03:20.159 --> 00:03:24.960
was also used in attacks against
Albania, as reported by CISA. We were

35
00:03:25.000 --> 00:03:31.199
also able to tie some of
the webshells and internal DLLs that are used

36
00:03:31.199 --> 00:03:37.159
as resources in it to another backdoor
that was used in the Middle East called

37
00:03:37.159 --> 00:03:40.919
the SDD backdoor, a backdoor that
was used in targeted attacks in Saudi Arabia.

38
00:03:40.960 --> 00:03:46.879
It seems it was analyzed by a
Saudi researcher that we're referencing in the report,

39
00:03:47.000 --> 00:03:53.879
and most recently it was tied to
a sophisticated implant called WINTAPIX, which

40
00:03:53.919 --> 00:03:58.800
is a driver-based implant that was
reported by Fortinet, showing the evolution.

41
00:03:58.879 --> 00:04:03.439
You know, we started from this
open-source webshell Tunna, slowly turning it

42
00:04:03.520 --> 00:04:11.879
into something custom, adding more functionalities, embedding internal resources. Then we see

43
00:04:11.919 --> 00:04:15.240
the backdoor, the SDD backdoor,
and then the WINTAPIX driver actually takes

44
00:04:15.879 --> 00:04:20.680
the best of both
worlds and embeds them into this sophisticated implant

45
00:04:20.720 --> 00:04:27.439
that utilizes the driver to inject code
and hide functionalities. FOXSHELL was,

46
00:04:27.519 --> 00:04:32.199
in retrospect, a harbinger of things
to come. Whereas the Iranian threat actor

47
00:04:32.319 --> 00:04:38.480
started off at a level akin to
ordinary cybercriminal groups, here they were

48
00:04:38.519 --> 00:04:43.639
demonstrating that they could distinguish their work, that they could create a unique and

49
00:04:43.800 --> 00:04:48.759
powerful malware tool capable enough to be
used in successful campaigns across a number of

50
00:04:48.800 --> 00:04:56.759
countries. And then just recently,
Iran arguably truly announced itself as a global

51
00:04:57.000 --> 00:05:02.560
cyber power. In a campaign recently uncovered
by three cybersecurity groups, Check Point, Sygnia and

52
00:05:02.759 --> 00:05:10.040
Cisco Talos, Scarred Manticore unleashed
tools and tactics unlike anything we've seen from

53
00:05:10.079 --> 00:05:15.600
the Islamic Republic before. If before
they were at the kid's table, this

54
00:05:15.839 --> 00:05:25.519
latest campaign suggests that they might have
just moved up. The story of this

55
00:05:25.639 --> 00:05:32.439
campaign begins with a dynamic-link library,
or DLL. DLLs are shared libraries, groupings

56
00:05:32.480 --> 00:05:38.839
of code stored in memory that can
be invoked by any given application. They're

57
00:05:39.040 --> 00:05:43.759
terribly useful since there are certain things
lots of programs need to be able to

58
00:05:43.800 --> 00:05:47.399
do, and it wouldn't be all
that efficient if every one of them needed

59
00:05:47.399 --> 00:05:51.360
the code to do it. It's
like how every person needs to be able

60
00:05:51.399 --> 00:05:57.360
to use the bathroom, but not
every person in your office needs their own

61
00:05:57.360 --> 00:06:01.839
individual bathroom, as much as I'd love
my own office bathroom. By having a

62
00:06:01.879 --> 00:06:08.839
couple that everyone shares, you save
a massive amount of square footage and everybody

63
00:06:09.000 --> 00:06:14.040
still gets to poop. Plus it's
much easier for the janitor to replace the

64
00:06:14.120 --> 00:06:17.199
soap or toilet paper if he doesn't
have to run around doing it in twenty

65
00:06:17.319 --> 00:06:25.680
different bathrooms. DLLs are useful and
utterly normal on every PC. But the

66
00:06:25.759 --> 00:06:31.000
DLL Amitai and his colleagues were facing
was not your average file. So when

67
00:06:31.000 --> 00:06:35.000
we came across the DLL, it
was very strange to us. It was

68
00:06:35.040 --> 00:06:41.279
located in System32,
which is a legitimate path. Besides the folder

69
00:06:41.439 --> 00:06:46.519
System32, the DLL file
names themselves also seemed rather ordinary. There

70
00:06:46.639 --> 00:06:54.759
was wlbsctrl.dll and
wlanapi.dll. WLAN, of

71
00:06:54.759 --> 00:06:59.600
course, is very basic and ubiquitous
Wi-Fi technology. In other words,

72
00:06:59.839 --> 00:07:03.800
these were the kinds of folders and
files you find everywhere on any PC.

