
Threat Actor and Intrusion-sets

[Open] AAA10CR7 opened this issue 2 years ago · 9 comments

I have a concern about how to best utilize Intrusion Sets. Taking the Russian cyber threat landscape as an example, how can we categorize (GRU, SVR, FSB) on one hand and (APT28, APT29, Sandworm) on the other? [screenshot attached]

Currently, I use GRU, SVR, ... as Threat Actors and APT28, APT29, ... as Intrusion Sets. I am not sure if this is best practice, but this is what feels right to me. With this approach, a few statistics are not shown, such as reports and indicators.

Given the attachment below, how can we map the entire Russian cyber threat landscape? [image: russian-apt-groups]

AAA10CR7 · Jul 15 '22 17:07

One piece of advice I would propose is that SVR, FSB, and GRU are not "exclusively cyber" organizations, but rather organizations which employ specific teams (or contract the work out to other private organizations) to carry out cyber operations. All three of these (FSB, SVR, GRU) do many, many other things apart from cyber operations too, so my read is that the Intrusion Sets would be used for tracking teams or units within these that have carried out (or will carry out) cyber operations.

Similar to how there are "Countries" under Entities, there are also "Organizations", and that is where I would recommend you define formally established organizations such as FSB, SVR, or GRU, and then relate them accordingly to analysis reports and events, similar to how you would associate countries of origin with those using the Country entities.

ckane · Jul 15 '22 23:07

The STIX documentation explains this in further (and more abstract) detail: https://oasis-open.github.io/cti-documentation/examples/defining-campaign-ta-is

ckane · Jul 15 '22 23:07

Thanks @ckane for sharing your thoughts. Based on your understanding, what would be the best use of Threat Actors?

You said an Intrusion Set could be a team or a group that carries out cyber operations. So who is the Threat Actor? Can you give an example from the Russian cyber threat landscape as well?

AAA10CR7 · Jul 16 '22 18:07

Just referencing the following STIX section, I'd suggest Threat Actors be used for individuals (and perhaps static groups of individuals, or perhaps unidentified ones, but that probably gets confusing or conflicting):

  • http://docs.oasis-open.org/cti/stix/v2.0/stix-v2.0-part1-stix-core.html#_Toc496709304 (Section 6.9 from STIX Core documentation)

I'll walk through an example Intrusion Set (the famous APT1 / Unit 61398 group) that has already had a number of members revealed. Don't necessarily take my word as gospel on this subject, though; this is just my conclusion of how I interpret the STIX spec to organize these concepts. If you think I've made a mistake, by all means feel free to point it out (and please point me to the info documenting the correct usage).

For this exercise, I will pick from an area I have more expertise with. In 2014, the US Dept. of Justice published an indictment against multiple Chinese nationals alleged to be members of the Second Bureau of the General Staff Department (GSD), Third Department, aka Unit 61398 of the People's Liberation Army (PLA) of the People's Republic of China (PRC).

  • https://www.justice.gov/opa/pr/two-chinese-hackers-working-ministry-state-security-charged-global-computer-intrusion

Those named in the indictment were:

  • Wang Dong
  • Sam Kailiang
  • Wen Xinyu
  • Huang Zhenyu
  • Gu Chunhui

An important note is that, initially, you will likely not have individuals identified so readily. In many cases, you may only have a pseudo-identity (such as a common user name, some sort of initials, or a nickname/handle they use). In the above, "UglyGorilla", "KandyGoo", "Win XY", and "Jack Sun" were some examples that may even have been identified by others prior to the indictment (through leaking of usernames from online SaaS services, clumsy leaking into "Author" fields of documents/files, leaking of adversary home-folder names in Visual Studio PDB paths, and so on). The short answer is that if, during an investigation, you do identify individuals via some identifier, whether name or handle, then you could create a "Threat Actor" entity to start tracking that detail as your investigation develops.

Further, the indictment goes on to discuss multiple victim companies (ATI, Westinghouse, U.S. Steel, SolarWorld, USW, and Alcoa) and identifies which victims were targeted by each member of the team during the campaign. According to the indictment, the overarching campaign(s) they are alleged to have carried out did not have a great deal of overlap (though there were multiple operators in at least one case, which is identified in the indictment).

Mandiant reported Unit 61398 to be a group they had been tracking as APT1:

  • https://www.mandiant.com/sites/default/files/2021-09/mandiant-apt1-report.pdf

And for the distinct campaigns, I will pull from the Wikipedia page; for the sake of this exercise, take as fact everything documented there, including aspects that are uncited:

  • https://en.wikipedia.org/wiki/PLA_Unit_61398

The above page lists the following as "engagements" attributed to Unit 61398:

  • Operation ShadyRAT
  • Operation Aurat
  • Operation GhostNet

So, from the above, my read on how to organize all of this could be:

  • Countries:
    • United States
    • China (or Peoples' Republic of China, if you prefer)
  • Organizations:
    • US Department of Justice
    • People's Liberation Army (feel free to be as detailed as you want; in OpenCTI, you should be able to relate organizations to other organizations, and add a note to document the nature of the relationship)
      • General Staff Department
        • Second Bureau
          • Third Department
    • Alcoa
    • ATI
    • SolarWorld
    • U.S. Steel
    • USW
    • Westinghouse
  • Intrusion Sets:
    • Unit 61398 (or APT1, or Comment Panda, but document the aliases as much as possible)
  • Threat Actors:
    • Wang Dong
    • Sam Kailiang
    • Wen Xinyu
    • Huang Zhenyu
    • Gu Chunhui
  • Campaigns:
    • Operation ShadyRAT
    • Operation Aurat
    • Operation GhostNet

Additionally, though it is somewhat difficult to track down now that so much time has passed (which is a great reason to use the PDF importer in OpenCTI to permanently store web-hosted reports after you print them to PDF), Mandiant at the time also published details on numerous tools that the Intrusion Set had used during one or more of the above Campaigns:

  • https://cybersecurity.att.com/blogs/labs-research/yara-rules-for-apt1-comment-crew-malware-arsenal

Tool names such as the following were documented: AURIGA, BISCUIT, HACKSFACE, GETMAIL, LIGHTBOLT, TARSIP, WARP. These would also be suitable candidates for the "Arsenal - Malware" section.

ckane · Jul 18 '22 04:07
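Worked example added by the editor (not code from the thread, from OpenCTI, or from STIX itself): the layout sketched in the comment above expressed as a STIX 2.1 bundle using only the Python standard library, with each relationship checked against a subset of the STIX 2.1 relationship summary table before it is emitted. Entity names are taken verbatim from the comment above; the `part-of` relationship used for the organization hierarchy is assumed to follow OpenCTI's convention rather than an entry in the STIX table (STIX 2.1 permits custom relationship types, so it is allowed explicitly here).

```python
"""STIX 2.1 bundle for the Unit 61398 / APT1 layout, standard library only.

Added example, not from the thread or OpenCTI. ALLOWED is a subset of the
STIX 2.1 relationship summary table; CUSTOM_OK is an assumption about how
OpenCTI links organizations to each other ("part-of").
"""
import json
import uuid
from datetime import datetime, timezone

# (source SDO type, relationship_type) -> permitted target SDO types.
ALLOWED = {
    ("intrusion-set", "attributed-to"): {"threat-actor"},
    ("intrusion-set", "originates-from"): {"location"},
    ("intrusion-set", "targets"): {"identity", "location", "vulnerability"},
    ("intrusion-set", "uses"): {"malware", "tool", "attack-pattern", "infrastructure"},
    ("threat-actor", "attributed-to"): {"identity"},
    ("threat-actor", "located-at"): {"location"},
    ("campaign", "attributed-to"): {"intrusion-set", "threat-actor"},
    ("campaign", "targets"): {"identity", "location", "vulnerability"},
}
# Assumption: OpenCTI models organization hierarchy as identity part-of identity.
CUSTOM_OK = {("identity", "part-of"): {"identity"}}

# Names exactly as listed in the comment above (constructed sample data).
NAMED_ACTORS = ["Wang Dong", "Sam Kailiang", "Wen Xinyu", "Huang Zhenyu", "Gu Chunhui"]
VICTIMS = ["Alcoa", "ATI", "SolarWorld", "U.S. Steel", "USW", "Westinghouse"]
CAMPAIGNS = ["Operation ShadyRAT", "Operation Aurat", "Operation GhostNet"]
TOOLS = ["AURIGA", "BISCUIT", "HACKSFACE", "GETMAIL", "LIGHTBOLT", "TARSIP", "WARP"]


def _ts() -> str:
    # STIX 2.1 timestamps are RFC 3339 in UTC with millisecond precision.
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def sdo(obj_type: str, name: str, **props) -> dict:
    """Build a STIX Domain Object with the common required properties."""
    ts = _ts()
    return {"type": obj_type, "spec_version": "2.1", "id": f"{obj_type}--{uuid.uuid4()}",
            "created": ts, "modified": ts, "name": name, **props}


def check(src_type: str, rel: str, dst_type: str) -> bool:
    """True if the (source, relationship_type, target) combination is permitted."""
    key = (src_type, rel)
    return dst_type in (ALLOWED.get(key, set()) | CUSTOM_OK.get(key, set()))


def relate(src: dict, rel: str, dst: dict) -> dict:
    """Build a STIX Relationship Object, refusing combinations the table forbids."""
    if not check(src["type"], rel, dst["type"]):
        raise ValueError(f"{src['type']} --{rel}--> {dst['type']} is not permitted")
    ts = _ts()
    return {"type": "relationship", "spec_version": "2.1",
            "id": f"relationship--{uuid.uuid4()}", "created": ts, "modified": ts,
            "relationship_type": rel, "source_ref": src["id"], "target_ref": dst["id"]}


def build_bundle() -> dict:
    china = sdo("location", "China", country="CN")
    pla = sdo("identity", "Peoples' Liberation Army", identity_class="organization")
    gsd = sdo("identity", "General Staff Department", identity_class="organization")
    victims = [sdo("identity", v, identity_class="organization") for v in VICTIMS]
    unit = sdo("intrusion-set", "Unit 61398", aliases=["APT1", "Comment Panda", "Comment Crew"])
    actors = [sdo("threat-actor", n, threat_actor_types=["nation-state"]) for n in NAMED_ACTORS]
    campaigns = [sdo("campaign", c) for c in CAMPAIGNS]
    malware = [sdo("malware", t, is_family=True) for t in TOOLS]   # is_family is required in 2.1

    rels = [relate(gsd, "part-of", pla), relate(unit, "originates-from", china)]
    rels += [relate(unit, "attributed-to", a) for a in actors]    # people behind the set
    rels += [relate(a, "attributed-to", gsd) for a in actors]     # the organization they serve
    rels += [relate(c, "attributed-to", unit) for c in campaigns]
    rels += [relate(unit, "targets", v) for v in victims]
    rels += [relate(unit, "uses", m) for m in malware]

    objects = [china, pla, gsd, unit, *victims, *actors, *campaigns, *malware, *rels]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


def summarize(bundle: dict) -> dict:
    """Count bundle objects by STIX type, e.g. {'threat-actor': 5, ...}."""
    counts: dict = {}
    for obj in bundle["objects"]:
        counts[obj["type"]] = counts.get(obj["type"], 0) + 1
    return counts


if __name__ == "__main__":
    print(json.dumps(build_bundle(), indent=2))
```

The check in `relate` is where the thread's question shows up in code: the STIX 2.1 table lets an intrusion-set be `attributed-to` a threat-actor, and a threat-actor `attributed-to` an identity, but it has no `intrusion-set attributed-to identity` row, so attributing Unit 61398 directly to the PLA identity is rejected. Modelling an agency such as the GRU as an identity therefore forces the chain intrusion-set → threat-actor → identity; modelling it as a threat-actor (as later comments in this thread conclude is also spec-compatible) lets `intrusion-set attributed-to threat-actor` carry the link in one hop.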

Thanks, it is clear now. To me it all seems reasonable, even for Threat Actor. For the same example, I would use Individuals rather than Threat Actors, and then link them to the Intrusion Set.

By doing this, the Threat Actor will act as a container for multiple Intrusion Sets. This will help organize things and make them clearer. It would then be easy to include all (Russian) Intrusion Sets under a single Threat Actor, and statistics and a country profile could be built and tracked easily.

Thanks for sharing your thoughts. It is all valid, as long as we maintain it properly.

AAA10CR7 · Jul 19 '22 13:07

My big distinction between Threat Actor and Individual is that I'd reserve Individuals for victims/targets/authors, while Threat Actor is an entity that has additional fields to describe "threat type" as well as the level of confidence in the assessment. It could very well be a subclass of Individual, but that's not how the tool (or STIX) was designed, so I chose to draw the distinction as described.

ckane · Jul 19 '22 18:07

Your proposed usage of Threat Actor for FSB, GRU, etc. (if I understood correctly) would also match the STIX-defined usage, based on https://docs.oasis-open.org/cti/stix/v2.1/cs01/stix-v2.1-cs01.html#_k017w16zutw

So I don't see this conflicting with how others will be tracking it, either.

ckane · Jul 19 '22 22:07

Based on this:

4.16 Threat Actor

Type Name: threat-actor

Threat Actors are actual individuals, groups, or organizations believed to be operating with malicious intent. A Threat Actor is not an Intrusion Set but may support or be affiliated with various Intrusion Sets, groups, or organizations over time.

Threat Actors leverage their resources, and possibly the resources of an Intrusion Set, to conduct attacks and run Campaigns against targets.

Threat Actors can range from whole organizations, like the GRU and FSB mentioned above, down to individuals. Nesting Threat Actors accomplishes both of the goals mentioned above, it would seem. You can attach more "malicious" attributes to a Threat Actor than you can to an Individual.

A good use case, as I see it, would be having an organization as a Threat Actor and then having Threat Actors (personnel, perhaps) and Intrusion Sets (APT groups) attributed to or part of the overarching organization, and so on.

rabbipigeon · Jul 20 '22 08:07

Yep, this was the point I was making with my last comment too: the entity type can be used for groups/organizations, so choosing to do it this way shouldn't conflict with others. I think you can also "nest" Threat Actors using relationships, so you could capture a malicious organization like that if you want, as well as relate to it the individuals within it that have been identified.

For the example presented, GRU, SVR, and FSB are agencies within the Russian government that are tasked with carrying out statutory duties (many of them benign or typical of any government entity), not unlike parts of the CIA, NSA, DHS, FBI, and DoD in the United States. This is why I feel it can lead to conflicting or confusing reporting, depending upon the context.

An example with a defined group that might fit better into "threat actor" could be the late Iranian hacker community Ashiyane Digital Security Team: https://www.securityweek.com/rise-and-fall-ashiyane-irans-foremost-hacker-forum

In the above article, at least one individual is identified as well: Behrooz Kamalian. The article goes on to discuss motivation, intent, and also some technical details.

ckane · Jul 20 '22 11:07