{"id":39755,"date":"2021-02-26T15:19:26","date_gmt":"2021-02-26T15:19:26","guid":{"rendered":"https:\/\/packetstormsecurity.com\/news\/view\/32062\/Old-Foe-Or-New-Enemy-Heres-How-Researchers-Handle-APT-Attribution.html"},"modified":"2021-02-26T15:19:26","modified_gmt":"2021-02-26T15:19:26","slug":"old-foe-or-new-enemy-heres-how-researchers-handle-apt-attribution","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/old-foe-or-new-enemy-heres-how-researchers-handle-apt-attribution\/","title":{"rendered":"Old Foe Or New Enemy? Here&#8217;s How Researchers Handle APT Attribution"},"content":{"rendered":"<div class=\"wysiwyg\">\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"1024\" height=\"614\" src=\"https:\/\/www.scmagazine.com\/wp-content\/uploads\/2021\/02\/3312858421_66f2d11527_o-e1614293545396-1024x614.jpg\" alt class=\"wp-image-113390\" srcset=\"https:\/\/www.scmagazine.com\/wp-content\/uploads\/2021\/02\/3312858421_66f2d11527_o-e1614293545396-1024x614.jpg 1024w, https:\/\/www.scmagazine.com\/wp-content\/uploads\/2021\/02\/3312858421_66f2d11527_o-e1614293545396-300x180.jpg 300w, https:\/\/www.scmagazine.com\/wp-content\/uploads\/2021\/02\/3312858421_66f2d11527_o-e1614293545396-768x461.jpg 768w, https:\/\/www.scmagazine.com\/wp-content\/uploads\/2021\/02\/3312858421_66f2d11527_o-e1614293545396-1536x922.jpg 1536w, https:\/\/www.scmagazine.com\/wp-content\/uploads\/2021\/02\/3312858421_66f2d11527_o-e1614293545396-860x516.jpg 860w, https:\/\/www.scmagazine.com\/wp-content\/uploads\/2021\/02\/3312858421_66f2d11527_o-e1614293545396-156x94.jpg 156w, https:\/\/www.scmagazine.com\/wp-content\/uploads\/2021\/02\/3312858421_66f2d11527_o-e1614293545396-312x187.jpg 312w, https:\/\/www.scmagazine.com\/wp-content\/uploads\/2021\/02\/3312858421_66f2d11527_o-e1614293545396-640x384.jpg 640w, https:\/\/www.scmagazine.com\/wp-content\/uploads\/2021\/02\/3312858421_66f2d11527_o-e1614293545396-1280x768.jpg 1280w, https:\/\/www.scmagazine.com\/wp-content\/uploads\/2021\/02\/3312858421_66f2d11527_o-e1614293545396.jpg 1600w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\"><figcaption>Malwarebytes\u2019 expos\u00e9 of LazyScripter revealed that the group has operated since at least 2018, targeting International Air Transport Association (IATA) members, airlines and immigrants seeking employment in Canada. (<a href=\"https:\/\/www.flickr.com\/photos\/scazon\/\">Scazon<\/a>\/<a href=\"https:\/\/creativecommons.org\/licenses\/by\/2.0\/\">CC BY 2.0<\/a>)<\/figcaption><\/figure>\n<p>With cybercriminals commonly sharing tactics and techniques on underground forums, and with digital adversaries frequently leveraging many of the same commodity malwares and commercially available tools, it can be difficult to assign attribution to a cyber campaign.<\/p>\n<p>So when researchers claim to uncover that a previously unknown APT group is behind a series of attacks \u2013 as threat hunters from Malwarebytes did this week in&nbsp;<a href=\"https:\/\/resources.malwarebytes.com\/files\/2021\/02\/LazyScripter.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">announcing their discovery<\/a>&nbsp;of a newly observed&nbsp;<a href=\"https:\/\/www.scmagazine.com\/home\/research\/new-hacker-group-targets-airlines-refugees-with-well-worn-tools\/\">actor called LazyScripter<\/a>&nbsp;\u2013 it\u2019s usually an intriguing development.<\/p>\n<p>The emergence of any newly unearthed actor often carries significance, as it is important for observers to understand the group\u2019s motivations so that targeted parties are properly warned of their potential victimization, and are advised of what techniques to watch.<\/p>\n<p>Adam Meyers, senior vice president of intelligence at Crowdstrike, told SC Media that a new cyber adversary emerges from the shadows about once every two weeks, to a month. \u201cI think we had something like 19 new adversaries that we introduced in the last year,\u201d said Meyers, along with 25 malicious \u201cactivity clusters\u201d that could not be designated as a distinct adversary. \u201cThis is an expanding set of problems and we\u2019re seeing more and more threat actors each year.\u201d<\/p>\n<p>But it can take time to classify whether a series of attacks is the work of a genuinely new APT or simply an offshoot of a known group. This determination doesn\u2019t necessarily matter from a tactical standpoint of defending against a specific campaign\u2019s methodology. But from a longer-term strategic perspective, the ability to attribute a campaign to a new group or an established group&nbsp;<em>can<\/em>&nbsp;make a difference \u201cin terms of understanding what adversaries they may potentially be associated with and what their intentions and capabilities commonly are,\u201d said Meyers.