“Attribution of Advanced Persistent Threats” Notes

Chad Warner
Jun 6, 2022

Attribution of Advanced Persistent Threats: How to Identify the Actors Behind Cyber-Espionage by Timo Steffens is a useful, informative resource on APT group attribution, covering the process, reasons, and considerations. It includes plenty of examples.

My notes follow.


Advanced Persistent Threats

APT attack phases

  1. Reconnaissance
  2. Delivery
  3. Installation
  4. Lateral Movement (loop of repeated or ongoing activity)
  5. Exfiltration (loop of repeated or ongoing activity)
  6. Erase Evidence

APT groups usually target domain controllers first, to grab user credentials, create new accounts, grant themselves privileges, or wreak havoc.

A Golden Ticket on a domain controller is like an all-access pass.

Many APT groups develop their own encryption algorithms, which aids attribution.

APT malware often exfiltrates via HTTP or HTTPS because these protocols are usually not blocked by firewalls and don’t look suspicious in logs. In networks where HTTP and HTTPS are uncommon, prohibited, or heavily monitored, malware exfiltrates via email instead.

APT groups don’t exfiltrate directly to their own servers, but pass the data through intermediate servers.

Groups often delete their tools as soon as they no longer need them, rather than waiting until the end of the entire operation to delete.

Many groups practice poor OpSec and leave evidence.

The Attribution Process

Differences between attribution by governments and by infosec companies

  1. Government indictments and official statements cover specific attacks or incidents, whereas infosec industry attribution focuses on APT groups and their activity over longer periods.
  2. Government indictments need to name legal persons and official statements usually name a foreign government, whereas reports by infosec companies come in different flavors and may be no more granular than a country of origin.
  3. Government attribution is often based on data from intelligence agencies, which can’t be disclosed, whereas infosec companies are often transparent in their sources and methods (to increase trust in their assessments).

Reasons for attribution

  • People want to know the culprits.
  • Organizations can prioritize defenses that apply to threats relevant to them.
  • It allows governments to pressure governments using APTs against them.
  • It deters governments from using APTs, because they risk sanctions if detected.
  • The public can view leaked info more skeptically if they know it’s from a foreign APT than from altruistic actors.

Intrusion set: IoCs and TTPs repeatedly observed being used together.

Attribution phases

  1. Collect data (via security software telemetry, on-site investigations)
  2. Clustering: partition data into intrusion sets
  3. State-sponsored versus criminal activity: determine motivation behind campaign
  4. Attribution to a country of origin
  5. Attribution to organizations and persons
  6. Assessing confidence and communicating hypotheses: check for plausibility and consistency, evidence backed by multiple sources, compatibility with the data, likelihood of false flags

Attribution is based on abductive reasoning (logical inference that attempts to find the most likely explanation for the observations), not deductive reasoning (where conclusions strictly follow from facts).

Not all APT groups work for a single government. Some contractors offer their services to several governments. Also, governments cooperate (e.g., Five Eyes members).

Many APT actors work regular office hours (8 or 9 AM to 5 PM in their time zone on workdays in their country), but some freelancers work outside those hours. Generally, government employees don’t work weekends.
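The working-hours heuristic above can be turned into a check: shift a set of UTC timestamps (compile times, C2 check-ins) through candidate UTC offsets and see which offset puts most activity into a weekday 8-to-5 window. This is an added example with constructed timestamps, not code or data from the book; the sample is built so that activity clusters at UTC+8.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of UTC timestamps (e.g., PE compile times or C2 check-ins).
# Not real data; chosen so that activity lands in office hours at UTC+8.
SAMPLE_UTC = [
    "2022-03-01T01:15:00", "2022-03-01T03:40:00", "2022-03-01T07:55:00",
    "2022-03-02T00:30:00", "2022-03-02T05:10:00", "2022-03-02T08:45:00",
    "2022-03-03T02:00:00", "2022-03-03T06:20:00", "2022-03-03T09:05:00",
    "2022-03-04T01:45:00", "2022-03-04T04:30:00", "2022-03-04T22:30:00",
    "2022-03-07T02:10:00", "2022-03-08T03:25:00", "2022-03-09T00:05:00",
]

START_HOUR, END_HOUR = 8, 17  # the 8 AM to 5 PM workday the notes describe


def parse_utc(stamps):
    return [datetime.fromisoformat(s).replace(tzinfo=timezone.utc) for s in stamps]


def office_hour_fraction(times, offset_hours):
    """Fraction of events falling on a weekday between START_HOUR and END_HOUR
    once the clock is shifted to the candidate UTC offset."""
    tz = timezone(timedelta(hours=offset_hours))
    hits = 0
    for t in times:
        local = t.astimezone(tz)
        if local.weekday() < 5 and START_HOUR <= local.hour < END_HOUR:
            hits += 1
    return hits / len(times)


def rank_offsets(stamps, offsets=range(-12, 15)):
    """Return (offset, fraction) pairs, best-fitting offset first.
    Caveat: timestamps are trivial to forge, so this is weak, easily
    false-flagged evidence and should be weighted accordingly."""
    times = parse_utc(stamps)
    scored = [(off, office_hour_fraction(times, off)) for off in offsets]
    return sorted(scored, key=lambda p: (-p[1], abs(p[0])))


if __name__ == "__main__":
    for off, frac in rank_offsets(SAMPLE_UTC)[:3]:
        print(f"UTC{off:+d}: {frac:.0%} of activity in weekday office hours")
```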

When malware from one APT group is found on a machine, it’s assumed that other malware on that machine was also installed by the same group, but that’s not necessarily true.

MICTIC Framework (technical process for attribution)

  • Malware (e.g., language settings, timestamps, strings, date formats, PDB paths, Rich headers, control server addresses)
  • Infrastructure (e.g., WHOIS data, links to private websites, TLS certificates)
  • Control server (e.g., network traffic, source code or logs on seized hard drives)
  • Telemetry (e.g., working hours, source IPs, malware generation, TTPs, C2 addresses)
  • Intelligence (use of OSINT, SIGINT, HUMINT, offensive operations, requests to providers)
  • Cui bono (analysis of political news, economic news, agency missions to determine group’s sponsor and motivation)

The number of aspects on which attribution is based is indicated as a number (e.g., MICTIC-2 means attribution is based on 2 aspects).

Analysis of Malware

Technically advanced groups prefer to develop their own malware or hire professional contractors, though they also use existing malware and tools. Less-savvy groups generally use existing malware and tools.

If groups can avoid using malware and instead use tools built into OSes, they will, to minimize risk of detection.

Attack Infrastructure

Malware can encrypt C2 traffic using copied (duplicate) TLS certificates, because the malware ignores the mismatch between the certificate’s Common Name and the domain name of the control server.
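From the defender’s side, that mismatch is something a network sensor can flag: compare the destination host (or SNI) against the certificate’s SAN entries, falling back to the CN. This is an added example with constructed observations, not code from the book; the hostnames and the 203.0.113.10 address are made up.

```python
# Constructed TLS observations as a sensor might record them; none are real indicators.
OBSERVATIONS = [
    {"dst_host": "update.example.com", "cn": "update.example.com",
     "sans": ["update.example.com"]},
    {"dst_host": "cdn.example.net", "cn": "*.example.net",
     "sans": ["*.example.net", "example.net"]},
    # certificate copied from an unrelated site, presented on a bare IP
    {"dst_host": "203.0.113.10", "cn": "www.legit-bank.example",
     "sans": ["www.legit-bank.example"]},
    # no SANs and a CN that belongs to a different domain
    {"dst_host": "api.example.org", "cn": "mail.other.example", "sans": []},
]


def name_matches(host, pattern):
    """Host-name matching with a single left-most wildcard label (RFC 6125 style)."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        h_labels, p_labels = host.split("."), pattern.split(".")
        return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]
    return host == pattern


def certificate_matches(obs):
    """SANs take precedence; the CN is only consulted when no SANs are present."""
    names = obs["sans"] or [obs["cn"]]
    return any(name_matches(obs["dst_host"], n) for n in names)


def find_mismatches(observations):
    """Connections whose certificate does not name the host being contacted.
    Treat hits as a triage signal: misconfigured services and IP-addressed
    internal hosts produce the same mismatch without being malicious."""
    return [o for o in observations if not certificate_matches(o)]


if __name__ == "__main__":
    for o in find_mismatches(OBSERVATIONS):
        print(f"mismatch: {o['dst_host']} presented cert for {o['cn']}")
```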

Geopolitical Analysis

Forms of government tasking of contractors (proxies)

  • Delegate: perfect alignment between government’s intelligence requirements and proxy’s activities.
  • Orchestrate: government provides ideological or religious direction for proxy to pursue political goals.
  • Sanction: government tolerates proxy’s activities.

If a group’s infrastructure or malware is used for criminal activities, it indicates that the group doesn’t work directly in government institutions.

Methods of Intelligence Agencies

APT groups recruit members based on MICE: money, ideology, coercion, ego.

4th party collection: intelligence agencies monitoring C2 traffic of foreign APT groups and collecting data they exfiltrate.

False Flags

To generate the most probable hypothesis

  • Assess validity: check validity of each piece of evidence
  • Check consistency: check consistency of pieces of evidence
  • Weight evidence types: weight pieces of evidence by effort required to fake

Analysis of Competing Hypotheses (ACH) is used to evaluate incomplete and contradictory information, to keep analysis as free of cognitive bias and assumptions as possible.
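The three steps above (validity, consistency, weighting by effort to fake) and ACH fit together in a small matrix: each evidence item is rated against each hypothesis, and ACH keeps the hypothesis with the least inconsistent evidence rather than the most supporting evidence. This is an added worked example; the hypotheses, evidence and weights are invented for illustration, not taken from the book or any real case.

```python
# Hypothetical hypotheses; "Country A"/"Country B" are placeholders.
HYPOTHESES = ["Country A", "Country B", "criminal group"]

# Each evidence item maps to (consistency per hypothesis, weight).
# Consistency: +1 consistent, -1 inconsistent, 0 neutral / not applicable.
# Weight: effort a false-flag operator would need to fake the item
# (the "weight evidence types" step); higher means harder to fake.
EVIDENCE = {
    "compile times cluster in Country A office hours":
        ({"Country A": 1, "Country B": -1, "criminal group": 0}, 1),
    "malware strings in Country A's language":
        ({"Country A": 1, "Country B": -1, "criminal group": 0}, 1),
    "C2 registrant email reused from an earlier campaign":
        ({"Country A": 1, "Country B": 1, "criminal group": 1}, 2),
    "victims match Country B intelligence needs, no financial value":
        ({"Country A": -1, "Country B": 1, "criminal group": -1}, 3),
    "seized C2 logs show operator logins from Country B":
        ({"Country A": -1, "Country B": 1, "criminal group": 0}, 4),
}


def inconsistency_scores(evidence, hypotheses, weighted=True):
    """Sum of (weighted) evidence that contradicts each hypothesis."""
    scores = {}
    for h in hypotheses:
        total = 0
        for row, weight in evidence.values():
            if row[h] < 0:
                total += weight if weighted else 1
        scores[h] = total
    return scores


def rank_hypotheses(evidence, hypotheses, weighted=True):
    """ACH ordering: least inconsistency first (ties broken by name)."""
    scores = inconsistency_scores(evidence, hypotheses, weighted)
    return sorted(hypotheses, key=lambda h: (scores[h], h))


def non_diagnostic(evidence, hypotheses):
    """Evidence rated identically against every hypothesis cannot
    discriminate between them and should not drive the assessment."""
    return [e for e, (row, _) in evidence.items()
            if len({row[h] for h in hypotheses}) == 1]


if __name__ == "__main__":
    print("weighted:  ", rank_hypotheses(EVIDENCE, HYPOTHESES))
    print("unweighted:", rank_hypotheses(EVIDENCE, HYPOTHESES, weighted=False))
```

With the cheap-to-fake items counted equally, the invented case points away from Country B; once weights reflect effort to fake, Country B has the least inconsistent evidence, which is the false-flag situation the weighting step exists to catch.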

Group Set-Ups

APT group members

  • Malware developers
  • Procurement managers, infrastructure quartermasters (handle infrastructure)
  • Admins (handle control servers)
  • Operators (handle telemetry)
  • Orchestrators (oversee contractors)

Supra Threat Actors: organizations that cooperate on malware source code internationally (believed to be limited to Western countries, e.g., NSA, GCHQ).

Access teams: teams that specialize in getting a foothold in the target network.

Marauders: teams that take over from the access team, being given credentials or backdoor access.


Reasons for publicly attributing

  • Network defense: provide details (IoCs, TTPs) for network defenders
  • Court proceedings: convict perpetrators
  • Diplomacy: apply political pressure or sanctions to accused government
  • Reputation for security companies: marketing and reputation-building

Attribution statement features

  • Object of attribution (data that was analyzed)
  • Level of attribution (e.g., country, organization, person)
  • Level of detail
  • Diversity of evidence
  • Premises and assumptions
  • Inconsistent evidence (evidence that doesn’t support the resulting hypothesis)
  • Potential false flags
  • Alternative hypotheses
  • Confidence level
  • Audience
