Enterprise cybersecurity

How to find out who’s behind a cyberattack

Cybercriminals don’t leave a calling card, but they do leave evidence. Threat attribution matches their ‘fingerprints’ to help you respond and defend.

Share article

Knowing who or what has attacked us is critical for survival. In cybersecurity, threat intelligence cuts through the noise to find the poisoned needle in your data stack, letting you act fast before damage spreads. But what if you could also find out who is behind the attack?

Threat attribution looks up attackers’ ‘fingerprints’ to plan your response and defense.

How threat attribution helps if you’ve been targeted by an APT

If you’ve been targeted by an advanced persistent threat (APT), threat attribution helps you understand the attack motive and respond quickly.
The cybercrime groups that carry out APT attacks are often linked to state-sponsored attacks. It’s a costly way to get to their prize. If you have something they want, you could be a target.

They’re advanced. No low-cost software bought on the dark web by do-it-yourself cybercriminals. They build their own sophisticated software for purposeful damage.

They’re persistent. They seek you as their target, hitting you with weeks or months of attacks until they break through your IT security defenses. Or they lie dormant for years until the time to attack. Once in, they conduct secret operations to find critical data. If they’re determined, there’s only so much that cybersecurity software can keep safe.

And they’re a serious threat. Their goals range from espionage to sabotage, to data theft for profit.

Threat attribution wins the threat intelligence race, but it’s not for everyone

Threat attribution is a next-level solution, but it’s not for every business. It’s like choosing a car. What you need depends on your journey. A budget motor is fine for driving from A to B. In cybersecurity, that’s endpoint security. If you’re carrying precious cargo, a limousine may be a worthwhile investment. In cybersecurity, that’s threat intelligence.

If you need speed and the most high-tech engine to win the race, threat attribution is that fast-track race car.

If you hold classified information that’s interesting to a rival state, you’re at greatest risk of an APT attack. National security and law enforcement agencies (like Interpol or the FBI) are most vulnerable. They have much to gain by uncovering who’s hacking them. Sometimes APT attacks also target corporates, other government agencies and critical infrastructure like power plants and manufacturing.

You don’t have to be a big organization to be a target. If you’re making components for a military plane, a less friendly state may want to know how you’re making the rudder for counter-intelligence.

Supply chain attacks are also on the rise. By hitting a laptop manufacturer, hackers can infect everyone in an organization. Then, when the time’s right, they strike, cherry-picking who they spy on by hacking straight into their laptop.

Who are the threat actors?

APTs are a fast-growing ‘industry.’ These threat actors are not amateurs. They’re super-organized crime workers. Some have different units for espionage, counter-intelligence and financial exploitation.

Lazarus was the most significant threat actor in 2019. They attacked Sony Pictures Entertainment with a data-wipe in 2014 and made several attacks on South Korea. APT trends in 2020 predict more sophisticated attacks using artificial intelligence (AI) and deep fakes to access personal data.

How does threat attribution work?

When one of the most damaging ever ransomware attacks WannaCry hit in 2017, a Google researcher tweeted cryptic code showing similarities between WannaCry and 2015 malware attributed to Lazarus. This is threat attribution.

Identifying cybercriminals is forensic. It’s deep detective work.

You need to analyze and find clues that take you back to existing knowledge. By analyzing the attack’s context, and nuances and languages deep in the code, researchers can reveal the threat actor’s origins.

These actors rarely leave a calling card, but they do leave evidence. We can analyze malware samples never seen before to find out if the actor is new, or an existing player in disguise.

Like all forensic analysis, it’s slow and painstaking. With highly sophisticated threats, it means reverse-engineering the attacks. It can take years, even for teams of the most skilled researchers. That’s often enough time for attackers to achieve their goals.

How can we shorten the analysis time?

What if we could speed up the process? Faster attribution can shorten incident response times from hours to minutes, and reduce false positives.

To know what’s bad, you need to know what’s good. But to know what’s good, you need experience.

Kaspersky’s Global Research and Analysis Team (GReAT) tracks over 600 APT actors and campaigns. To help the Information Security (InfoSec) community block APTs, they produce 120 or more subscriber reports each year and share highlights in quarterly APT trends reports. Profiling each threat actor can take years, building a database of everything you need to know about them.

From this insight, Kaspersky developed one of the first solutions for automated threat attribution. It’s like the Shazam app – that can identify the song you’re humming by finding a match – for threat intelligence. By uploading a code sample to Kaspersky’s Threat Attribution Engine, it matches previous attacks and APT groups in seconds. It analyzes the malware’s ‘genetics’ to compare to ‘genotypes:’ known malware linked to a threat actor. This fast analysis can help those facing APT attacks to limit damage.

We can’t stop the flood of threats permeating our world, but we can build our defenses. Threat attribution is a new weapon in the arsenal for tackling organized cybercrime, and it could make it far harder for them to succeed.

Protect from Advanced Persistent Threats

Know the origins of your attack with Kaspersky’s Threat Attribution Engine.

About authors

Jose Alemán is a Global Presales Expert at Kaspersky – he’s worked in cybersecurity for nearly two decades. He presents thought leadership to business around the world at events and works with key regional and global customers.