<\/p>\n<p>\u201cWhen we attribute a group of activities to a new group, it indicates that the actor has some specific characteristics and TTPs that were not similar to any established actors,\u201d said Hossein Jazi, senior threat intelligence analyst at&nbsp;Malwarebytes.&nbsp;\u201cKnowing these specific characteristics can help security researchers to better detect the future campaigns associated with the actor, as well as develop new rules and mechanisms to detect and prevent them.\u201d<\/p>\n<p>When findings on a specific actor\u2019s TTPs and motivations are made public, potentially vulnerable organizations can then \u201cmake an educated assessment of the risk posed by this group,\u201d&nbsp;and \u201ctest their defensive and detective tooling and processes&nbsp;and make changes where required,\u201d explained Claudiu Teodorescu, director of threat research at&nbsp;BlackBerry.&nbsp;\u201cIf the business becomes a&nbsp;victim,&nbsp;they can likely attribute it to a group based off those indicators and should&nbsp;derive&nbsp;the motivation,&nbsp;reacting accordingly to help their customers.\u201d<\/p>\n<p>Malwarebytes\u2019 expos\u00e9 of LazyScripter revealed that the group has operated since at least 2018, targeting International Air Transport Association (IATA) members, airlines and immigrants seeking employment in Canada. The actors have been infecting victims with the post-exploitation framework PowerShell Empire or the multi-stage remote access trojans Octopus and Koadic. The attack vector: phishing emails, which feature lures related to jobs, the IATA, fake software updates, immigration, tourism and travel, and COVID-19.<\/p>\n<p>\u201cMoving forward, we are trying to look for the actor\u2019s future campaigns and see if the actor changes its victims or not,\u201d said Jazi. \u201cThis can help us understand what the main motive of the actor is. Additionally, we are trying to find sold indicators to help us identify the origin of the actor. This could significantly help us to determine why the actor is targeting the IATA and job seekers.\u201d<\/p>\n<p>Early indications point to a high likelihood that LazyScripter is a Middle Eastern actor, Jazi acknowledged, though this has not been confirmed.<\/p>\n<p>Meanwhile, for the greater security community, the public identification of a new APT group&nbsp;\u201callows&nbsp;for potentially unattributed groups&nbsp;to be compared and&nbsp;potentially matched to a common public name,\u201d said Teodorescu. \u201cResearchers with access to different&nbsp;telemetry&nbsp;may have additional indicators which can enrich the public understanding.\u201d<\/p>\n<p>While findings like those shared by Malwarebytes can prove beneficial to both businesses and the infosec community, there is also a potential downside to exposing a new APT group too early, warned Meyers: \u201cIt\u2026 tips your hand to the adversary,\u201d he said, \u201cand they now understand that you\u2019ve seen these aspects of their campaign, how you\u2019re tracking them, and what they might do to better evade it.\u201d<\/p>\n<p>Meyers was referring to the concept of \u201cintel gain\/loss.\u201d Essentially, \u201cIf you\u2019re going to expose what you know, you have to balance that against what is the potential impact on [intel] collection in the future or changing the adversary behavior,\u201d he explained.<\/p>\n<p>For instance, after observing a cybercriminal gang break off from an older group known as Indrik Spider (commonly referred to as&nbsp;<a href=\"https:\/\/www.scmagazine.com\/home\/security-news\/cybercrime\/u-s-charges-alleged-members-of-evil-corp-cybercrime-group-for-zeus-and-dridex-campaigns\/\">Evil Corp<\/a>), the Crowdstrike research team published research on the new actor, officially naming it \u201cDoppel Spider.\u201d Apparently, the adversaries liked that moniker because they soon after made changes to their payment portal to display the nickname they were given by researchers.<\/p>\n<p>It bears noting that Meyers wasn\u2019t criticizing Malwarebytes for its decision to come forward with its latest report, but he did say that intel gain\/loss is an important factor that must be taken into consideration when a new APT is unveiled to the public.