Threat Actors and APTs

The document outlines various threat agents in cybersecurity, defining threats as dangers that exploit vulnerabilities, leading to breaches. It categorizes threat actors into groups such as cyber criminals, nation-states, hacktivists, and insider threats, each with distinct motivations including financial, political, social, and unknown factors. Additionally, it discusses Advanced Persistent Threats (APTs) and provides real-world examples of notable threat actors and their activities.

Uploaded by

Vivek R

Common Threat Agents

What are Threats?

A threat is a danger that can exploit a vulnerability, resulting in a breach (impact).

Intentional Threat (Hacking)

In the example illustrated in the original document, a malicious user exploits a vulnerability, namely a lack of input validation (not preventing users from entering special characters such as “/ - = ` ' ” into an input field), which allows the attacker to conduct a SQL injection attack and retrieve data stored in the SQL database connected to the back-end of the vulnerable website.

• Vulnerability: Lack of input validation

• Threat: Exploiting the vulnerability to write a malicious SQL query

• Result: Username and password tables in the database are sent to the attacker
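The example above in code, added here and not part of the original document: an in-memory SQLite database with constructed sample rows is queried first by a string-built statement carrying the input-validation flaw the text describes, then by a parameterized statement, with an allowlist check (an assumed username policy) as the validation layer.

```python
import re
import sqlite3

# Assumed allowlist policy for usernames; quotes, slashes, backticks and the
# other special characters named in the text all fall outside it.
USERNAME_PATTERN = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def build_db() -> sqlite3.Connection:
    """Constructed stand-in for the website's back-end database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b"), ("carol", "hash-c")],
    )
    return conn


def is_valid_username(value: str) -> bool:
    """Input validation: accept only values matching the allowlist."""
    return USERNAME_PATTERN.fullmatch(value) is not None


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The flaw the page describes: user input is spliced into the SQL text, so
    a quote character ends the string literal and the rest becomes SQL syntax.
    Kept deliberately weak to show the failure mode."""
    query = f"SELECT username, password_hash FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Fix 1: bind the value as a parameter so the driver treats it as data,
    never as part of the statement, whatever characters it contains."""
    query = "SELECT username, password_hash FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def lookup_hardened(conn: sqlite3.Connection, username: str) -> list:
    """Fix 2 (defence in depth): reject input outside the allowlist first,
    then run the parameterized query."""
    if not is_valid_username(username):
        return []
    return lookup_parameterized(conn, username)


def compare(username: str) -> dict:
    """Run one input through all three lookups and report the row counts."""
    conn = build_db()
    return {
        "valid_input": is_valid_username(username),
        "vulnerable_rows": len(lookup_vulnerable(conn, username)),
        "parameterized_rows": len(lookup_parameterized(conn, username)),
        "hardened_rows": len(lookup_hardened(conn, username)),
    }


if __name__ == "__main__":
    print(compare("alice"))          # every path returns alice's single row
    print(compare("x' OR '1'='1"))   # only the vulnerable path dumps the whole table
```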

What are Threat Actors?

• A threat agent or threat actor, in the context of cyber threat intelligence, is an actor that intentionally or unintentionally generates an adverse effect on an organization, such as conducting a cyberattack or unintentionally leaking information.

• This can be an individual or a group of individuals that cause harm in some way.

Actor Categorization

• Cyber Criminals

o This group includes hackers and crackers that are looking to make money from malicious and illegal activity, such as cyber-attacks, ransomware, and phishing.

o The skill level can vary dramatically within this group. For example, a very experienced hacker may be classed as a cyber criminal threat actor, but so may a “script kiddie”, a term used to describe an inexperienced individual who depends on pre-built tools and scripts and generally has a low level of technical knowledge.

• Nation-States

o These are hackers or hacking teams that work for governments around the world. They have a very high level of technical sophistication as well as resources, making them some of the most advanced adversaries out there.

o They typically conduct prolonged covert cyber operations, staying undetected for long periods of time whilst they silently complete their objectives in the target network. Nation-states are often referred to as Advanced Persistent Threats (APTs).

• Hacktivists

o Individuals or groups placed into this category are typically socially or politically motivated and use cyber attacks as a way to express their views and beliefs.

o Hacktivists usually conduct distributed denial of service (DDoS) attacks, which take systems offline by overloading their resources and causing them to crash. Another common attack conducted by actors in this group is website defacement: changing the content of a website’s homepage to display a message or image created by the attacker, usually to make a statement related to social or political views.

• Insider Threat

o Individuals classed into this group have intentionally or unintentionally abused their power and knowledge of the organization they work for in order to leak confidential information.

o Intentional cases can include disgruntled employees taking revenge against the company; unintentional cases can include employees accidentally emailing documents to the wrong email address or falling victim to a social-engineering attack.

Real-World Threat Actor Examples

• Nation-States – APT29 (Mandiant), also known as Cozy Bear (CrowdStrike), is a nation-state hacking group believed to be associated with Russian intelligence. This group is extremely well resourced and constantly develops its own advanced malware to covertly complete cyber operations. APT29 was behind a spear-phishing attack against the Pentagon in 2015 that led to the organization shutting down non-classified email and internet access whilst it investigated the attack. The group has been compromising diplomatic organizations and governments since around 2010 and was believed to have been shut down in 2017; however, recent activity shows that it simply developed more advanced tools and malware so that it went undetected.

• Hacktivists – Most people interested in information technology or cybersecurity have heard of the famous hacking group “Anonymous”, which conducts attacks based on social and political motives. On January 19th, 2012, Anonymous conducted “Operation Megaupload” in response to the shutdown of the file-sharing site Megaupload, as well as anger at the House of Representatives’ Stop Online Piracy Act and the Senate’s Protect Intellectual Property Act. This operation included sustained distributed denial of service attacks against high-profile websites including those of the United States Department of Justice and the United States Copyright Office. You can read more about Operation Megaupload in this Forbes article.

Motivations

Motivations can typically be classed into one of four high-level categories:

1. Financial Motives

Financial motives can be applied in a number of different ways. Whether it’s an individual trying to make some quick money, a cybercrime syndicate bringing in more funds, or a government team trying to disrupt the financial operations of hostile countries, money plays a large part in motivating cyber attacks.

• Individual Financial Motives –

- Corporate espionage is the act of retrieving private information from an organization and selling it for financial gain, potentially to competitors.

- This could be seen as a good idea by disgruntled employees who are planning on leaving their current organization soon and want to make a bit of money on the side before they leave.

• Cyber Crime Financial Motives –

- The theft and sale of confidential and personal information is a very lucrative activity and is generally the main motive for cybercrime syndicates.

- Ransomware is an ever-increasing threat where attackers deploy malware that encrypts any accessible files on the infected system and demands a ransom for the decryption key so the system owner can get their files back.

- Criminals may also deploy cryptocurrency mining software on compromised systems in order to collect digital coins and cash these in.

- Another example of financial motives is the use of banking trojans, specialized malware designed to steal credentials for online banking websites in order to steal money from victims and transfer it to attacker-owned mule accounts.

• Government Financial Motives –

- A North Korean APT named Lazarus Group is made up of two smaller teams, BlueNorOff and AndAriel. Whilst AndAriel conducts prolonged and covert cyber operations against government targets in other countries, BlueNorOff focuses on hacking financial institutions such as banks in order to steal funds.

- It is believed that this team is responsible for collecting funds to provide more resources to the other group within Lazarus. North Korea is subject to a number of economic sanctions from the US, and the perfect way to bypass these is by converting any stolen funds into the Monero cryptocurrency, using the dark web as an unrecorded method of pulling funds into the country.

2. Political Motives

Political motives are typically involved when nation-state teams, controlled and funded by governments, target governments in hostile nations.

These attacks could be to disrupt the operations of other countries, commit espionage and steal confidential information, send a message to the people of the target country, or for other reasons that give the attacking country an advantage over its target.

• Cyberwar is becoming an ever-more common reality. Not only does this type of warfare not require the deployment of personnel, there are also no geographical barriers, provided the target systems are connected to the internet in some way or the air gap can be compromised. An example of political motives in an act of cyber war was the Stuxnet virus, believed to have been developed by the United States and Israel and used to target and degrade Iran’s nuclear program, using not one but four zero-day exploits to ensure it could complete its mission.

• Another example of political motivations is when an individual or group (such as hacktivists) attempts to make a statement or express their political views by defacing government websites or using distributed denial-of-service attacks to take websites or services offline temporarily.

• Disinformation campaigns, whilst not technically cyber attacks, are online activities where governments use bot accounts, dummy accounts, and paid advertising to spread incorrect information in an attempt to influence viewers. This type of activity is usually observed around government elections.

3. Social Motives

Social motives are associated with an individual’s own beliefs.

There are two main social motives associated with cyber-attacks: making a statement and voicing your opinions on a subject that is important to you, or trying to boost your reputation or social status.

• Script kiddies, the derogatory term used to describe individuals with limited technical knowledge, are often known for operating with social motives, such as trying to boost their reputation and “showing off” to their friends or to people on the internet. This typically involves the script kiddie boasting online about their ability to conduct cyber attacks such as website defacement or distributed denial of service attacks, and then attempting to conduct these attacks using pre-built tools that require no skills or knowledge, such as online “stressers” or “booters”, which are DDoS-as-a-service platforms where you enter your target and pay to launch attacks without needing any knowledge of botnets or networking.

• It’s not just script kiddies that are looking for fame and attention. A number of hackers love to show off their illegal activity by posting to social media in order to increase their following and time in the spotlight. A great example of this is the disbanded group Lizard Squad, which is known for conducting distributed denial of service attacks against gaming companies whilst tweeting on Twitter to gain attention. In August and November 2014 this group claimed responsibility for DDoSing League of Legends servers, Destiny servers, and PlayStation Network servers, as well as DDoSing Xbox Live and PlayStation Network at Christmas to prevent legitimate access to online features.

4. Unknown Motives

In some cases, it may not be immediately clear why a cyber attack was attempted or successfully conducted.

This can make attribution harder, as we can’t use patterns to link the actor or actors to an established and documented threat group.

In some cases, the motives may become clear in the future once more evidence has been collected and analyzed.

Actor Naming Convention

• Different threat intelligence vendors and security firms use their own naming conventions to track and share intelligence about malicious actors.

• Threat actors tend to share tools, so indicators from one group may be the same as those of multiple other groups. Some groups even use infrastructure in other countries to throw security researchers off, as well as copying the tactics and techniques used by other groups.

CrowdStrike

• CrowdStrike categorizes APTs, especially nation-state hacking teams, based on the countries they operate out of, using animals. For example, “Panda” is the umbrella term for all nation-state activity tied to the People’s Republic of China.

• Non-nation-state adversaries are categorized by intention, not by location; for instance, activist groups like the Syrian Electronic Army are categorized as “Jackal”, which expresses intent and motivation instead of country.

• If you want to read more about the malicious actors that CrowdStrike tracks, read their blog post titled “Meet The Adversaries”.

• Nation-State-Based Adversaries

Listed below are countries and their associated animals, as stated by CrowdStrike.

o Bear = Russia (such as Fancy Bear)
o Buffalo = Vietnam
o Chollima = North Korea (such as Stardust Chollima)
o Crane = South Korea
o Kitten = Iran (such as Refined Kitten)
o Leopard = Pakistan (such as Mythic Leopard)
o Panda = China (such as Goblin Panda)
o Tiger = India (such as Viceroy Tiger)

• Non-Nation-State Adversaries

The names below are given to hacktivist groups and groups that conduct eCrime, such as ransomware attacks and the use of banking trojans.

o Jackal = Activist groups
o Spider = Criminal groups, such as Mummy Spider, the actors behind the global malware campaign Emotet (more on this in the Global Malware Campaigns section at the end of this domain).

Mandiant/FireEye

• FireEye/Mandiant have taken a different approach and use the term “APTxx”, where xx is a number, such as APT28 or APT39.

• These numbers actually have a meaning behind them: they are taken from internal country codes, providing a more concise and neat naming convention.

• Nation-State-Based Adversaries

o China = APT1, APT2, APT3, APT10, APT19, APT20, APT30, APT40, APT41
o Iran = APT33, APT34, APT35, APT39
o North Korea = APT37, APT38
o Russia = APT28, APT29
o Vietnam = APT32

• Financially-Motivated Cybercrime Groups

The prefix “FIN” is used, short for “Financial”, referring to the motivation of cybercrime actors. An example of this naming convention in use is FIN7, a threat group that has primarily targeted the U.S. retail, restaurant, and hospitality sectors since mid-2015, often utilizing point-of-sale malware to steal funds.

o FIN4
o FIN5
o FIN6
o FIN7
o FIN8
o FIN10

• Unclassified Groups

Groups that are currently undergoing analysis are referred to as “UNC” or Unclassified under the FireEye/Mandiant naming convention. Groups that have not been attributed to a country, or whose motives are still unclear, will be placed into this group temporarily.

What are APTs?

• APTs are groups of highly skilled attackers who have state backing or otherwise almost unrestricted access to a variety of resources.

• APTs deliver maximum, long-lasting damage and target specific organizations according to their motives.

• APTs typically use previously unseen malware and exploits (also known as 0-day exploits), with their own tailored software and frameworks to carry out the attacks.

Real-World APTs

• APT28 -

o APT28, also known as Fancy Bear, Sofacy, or Pawn Storm, is a Russia-based nation-state group specializing in politically motivated cyber espionage. It targets militaries, security organizations, and governments, especially in Georgia and Eastern Europe.

o They are infamous for their attack against the Hillary Clinton campaign and attempts to interfere with the US presidential election.

• Cobalt Group -

o The Cobalt Group, also known as Gold Kingswood, is a financially-motivated group that targets ATMs, payment systems, and banks. They have targeted banks in Eastern Europe and Russia using a series of well-orchestrated spear-phishing attacks and exploits. Its leader has been arrested in Spain; however, the group has continued its activities.

o Cobalt Group has been utilizing a malware called SpicyOmelette, which allows the attackers to gain a strong foothold on the victim system, conduct system reconnaissance and perform privilege escalation. Cobalt Group is one of the very successful APTs, causing over a billion Euros in financial loss across more than 40 countries.

• APT32 -

o APT32 is a threat group that has been active since at least 2014.

o The group has targeted multiple private sector industries as well as foreign governments, dissidents, and journalists, with a strong focus on Southeast Asian countries like Vietnam, the Philippines, Laos, and Cambodia. They have extensively used strategic web compromises to compromise victims. The group is believed to be Vietnam-based.

What makes APTs Special?

• The amount of funding and resources APTs receive, typically from nation-states, is immeasurably greater than that of individuals or small “hacking groups”.

• APTs typically focus on financial, political, or military targets, whereas other threat actors have various goals, from satisfying their curiosity to hacktivism.

• APTs have sophisticated and advanced tools, attack frameworks, malware, exploits (including zero-days) and methodologies to gain and maintain access to networks, in contrast to the simple scripts, public exploits and commodity malware used by typical hackers.

• APTs are most interested in acquiring persistent access to and control over target systems for espionage, monitoring, surveillance, and other purposes that require uninterrupted access to ensure their goal is achieved. By contrast, conventional hackers tend to perform short and typically unsophisticated attacks and stop once they have completed their goal, not focusing on persistence and access.

Case Study: Cobalt Group

1. Phase 0: In the very first stage, Cobalt Group sends targeted spear-phishing emails with malicious PDFs, Word documents or RTF files attached or linked, which will trigger the ‘exploit chain’ to start. The email can be personalized or broad enough to be sent to a whole mailing list.

2. Phase 1: Once the user downloads the malicious attached file, such as a PDF file, they may be asked to click on a URL in order to view the file. However, the link actually leads to a Word document that contains malicious Visual Basic for Applications (VBA) code. This phase lights the end of the fuse leading to total compromise of the system.

3. Phase 2: Cobalt Group uses an exploit kit called Threadkit to create malicious documents which can exploit several critical vulnerabilities in Microsoft Office or Internet Explorer and launch batch files that assist with the exploitation process.

4. Phase 3: In order to bypass AppLocker and execute scripts or remote code, Cobalt Group utilizes legitimate Microsoft applications that are allowed by AppLocker. One method involves using CMSTP (Microsoft Connection Manager Profile Installer) to run a malicious INF file or execute a script using XML tags in scriptlets. Eventually, a DLL dropper is written to disk to launch PowerShell or CMSTP for the next phase.

5. Phase 4: The launched PowerShell stage downloads the next one, which is obfuscated in layers, with the final layer being shellcode which is loaded into memory. The shellcode decrypts the remaining code to ultimately download, decrypt and launch an encrypted Cobalt Strike beacon payload. Alternatively, a JScript downloader is used to download and run a JScript backdoor payload.

6. Phase 5: The Cobalt Strike beacon allows a very wide range of backdoor options and a full system compromise. If the JScript backdoor has been installed, it allows encrypted remote command & control and sends system information including antimalware programs and the IP address. At this point, Cobalt Group has successfully penetrated the target system and may proceed to pivot into other systems, maintain persistence or move on to achieve their final goal.
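Detection logic for Phases 3 and 4 of the chain above, written as an added example that is not from the original document or from any vendor reporting on Cobalt Group: it scans process-creation telemetry for an Office application spawning CMSTP or PowerShell, for CMSTP being handed an INF file from a user-writable directory, and for CMSTP acting as a launcher. The Office-parent heuristic is an assumption of this example; the event records and paths are constructed; the ATT&CK technique IDs for CMSTP and PowerShell are the real ones.

```python
from dataclasses import dataclass

# Office applications in which the case study's booby-trapped documents open (assumed list).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# AppLocker-allowed Microsoft binaries the text says are proxied through,
# with the ATT&CK technique each maps to.
PROXY_BINARIES = {
    "cmstp.exe": "T1218.003",       # System Binary Proxy Execution: CMSTP
    "powershell.exe": "T1059.001",  # Command and Scripting Interpreter: PowerShell
}

# Directories an ordinary user can write to; a legitimate connection-manager
# profile would not normally be installed from one of these.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")


@dataclass
class ProcEvent:
    """Minimal process-creation record (the fields Sysmon Event ID 1 or EDR telemetry carry)."""
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: list) -> list:
    """Return (technique_id, reason) for each event matching the Phase 3/4 chain."""
    alerts = []
    for ev in events:
        parent, child = basename(ev.parent_image), basename(ev.image)
        cmd = ev.command_line.lower()
        if parent in OFFICE_PARENTS and child in PROXY_BINARIES:
            # A document spawning CMSTP or PowerShell: Office has no routine need to.
            alerts.append((PROXY_BINARIES[child], f"{parent} spawned {child}"))
        elif child == "cmstp.exe" and ".inf" in cmd and any(d in cmd for d in USER_WRITABLE):
            # CMSTP installing an INF profile from a user-writable location.
            alerts.append(("T1218.003", "cmstp.exe given an INF from a user-writable path"))
        elif parent == "cmstp.exe":
            # CMSTP acting as the launcher for the next stage of the chain.
            alerts.append((PROXY_BINARIES.get(child, "T1218.003"), f"cmstp.exe spawned {child}"))
    return alerts


# Constructed telemetry, not a real capture: benign activity plus three chain events.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r'"WINWORD.EXE" C:\Users\victim\Downloads\invoice.docx'),
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\System32\cmstp.exe",
              r"cmstp.exe C:\Users\victim\AppData\Local\Temp\profile.inf"),
    ProcEvent(r"C:\Windows\System32\cmstp.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -NoProfile -File C:\Users\victim\AppData\Local\Temp\stage.ps1"),
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -NoProfile -File C:\Users\victim\AppData\Local\Temp\stage.ps1"),
    ProcEvent(r"C:\Windows\System32\services.exe", r"C:\Windows\System32\svchost.exe",
              "svchost.exe -k netsvcs"),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe Get-Service"),  # an admin's interactive shell: not flagged
]

if __name__ == "__main__":
    for technique, reason in detect(SAMPLE_EVENTS):
        print(technique, reason)
```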

Tools, Techniques, Procedures

• TTPs - Tools, Techniques and Procedures, or Tactics, Techniques, and Procedures.

• TTPs are the actions that threat actors take when conducting cyber attacks. They’re used by defenders to track the tactics that different threat groups use, and let us gather intelligence to aid security operations teams. By understanding how malicious actors perform attacks, we can implement defenses to stop or slow them down.

MITRE’s ATT&CK Framework has over 260 different techniques mapped and split into 12 different categories:

• Initial Access

• Execution

• Persistence

• Privilege Escalation

• Defense Evasion

• Credential Access

• Discovery

• Lateral Movement

• Collection

• Command and Control

• Exfiltration

• Impact
Example Walkthrough

If security analysts at Organization A discover a script that is exfiltrating data, this will be mapped to a TTP. In this case, it is T1020.

Now the security analysts and incident response team can use this to work backward, identifying how the attackers gained initial access and conducted other activities such as privilege escalation and lateral movement. All of this information can be mapped as an attack path and used to fully understand cyberattacks, how successful cyber-attacks have occurred, and how to prevent a similar attack in the future.

Each TTP in the MITRE ATT&CK Framework also has mitigations and detection advice. If we look at this information for T1020, we’re provided with the following:

Over time, defenders are able to build up attack paths for different incidents, and this process can potentially provide attribution for certain groups. If security analysts at Organization A observe a threat actor following a specific TTP path, they can check whether any known APTs follow the same or a similar path, and then to a reasonable degree attribute the observed attack to that group. The organization can then start implementing defenses against other tactics and malware this group uses as a proactive measure.

Proactive Defence

• Instead of waiting for attacks to happen and recording the TTPs that were used, security teams could take a proactive approach and go through different TTPs, checking whether the organization has appropriate security controls and monitoring capabilities to detect and stop attackers using these known techniques.

• Penetration tests could be conducted with specific attack paths to see if they are effective, or if the company’s defenses work to detect and defend against them.

• MITRE has a page dedicated to listing the TTPs used by certain threat groups (https://attack.mitre.org/groups/), so if an organization determined that APT30 is likely to target them, they could go through APT30’s TTPs and ensure that defenses and monitoring capabilities are put in place.
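The Example Walkthrough and the Proactive Defence steps above as working code, added here and not part of the original document: observed techniques are laid out as an attack path in tactic order (working backward from the T1020 finding), scored against group TTP profiles by set overlap for attribution, and a group profile is diffed against the detections in place to list coverage gaps. The technique IDs and tactic names are the real ATT&CK ones; the group profiles and the incident are constructed for illustration and are not MITRE's group pages.

```python
# The 12 ATT&CK tactics from the list above, in the order an intrusion
# usually moves through them; used to lay observed techniques out as a path.
TACTICS = ["Initial Access", "Execution", "Persistence", "Privilege Escalation",
           "Defense Evasion", "Credential Access", "Discovery", "Lateral Movement",
           "Collection", "Command and Control", "Exfiltration", "Impact"]

# Tactic for each technique used here (a hand-picked subset of the framework).
TACTIC_OF = {
    "T1566.001": "Initial Access",       # Phishing: Spearphishing Attachment
    "T1204.002": "Execution",            # User Execution: Malicious File
    "T1059.001": "Execution",            # Command and Scripting Interpreter: PowerShell
    "T1218.003": "Defense Evasion",      # System Binary Proxy Execution: CMSTP
    "T1071.001": "Command and Control",  # Application Layer Protocol: Web Protocols
    "T1020": "Exfiltration",             # Automated Exfiltration (the walkthrough's finding)
}

# Constructed group profiles for illustration only; real profiles come from
# https://attack.mitre.org/groups/ and would be loaded from there in practice.
GROUP_PROFILES = {
    "GROUP-A (constructed)": {"T1566.001", "T1204.002", "T1218.003",
                              "T1059.001", "T1071.001", "T1020"},
    "GROUP-B (constructed)": {"T1566.001", "T1059.001", "T1071.001"},
}


def attack_path(observed):
    """Order observed techniques by tactic, reconstructing the path the analysts
    work backward along from the exfiltration they found first."""
    rank = {tactic: i for i, tactic in enumerate(TACTICS)}
    return sorted(((TACTIC_OF[t], t) for t in observed), key=lambda p: rank[p[0]])


def attribute(observed, profiles=GROUP_PROFILES):
    """Score each known group by Jaccard overlap between its TTPs and the observed
    set; returns (group, score) pairs, best first. Overlap is evidence, not proof:
    the text notes that groups share tools and copy each other's tactics."""
    obs = set(observed)
    scores = {g: len(obs & p) / len(obs | p) for g, p in profiles.items()}
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


def coverage_gaps(group, detections_in_place, profiles=GROUP_PROFILES):
    """Proactive step: which of a group's TTPs has the organization no detection
    for yet? Sorted so the output is stable."""
    return sorted(profiles[group] - set(detections_in_place))


if __name__ == "__main__":
    found = ["T1020", "T1059.001", "T1218.003", "T1566.001"]  # constructed incident
    for tactic, technique in attack_path(found):
        print(f"{tactic:20} {technique}")
    print(attribute(found))
    print(coverage_gaps("GROUP-A (constructed)", ["T1566.001", "T1059.001", "T1020"]))
```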
