How shape-shifting threat actors complicate attack attribution

Researchers explain how they identified—or failed to identify—the threat actors behind three high-profile incidents and why attribution is so difficult.

The already difficult task of attributing a cybersecurity attack to a particular threat actor is made harder by the shape-shifting nature of threat groups. Despite the best efforts of researchers, some attackers may never be identified.

At last week’s VB2021 conference, cybersecurity analysts and researchers walked through the breadcrumbs they followed to identify the malicious actors behind the Colonial Pipeline, Sony Pictures, and Iran railway system attacks. These examples show why attribution is complicated and sometimes impossible.

From Carbanak to BlackMatter

CrowdStrike researchers quickly attributed the Colonial Pipeline attack this past May to a group known as Carbon Spider, likely an Eastern European or Russia-based threat group. But as Josh Reynolds, a senior security researcher at CrowdStrike, and Eric Lou, a senior intelligence analyst at CrowdStrike, spelled out at VB2021, the group wasn’t always a “big game” ransomware threat.

Carbon Spider started in 2013 using Carbanak malware to target financial institutions before moving on in 2015 to target restaurants and the hospitality industry with point-of-sale (POS) malware to collect payment card data. In 2016, Cobalt Spider broke off from Carbon Spider to handle the card data thefts while Carbon Spider continued to target financial entities.

This article appeared in CSO Online.