<\/p>\n<p><strong>The attribution process<\/strong><\/p>\n<p>But with so much overlap in TTPs among bad actors, how can researchers even be sure that a campaign is truly a \u201cnew\u201d group bursting onto the scene, vs. an already established simply experimenting with new methodologies?<\/p>\n<p>\u201cWhen we perform attribution, we need to have solid indicators to attribute an actor to a known one,\u201d said Jazi. \u201cFor example: using the same toolsets, sharing the code sections or sharing the infrastructure of an existing group. Based on our comprehensive analysis, we have not found any solid indicators to attribute this actor [LazyScripter] to a known group.\u201d<\/p>\n<p>Granted, Malwarebytes&nbsp;did&nbsp;find some notable similarities to the Iranian APT actor <a href=\"https:\/\/www.scmagazine.com\/home\/security-news\/apts-cyberespionage\/muddywater-fin8-and-platinum-threat-actors-back-in-action\/\">MuddyWater<\/a>. Both groups have used Koadic and PowerShell Empire in their campaigns, both have used GitHub to host malicious payloads and both have abused scheduled tasks and Registry Run Keys\/Startup Folder for persistence.<\/p>\n<p>However, Malwarebytes believes the differences outweigh the common bonds. For instance, the LazyScripter actors have used open-source frameworks and commercial malware that MuddyWater has not, and they also embed their malicious loaders within weaponized documents, while MuddyWater uses malicious macros to trigger the infection chain.<\/p>\n<p>Other similarities to the reputed Iranian group OilRig and Russian APT actor APT28 (aka Fancy Bear) were also dismissed by Malwarebytes as minor overlaps.<\/p>\n<p>Still, there is disagreement over whether Malwarebytes is correct in labeling LazyScripter a new group.<\/p>\n<p>Meyers, for one, isn\u2019t fully convinced. \u201cRight now I would consider this more of an activity cluster,\u201d he said. \u201cThere\u2019s a discrete set of infrastructure that appears to be tied to it, but there\u2019s still enough overlap with Russian and Iranian groups to call into question its full independence.\u201d<\/p>\n<p>On the other hand, Teodorescu thought Malwarebytes has made a \u201cstrong case,\u201d although \u201cwithout taking&nbsp;the time to do&nbsp;proper&nbsp;research ourselves, we cannot give an opinion either way.\u201d<\/p>\n<p>Meyers described Crowdstrike\u2019s general approach toward attribution whenever a new campaign is uncovered: \u201cOur approach is to start a narrow circle around the activity we\u2019re looking at, and then look for overlaps in tactics, techniques and procedures; look for overlaps in infrastructure, look for overlaps in lots of different pieces of the puzzle, in order to determine: Is this new activity? And, if so, can we tie it back to anything that currently exists?\u201d<\/p>\n<p>If Crowdstrike sees no clear connections, the research team will track the campaign as its own distinct cluster. \u201cAnd over time that may evolve to a separate adversary, it may evolve to a known existing adversary, or may dissipate and we lose track of it.\u201d<\/p>\n<p>To remove subjective bias from any attribution investigations, Crowdstrike applies \u201crigorous analytics standards,\u201d Meyers added. \u201cMaking sure this activity conforms to our standards dictates where [the investigation] goes and if it graduates up to an adversary or not.\u201d<\/p>\n<p>One of the biggest challenges surrounding attribution is the wide availability of common, off-the-shelf or open-source tools at the disposal of threat actors. The less customized the toolset, the harder it is to identify the unique hallmarks of the APT group \u2013 which helps give the nation-state behind any attack plausible deniability.<\/p>\n<p>\u201cAttribution is&nbsp;based on a collection of data points&nbsp;so a general similarity is likely not enough to reach a conclusion,\u201d said Teodorescu. \u201cUsually, correlation for attribution based on open-source tools&nbsp;used or well-known persistence mechanisms&nbsp;is&nbsp;not recommended given that the whole purpose of using such tools&nbsp;or techniques&nbsp;by&nbsp;a&nbsp;threat actor is to avoid being named.\u201d<\/p>\n<p>\u201cIt is common for threat actor groups to use similar techniques and toolsets,\u201d said Teodorescu added. \u201cGeneral availability, documentation, and the ability to modify&nbsp;projects that&nbsp;have source code available&nbsp;has led&nbsp;to&nbsp;many cases of&nbsp;off-the-shelf or patched&nbsp;security tools&nbsp;being&nbsp;used for nefarious&nbsp;reasons.