With cybercriminals commonly sharing tactics and techniques on underground forums, and with digital adversaries frequently leveraging many of the same commodity malwares and commercially available tools, it can be difficult to assign attribution to a cyber campaign.
So when researchers claim to uncover that a previously unknown APT group is behind a series of attacks – as threat hunters from Malwarebytes did this week in announcing their discovery of a newly observed actor called LazyScripter – it’s usually an intriguing development.
The emergence of any newly unearthed actor often carries significance, as it is important for observers to understand the group’s motivations so that targeted parties are properly warned of their potential victimization, and are advised of what techniques to watch.
Adam Meyers, senior vice president of intelligence at Crowdstrike, told SC Media that a new cyber adversary emerges from the shadows about once every two weeks, to a month. "I think we had something like 19 new adversaries that we introduced in the last year,” said Meyers, along with 25 malicious “activity clusters” that could not be designated as a distinct adversary. “This is an expanding set of problems and we're seeing more and more threat actors each year.”
But it can take time to classify whether a series of attacks is the work of a genuinely new APT or simply an offshoot of a known group. This determination doesn’t necessarily matter from a tactical standpoint of defending against a specific campaign’s methodology. But from a longer-term strategic perspective, the ability to attribute a campaign to a new group or an established group can make a difference “in terms of understanding what adversaries they may potentially be associated with and what their intentions and capabilities commonly are,” said Meyers.
“When we attribute a group of activities to a new group, it indicates that the actor has some specific characteristics and TTPs that were not similar to any established actors,” said Hossein Jazi, senior threat intelligence analyst at Malwarebytes. “Knowing these specific characteristics can help security researchers to better detect the future campaigns associated with the actor, as well as develop new rules and mechanisms to detect and prevent them.”
When findings on a specific actor's TTPs and motivations are made public, potentially vulnerable organizations can then “make an educated assessment of the risk posed by this group,” and “test their defensive and detective tooling and processes and make changes where required,” explained Claudiu Teodorescu, director of threat research at BlackBerry. “If the business becomes a victim, they can likely attribute it to a group based off those indicators and should derive the motivation, reacting accordingly to help their customers.”
Malwarebytes’ exposé of LazyScripter revealed that the group has operated since at least 2018, targeting International Air Transport Association (IATA) members, airlines and immigrants seeking employment in Canada. The actors have been infecting victims with the post-exploitation framework PowerShell Empire or the multi-stage remote access trojans Octopus and Koadic. The attack vector: phishing emails, which feature lures related to jobs, the IATA, fake software updates, immigration, tourism and travel, and COVID-19.
“Moving forward, we are trying to look for the actor’s future campaigns and see if the actor changes its victims or not,” said Jazi. “This can help us understand what the main motive of the actor is. Additionally, we are trying to find sold indicators to help us identify the origin of the actor. This could significantly help us to determine why the actor is targeting the IATA and job seekers.”
Early indications point to a high likelihood that LazyScripter is a Middle Eastern actor, Jazi acknowledged, though this has not been confirmed.
Meanwhile, for the greater security community, the public identification of a new APT group “allows for potentially unattributed groups to be compared and potentially matched to a common public name,” said Teodorescu. “Researchers with access to different telemetry may have additional indicators which can enrich the public understanding.”
While findings like those shared by Malwarebytes can prove beneficial to both businesses and the infosec community, there is also a potential downside to exposing a new APT group too early, warned Meyers: “It… tips your hand to the adversary,” he said, “and they now understand that you've seen these aspects of their campaign, how you're tracking them, and what they might do to better evade it.”
Meyers was referring to the concept of "intel gain/loss." Essentially, “If you're going to expose what you know, you have to balance that against what is the potential impact on [intel] collection in the future or changing the adversary behavior,” he explained.
For instance, after observing a cybercriminal gang break off from an older group known as Indrik Spider (commonly referred to as Evil Corp), the Crowdstrike research team published research on the new actor, officially naming it “Doppel Spider.” Apparently, the adversaries liked that moniker because they soon after made changes to their payment portal to display the nickname they were given by researchers.
