#NSBCS.056 - Technical Attribution: A game of Cat-and-Mouse with Threat Actors
“Who is it? Are they state-sponsored? Have we seen them before? What is their motivation and objective?”
Attribution of threat actors in cyber operations forms a crucial but challenging aspect for cyber analysts, tasked with uncovering the “who, what, how, why, so what” behind cyberattacks. Establishing the identity or motive of an attacker is not a straightforward process, particularly when adversaries employ tactics designed to obscure their traces. Analysts must then rely on a combination of technical artefacts, patterns, and historical data to piece together the story behind a campaign. The stakes are high, as correctly identifying the attacker can not only assist in defending against future attacks but also provide valuable intelligence for broader geopolitical or corporate decision-making, often described by legal and political attribution.
Technical attribution in this context is defined by the ability to associate an attack with a responsible party through technical means, based on information made available by the cyber operation itself. In other words, the attribution is driven by the artefacts and tactics, techniques and procedures (TTPs) employed by the adversary. Analysts then seek to map out the attacker's infrastructure, detect patterns in their activities, and categorise the Indicators of Compromise (IOCs) left behind. These findings not only provide insights into the nature of the threat but also enable incident response teams to formulate effective countermeasures, and enable the betterment of the decision-making process. However, the complexity of the current cyber threat landscape, with increasingly sophisticated and varied attack strategies, means that such analysis is becoming more time-consuming and intricate, and positioning the analysts in a cat-and-mouse game. This "cat-and-mouse" game in cyber threat intelligence refers to the ongoing battle between adversaries and analysts, where both sides continuously evolve their tactics in an attempt to outmaneuver the other. From the adversary's side, the game involves employing increasingly sophisticated and evasive techniques to bypass detection. Attackers often shift their methods, tools, and infrastructure, using techniques like Living-off-the-Land binaries (LotL), obfuscation, or mimicking the behaviour of other threat groups to confuse analysts and avoid attribution. From the analysts' perspective, the game is about staying ahead by continuously adapting to these changes. Analysts must identify and analyse the IOCs, TTPs, and patterns left behind by attackers, developing attribution models that can discern the tactics and techniques used. They use this information to build defences and develop countermeasures, but their efforts are at best reactive, adjusting to the adversaries’ latest moves.
Additionally, a number of factors make the process, and its resulting effect, difficult if not outright blurry, leaving room for erroneous attribution by analysts. These factors include, but are not limited to:
The evolution and increased sophistication of threat actors;
Tools and malware are increasingly shared between threat actors, making attribution less accurate and possibly wrong, a problem compounded by the growing use of open-source software and “as-a-service” products;
The increased involvement of multiple threat actors in a single operation (e.g., IABs, RaaS, state-sponsored operations), and/or the proximity between threat actors (i.e., state-sponsored groups) targeting different verticals;
The fragmentation and/or decentralisation of groups and threat actors, and the dissociation of groups following law enforcement operations (e.g., LockBit, BlackCat, Hive);
Threat actors’ obfuscation operations and “false flags”; and
Differences in “labelling/naming” conventions from one organisation to another, often scattering available intelligence.
Technical attribution in and of itself allows organisations to enhance their security posture by defending against clearly identified TTPs, tooling, and methods, forming an accurate picture of the threat landscape and the risks it presents. While technical attribution serves as a cornerstone of cyber threat intelligence and a core element of decision-making, it is not without challenges and limitations, which are often exacerbated by the advantageous position of the threat actors. Ultimately, the technical attribution process is not only about identifying the attacker but also about understanding their methods and infrastructure, which are constantly changing and evolving. The ongoing battle involves a continuous feedback loop, where attackers adapt their strategies based on the capabilities and responses of defenders, and defenders respond by implementing new mitigations and detections based on the evolving sophistication of adversaries, making it a dynamic and high-stakes game: a cat-and-mouse game.
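To make two of the factors listed above concrete (tooling shared across groups weakens attribution, and vendor naming differences scatter intelligence), here is an added toy attribution scorer; it is not NSB Cyber's code or method, and every actor name, alias, TTP id and tool name in it is a constructed placeholder.

```python
"""Toy attribution scorer: an added example, not NSB Cyber's tooling or method.
Vendor-specific actor labels are collapsed onto one canonical name before
evidence is pooled, and each indicator is weighted by how few known actors use
it, so tooling shared across many groups barely moves the result. Every actor
name, alias and TTP/tool list here is a constructed placeholder."""
from collections import Counter
from fractions import Fraction

# Constructed alias table: vendor label (lower-cased) -> canonical actor name.
ALIASES = {"vendor1-alpha": "ACTOR-A", "vendor2-wolf": "ACTOR-A",
           "vendor1-beta": "ACTOR-B", "vendor3-tiger": "ACTOR-C"}

# Constructed vendor reports: (label used by that vendor, TTP ids / tool names).
REPORTS = [
    ("Vendor1-Alpha", {"T1059.001", "T1021.002", "loader-x", "public-cred-dumper"}),
    ("Vendor2-Wolf", {"T1059.001", "T1021.002", "public-cred-dumper", "T1003.001"}),
    ("Vendor1-Beta", {"T1059.001", "T1566.001", "rat-y", "public-cred-dumper"}),
    ("Vendor3-Tiger", {"T1566.001", "T1021.002", "commodity-c2", "public-cred-dumper"}),
]

def canonical(label):
    """Map a vendor label to the canonical actor name; unknown labels pass through."""
    return ALIASES.get(label.lower(), label.upper())

def merge_reports(reports):
    """Pool indicators per canonical actor so intelligence is not scattered by naming."""
    profiles = {}
    for label, indicators in reports:
        profiles.setdefault(canonical(label), set()).update(indicators)
    return profiles

def indicator_weights(profiles):
    """Weight = 1 / (number of actors known to use the indicator): a tool every
    group uses is worth 1/n, a bespoke tool or rare TTP is worth 1."""
    counts = Counter(i for inds in profiles.values() for i in inds)
    return {i: Fraction(1, n) for i, n in counts.items()}

def score(observed, profiles):
    """Exact (Fraction) evidence score per actor for an observed indicator set."""
    weights = indicator_weights(profiles)
    return {actor: sum((weights[i] for i in sorted(observed & known)), Fraction(0))
            for actor, known in profiles.items()}

def attribute(observed, profiles, min_margin=Fraction(1, 2)):
    """Return (actor, margin) for the leader, or (None, margin) when its lead over
    the runner-up is below min_margin: shared tooling alone is inconclusive."""
    ranked = sorted(score(observed, profiles).items(), key=lambda kv: kv[1], reverse=True)
    margin = ranked[0][1] - ranked[1][1]
    return (ranked[0][0], margin) if margin >= min_margin else (None, margin)
```

With the constructed data, an intrusion showing only the shared credential dumper and a common execution technique scores ACTOR-A and ACTOR-B equally and is left unattributed, while adding the bespoke loader-x produces a confident call.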
What we read this week
Ivanti Warns of New Zero-Day Attacks Hitting Connect Secure Product - Ivanti has identified two critical vulnerabilities in its Connect Secure product line: CVE-2025-0282, a stack-based buffer overflow allowing unauthenticated remote code execution, and CVE-2025-0283, which permits local privilege escalation. The company has confirmed that CVE-2025-0282 has been exploited in the wild, affecting a limited number of customers' Connect Secure appliances. Ivanti recommends that customers immediately upgrade to Ivanti Connect Secure 22.7R2.5 and continue to closely monitor appliances with the internal and external Integrity Checker Tool (ICT) in conjunction with other security tools. Out of an abundance of caution, a factory reset is recommended even on appliances with a clean ICT scan before putting 22.7R2.5 into production. Notably, the company said the Ivanti Policy Secure product is not intended to be internet-facing, which makes the risk of exploitation significantly lower. A fix for Ivanti Policy Secure is planned for release on January 21, 2025.
New Details Reveal How Hackers Hijacked 35 Google Chrome Extensions - A recent phishing campaign has compromised at least 35 Google Chrome extensions, affecting approximately 2.6 million users. Attackers sent deceptive emails to extension developers, impersonating Google and alleging policy violations. These emails directed developers to a malicious OAuth application named "Privacy Policy Extension," which, once authorised, granted attackers control over the developers' Chrome Web Store accounts. The compromised extensions were then updated to include data-stealing code aimed at harvesting Facebook account information, including IDs, access tokens, and other account details. This attack highlights the vulnerabilities in OAuth authorisation flows and the need for developers to exercise caution when granting permissions.
U.S. Sanctions Chinese Cybersecurity Firm for State-Backed Hacking Campaigns - The United States (U.S.) Treasury Department's Office of Foreign Assets Control (OFAC) has sanctioned Integrity Technology Group, Incorporated, a Beijing-based cybersecurity firm, for orchestrating cyberattacks against U.S. entities. These attacks have been attributed to Flax Typhoon, a Chinese state-sponsored threat actor active since at least mid-2021, known for leveraging known vulnerabilities and using legitimate remote access software to maintain persistent access. Integrity Technology Group, also known as Yongxin Zhicheng, is accused of providing infrastructure support to Flax Typhoon's cyber campaigns between mid-2022 and late-2023. The U.S. Department of State has classified the firm as a government contractor with ties to China's Ministry of State Security.
Exploit Code Published for Potentially Dangerous Windows LDAP Vulnerability - Cybersecurity company SafeBreach has released a proof-of-concept (PoC) exploit for CVE-2024-49113, a denial-of-service (DoS) vulnerability in Windows Lightweight Directory Access Protocol (LDAP). This flaw, assigned a CVSS score of 7.5, was patched by Microsoft on December 10, alongside a critical remote code execution (RCE) vulnerability in LDAP (CVE-2024-49112) with a CVSS score of 9.8. While neither vulnerability has been reported as exploited in the wild, Microsoft advised disconnecting Domain Controllers from the internet to mitigate potential risks associated with the RCE flaw. SafeBreach warns that the DoS vulnerability also warrants serious attention, as it can be exploited to crash unpatched Windows Server deployments if the DNS server of the target Domain Controller is connected to the internet. Administrators are strongly advised to apply the available patches promptly to safeguard their systems.
Unconventional Cyberattacks Aim to Take Over PayPal Accounts - A recent phishing campaign exploits Microsoft 365's test domain feature to impersonate PayPal, deceiving users into surrendering their account credentials. Attackers register a free Microsoft 365 test domain and create a distribution list with target emails, enabling them to send seemingly legitimate payment requests that bypass standard email security checks. Exploiting the vendor's feature allows attackers to stealthily evade standard email security measures because the messages originate from a verified source and replicate the exact format of legitimate communications, such as authentic PayPal payment requests. As a result, this similarity makes it challenging for email providers to differentiate them from legitimate emails.
References
https://www.securityweek.com/ivanti-warns-of-new-zero-day-attacks-hitting-connect-secure-product/
https://www.bleepingcomputer.com/news/security/new-details-reveal-how-hackers-hijacked-35-google-chrome-extensions/
https://thehackernews.com/2025/01/us-treasury-sanctions-beijing.html
https://www.securityweek.com/exploit-code-published-for-potentially-dangerous-windows-ldap-vulnerability/
https://www.darkreading.com/threat-intelligence/unconventional-cyberattacks-take-over-paypal-accounts