\u201d But that does mean threat analysts have no recourse: \u201cHow a tool is configured or utilized for&nbsp;a&nbsp;specific campaign is an example of how a researcher might&nbsp;work towards&nbsp;being&nbsp;able to differentiate between threat actor groups,\u201d he continued.<\/p>\n<p>To their credit, Teodorescu noted that&nbsp;Malwarebytes\u2019 researchers \u201cused not only&nbsp;specific tooling and TTPs, but also underlying infrastructure as a differentiator between other known APT groups. Compounding evidence shows proof of work and increases&nbsp;the&nbsp;community\u2019s&nbsp;confidence of the report.\u201d<\/p>\n<\/p><\/div>\n<section class=\"post-tags\">\n<h2>Topics:<\/h2>\n<p> <a href=\"https:\/\/www.scmagazine.com\/tag\/apt\/\" class=\"button -secondary\">APT<\/a> <a href=\"https:\/\/www.scmagazine.com\/tag\/phishing\/\" class=\"button -secondary\">Phishing<\/a> <a href=\"https:\/\/www.scmagazine.com\/tag\/threat-intelligence\/\" class=\"button -secondary\">Threat intelligence<\/a> <\/section>\n<p> READ MORE <a href=\"https:\/\/packetstormsecurity.com\/news\/view\/32062\/Old-Foe-Or-New-Enemy-Heres-How-Researchers-Handle-APT-Attribution.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":39756,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[277],"tags":[5312],"class_list":["post-39755","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity-blogs","tag-headlinehackermalware"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v28.0 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Old Foe Or New Enemy? Here&#039;s How Researchers Handle APT Attribution 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/old-foe-or-new-enemy-heres-how-researchers-handle-apt-attribution\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Old Foe Or New Enemy? Here&#039;s How Researchers Handle APT Attribution 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/old-foe-or-new-enemy-heres-how-researchers-handle-apt-attribution\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2021-02-26T15:19:26+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/02\/old-foe-or-new-enemy-heres-how-researchers-handle-apt-attribution.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1024\" \/>\n\t<meta property=\"og:image:height\" content=\"614\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"8 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/old-foe-or-new-enemy-heres-how-researchers-handle-apt-attribution\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/old-foe-or-new-enemy-heres-how-researchers-handle-apt-attribution\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Old Foe Or New Enemy? Here&#8217;s How Researchers Handle APT Attribution\",\"datePublished\":\"2021-02-26T15:19:26+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/old-foe-or-new-enemy-heres-how-researchers-handle-apt-attribution\\\/\"},\"wordCount\":1691,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/old-foe-or-new-enemy-heres-how-researchers-handle-apt-attribution\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/02\\\/old-foe-or-new-enemy-heres-how-researchers-handle-apt-attribution.jpg\",\"keywords\":[\"headline,hacker,malware\"],\"articleSection\":[\"CyberSecurity Blogs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/old-foe-or-new-enemy-heres-how-researchers-handle-apt-attribution\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/old-foe-or-new-enemy-heres-how-researchers-handle-apt-attribution\\\/\",\"name\":\"Old Foe Or New Enemy? Here's How Researchers Handle APT Attribution 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/old-foe-or-new-enemy-heres-how-researchers-handle-apt-attribution\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/old-foe-or-new-enemy-heres-how-researchers-handle-apt-attribution\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/02\\\/old-foe-or-new-enemy-heres-how-researchers-handle-apt-attribution.jpg\",\"datePublished\":\"2021-02-26T15:19:26+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/old-foe-or-new-enemy-heres-how-researchers-handle-apt-attribution\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/old-foe-or-new-enemy-heres-how-researchers-handle-apt-attribution\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/old-foe-or-new-enemy-heres-how-researchers-handle-apt-attribution\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/02\\\/old-foe-or-new-enemy-heres-how-researchers-handle-apt-attribution.