CHATGPT OSINT SUMMARY QUERY for Network Analysis/Associative entity research and summary – MCYSEKA-Maritime Cyber Security Knowledge Archive

The following OSINT related CHATGPT query approach was posted by a rockstar OSINT analyst on LinkedIn.

In his example he used it to extract information from a regular news article (non APT related). I thought what if I could leverage it to get a quick cheatsheet/summary of a fairly complex APT analysis paper in case I ever needed it.

NOTE: No harming of Mandiant or the Russian GRU took place for constructing this example.

Steps:

1. Find your APT or Technical Report – this example used this one: https://www.mandiant.com/resources/blog/cyber-operations-russian-vulkan

2. Enter the core PROMPT – Example here but you can modify as needed:

Extract named entities from the following text and create a table with columns for the entity name, type, description, TTP’s and a simplified UUID, and a links column for connections between entities. Add a new column with a UUID for each entity, and add an additional column for links between entries in order to form a network analysis – (Paste entire text)

NOTE: You usually can just copy and paste the entire article without trying to clean it up or extract “just the text”)

3. Take the output and dump to either WORD or PDF to create your Summary Quick Cheat Sheet!

Example output from above steps: (NOTE: the format looks much better in PDF/WORD format, Blogger has limitations in this area to say the least)

Entity Name	Type	Description	TTP’s	Simplified UUID	Links
Mandiant	Organization	Cybersecurity firm involved in researching Russian cyber and information operations capabilities.	Research, analysis, threat intelligence	1015f9c5-5a1a-43da-a97f-78e4603871a1
Russian Ministry of Defense	Government Agency	Russian government agency responsible for overseeing and coordinating military activities.	Defense contracting, military operations	3b3d7d73-9dd0-45e9-ae6a-7c1b13a0a8da
NTC Vulkan	Company	Russian IT contractor based in Moscow working on contracts with large companies and government agencies within Russia.	IT contracting, project development	74e5fced-5509-470c-9b76-6b22050f51b5
GRU Unit 74455	Military Unit	Also known as Sandworm Team, a part of the Russian GRU involved in cyber operations.	Cyber espionage, IO, OT attacks	2a9a9a3a-5e5f-4b91-b11b-3ed3b735
Entity Name	Type	Description	TTP’s	Simplified UUID	Links
Sandworm Team	Alias	Alias for GRU Unit 74455	Cyber espionage, IO, OT attacks	2a9a9a3a-5e5f-4b91-b11b-3ed3b735	GRU Unit 74455
Papertrail Media	Media Outlet	Media outlet involved in the research and analysis of documents with Mandiant	Reporting, analysis	a18d4d77-4c3b-4f4d-a9d1-19af8e3f2a62	Mandiant
Der Spiegel	Media Outlet	Media outlet involved in the research and analysis of documents with Mandiant	Reporting, analysis	922fbffb-14a8-4e1e-97fd-9fd2f933569b	Mandiant
Le Monde	Media Outlet	Media outlet involved in the research and analysis of documents with Mandiant	Reporting, analysis	c01bb0d0-7d17-4a66-8cb0-cf65ac9c9e39	Mandiant
Washington Post	Media Outlet	Media outlet involved in the research and analysis of documents with Mandiant	Reporting, analysis	40e9d541-00e8-4f52-96aa-31bde1550f6d	Mandiant
Scan	Project/Tool	A comprehensive framework likely used to enable cyber operations, contracted (at least in part) by GRU Unit 7445 or Sandworm Team.	Large-scale data collection, database structuring	8d2e3a56-8736-42d4-9ab1-4434bc4f70a4	GRU Unit 74455, Sandworm Team
Amesit (Alt: Amezit)	Project/Tool	A framework used to control the online information environment and manipulate public opinion, supporting IO and OT-related operations.	Information confrontation, psychological operations, data storage and organization	6c90e10d-4a4a-4e4a-90db-6ad2a6edc39e	Krystal-2B
Krystal-2B	Project/Tool	A training platform for exercising coordinated IO/OT attacks against transportation and utility industries using Amesit.	Simulation of coordinated IO/OT attacks	f1b83424-5e47-484a-8fc1-50a565df6d34	Amesit (Alt: Amezit)
NTC Vulkan	Russian IT Contractor	A Russian IT contractor based in Moscow, which publicly advertises working on contracts with large companies and government agencies.	Cyber and IO operations, potentially in tandem with cyber operations against OT targets	e56d2c18-3a8e-49a1-98ed-20f0ee788e1c	Russian Ministry of Defense, GRU Unit 74455
Russian Ministry of Defense	Government Agency	The executive body responsible for implementing defense policies and controlling the Russian Armed Forces.	Contracting projects for cyber and information operations	59a9a6c8-6b47-4c42-965b-c1076a8c230e	NTC Vulkan, GRU Unit 74455
INCONTROLLER	Tool/Framework	A tool designed to support parameter changes in OT environments.	Parameter changes in OT environments	2a13cfd0-826c-432c-a87f-8f0f526b23fd	Krystal-2B, Amesit (Alt: Amezit)


