Flash Archive

The Italian Connection: An analysis of exploit supply chains and digital quartermasters

by Ned Moran and Ben Koehl

On July 5, 2015 an unknown hacker publicly announced on Twitter that he had breached the internal network of Hacking Team – an Italian pentesting company known to purchase 0-day exploits and produce their own trojans. The hacker proceeded to leak archives of internal Hacking Team tools and communications. A number of tools and previously unknown exploits were discovered in the trove of data posted online.

In the attached paper we will focus on two exploits which at the time of discovery in the Hacking Team archives were unpatched. The two 0-days in question targeted Adobe Flash and were subsequently labeled CVE-2015-5119 and CVE-2015-5122.

The goal of this research is to demonstrate how quickly these exploits spread and were used by multiple independent cyber espionage operators. Via the evidence presented within this paper we will demonstrate that at least two different exploit kits, or generators, were constructed by an unknown entity and shared amongst multiple operators believed to be located in China. We believe the following is a clear example of yet another ‘digital quartermaster’ of cyber espionage tools.

To read the full report click here.

Download the IOCs here.