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/02\\\/old-foe-or-new-enemy-heres-how-researchers-handle-apt-attribution.jpg\",\"width\":1024,\"height\":614},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/old-foe-or-new-enemy-heres-how-researchers-handle-apt-attribution\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"headline,hacker,malware\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/headlinehackermalware\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Old Foe Or New Enemy? Here&#8217;s How Researchers Handle APT Attribution\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Old Foe Or New Enemy? Here's How Researchers Handle APT Attribution 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/old-foe-or-new-enemy-heres-how-researchers-handle-apt-attribution\/","og_locale":"en_US","og_type":"article","og_title":"Old Foe Or New Enemy? Here's How Researchers Handle APT Attribution 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/old-foe-or-new-enemy-heres-how-researchers-handle-apt-attribution\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2021-02-26T15:19:26+00:00","og_image":[{"width":1024,"height":614,"url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/02\/old-foe-or-new-enemy-heres-how-researchers-handle-apt-attribution.jpg","type":"image\/jpeg"}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"8 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/old-foe-or-new-enemy-heres-how-researchers-handle-apt-attribution\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/old-foe-or-new-enemy-heres-how-researchers-handle-apt-attribution\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Old Foe Or New Enemy? Here&#8217;s How Researchers Handle APT Attribution","datePublished":"2021-02-26T15:19:26+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/old-foe-or-new-enemy-heres-how-researchers-handle-apt-attribution\/"},"wordCount":1691,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/old-foe-or-new-enemy-heres-how-researchers-handle-apt-attribution\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/02\/old-foe-or-new-enemy-heres-how-researchers-handle-apt-attribution.jpg","keywords":["headline,hacker,malware"],"articleSection":["CyberSecurity Blogs"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/old-foe-or-new-enemy-heres-how-researchers-handle-apt-attribution\/","url":"https:\/\/www.threatshub.org\/blog\/old-foe-or-new-enemy-heres-how-researchers-handle-apt-attribution\/","name":"Old Foe Or New Enemy? Here's How Researchers Handle APT Attribution 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/old-foe-or-new-enemy-heres-how-researchers-handle-apt-attribution\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/old-foe-or-new-enemy-heres-how-researchers-handle-apt-attribution\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/02\/old-foe-or-new-enemy-heres-how-researchers-handle-apt-attribution.jpg","datePublished":"2021-02-26T15:19:26+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/old-foe-or-new-enemy-heres-how-researchers-handle-apt-attribution\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/old-foe-or-new-enemy-heres-how-researchers-handle-apt-attribution\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/old-foe-or-new-enemy-heres-how-researchers-handle-apt-attribution\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/02\/old-foe-or-new-enemy-heres-how-researchers-handle-apt-attribution.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/02\/old-foe-or-new-enemy-heres-how-researchers-handle-apt-attribution.jpg","width":1024,"height":614},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/old-foe-or-new-enemy-heres-how-researchers-handle-apt-attribution\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"headline,hacker,malware","item":"https:\/\/www.threatshub.org\/blog\/tag\/headlinehackermalware\/"},{"@type":"ListItem","position":3,"name":"Old Foe Or New Enemy? Here&#8217;s How Researchers Handle APT Attribution"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/39755","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=39755"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/39755\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/39756"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=39755"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=39755"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=39755"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}