The first conference was held in 2009 as a gathering of the company's own researchers and security analysts, and later speakers and guests from other companies were invited. The conference is held annually in different countries, bringing together industry experts, law enforcement representatives, and journalists. The organizer is Kaspersky Lab's Global Research and Analysis Team (GReAT), and the partners are technology companies and industry media outlets.[1]
SAS has regularly featured presentations of important industry research and specialized discussions: research on the Equation Group, Desert Falcons[2], Carbanak, StripedFly, the TetrisPhantom and Operation Triangulation attacks, the exposure of the Carbanak group, and new spyware from Hacking Team.
Conference structure
SAS is a symposium dedicated to discussing current threats in the field of cybersecurity, new research, and emerging defensive technologies. It includes expert presentations, panel discussions, practical training sessions, and Capture the Flag (CTF) competitions. Participation in the conference is by invitation only. Most participants are hands-on security professionals (from cyber threat researchers and security software developers to cybersecurity staff at large companies), law enforcement officials from various countries, and representatives of the academic and non-governmental sectors. For example, the 2018 SAS conference in Cancun was attended by about 320 people from more than 30 countries.[3]
SAS traditionally hosts the finals of the Capture the Flag (CTF) international competition for cybersecurity experts. Participants compete in solving applied problems related to vulnerability detection, cryptography, malware analysis, and other aspects of information security. The qualifying round is held online (for example, in Jeopardy format, where participants solve problems from different areas of cybersecurity and receive “flags” for correct answers), and the final round is held directly at SAS with a prize pool (in 2025, $18,000).[6]
Key reports and research at SAS
A significant part of the SAS program over the years has been devoted to presenting the results of new investigations into cyberattacks and APT groups.
Careto (“The Mask”). In 2014, Kaspersky reported on the Careto campaign (also known as The Mask), which targeted Spanish-speaking countries. Kaspersky first publicly presented information about Careto at the SAS conference in Punta Cana.[7] The attack reportedly lasted for many years and affected government and energy structures in more than 30 countries. Researchers noted that Careto was one of the most sophisticated cyber espionage operations.[8]
Equation Group. In 2015, the GReAT team presented an analysis of the attacks and malware used by the Equation Group, one of the most advanced APTs. Equation used malware at the hard drive firmware level and attacked hundreds of computers in dozens of countries. The report on Equation attracted significant attention in the professional community and the media.[9]
Carbanak. In 2015, Kaspersky researchers, in collaboration with law enforcement agencies, uncovered the Carbanak cybercriminal group, which defrauded about 100 banks around the world. Information about the attacks was presented at SAS in Cancun in 2015, including details of theft operations totaling up to $1 billion. It was proven that the attackers infected corporate bank networks and made unauthorized money transfers.[10]
De-anonymization of hackers. In 2015, research was presented at SAS on the de-anonymization of cybercriminals through analysis of their online behavior. Recorded Future showed how attackers, even those using Tor, left so many traces on the internet that they could be linked to real people. In particular, by analyzing common data leaks from attackers, Recorded Future showed that information about former hackers, including email addresses and passwords, was easily found in open sources.[11]
Moonlight Maze. The historic Moonlight Maze operation (late 1990s) was again the subject of analysis at SAS in 2016. A new investigation presented by Professor Thomas Rid linked the well-known Moonlight Maze operation to modern attacks by the Turla group.[12] Moonlight Maze was one of the first identified cyber campaigns, likely sponsored at the state level (it attacked the Pentagon, NASA, and U.S. energy facilities), and its study served as the basis for understanding modern threats.[13]
Attack via CCleaner. In 2018, the Avast team presented a report at SAS on the results of its investigation into the compromise of the CCleaner utility. Experts discovered the ShadowPad backdoor in the CCleaner developers' infrastructure and presented details in a report at SAS in Cancun. The attack affected millions of users, and the report revealed technical details of the campaign, including links to the Axiom group (presumably associated with APT17).[14]
Data leaks via multi-scanning services. Representatives of Swisscom AG spoke about security threats arising from the fact that confidential data (personal, government, official, commercial) ends up in malware scanning services. Such services have effectively become repositories of sensitive business data, creating a new class of risks for corporate security.[15]
Vulnerabilities in robotics. Research by the MalCrawler team at SAS 2018 demonstrated security issues in industrial robotic systems: many industrial robots use outdated operating systems (e.g., Windows XP) and control systems that are accessible by default without a password, and robot control programs remain “open” to hacking. As a result, industrial facilities are vulnerable to “emergency shutdown” attacks (e.g., Triconex/Triton).[16]
ShadowHammer. In 2019, Kaspersky Lab uncovered the ShadowHammer supply chain attack: malicious code was embedded in official ASUS Live Update updates and delivered to 500,000–1,000,000 computers, with the attack specifically targeting approximately 600 systems. Analysis showed a high level of preparation for the operation using compromised ASUS digital certificates.[17] Kaspersky's findings were also confirmed by Symantec.
Operation Triangulation. A sophisticated espionage attack on iOS devices using multiple zero-day vulnerabilities. Known cases of compromise cover the period from 2019 to 2024. The Triangulation malware allowed the attackers to gain complete control over victims' iPhones without any user interaction. A description of this scheme and the hardware vulnerabilities used appeared in reports by Kaspersky and a review by Dark Reading. Journalists noted that Triangulation bypassed most of the iPhone's security mechanisms by relying on undocumented OS and hardware features. The research was presented at SAS in Thailand in 2023.[18]
Malware disguised as crypto games. In 2024, Kaspersky GReAT experts uncovered a sophisticated campaign by the Lazarus group, in which malware was distributed under the guise of a crypto game. According to the study, the attackers exploited users' interest in crypto assets and gaming projects to infect systems and subsequently conduct surveillance. Analysts noted the high level of concealment and the multi-stage nature of the attack.[19]
New spyware from Hacking Team. In 2025, researchers recorded the use of Dante spyware tools linked to the Italian company Memento Labs, which emerged during the reorganization of Hacking Team. The campaign exploited a zero-day vulnerability in Chrome.[20]
Renowned automotive security researchers. They spoke at the Kaspersky Security Analyst Summit in 2016.[21] Their presentation focused on vulnerabilities in the Jeep Cherokee's Uconnect system that allowed researchers to remotely hack into the vehicle.
American computer security researcher, creator of Microsoft's bug bounty program, founder of Luta Security. She spoke at SAS about the right ways to build a bug bounty program.[22]
Eva Galperin, Director of Cybersecurity at the Electronic Frontier Foundation (EFF), spoke at the Kaspersky Security Analyst Summit (SAS) in 2018. Her presentation focused on research into a suspected state-sponsored Lebanese hacking group known as Dark Caracal.[24]
Matt Tait
A researcher in the field of cyber threats and malware analysis, former GCHQ employee, and Google hacker. In 2018, he gave a keynote speech on the topic of disinformation in the general cyber threat landscape.[3]