The sheer fluidity of the threat landscape is making the challenging process of attribution even more difficult for researchers.
Threat actors are partnering together through affiliate models and branching out with malware-as-a-service offerings. Malware developers and operators sometimes change their roles. Some ransomware groups have rebranded their operations. All of these moves further complicate analysis of the breadcrumbs left behind by threat actors - including those in the malware’s code and the infrastructure - that researchers look at during attack attribution.
“There are many documented cases where malware developers, infrastructure teams, and operators work together very loosely and flexibly,” said Timo Steffens, private security researcher and author of Attribution of Advanced Persistent Threats. “That makes the clustering phase very challenging and is likely one of the reasons why the group definitions of security companies and agencies differ often.”
For the security research community, attribution is a significant part of analysis that is often an ongoing process rather than an end goal. Joshua Miller, senior threat researcher at Proofpoint, said that when hunting in Proofpoint telemetry, he looks at who received the initial phishing message, their vertical and their work; all of which provide important clues of the motives behind the threat actor’s targeting.
“Attribution is a process that often evolves over time as we better understand the threats we’re investigating,” said Miller. “When we attribute, we consider a variety of factors, both technical indicators and victimology. At a technical level, we look for similarities in the malware’s code or overlap in infrastructure.”
Cristiana Kittner, principal analyst with Mandiant, said that there are three broad levels that researchers look at during the process of attribution: The tactical level, which consists of IoCs, domains, URLs and IP addresses, CVEs exploited and more; the operational level, which investigates patterns in behavior such as the preferred malware and malware packaging the actor may like to use; and the strategic level, which involves the motives and goals of the threat actor, as well as potential sponsors and associates.
During attribution, “we take all of those and we then query it against our existing database to see if we have existing observables from it, whether it’s an IoC or malware signature,” said Kittner.
Attribution: Previous Challenges
In a well-known challenge to attribution, threat actors are getting better at hiding evidence in and around their operations. Pieces of data that are used as clues in attribution, such as language strings in malware or registration details in the domain registration, can easily be faked, researchers said.
Attackers associated with the Iran-linked MuddyWater APT have attempted to throw researchers off by incorporating different languages into their coding, such as including Chinese strings in some payloads and a series of Russian words in another PowerShell RAT sample. In another infamous example, the Russia-linked cyberespionage group Turla in 2019 masqueraded as an Iranian hacking group by literally hijacking the other group’s infrastructure and using it to deliver malware. Miller also noted that he has seen Russia-aligned threats using Cobalt Strike to obfuscate and complicate attribution attempts during incident response.
While these false flags can temporarily complicate the process of attribution, Steffen said “the pattern of life” is almost impossible to fake. Because individuals associated with threat groups are working normal day jobs and have their own personal time off at night, long-term data collected in system clocks and log files point to broader patterns.
“Many attacker groups have been observed to fake one or more evidence types, like planting a string of a foreign language in their malware,” he said. “But there are no documented cases of attacker groups that took the effort to plant false flags consistently in all aspects of their attacks and in all evidence types.”
A Complex Layer: The Threat Landscape
While researchers have often pointed to false flags as a known roadblock in attribution, another layer adds further complexity to the equation: Attacker groups are not static. Kittner said that researchers often see individual operators linked to China, Iran or Russia, who may have been part of one APT, pop up in operations tied to another threat group, for instance.
“That definitely makes it harder,” said Kittner. “We have seen Chinese operators who may have been with APT1 appear in APT10 or APT31, and it’s really confusing at first. But then you understand that it’s not a matter of what they are called, it’s how they reorganized their operations.”
It's not just individual operators. Entire cybercrime operations have reshuffled after their activities gained too much attention, with researchers previously finding evidence of the DarkSide ransomware being rebranded as BlackMatter. Other threat groups have been splintered out into smaller sub-groups over time. Researchers started to cluster various groups together under the Lazarus APT group, for instance, based on the individual characteristics of each group's infection schemes for their malware, the development environment of the author and the vicitimology. Other crime syndicates, such as Magecart, consist of dozens of subgroups with similar tactics and purposes (in the case of Magecart, web skimming attacks aimed at stealing credit cards) but unique specializations or characteristics.
Micki Boland, security architect with Check Point Software Technologies, said researchers are “far beyond” focusing on APT groups. Now, they must take into scope the full range of perpetrators including nation-state actors, cybercriminal enterprises, threat actors, malicious actors, and hacking and malware operators, as well as groups that focus on illicit cryptocurrency operations and leased or hosted infrastructure services used by these groups.
“The latest generation V attacks are multilayered, sophisticated and it’s not always known what crimes have been committed," said Boland. She noted, researchers oftentimes struggle with questions around motivation or goals behind the attacks.
“In the case of ransomware it is totally obvious... because there is extortion for cryptocurrency. In many APTs and nation-state sponsored stealthy attacks, these can be much more lethal to the organization, and even more difficult to detect TTPs when a crime is taking place, identifying what is being taken and who is behind the attack.”
These threat landscape complexities mean that the context of previous pieces of research used for attribution can readily change, said Steffens. With this in consideration, he argued that the analysis community “needs to find some heuristics for when to discard group definitions and redefine attacker groups based on more recent data.”
Information Sharing: A Critical Piece
Despite these challenges, the continually increasing level of data and research that has been collected over time has helped attribution, with previous data being readily available as a shortcut for researchers. Miller, with Proofpoint, said that “intelligence sharing amongst trusted peers is important to provide additional context to the research you’re conducting,” especially given the unique telemetry that each organization can bring to the table.
Private companies and government agencies both have a part to play in information sharing, though their approaches to attribution are very different, both in their processes and end goals. Private companies carry out attribution as an ongoing process that is part of their analysis, with the purpose of clustering specific malicious activity. Government entities meanwhile have the ability to pin attributions on sponsoring organizations or intelligence services - and they’re doing it in some cases to shape indictments and sanctions. The government’s public sharing of attributions and data supporting those attributions is significant to the security community because government entities have the ability to “get more granular,” said Miller.
The U.S. Cyber Command’s official attribution of the MuddyWater APT threat actor to Iran's intelligence agency this week, for instance, was applauded by security researchers who said the information helped set the record straight when it comes to attribution.
“The US government attribution is consistent with the targeting we’ve seen from [MuddyWater,] specifically government orgs, NGOs and telecommunication companies in countries of intelligence interest to Iran,” said Miller. “There does seem to be a trend of more governments publishing public attribution for different cyber operations in support of national objectives.”
Overall, more data means more accuracy in identifying the different patterns used by different actors, said Steffens. For instance, as part of the pieces of the attribution puzzle, researchers need to look at many timestamps in order to identify a timezone pointing to the potential origin of attackers.
“The most important development is that attribution usually does not start from scratch anymore,” said Steffens. “There is a large corpus of previous research that attributes certain malware families, or groups, or strategic patterns.”