Attribution of Detections to Threat Actors

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.


With only 129 threat actors identified in the MITRE ATT&CK groups list (https://attack.mitre.org/groups/), you would think it should not be hard to identify the particular nation state or criminal syndicate behind an attack. Unfortunately, almost every defined Tactic and Technique is used by multiple threat actors, and most threat actors draw on the same set of techniques.

Attributing observed detections to threat actors requires a few steps in the query.

First we need to build a table of all the threat actors and the TTPs they have used in the past. With that data we can then look at the detections in the system and build a map from each detection to the threat actors that have used its technique.

The query below supports a few variables to make exploration easier. With these you can look for particular threat actors by name (see the MITRE link above for the full list). You can also filter by device name, risk score and time range. What you are likely to discover is that each detection is attributed to multiple threat actors. In addition, not all techniques used by a given threat actor have been attributed to them: MITRE records a technique against a group only when a public reference document identifies it.

In a real-world attack by a given threat actor you will see that most of the observed techniques carry attribution to that threat actor. A detection without attribution to a threat actor does not mean the actor did not perform it, so take this attribution data with a grain of salt.

VARIABLES

Variable        Type         Value
Device name     DEVICE NAME  %
Risk >=         STRING       6
Technique ID    STRING       %
Threat Actor    STRING       %
from date       DATE         12/01/2021 15:00:00
to date         DATE         12/08/2021 15:00:00

SQL

-- MAP the Technique detection to the threat actors that it has been attributed to
-- VARIABLE $$Device name$$ DEVICE NAME
-- VARIABLE $$Risk >=$$ STRING
-- VARIABLE $$Technique ID$$ STRING
-- VARIABLE $$Threat Actor$$ STRING
-- VARIABLE $$from date$$ DATE
-- VARIABLE $$to date$$ DATE
--Attribution Map
WITH
-- Create some counters for unnesting the Tactic and Technique information in the detections xdr_ti_data table
Max_Tactics(x) AS ( VALUES ('0'),('1'),('2'),('3'),('4'),('5') ),
Max_Techniques(y) AS ( VALUES ('0'),('1'),('2'),('3'),('4'),('5') ),
-- Load the condensed list of TTPs by threat actor
TTP_Group_Map (Id, Name, Related_groups, TTPs) AS (
VALUES
('G0018','admin@338','','T1087.001T1059.003T1203T1083T1036.005T1069.001T1566.001T1082T1016T1049T1007T1204.002'),
('G0130','Ajax Security Team','Operation Woolen-Goldfish,AjaxTM,Rocket Kitten,Flying Kitten,Operation Saffron Rose','T1555.003T1105T1056.001T1566.001T1566.003T1204.002'),
('G0138','Andariel','Silent Chollima','T1005T1189T1203T1592.002T1590.005T1105T1027.003T1588.001T1566.001T1057T1049'),
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Example output

Threat Actor Details

The query below returns the public description of the threat actor from the MITRE ATT&CK website. The most current information is available directly from the MITRE site.


VARIABLES

Variable            Type     Value
Threat Actor name   STRING   %

SQL

-- Threat Actor Details
-- VARIABLE $$Threat Actor name$$ STRING
WITH Threat_Group_Info(ID, Name, Related_Groups, Description) AS ( VALUES
('G0018','admin@338','','admin@338 is a China-based cyber threat group. It has previously used newsworthy events as lures to deliver malware and has primarily targeted organizations involved in financial, economic, and trade policy, typically using publicly available RATs such as PoisonIvy, as well as some non-public backdoors.'),
('G0130','Ajax Security Team','Operation Woolen-Goldfish, AjaxTM, Rocket Kitten, Flying Kitten, Operation Saffron Rose','Ajax Security Team is a group that has been active since at least 2010 and believed to be operating out of Iran. By 2014 Ajax Security Team transitioned from website defacement operations to malware-based cyber espionage campaigns targeting the US defense industrial base and Iranian users of anti-censorship technologies.'),
('G0138','Andariel','Silent Chollima','Andariel is a North Korean state-sponsored threat group that has been active since at least 2009. Andariel has primarily focused its operations--which have included destructive attacks--against South Korean government agencies, military organizations, and a variety of domestic companies; they have also conducted cyber financial operations against ATMs, banks, and cryptocurrency exchanges. Andariel''s notable activity includes Operation Black Mine, Operation GoldenAxe, and Campaign Rifle. Andariel is considered a sub-set of Lazarus Group, and has been attributed to North Korea''s Reconnaissance General Bureau. North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.'),
('G0099','APT-C-36','Blind Eagle','APT-C-36 is a suspected South America espionage group that has been active since at least 2018. The group mainly targets Colombian government institutions as well as important corporations in the financial sector, petroleum industry, and professional manufacturing.'),
('G0006','APT1','Comment Crew, Comment Group, Comment Panda','APT1 is a Chinese threat group that has been attributed to the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398.'),
('G0005','APT12','IXESHE, DynCalc, Numbered Panda, DNSCALC','APT12 is a threat group that has been attributed to China. The group has targeted a variety of victims including but not limited to media outlets, high-tech companies, and multiple governments.'),
('G0023','APT16','','APT16 is a China-based threat group that has launched spearphishing campaigns targeting Japanese and Taiwanese organizations.'),
('G0025','APT17','Deputy Dog','APT17 is a China-based threat group that has conducted network intrusions against U.S. government entities, the defense industry, law firms, information technology companies, mining companies, and non-government organizations.'),
('G0026','APT18','TG-0416, Dynamite Panda, Threat Group-0416','APT18 is a threat group that has operated since at least 2009 and has targeted a range of industries, including technology, manufacturing, human rights groups, government, and medical.'),
('G0073','APT19','Codoso, C0d0so0, Codoso Team, Sunshop Group','APT19 is a Chinese-based threat group that has targeted a variety of industries, including defense, finance, energy, pharmaceutical, telecommunications, high tech, education, manufacturing, and legal services. In 2017, a phishing campaign was used to target seven law and investment firms. Some analysts track APT19 and Deep Panda as the same group, but it is unclear from open source information if the groups are the same.'),
('G0007','APT28','SNAKEMACKEREL, Swallowtail, Group 74, Sednit, Sofacy, Pawn Storm, Fancy Bear, STRONTIUM, Tsar Team, Threat Group-4127, TG-4127','APT28 is a threat group that has been attributed to Russia''s General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165. This group has been active since at least 2004. APT28 reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election. In 2018, the US indicted five GRU Unit 26165 officers associated with APT28 for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations. Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as Sandworm Team.'),
('G0016','APT29','NobleBaron, Dark Halo, StellarParticle, NOBELIUM, UNC2452, YTTRIUM, The Dukes, Cozy Bear, CozyDuke','APT29 is a threat group that has been attributed to Russia''s Foreign Intelligence Service (SVR). They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 reportedly compromised the Democratic National Committee starting in the summer of 2015. In April 2021, the US and UK governments attributed the SolarWinds supply chain compromise cyber operation to the SVR; public statements included citations to APT29, Cozy Bear, and The Dukes. Victims of this campaign included government, consulting, technology, telecom, and other organizations in North America, Europe, Asia, and the Middle East. Industry reporting referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, and Dark Halo.'),
('G0022','APT3','Gothic Panda, Pirpi, UPS Team, Buckeye, Threat Group-0110, TG-0110','APT3 is a China-based threat group that researchers have attributed to China''s Ministry of State Security. This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap. As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong. In 2017, MITRE developed an APT3 Adversary Emulation Plan.'),
('G0013','APT30','','APT30 is a threat group suspected to be associated with the Chinese government. While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches.'),
('G0050','APT32','SeaLotus, OceanLotus, APT-C-00','APT32 is a suspected Vietnam-based threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments, dissidents, and journalists with a strong focus on Southeast Asian countries like Vietnam, the Philippines, Laos, and Cambodia. They have extensively used strategic web compromises to compromise victims.'),
('G0064','APT33','HOLMIUM, Elfin','APT33 is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors.'),
('G0067','APT37','Ricochet Chollima, InkySquid, ScarCruft, Reaper, Group123, TEMP.Reaper','APT37 is a North Korean state-sponsored cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East. APT37 has also been linked to the following campaigns between 2016-2018: Operation Daybreak, Operation Erebus, Golden Time, Evil New Year, Are you Happy?, FreeMilk, North Korean Human Rights, and Evil New Year 2018. North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.'),
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Example output



Updated disclaimer
[edited by: Qoosh at 9:45 PM (GMT -7) on 31 Mar 2023]
  • I will also work on a query to show the aggregate classification to each threat actor over time so that we can detect when we have an increase in activity for any threat actor. My hope is that by creating the baseline count for threat actor attribution in an estate we can detect an attributable increase that would provide a signal for a specific threat actor if a breach occurs. We can then set this to run as a nightly scheduled query to alert when we have a change of 2 standard deviations over baseline.

    That query should be a few days away, and if I get something working I will provide an additional post.
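The comment above describes a baseline-and-threshold check over daily attribution counts. The following is an added illustration of that idea, not the forthcoming query and not Sophos code: the daily counts per actor are constructed (hypothetical values), and each day is scored against the mean and standard deviation of the preceding days, with a flat baseline and a minimum count handled explicitly. The actor names, the window length and the counts are assumptions made for the example.

```python
from datetime import date, timedelta
from statistics import mean, pstdev
from typing import Dict, List, Tuple

START = date(2021, 12, 1)

# Constructed daily counts of detections attributed to each actor (hypothetical data;
# index 0 is START). In practice each day's value would come from a nightly run of the
# attribution query, grouped by threat actor.
DAILY_COUNTS: Dict[str, List[int]] = {
    "APT28": [3, 4, 3, 5, 4, 3, 4, 5, 3, 4, 9, 5],
    "Lazarus Group": [0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0],
}


def spikes(counts: Dict[str, List[int]], baseline_days: int = 7, k: float = 2.0,
           min_count: int = 1) -> List[Tuple[str, str, int, float]]:
    """Return (day, actor, count, threshold) for every day whose count exceeds the
    baseline mean by more than k standard deviations.

    The baseline is the preceding baseline_days values for that actor, so the
    threshold follows the actor's recent normal. A flat baseline (stdev 0) makes any
    increase a spike, which is where min_count earns its keep for rarely seen actors.
    """
    alerts: List[Tuple[str, str, int, float]] = []
    for actor, series in counts.items():
        for i in range(baseline_days, len(series)):
            base = series[i - baseline_days:i]
            threshold = mean(base) + k * pstdev(base)
            if series[i] >= min_count and series[i] > threshold:
                day = (START + timedelta(days=i)).isoformat()
                alerts.append((day, actor, series[i], round(threshold, 2)))
    return sorted(alerts)


if __name__ == "__main__":
    for day, actor, count, threshold in spikes(DAILY_COUNTS):
        print(f"{day}: {actor} attributed {count} times (threshold {threshold})")
```

With the default settings the APT28 jump from a baseline of about 4 a day to 9 is flagged, and so is the single Lazarus Group attribution on a baseline of zeros; raising min_count to 2 keeps only the APT28 alert, which is the kind of tuning a nightly scheduled version of this check would need.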