A Complex Threat Landscape Muddles Attribution
A Complex Layer: The Threat Landscape
While researchers have often pointed to false flags as a known roadblock in attribution, another layer adds further complexity to the equation: Attacker groups are not static. Kittner said, for instance, that researchers often see individual operators linked to China, Iran or Russia who were part of one APT pop up in operations tied to another threat group.
“That definitely makes it harder,” said Kittner. “We have seen Chinese operators who may have been with APT1 appear in APT10 or APT31, and it’s really confusing at first. But then you understand that it’s not a matter of what they are called, it’s how they reorganized their operations.”
It’s not just individual operators. Entire cybercrime operations have reshuffled after their activities drew too much attention; researchers previously found evidence of the DarkSide ransomware being rebranded as BlackMatter. Other threat groups have splintered into smaller sub-groups over time. Researchers started to cluster various groups together under the Lazarus APT group, for instance, based on the individual characteristics of each group’s malware infection schemes, the author’s development environment and the victimology. Other crime syndicates, such as Magecart, consist of dozens of subgroups with similar tactics and purposes (in the case of Magecart, web-skimming attacks aimed at stealing credit cards) but unique specializations or characteristics.
Micki Boland, security architect with Check Point Software Technologies, said researchers are “far beyond” focusing on APT groups alone. Now they must take into scope the full range of perpetrators, including nation-state actors, cybercriminal enterprises, threat actors, malicious actors, and hacking and malware operators, as well as groups that focus on illicit cryptocurrency operations and the leased or hosted infrastructure services these groups use.
“The latest generation V attacks are multilayered, sophisticated and it’s not always known what crimes have been committed,” said Boland. She noted that researchers often struggle with questions about the motivation or goals behind the attacks.
“In the case of ransomware it is totally obvious… because there is extortion for cryptocurrency. In many APTs and nation-state sponsored stealthy attacks, these can be much more lethal to the organization, and even more difficult to detect TTPs when a crime is taking place, identifying what is being taken and who is behind the attack.”
These threat-landscape complexities mean that the context of previous research used for attribution can readily change, said Steffens. With this in mind, he argued that the analysis community “needs to find some heuristics for when to discard group definitions and redefine attacker groups based on more recent data.”