73
00:07:04.480 --> 00:07:09.959
Usually, if you're looking for something
in particular, like malware, you'll scroll

74
00:07:10.079 --> 00:07:15.079
past them without thinking twice. And
as we deep-dived into the artifacts related

75
00:07:15.439 --> 00:07:20.040
to what we found, we saw
that the DLLs really were sideloaded by a

76
00:07:20.120 --> 00:07:26.319
legitimate service. A sideloaded DLL. This is something you hear a lot

77
00:07:26.360 --> 00:07:36.319
about nowadays, but it wasn't always
so. For years, when they wanted

78
00:07:36.360 --> 00:07:43.079
to load malware on your computer,
hackers sent Microsoft Office files, Word documents,

79
00:07:43.120 --> 00:07:47.079
Excel files, and so on,
containing malicious macros, which are shortcuts

80
00:07:47.079 --> 00:07:51.439
for running custom code. If you
okay the macros in a phishing file,

81
00:07:51.800 --> 00:07:57.120
you open the window for hackers to
plant, say a malware loader on your

82
00:07:57.160 --> 00:08:01.680
computer, which could retrieve and execute
a backdoor, ransomware, or anything else you

83
00:08:01.720 --> 00:08:07.720
can imagine. But in the episode
How Microsoft Changed Cyberspace With One Decision, we

84
00:08:07.720 --> 00:08:13.560
discussed on this podcast how after years
of macro abuse, Microsoft decided to block

85
00:08:13.720 --> 00:08:20.680
Internet-downloaded macros by default. Hackers
now needed new ways to get malware on

86
00:08:20.720 --> 00:08:26.439
your machine. One of the most
popular alternatives they've since landed on is DLL

87
00:08:26.680 --> 00:08:31.159
sideloading. Instead of a file hiding
malware, the attacker sends the victim a

88
00:08:31.320 --> 00:08:39.960
legitimate program with an illegitimate DLL.
Any executable program will come with a manifest,

89
00:08:41.120 --> 00:08:45.679
a kind of a rule book that
specifies which DLLs will load and in

90
00:08:45.720 --> 00:08:50.000
what order. If these instructions aren't
specific enough, though, hackers can take

91
00:08:50.039 --> 00:08:56.879
advantage, sneaking their dirty code inside of
a DLL that basically fits the bill.

92
00:08:56.440 --> 00:09:01.559
So you're running a totally normal software
program, but unbeknownst to you or your

93
00:09:01.639 --> 00:09:07.600
computer, the program loads an attacker's
malware. In this case, Scarred Manticore

94
00:09:07.879 --> 00:09:13.639
did one better, taking advantage of
an absence of certain DLLs in certain Windows

95
00:09:13.679 --> 00:09:20.200
Server OS versions. So a program
that looks to invoke the DLL in question

96
00:09:20.600 --> 00:09:24.240
shouldn't find it in such distributions,
but in this case, it thinks it

97
00:09:24.320 --> 00:09:31.440
does, and it's the attacker's code. This required an intimate knowledge of the

98
00:09:31.480 --> 00:09:37.919
operating system to a degree not many
people anywhere really have. At this point,

99
00:09:37.960 --> 00:09:43.600
I think we realized that this was
a very unique kind of attack,

100
00:09:43.639 --> 00:09:48.600
and a very sophisticated one. But
this was only the very beginning of the

101
00:09:48.639 --> 00:09:56.159
attack. Even more sophisticated tricks were
yet to come. When we looked into

102
00:09:56.240 --> 00:09:58.879
the DLL itself, like after we
understood how it was loaded and how the

103
00:10:00.000 --> 00:10:05.360
attack was carried out, we also
saw that it uses some interesting features that

104
00:10:05.440 --> 00:10:11.320
are undocumented in the Windows operating system. Again, the attackers were toying not

105
00:10:11.519 --> 00:10:18.120
with ordinary software, but the fundamental
functions of the OS itself. If a

106
00:10:18.159 --> 00:10:22.559
Windows PC were the Earth, they
were way way below the surface, digging

107
00:10:22.720 --> 00:10:31.000
at its core. More specifically,
it was using undocumented calls of the HTTP.sys

108
00:10:31.159 --> 00:10:37.200
driver, which is the Windows driver
that handles all the incoming HTTP requests for

109
00:10:37.240 --> 00:10:43.480
Windows servers. The way that it
happens in the background is that it actually calls

110
00:10:43.799 --> 00:10:48.679
internal functionalities of the operating system that
are not supposed to be used by users

111
00:10:48.159 --> 00:10:54.679
like me and you. Even
programmers shouldn't access those kinds of functionalities directly.

