WACCO 2025

TBD

TBD

CTI-HAL: A Human-Annotated Dataset for Cyber Threat Intelligence Analysis

Sofia Della Penna, Roberto Natella, Vittorio Orbinato, Lorenzo Parracino and Luciano Pianese

Organizations are increasingly targeted by Advanced Persistent Threats (APTs), which involve complex, multi-stage tactics and diverse techniques. Cyber Threat Intelligence (CTI) sources, such as incident reports and security blogs, provide valuable insights, but are often unstructured and in natural language, making it difficult to automatically extract information. Recent studies have explored the use of AI to perform automatic extraction from CTI data, leveraging existing CTI datasets for performance evaluation and fine-tuning. However, they present challenges and limitations that impact their effectiveness. To overcome these issues, we introduce a novel dataset manually constructed from CTI reports and structured according to the MITRE ATT&CK framework. To assess its quality, we conducted an inter-annotator agreement study using Krippendorff’s alpha, confirming its reliability. Furthermore, the dataset was used to evaluate a Large Language Model (LLM) in a real-world business context, showing promising generalizability.

The Dark Side of the Web: Towards Understanding Various Data Sources in Cyber Threat Intelligence

Saskia Laura Schröer, Noè Canevascini, Irdin Pekaric, Philine Widmer and Pavel Laskov

Cyber threats have become increasingly prevalent and sophisticated. Prior work has extracted actionable cyber threat intelligence (CTI), such as indicators of compromise, tactics, techniques, and procedures (TTPs), or threat feeds from various sources: open source data (e.g., social networks), internal intelligence (e.g., log data), and “first-hand” communications from cybercriminals (e.g., underground forums, chats, darknet websites). However, “first-hand” data sources remain underutilized because it is extremely difficult to access or scrape their data. In this work, we analyze (i) 6.6 million posts from 22 underground forums, (ii) 3.4 million messages from over 3’000 chat channels (Discord and Telegram), and (iii) 120’000 darknet websites. We combine NLP tools to address several challenges in analyzing such data. First, even on dedicated platforms, only some content may be CTI-relevant, requiring effective filtering. Second, “first-hand” data can be CTI-relevant from a technical or strategic viewpoint. Thus, we demonstrate how to organize content along this distinction. Third, we describe the topics discussed. Thereby, we also highlight how “first-hand” data sources differ from each other. We adapt all our NLP tools to accommodate the domain-specific terminology. According to our filtering, 20% of our sample is CTI-relevant. Most of the CTI-relevant data focuses on strategic rather than technical discussions. Credit card-related cyber-crime is the most prevalent topic on darknet websites. On underground forums and chat channels, account and subscription selling is discussed most. Topic diversity is higher on underground forums and chat channels than on darknet websites. Our analyses suggest that different platforms may be used for activities with varying complexity and risks for criminals. Our primary contribution is a meta-analysis of several “first-hand” data sources based on the NLP pipeline we developed. We provide our NLP pipeline as an open-source tool for future research.

Is this your USB? No, but check this QR code for a free meal! Assessing awareness against dropped USBs and malicious QR codes

Johannes Nordskov, Tyge Tiessen and Emmanouil Vasilomanolakis

Anecdotal and preliminary work suggests that USB dropping attacks can be successful while the misuse of QR codes has been steadily making the news. In this paper, we attempt to shed light into how these two attacks are met in practice by performing a series of experiments against different types of target entities: a large university, governmental agencies, and an NGO. For this we dropped a total of 235 USB drives (that contained harmless honeytokens) and placed 110 posters (with harmless QR codes). Our results suggest that QR codes are superior (680.91% total scan rate) to USB dropping attacks, possibly due to their ability to blend more easily into the attack environment along with social engineering elements. We also notice a strong bias on the public perception with USB drives appearing more dangerous than QR codes. USB drops (8.51% total activation rate) may still work but require precise and limited placement. Furthermore, we analyze the browsers used for scanning QR codes to identify at least 130 devices with critical vulnerabilities. Lastly, we examine how the effectiveness of these attacks depends on the targeted environments.

