Hackers of India

Unmasking APTs: An Automated Approach for Real-World Threat Attribution

Aakansha Saha

2023/12/07


Presentation Material

Abstract

In recent years, there has been a significant increase in the occurrence of technically sophisticated Advanced Persistent Threats (APTs). These threats have notably impacted various sectors, including industry, governance, and democracy. Security researchers are overwhelmed by the volume and complexity of this diverse threat landscape. Thus far, researchers have primarily relied on manual analysis to study various types of malicious files and discern distinct techniques, custom tools, and behavioral patterns employed by these APTs. For instance, after the SolarWinds breach in December 2020, cybersecurity experts attempted to attribute the attack to its originators. It wasn’t until May 2022 that FireEye found similarities between the SolarWinds malware and the Russia-linked cyberespionage group Turla (APT29), which connected the two.

In this presentation, we explore the challenges of attributing APTs in real-world scenarios. Through case studies, we emphasize how APT groups adapt campaigns based on their objectives, share tooling, and utilize diverse files and platforms. This adaptability and evolution often result in inconsistent or inaccurate attribution claims. To address this, we propose a two-tiered approach to attribution, i.e., at the APT campaign and APT group levels. We present ADAPT, a machine-learning-based pipeline that automates attribution across diverse malicious file types (executables and documents). We apply ADAPT to a newly curated APT dataset comprising 6,134 real-world APT samples from May 2006 to March 2023. We employ a standardization process to ensure consistency in group names and identify 92 unique APT groups. ADAPT utilizes an unsupervised clustering algorithm and effectively identifies samples with similar objectives and those associated with the same APT groups. Finally, through qualitative case studies on APT29, APT32, APT42, and Sidewinder, we demonstrate how our categorization enables the classification of unknown threat campaigns and their associated threat groups, significantly reducing the need for manual analysis.