It bears noting that Meyers wasn’t criticizing Malwarebytes for its decision to come forward with its latest report, but he did say that intel gain/loss is an important factor that must be taken into consideration when a new APT is unveiled to the public.
The attribution process
But with so much overlap in TTPs among bad actors, how can researchers even be sure that a campaign is truly a “new” group bursting onto the scene, vs. an already established simply experimenting with new methodologies?
“When we perform attribution, we need to have solid indicators to attribute an actor to a known one,” said Jazi. “For example: using the same toolsets, sharing the code sections or sharing the infrastructure of an existing group. Based on our comprehensive analysis, we have not found any solid indicators to attribute this actor [LazyScripter] to a known group.”
Granted, Malwarebytes did find some notable similarities to the Iranian APT actor MuddyWater. Both groups have used Koadic and PowerShell Empire in their campaigns, both have used GitHub to host malicious payloads and both have abused scheduled tasks and Registry Run Keys/Startup Folder for persistence.
However, Malwarebytes believes the differences outweigh the common bonds. For instance, the LazyScripter actors have used open-source frameworks and commercial malware that MuddyWater has not, and they also embed their malicious loaders within weaponized documents, while MuddyWater uses malicious macros to trigger the infection chain.
Other similarities to the reputed Iranian group OilRig and Russian APT actor APT28 (aka Fancy Bear) were also dismissed by Malwarebytes as minor overlaps.
Still, there is disagreement over whether Malwarebytes is correct in labeling LazyScripter a new group.
Meyers, for one, isn’t fully convinced. “Right now I would consider this more of an activity cluster,” he said. “There’s a discrete set of infrastructure that appears to be tied to it, but there’s still enough overlap with Russian and Iranian groups to call into question its full independence.”
On the other hand, Teodorescu thought Malwarebytes has made a “strong case,” although “without taking the time to do proper research ourselves, we cannot give an opinion either way.”
Meyers described Crowdstrike’s general approach toward attribution whenever a new campaign is uncovered: “Our approach is to start a narrow circle around the activity we're looking at, and then look for overlaps in tactics, techniques and procedures; look for overlaps in infrastructure, look for overlaps in lots of different pieces of the puzzle, in order to determine: Is this new activity? And, if so, can we tie it back to anything that currently exists?”
If Crowdstrike sees no clear connections, the research team will track the campaign as its own distinct cluster. “And over time that may evolve to a separate adversary, it may evolve to a known existing adversary, or may dissipate and we lose track of it.”
To remove subjective bias from any attribution investigations, Crowdstrike applies “rigorous analytics standards,” Meyers added. “Making sure this activity conforms to our standards dictates where [the investigation] goes and if it graduates up to an adversary or not.”
One of the biggest challenges surrounding attribution is the wide availability of common, off-the-shelf or open-source tools at the disposal of threat actors. The less customized the toolset, the harder it is to identify the unique hallmarks of the APT group – which helps give the nation-state behind any attack plausible deniability.
“Attribution is based on a collection of data points so a general similarity is likely not enough to reach a conclusion," said Teodorescu. "Usually, correlation for attribution based on open-source tools used or well-known persistence mechanisms is not recommended given that the whole purpose of using such tools or techniques by a threat actor is to avoid being named.”
“It is common for threat actor groups to use similar techniques and toolsets," said Teodorescu added. "General availability, documentation, and the ability to modify projects that have source code available has led to many cases of off-the-shelf or patched security tools being used for nefarious reasons." But that does mean threat analysts have no recourse: “How a tool is configured or utilized for a specific campaign is an example of how a researcher might work towards being able to differentiate between threat actor groups,” he continued.
To their credit, Teodorescu noted that Malwarebytes' researchers "used not only specific tooling and TTPs, but also underlying infrastructure as a differentiator between other known APT groups. Compounding evidence shows proof of work and increases the community’s confidence of the report.”