Principal Threat Intelligence Researcher at ESET
Robert Lipovsky is a Principal Threat Intelligence Researcher for ESET, with over 15 years' experience in cybersecurity and a broad spectrum of expertise covering both targeted APTs and crimeware. He is responsible for threat intelligence and malware analysis and leads the Malware Research Team at ESET headquarters in Bratislava.
He is a regular speaker at security conferences, including Black Hat USA, RSA Conference, Virus Bulletin, BlueHat, MITRE ATT&CKcon, Gartner Security & Risk Management Summit, and various NATO-organized conferences. He also teaches reverse engineering at the Slovak University of Technology – his alma mater – and at Comenius University.
When not bound to a keyboard, he enjoys traveling, playing guitar and flying single-engine airplanes.
In mid-2024, ESET Research discovered an ongoing compromise affecting one of our EDR customers that operates in the financial sector. After reaching out to the customer to help with the investigation and remediation, we determined that the threat actor behind this attack was FamousSparrow, a cyberespionage group active since at least 2019, known for targeting governments and hotels around the world, and that we believe is aligned with China’s interests – and possibly related to Salt Typhoon. FamousSparrow has flown under the radar since 2022, but is now back with an updated arsenal. In this session, we document the activity we observed, along with the most interesting tools that were used. We also discuss lessons learned from responding to the incident.
We first provide an overview of the whole incident before diving into the details of each step. Using data collected during the incident, we describe how FamousSparrow compromised the target organization, deployed its implants, achieved persistence, and managed to pivot to other machines inside the victim’s network. Then, we analyze some of the tools used, including two new versions of SparrowDoor, the group’s flagship backdoor, and cover the techniques used by FamousSparrow to avoid detection.
We’ll also tackle the complexities of attribution and try to answer whether FamousSparrow actually is the notorious Salt Typhoon group.