Mandiant	Organization	Cybersecurity firm involved in researching Russian cyber and information operations capabilities.	Research, analysis, threat intelligence	1015f9c5-5a1a-43da-a97f-78e4603871a1
Russian Ministry of Defense	Government Agency	Russian government agency responsible for overseeing and coordinating military activities.	Defense contracting, military operations	3b3d7d73-9dd0-45e9-ae6a-7c1b13a0a8da
NTC Vulkan	Company	Russian IT contractor based in Moscow working on contracts with large companies and government agencies within Russia.	IT contracting, project development	74e5fced-5509-470c-9b76-6b22050f51b5
GRU Unit 74455	Military Unit	Also known as Sandworm Team, a part of the Russian GRU involved in cyber operations.	Cyber espionage, IO, OT attacks	2a9a9a3a-5e5f-4b91-b11b-3ed3b735
Entity Name	Type	Description	TTP’s	Simplified UUID	Links
Sandworm Team	Alias	Alias for GRU Unit 74455	Cyber espionage, IO, OT attacks	2a9a9a3a-5e5f-4b91-b11b-3ed3b735	GRU Unit 74455
Papertrail Media	Media Outlet	Media outlet involved in the research and analysis of documents with Mandiant	Reporting, analysis	a18d4d77-4c3b-4f4d-a9d1-19af8e3f2a62	Mandiant
Der Spiegel	Media Outlet	Media outlet involved in the research and analysis of documents with Mandiant	Reporting, analysis	922fbffb-14a8-4e1e-97fd-9fd2f933569b	Mandiant
Le Monde	Media Outlet	Media outlet involved in the research and analysis of documents with Mandiant	Reporting, analysis	c01bb0d0-7d17-4a66-8cb0-cf65ac9c9e39	Mandiant
Washington Post	Media Outlet	Media outlet involved in the research and analysis of documents with Mandiant	Reporting, analysis	40e9d541-00e8-4f52-96aa-31bde1550f6d	Mandiant
Scan	Project/Tool	A comprehensive framework likely used to enable cyber operations, contracted (at least in part) by GRU Unit 7445 or Sandworm Team.	Large-scale data collection, database structuring	8d2e3a56-8736-42d4-9ab1-4434bc4f70a4	GRU Unit 74455, Sandworm Team
Amesit (Alt: Amezit)	Project/Tool	A framework used to control the online information environment and manipulate public opinion, supporting IO and OT-related operations.	Information confrontation, psychological operations, data storage and organization	6c90e10d-4a4a-4e4a-90db-6ad2a6edc39e	Krystal-2B
Krystal-2B	Project/Tool	A training platform for exercising coordinated IO/OT attacks against transportation and utility industries using Amesit.	Simulation of coordinated IO/OT attacks	f1b83424-5e47-484a-8fc1-50a565df6d34	Amesit (Alt: Amezit)
NTC Vulkan	Russian IT Contractor	A Russian IT contractor based in Moscow, which publicly advertises working on contracts with large companies and government agencies.	Cyber and IO operations, potentially in tandem with cyber operations against OT targets	e56d2c18-3a8e-49a1-98ed-20f0ee788e1c	Russian Ministry of Defense, GRU Unit 74455
Russian Ministry of Defense	Government Agency	The executive body responsible for implementing defense policies and controlling the Russian Armed Forces.	Contracting projects for cyber and information operations	59a9a6c8-6b47-4c42-965b-c1076a8c230e	NTC Vulkan, GRU Unit 74455
INCONTROLLER	Tool/Framework	A tool designed to support parameter changes in OT environments.	Parameter changes in OT environments	2a13cfd0-826c-432c-a87f-8f0f526b23fd	Krystal-2B, Amesit (Alt: Amezit)

The projects contracted by NTC Vulkan provide insight into the
investment of Russian intelligence services in developing capabilities to
deploy more efficient operations within the beginning of the attack lifecycle,
a piece of operations often hidden from view. A framework like the one
suggested in the Scan project illustrates how the GRU may be trying to enable
fast-paced operations with high coordination among regional units. A
once-segmented GRU cyber operation may become streamlined and more efficient
using a framework like Scan.

These projects also show interest in holistic operations to conduct
information control and/or confrontation and amplify the psychological effects
of cyber operations. For example, Amesit and Krystal-2B demonstrate a high
value placed on the psychological impact of offensive cyber attacks,
specifically OT operations, by highlighting the role of information operations
in determining the impact of an ICS incident. The combination of different
tactics in cyber operations is familiar to Russian cyber operations: an early
example is the multifaceted BLACKENERGY operation in 2015 leading to disruption
of energy infrastructure in Ukraine. We have also seen the combination of IO
and disruptive cyberattacks throughout the Ukraine war.

The documentation from Krystal-2B and Amesit also displays
interest in critical infrastructure targets, particularly energy utilities and
oil and gas, but also water utilities and transportation systems, including
rail, sea, and air. As we continue to observe the intensification of threat
activity from Russian-sponsored actors in parallel to the invasion in Ukraine,
defenders should remain aware of the capabilities and priorities reflected in
these documents to be prepared for protecting critical infrastructure and
services

Top of Form

Bottom of Form