Kudelski Security Research recently published an article detailing advanced methods for tracking and analyzing threat actor infrastructure, providing valuable insights into cyber attack patterns and attribution techniques.
Decoding Threat Actor Infrastructure: A Case Study
The research team demonstrated their approach using a phishing campaign targeting U.S. and Israeli government officials, attributed to the Iranian group Pioneer Kitten (UNC757).
By mapping and enriching IP addresses associated with the attack, researchers identified connections to a specific hosting provider and established links to campaigns dating back to 2017.
A key finding emerged when investigating historical DNS data. The team discovered a potential overlap with the Gamaredon group, as both Pioneer Kitten and Gamaredon had utilized the same IP address (206.71.148[.]78) for different domains in their respective attacks.
This discovery highlights the importance of tracking historical data to identify operational connections between threat actors.
Advanced Infrastructure Analysis Techniques
The article emphasizes the significance of meticulous documentation and clustering of infrastructure data, even when malicious intent is not immediately apparent.
Threat actors often reuse networks, tools, and operational patterns, making historical records invaluable for tracking evolving tactics.
To illustrate this process, the researchers presented a two-step approach to clustering different infrastructures, using intelligence gathered from a leak related to North Korean IT workers.
By reconstructing a complete infrastructure from a PuTTY configuration file, the team demonstrated how to tag and categorize unknown infrastructures for future reference.
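The historical-DNS overlap described above and the clustering step that follows it can be reduced to one routine: index passive DNS records by IP, flag every IP that more than one tracked actor has used, and down-weight IPs that look like shared hosting. The script below is an added example, not the researchers' code; the records, the placeholder .invalid domains, the actor labels and the max_tenants threshold are all constructed here for illustration (only the IP is the one the article cites).

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class PdnsRecord:
    domain: str
    ip: str
    first_seen: str   # ISO date (constructed sample values)
    last_seen: str
    actor: str        # attribution from the analyst's own tracking notes


# Constructed sample passive-DNS records. Domains are placeholders; the first
# IP is the one the article reports as reused by both groups.
RECORDS = [
    PdnsRecord("phish-a.invalid", "206.71.148.78", "2024-01-10", "2024-03-02", "Pioneer Kitten"),
    PdnsRecord("lure-b.invalid", "206.71.148.78", "2021-06-01", "2021-09-14", "Gamaredon"),
    PdnsRecord("phish-c.invalid", "203.0.113.5", "2024-02-01", "2024-02-20", "Pioneer Kitten"),
    # Four unrelated tenants on one IP: typical of shared hosting, a weak link.
    PdnsRecord("site-d.invalid", "198.51.100.9", "2023-01-01", "2023-12-31", "Actor-W"),
    PdnsRecord("site-e.invalid", "198.51.100.9", "2023-01-01", "2023-12-31", "Actor-X"),
    PdnsRecord("site-f.invalid", "198.51.100.9", "2023-01-01", "2023-12-31", "Actor-Y"),
    PdnsRecord("site-g.invalid", "198.51.100.9", "2023-01-01", "2023-12-31", "Actor-Z"),
]


def index_by_ip(records):
    """Group records by IP so every tenant of an address can be inspected together."""
    by_ip = defaultdict(list)
    for rec in records:
        by_ip[rec.ip].append(rec)
    return by_ip


def find_overlaps(records, max_tenants=3):
    """Return {ip: {...}} for every IP used by two or more distinct actors.

    max_tenants is an assumed heuristic: an IP hosting more actors than this
    is treated as shared hosting and the overlap is reported as low confidence.
    """
    overlaps = {}
    for ip, recs in index_by_ip(records).items():
        actors = sorted({r.actor for r in recs})
        if len(actors) < 2:
            continue
        confidence = "low" if len(actors) > max_tenants else "medium"
        overlaps[ip] = {
            "actors": actors,
            "domains": sorted((r.domain, r.actor, r.first_seen, r.last_seen) for r in recs),
            "confidence": confidence,
        }
    return overlaps
```

Each flagged IP keeps the per-domain sighting windows, so an analyst can see that the two groups' use of the address was years apart before deciding whether it is an operational link or coincidental reuse by a hosting provider.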
The researchers stress the importance of storing this data securely and keeping it easy to retrieve: new findings may reveal overlaps with previously identified infrastructure months or even years later, providing crucial context for long-term threat analysis.
The article addresses the lack of standardized naming conventions in threat intelligence, attributing it to various factors such as unique perspectives from different intelligence providers, shifting alliances, and evolving adversary behaviors.
This inconsistency can lead to discrepancies in how different intelligence teams classify and track threats.
To navigate these challenges, analysts are advised to consider multiple perspectives when analyzing infrastructure based on open-source data.
This includes evaluating the geopolitical context of the attributed adversary, comparing data from multiple intelligence providers, and independently validating attribution claims.
The research concludes by presenting an activity matrix for the Lazarus group, demonstrating how structured approaches can help analysts map attacker organizations, identify operational hierarchies, and detect patterns within their tactics.
This methodology shows how thorough infrastructure analysis helps analysts untangle related threat activity and strengthen their overall cybersecurity posture.