112
00:10:54.639 --> 00:11:01.559
To reiterate, not only were Scarred
Manticore manipulating HTTP.sys, a kernel-level driver

113
00:11:01.759 --> 00:11:07.919
that nobody, even programmers, are
supposed to touch, but they were engaging

114
00:11:07.159 --> 00:11:15.559
with undocumented features within it. Totally
unprecedented stuff because this kind of method,

115
00:11:15.679 --> 00:11:20.320
specifically involving the HTTP.sys driver, was
never observed in the wild, and we

116
00:11:20.440 --> 00:11:24.519
had to try to understand ourselves how
it works and what happens because it's not

117
00:11:24.559 --> 00:11:31.960
documented anywhere. It's not a legitimately
documented functionality of this driver. Specifically,

118
00:11:33.200 --> 00:11:39.840
the malware utilized device input and output
controls, or IOCTLs, which enable an application

119
00:11:39.080 --> 00:11:46.320
to interface directly with a driver.
The attackers had absolutely no business knowing about

120
00:11:46.399 --> 00:11:52.919
the HTTP.sys IOCTLs, and
it allowed their malicious code to skip anything

121
00:11:52.960 --> 00:11:58.720
in between them and this kernel level
driver. This direct line to the heart

122
00:11:58.799 --> 00:12:03.200
of a PC was just powerful.
It made the attack substantially more difficult to

123
00:12:03.399 --> 00:12:13.480
identify and root out. Usually security
measures are monitoring the legitimate kind of calls,

124
00:12:13.519 --> 00:12:18.799
the API calls for such things,
so an advanced attacker usually tries to go

125
00:12:20.440 --> 00:12:24.440
lower in the operating system to try
to facilitate those kinds of functionalities that are

126
00:12:24.519 --> 00:12:31.399
not legitimate and shouldn't be used
by normal users. If you're not yet

127
00:12:31.480 --> 00:12:37.919
convinced how cutting edge this attack path
was, here's something to consider. We

128
00:12:37.000 --> 00:12:43.559
don't even know how they did all
this. After all their investigating in collaboration

129
00:12:43.759 --> 00:12:48.720
with a second cybersecurity company as well, Amitai and his colleagues can only take guesses at

130
00:12:48.799 --> 00:12:54.039
how Scarred Manticore managed to get that
kind of access and do what they did.

131
00:12:54.960 --> 00:13:00.759
It's quite hard to tell what was
the process behind it, but they

132
00:13:00.759 --> 00:13:07.639
would eventually need to either reverse engineer
the driver itself to understand the undocumented functionalities

133
00:13:07.679 --> 00:13:13.159
in it, which would require knowledge
and understanding of reverse engineering, or they

134
00:13:13.200 --> 00:13:18.440
could do some trial and error,
which is less likely to be successful.

135
00:13:18.000 --> 00:13:22.840
The way that they carried it out suggests
that they knew exactly what they were doing,

136
00:13:24.159 --> 00:13:28.600
so I would assume they probably had
to reverse engineer some of the Windows

137
00:13:30.279 --> 00:13:39.960
driver. Amid all this groundbreaking technical
wizardry, you might have forgotten that we

138
00:13:39.200 --> 00:13:45.919
haven't even gotten to what the hackers
malware actually did. Yet, it too

139
00:13:46.279 --> 00:13:52.519
did something novel. Picture a bit
of malware latching onto the HTTP.sys

140
00:13:52.639 --> 00:14:00.360
driver like a parasite. By facilitating
the HTTP.sys driver, they were intercepting incoming

141
00:14:00.399 --> 00:14:07.279
connections. The parasitic malware placed just
above the driver intercepted incoming HTTP traffic,

142
00:14:07.679 --> 00:14:11.840
so if a user, say,
visited a website, malware was the first

143
00:14:11.919 --> 00:14:16.440
to know about it. The point
of this, though, was to listen

144
00:14:16.519 --> 00:14:22.519
for a very particular request, a
request with a specific URL prefix defined by

145
00:14:22.559 --> 00:14:26.000
the attackers. If such a URL
was invoked, the malware would intercept the

146
00:14:26.039 --> 00:14:31.519
message, decode it, and from
the HTTP requests initiated by the attackers they

147
00:14:31.559 --> 00:14:37.360
extracted payloads and in memory, they
decrypted those and loaded a set of shell

148
00:14:37.399 --> 00:14:43.320
codes which appeared to be part of
a larger framework of malware that we dubbed

149
00:14:43.360 --> 00:14:50.320
LIONTAIL. LIONTAIL is the name we'll
use to describe the whole category of malware

150
00:14:50.600 --> 00:14:54.200
used in this campaign, from the
payload loader to the many other tools it

151
00:14:54.320 --> 00:15:03.159
contained therein. Using this framework, they could
carry out a lot of kinds of activities.

