Who are you? OSINT-based Profiling of Infrastructure Honeypot Visitors

2023 11th International Symposium on Digital Forensics and Security (ISDFS) (2023)

Abstract
Cyber attacks are reported daily and have become a major social issue. However, it is still unclear who the attackers are and what their backgrounds are. In this paper, using OSINT-based profiling, we shed light on the identity of individual attackers visiting honeypots of connected infrastructure. Specifically, focusing on unique hostnames and/or usernames of the connecting client machines in the Telnet negotiations, we found SNS accounts, such as LinkedIn, Twitter, Facebook, and GitHub, which we believe belong to eight individual attackers. According to the information from these SNS accounts, seven had IT and/or security expertise. Four were employed by security, IT consulting, or IT engineering companies. Two publicized open repositories of vulnerability exploits and malware. After logging into the honeypot, three showed aggressive activities such as installing external tools, escalating privilege, and attempting lateral movement. One visitor accessed the honeypot for over six months, exhibiting a special interest in the system. We conclude that it is possible to identify and profile some of the honeypot visitors who publicize themselves.
Keywords
Cyberattacks, Profiling, OSINT, Honeypot