Decomposing Culture within Threat Actor Groups – A Case Study of the Conti Ransomware Collective

Konstantinos Mersinas, Aimee Liu and Niki Panteli

Cybercriminal profiling and cyber-attack attribution have been elusive goals world-wide, due to their effects on societal and geopolitical balance and stability. Attributing actions to a group or state is a complex endeavour, with traditional established approaches including cyberthreat intelligence and analysis of technical means such as malware analysis, network forensics, and geopolitical intelligence. In this paper, we propose an additional component for profiling cybercriminal groups through analysing cultural aspects of human behaviors and interactions. We utilize a set of variables which determine characteristics of national and organisational culture to create a “cultural footprint” of threat actors. As a case study, we conduct thematic analysis across the six dimensions of the Hofstede national culture classification and the eight dimensions of the Meyer classification on leaked internal communications of the ransomware group Conti. We advocate that systematic analyses of similar communications can serve as a practical tool for a) understanding the modus operandi of cybercrime and cyberwarfare-related groups, and b) profiling cybercriminal groups and nation-state actors. Our approach can, first, inform a new angle in cybercriminal profiling, second, if combined with additional cyber threat intelligence, can provide a level of confidence in nuanced cyber-attack attribution processes, and, assist with combating cybercrime.

(Research Talk) XP points to level up: gaming as a gateway to cybercrime

Yanna Papadodimitraki

This talk discusses how the gateway hypothesis is turned into a vehicle for the criminalisation of young people and tech communities. It notes a series of methodological and theoretical issues which contribute to the problematisation of the hypothesis in relation to its foundational studies in SUD, but also in relation to gaming and cybercrime. Moreover, it brings forward the position of law enforcement as captured by official law enforcement material and interviews conducted with police professionals. Finally, it relates this to the limitations of previous studies and their implications for young gamers.

An Experimental Design to Investigate Attacker Actions on an Access-as-a-Service `Criminal' Platform

Roy Ricaldi, Yasen Yalamov, Michele Campobasso, Luca Allodi, Hannah Kool, Asier Moneva and Rutger Leukfeldt

Access-as-a-Service (AaaS) has reduced barriers to cybercriminal activity, enabling less skilled offenders to execute sophisticated attacks relying on remote access to compromised systems. Despite the growing accessibility of these services, little is understood about the factors influencing criminal decisions in the selection of their targets and the ensuing attack process. This short paper outlines the design and implementation of a `criminal' AaaS platform aimed at attracting cybercriminal users to study their behavior. The platform, modeled after illicit marketplaces in the dark web, includes various market signals to assess their influence on cybercriminal decision-making and an `honeypot' setup to evaluate attacker actions. In this paper we describe the methodology and infrastructure we are building to this purpose. Our intent is to present our experimental design to the WACCO community to collect feedback on the experiment setup and run, and to foster discussion on the technical and ethical challenges of active attacker measurement.

Port in a Storm: Iranian Cyber Operations and Chinese Strategic Interests in Middle Eastern Maritime Infrastructure

Cosimo Melella, Francesco Ferazza, Konstantinos Mersinas and Ricardo Lugo

This paper examines the strategic implications of Iranian cyber attacks targeting port facilities in the Middle East, focusing on their intersection with China's Belt and Road Initiative (BRI). Analysing six case studies involving Iranian Advanced Persistent Threat (APT) groups between 2022 and 2024, we investigate how these cyber operations reflect broader geopolitical tensions and reveal potential friction between Iranian and Chinese regional objectives. The research demonstrates that Iranian cyber campaigns combine sophisticated technical approaches—including custom malware deployment, spear-phishing, and SCADA system exploitation—with influence operations to achieve immediate disruption and longer-term strategic goals. While Iran and China maintain formal cooperation through their 25-year Comprehensive Cooperation Agreement, their divergent approaches to regional engagement—Iran's confrontational stance versus China's economic p ragmatism—create notable strategic tensions. Our findings suggest that, though technically sophisticated, Iran's cyber operations targeting maritime infrastructure may ultimately undermine China's BRI objectives of stable trade routes and regional economic integration. This research contributes to understanding how state-sponsored cyber operations against critical maritime infrastructure reflect and influence broader geopolitical dynamics while highlighting the complex interplay between physical and digital security in modern conflict.

Yet Another Diminishing Spark: Low-level Cyberattacks in the Israel-Gaza Conflict

Anh V. Vu, Alice Hutchings and Ross Anderson

We report empirical evidence of defacement and DDoS attacks carried out by low-level cybercrime actors in the Israel-Gaza conflict. Our quantitative measurement suggests an outbreak of such attacks following the Hamas-led assault and the subsequent declaration of war. However, the surges waned quickly after a few weeks, with patterns resembling those seen in the aftermath of the Russian invasion of Ukraine. The scale of attacks and discussions within the hacking community this time were both significantly less than those during the early days of the Russia-Ukraine war, and attacks have been mostly one-sided: many pro-Palestinian supporters have targeted Israel, while attacks on Palestine have been much less significant. Beyond targeting these two, attackers also defaced websites of other countries to express their war support. Their wider opinions are also one-sided, with far more support for Palestine and many objections expressed toward Israel.