152
00:15:03.200 --> 00:15:07.360
We've seen them do credential harvesting,
We've seen them do reconnaissance. We

153
00:15:07.399 --> 00:15:13.559
saw them use this framework to run
commands, running commands, uploading and downloading

154
00:15:13.600 --> 00:15:20.039
files, and various other info stealing
related activities like credential harvesting and lateral movement

155
00:15:20.279 --> 00:15:26.080
over the target network. And being
a framework, LIONTAIL contained some parts

156
00:15:26.200 --> 00:15:30.519
it could invoke or ignore based on
the system it was running on. For

157
00:15:30.559 --> 00:15:35.679
example, one of the back doors
that we reported on is something that we

158
00:15:35.840 --> 00:15:43.320
call LIONHEAD, which is some sort
of web forwarder that is installed on Exchange

159
00:15:43.360 --> 00:15:48.279
servers, and what it does is
actually facilitating the same functionality of the

160
00:15:48.360 --> 00:15:56.879
HTTP.sys driver to forward incoming requests to
specific Exchange endpoints. Essentially, LIONHEAD

161
00:15:58.279 --> 00:16:03.519
was to email what the LIONTAIL
backdoor we described was to HTTP, and by

162
00:16:03.559 --> 00:16:11.120
doing so it allows the threat actor
to easily download mails. The robustness of

163
00:16:11.240 --> 00:16:18.080
LIONTAIL and the remarkable means Scarred
Manticore used to plant it on target systems

164
00:16:18.360 --> 00:16:22.879
allowed the group to run through some
serious victims. The campaigns included attacks across

165
00:16:22.960 --> 00:16:27.480
Israel, Iraq, Jordan, Kuwait, Oman, Saudi Arabia, and the

166
00:16:27.679 --> 00:16:36.399
United Arab Emirates. Each one of
the targets was extremely interesting and very relevant

167
00:16:36.639 --> 00:16:41.320
to the Iranian cause. We're seeing
governmental organizations, we're seeing military organizations,

168
00:16:41.360 --> 00:16:47.120
and we're seeing a lot of telecommunications
organizations that are targeted by Scarred Manticore.

169
00:16:47.159 --> 00:16:52.279
This is very telling of their goals
of collection and espionage. It's not

170
00:16:52.399 --> 00:16:56.919
yet known what the group might have
stolen from any one of these targets,

171
00:16:57.480 --> 00:17:03.960
but these details are almost beside the
point. Some of those targets were interesting

172
00:17:03.960 --> 00:17:08.920
also in that aspect that you wouldn't
think it's very easy to infiltrate those kind

173
00:17:08.920 --> 00:17:12.920
of organizations. I'm sure it wasn't
easy, but those guys managed to do

174
00:17:14.000 --> 00:17:19.279
so, which indicates how good they
are. Scarred Manticore is now very sophisticated,

175
00:17:19.599 --> 00:17:26.000
and that in itself has broader implications. I've been looking at Iranian threat

176
00:17:26.039 --> 00:17:30.079
actors for quite some time, and
I could say that the evolution of Scarred

177
00:17:30.119 --> 00:17:37.359
Manticore specifically is worrying in the sense
that they are starting to create, like, custom

178
00:17:37.480 --> 00:17:44.359
tools that are not trivial. Even
if Iranian actors in the past have created

179
00:17:44.400 --> 00:17:48.359
their own tools, they were always, you
know, a little bit more of the

180
00:17:48.440 --> 00:17:52.079
same. You had backdoors that are
more sophisticated. Some of them started to

181
00:17:52.200 --> 00:17:59.319
use like emails as exfiltration channel in
the more sophisticated one. But seeing this

182
00:17:59.640 --> 00:18:04.799
actor that utilizes undocumented functionalities of
drivers, for example, is something that

183
00:18:06.240 --> 00:18:11.039
I haven't seen personally in any Iranian
group. And considering the fact that we

184
00:18:11.200 --> 00:18:15.960
see where it started in twenty nineteen
from an open-source webshell to where it

185
00:18:17.000 --> 00:18:23.559
is today, that's quite a thing
to consider. In only four years,

