Page 322 - Cyber Defense eMagazine September 2025
Challenges of Profiling Threat Actors?
Confusion is one of the most powerful weapons adversaries and threat actors wield in cyberspace, and many other factors can leave analysts feeling trapped in a maze where everything looks the same and there is no way out. A natural question arises: can we track an attacker or a specific group by comparing their code with that of another cybercrime group? Unfortunately, the answer is usually a hypothesis rather than a certainty. Most attack groups copy techniques and methods from other groups, coding style included, and some do so deliberately to mislead investigators. The following practices make it harder to attribute attacks with confidence:
Switching Languages: Adversaries may switch the language they write in when communicating across borders. This is commonly seen in forum and dark-market discussions, so the language of a post or a code comment says little about the author's native tongue.
Manipulating Timestamps: Attackers can alter timestamps and plant false information in the metadata of programs or files (a compile timestamp or a document author field, for example) so that the artifacts point to another region or working pattern. In a targeted attack this is done deliberately, to steer analysts toward a different suspect.
Mimicking Code: Malicious macros or payloads may be written to resemble the behavior and style of another group's code, including a group from a different country.
Changing Time Zones: Attackers may set system clocks and time zones to match the local working hours of another country, so that activity patterns appear to originate elsewhere.
Using Multiple Proxies: Attackers chain several proxies so that the source address an analyst observes is not the true origin of the attack.
Domain Registration: Infrastructure domains may be registered under someone else's name or in a different country to conceal the attacker's identity.
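To make the timestamp and time-zone points above concrete, here is an added example (not code from the article or from any vendor tooling) that parses the compile timestamp from a constructed, non-loadable PE header, shows how cheaply that single field can be rewritten, cross-checks it against an independent observation such as a first-seen date, and enumerates the UTC offsets under which a set of build times all fall within business hours. The sample bytes, the build timestamps and the first-seen dates are constructed for the demonstration; the 09:00 to 18:00 "working hours" window is an assumption, not a standard.

```python
"""Constructed example: how little a PE compile timestamp proves on its own."""
import struct
from datetime import datetime, timedelta, timezone

DOS_HEADER_SIZE = 0x40        # minimal DOS header; e_lfanew sits at offset 0x3C
E_LFANEW_OFFSET = 0x3C
COFF_TIMESTAMP_OFFSET = 8     # "PE\0\0"(4) + Machine(2) + NumberOfSections(2)

# Constructed sample inputs (not real observations).
SAMPLE_BUILD_TIMES = [1_700_000_000, 1_700_010_800]   # 22:13 and 01:13 UTC
SAMPLE_FIRST_SEEN = 1_690_000_000                    # sandbox saw it ~4 months earlier


def build_minimal_pe(timestamp: int) -> bytes:
    """Constructed sample: DOS header plus a bare COFF file header.
    Not a runnable executable, just enough structure for header parsing."""
    dos = bytearray(DOS_HEADER_SIZE)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, DOS_HEADER_SIZE)
    # Machine (x64), NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, timestamp, 0, 0, 0, 0x0022)
    return bytes(dos) + coff


def _timestamp_offset(pe: bytes) -> int:
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", pe, E_LFANEW_OFFSET)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew + COFF_TIMESTAMP_OFFSET


def read_compile_timestamp(pe: bytes) -> int:
    """Return the COFF TimeDateStamp (seconds since 1970-01-01 UTC)."""
    (ts,) = struct.unpack_from("<I", pe, _timestamp_offset(pe))
    return ts


def set_compile_timestamp(pe: bytes, timestamp: int) -> bytes:
    """Rewrite the compile timestamp in place. Four bytes, no checksum,
    no signature: this is all a false-flag operator needs to change."""
    out = bytearray(pe)
    struct.pack_into("<I", out, _timestamp_offset(pe), timestamp)
    return bytes(out)


def assess_timestamp(compile_ts: int, first_seen_ts: int) -> list:
    """Cross-check the claimed compile time against an independent observation
    (first sandbox submission, first telemetry sighting). Returns flag names."""
    flags = []
    if compile_ts == 0:
        flags.append("zero_timestamp")               # stripped or zeroed by the builder
    if compile_ts > first_seen_ts:
        flags.append("compiled_after_first_seen")    # impossible: the field is forged
    if first_seen_ts - compile_ts > 10 * 365 * 86400:
        flags.append("implausibly_old")              # possible, but corroborate first
    return flags


def local_hour(timestamp: int, utc_offset_hours: int) -> int:
    """Hour of day the timestamp falls on in a given fixed UTC offset."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return datetime.fromtimestamp(timestamp, tz).hour


def working_hours_candidates(timestamps: list, start: int = 9, end: int = 18) -> list:
    """UTC offsets under which every build lands inside the assumed business-hours
    window. Several disjoint regions usually fit, which is why build-time
    clustering alone cannot pin down a country."""
    return [off for off in range(-12, 15)
            if all(start <= local_hour(ts, off) < end for ts in timestamps)]


if __name__ == "__main__":
    sample = build_minimal_pe(SAMPLE_BUILD_TIMES[0])
    print("claimed compile time:", read_compile_timestamp(sample))
    print("flags vs. first seen:", assess_timestamp(read_compile_timestamp(sample), SAMPLE_FIRST_SEEN))
    forged = set_compile_timestamp(sample, 1_262_304_000)   # 2010-01-01 00:00 UTC
    print("after rewrite:", read_compile_timestamp(forged))
    print("UTC offsets consistent with office hours:", working_hours_candidates(SAMPLE_BUILD_TIMES))
```

The last function is the point of the example: the two constructed build times fit a 9-to-18 working day both around UTC-8 and around UTC+11, so the "working hours" argument narrows the field only when combined with evidence the attacker cannot rewrite as easily, such as the first-seen date used in assess_timestamp.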
What are their techniques?
Adversaries use a variety of techniques and operational methods that differ greatly from one group to another. Financially motivated groups, such as those tracked under the FIN designation, tend to target the banking and wider economic sectors, while hacktivist or "leaktivist" groups focus on the public sector and are driven more by political or ideological motives than by financial gain. The same distinction applies among Advanced Persistent Threats (APTs). What sets these groups apart is not just their goals but also their behavioral patterns.
Consider the cybercriminal factions tracked as "Spiders." Their main goal is to disrupt or disable systems for financial gain. One of the biggest challenges for security researchers is attribution. As discussed in the first part of this series, a group can change its identity, tools, and motives over time. When the players change, even if the techniques and tools stay the same, everything else (objectives, motivations, and incentives) can shift dramatically. An APT group might begin by extracting sensitive intelligence and later switch to destructive actions; likewise, a financially motivated group such as a Spider may suddenly pursue political or ideological aims. In this article we examine these patterns in a way that keeps false positives to a minimum, and later we look at why this approach leads to fewer attribution mistakes.
Copyright © 2025, Cyber Defense Magazine. All rights reserved worldwide.