Researchers from Kaspersky's GReAT team are used to observing the most sophisticated groups of cybercriminals, especially in the field of cyber espionage. But where certain clues once made it possible to attribute a cyber attack to a particular group, the complexity of today's ecosystem and of the attacks themselves has made the analysts' task considerably harder. In a review of several APT groups (Advanced Persistent Threat, the term used for the most sophisticated groups of cybercriminals), Kaspersky researchers set out to show how difficult attributing a cyber attack to a specific group has become.
"Previously, we had fairly simple methods of attributing attacks to a group: by identifying the tools used, the operational methods, or even certain metadata, we could identify a group at work. But nowadays, it is increasingly difficult for us to make an attribution," explained Pierre Delcher, a Kaspersky researcher, on stage.
The limits of attribution
A supporting example: Paul Rascagneres returned to the case of GhostEmperor, an APT group identified by Kaspersky in July 2021. The group mainly pursues targets in Southeast Asia and the Middle East. It stands out for its use of a rootkit, and especially for loading it into the memory of target devices with methods that had not been publicly documented. "It is the sign of a very sophisticated attacker. But, when analyzing the attacks carried out by the group, we found that they shared their infrastructure with another group, known as Famous Sparrow."
Famous Sparrow is the name given to another APT group, identified and documented in September 2021 by the cybersecurity firm ESET. The report published by ESET describes a group that mainly targets hotels around the world, but also various government organizations, using operating methods quite similar to GhostEmperor's.
ESET already noted in its report that attributing these attacks to a single group was a complex task: while the common denominator of the attacks attributed to Famous Sparrow is the use of a backdoor specific to the group, the company also emphasized that the attacks relied on various tools and servers operated by other APT groups. Kaspersky, for its part, points out that the GhostEmperor group also uses servers previously used by Famous Sparrow in other operations.
An apparent disappearance
Another example presented by the researchers: the group called Iamtheking, also known as Slothfulmedia. This group, active until the end of 2020, primarily went after government targets based in Russia, then, from 2020 onwards, turned to victims based in Asia. "It is distinguished by the use of unique and highly scalable intrusion tools, as well as by the use of two malware families, Shadowpad and Quarium, which are commonly used by APT groups in the Asian region," the researchers explain.
A publication by the US cybersecurity agency in 2020 shed light on the group's activities, and soon afterwards the group disappeared from the radar. "But we see that the infrastructure used by the group is being reused by other groups today," note the Kaspersky researchers, who question what this development means. Was it a single group, or multiple operators working with the same shared set of tools?
"What we see is that it is now possible to have intrusions using the same operating mode, but that sometimes lead to different malware, attack campaigns led by different actors against the same group, or even actors whose capabilities have deviated from their initial use," the Kaspersky researchers summarize. And this complexity is no help to security researchers: "It has to be said, having multiple attackers on the same system is a nightmare for analysts. So it becomes very complex to know which group is doing what and to understand the true scope of an attack."