186
00:18:23.759 --> 00:18:30.720
Scarred Manticore went from forgettable to groundbreaking. The impact that could have on the

187
00:18:30.759 --> 00:18:37.440
cybersecurity landscape and geopolitics more generally are
significant because it's not like we're talking about

188
00:18:37.640 --> 00:18:42.599
some webshells here, we have evidence that in the past

189
00:18:42.759 --> 00:18:49.640
their access was actually utilized to conduct
destructive attacks. Certain weapons in Scarred Manticore's

190
00:18:49.640 --> 00:18:56.319
toolset overlap with those used by the
Iranian state hackers known as Homeland Justice in

191
00:18:56.359 --> 00:19:03.200
a campaign against Albania in May of
That case might have appeared like espionage at

192
00:19:03.240 --> 00:19:08.039
first, as the attackers spent over
a year moving within their target networks and

193
00:19:08.200 --> 00:19:15.599
exfiltrating sensitive data, but then all
at once they deployed ransomware and wiper malware,

194
00:19:15.720 --> 00:19:22.839
taking down government websites and services,
posting political messages and leaking sensitive data.

195
00:19:22.960 --> 00:19:30.279
Even those kinds of stealthy attackers and
espionage-motivated threat actors sometimes utilize their

196
00:19:32.000 --> 00:19:37.759
access for destructive means. And that's
important to remember because the fact that this

197
00:19:37.880 --> 00:19:41.400
threat actor has been in your network
and collected information for a certain period of

198
00:19:41.440 --> 00:19:45.920
time does not mean that one day
it won't exploit in your network and like

199
00:19:45.039 --> 00:19:52.000
start deploying wipers and ransomware. And
we've actually seen some indications that this is

200
00:19:52.039 --> 00:19:57.680
happening in Israel as well. We
haven't covered it in the report yet,

201
00:19:57.720 --> 00:20:06.720
but we do know that some of
the confirmed Scarred Manticore victims experienced destructive attacks

202
00:20:06.720 --> 00:20:11.319
in Israel, wiper attacks and leakage,
in some cases using some fake personas.

203
00:20:12.400 --> 00:20:18.960
As Iran lobs cyber bombs into Israel and
the rest of the Middle East, everybody

204
00:20:18.079 --> 00:20:29.359
will be forced to take notice or
else. I think a lot of researchers

205
00:20:29.559 --> 00:20:36.079
don't fully understand the evolution that we're
seeing from Iranian actors over the last few

206
00:20:36.160 --> 00:20:38.920
years. In the realm of like
the Big Four, like Iran, North

207
00:20:40.000 --> 00:20:44.079
Korea, Russia, and China.
Iran has also always looked like

208
00:20:44.119 --> 00:20:49.680
the kitten, the non harming,
very simple, very unsophisticated threat actor,

209
00:20:49.720 --> 00:20:56.279
which was true at a certain point, but I think this one, Scarred Manticore,

210
00:20:56.480 --> 00:21:02.960
completely changes that. I think in
certain aspect it's more sophisticated than a lot

211
00:21:03.000 --> 00:21:07.920
of Chinese, Russian or North Korean
actors that I've analyzed in the past,

212
00:21:10.279 --> 00:21:12.079
and that's important to remember. Like
a lot of times, I had this

213
00:21:12.200 --> 00:21:18.319
debate with my friends over the term
APT, like advanced persistent threat, which turned

214
00:21:18.359 --> 00:21:25.680
into a name for any state sponsored
actor in the cyber threat intelligence field,

215
00:21:25.680 --> 00:21:30.759
but originally meant like very advanced attackers. And my friends who aren't really deep

216
00:21:30.799 --> 00:21:36.799
into intelligence are like, you can't
call Iranian actors APTs because they're not really

217
00:21:36.880 --> 00:21:41.640
advanced, and I think this one
completely shatters this perception of Iranian actors.

218
00:21:48.279 --> 00:21:52.440
That's it for this episode. Thank
you for listening. For past episodes,

219
00:21:52.559 --> 00:21:59.200
visit Check Point Research's blog at research.checkpoint.com,
and you can follow Check Point

220
00:21:59.240 --> 00:22:03.680
Research there, or follow me at
@ranlevi. That's R-A-N

221
00:22:03.960 --> 00:22:07.359
L-E-V-I. CPRadio is
produced by PI Media, written by

222
00:22:07.440 --> 00:22:12.680
Nate Nelson, produced by Hila Shemish, and edited and narrated by Ran Levi.

223
00:22:14.119 --> 00:22:22.160
See you next time. Bye bye.

