Executive Summary
Threat actors often react to public disclosure and this post attempts to provide at least four different examples of those likely reactions:
APT39: A case of reacting with plausible deniability;
Evil Corp: A case of the individual reacting;
Ryuk Ransomware: A case of reacting to others; and
Sandworm: A case of close associates reacting.
There is still a lack of empirical research about actual and measurable reactions by threat actors, as pointed out in Attribution of Advanced Persistence Threats by Timo Steffens. While this post is an attempt to fill that void, this is not a grand attempt to create a model or provide quantitative data, but only simple observations of likely reactions by cyber threat actors being exposed publicly.
Introduction
I finally got around to reading Attribution of Advanced Persistence Threats. Let me just say, it is a great read for anyone in cyber threat intelligence, or a closely related field dealing with cyber security and/or intelligence. The book left me with a lot to think about, but the section called Reaction to Disclosure is one that inspired this blog post. In Reaction to Disclosure, it is mentions there is a lack of empirical research about actual and measurable reactions by adversaries. This post sets out to provide four different examples that can begin to fill that void.
I have picked cases that show how different cyber threat actors react to public disclosure. These threat actors vary according to country, motivations, and organizational structures. The naming conventions and ultimate motivation may differ according to visibility and attribution standards, but the observed reactions still stand. There is no universal framework for measuring reactions to public disclosure, which is a topic that warrants further discussion. The following is an overview of the threat actors and case studies chosen for analysis:
APT39: A case of reacting with plausible deniability
In September 2020, the US Government (USG) sanctioned Iran-based threat actor, popularly known as APT39 (a.k.a. Chafer, Remix Kitten). The USG attributed APT39 to Iran’s Ministry of Intelligence and Security (MOIS) and reported that at least 45 individual and one company are also associated with the cyber threat actor. According to the sanctions announcement, APT39 operates behind a front company called Rana Intelligence Computing Company (a.k.a. Rana, Rana Institute, Rana Smart Computing Company). There are other instances of Iran-based threat actors using front companies, such as the Mabna Institute and Net Peygard Samavat Company. A front company in all of the mentioned cases are a form of operational security (OPSEC) because they provide plausible deniability for the government and generate a seemingly legitimate cover for clandestine or illicit activities. The sanctions announcement briefly describes Rana Intelligence Computing Company, but details are rather limited to describing it as "a front company camouflaged as the MOIS". Open source research identified Rana’s incorporation records, which show it was established on 24 January 2016. Both these observations are relevant context for a threat actor affiliated with a government’s intelligence apparatus and their reaction to public disclosure.
Figure 1 - Rana's company logo (left) and MOIS' insignia (right).
On 7 December 2015, Symantec released the first public report on APT39, which Symantec tracks as Chafer. The public report documented the group’s victimology, malware capabilities, working hours and more. Symantec assesses that the group began operation as early as July 2014; however, it is likely that activity began well before this date. Therefore, APT39 operated without the use of Rana Intelligence Computing Company for at least 18 months, and only after the group’s activity were exposed publicly in December 2015, did the incorporation of Rana occur the following month.
There are likely several factors that spurred entities behind APT39 to use a front company in late January 2016. The short lapse in time from Symantec’s public exposure of the group and the establishment of Rana is a highly plausible factor. The release of the report in December 2015 could also be a coincidence. However, assuming the public exposure is at least one factor for creating Rana, the use of a front company indicates MOIS likely intended to create plausible deniability for their cyber network operations. The legitimizing of operations via a company could also be considered a method for attracting talent that would not otherwise pursue a career in government. This notion assumes new hires are unaware of the ultimate beneficiaries and their end goals.
The reaction took approximately six weeks, and makes sense within the context of a large organization, such as MOIS attempting to implement new procedural measures in a fashion that maintains discretion while balancing legitimacy. Of course, there could be other factors that play into the reaction time, such as failure to see the report until weeks after its release or the type of information included in the report. For example, no personal details of the group were exposed in the report, which could be a factor in the response time rather than chalking it up to bureaucracy. In the end, APT39 increased OPSEC after public disclosure of their tradecraft, which seemingly allowed the threat actor to operate as Rana Intelligence Computing Company for nearly five years, before the USG outed them as a front company camouflaged as the MOIS.
Evil Corp: A case of the individual reacting
I recently wrote a post on tracking Evil Corp and their cars. In the collection phase of my research, I identified a VK profile containing a picture of FBI Most Wanted suspect, Maksim Yakubets. The VK profile was listed as ‘Kirill’ and subsequently, ‘Kirill Vsevyshny’, who silently deleted their profile on 6 December 2019. According to the USG, a core member of Evil Corp is Kirill Slobodskoy, which matches the first name of the now deleted profile. The last name observed on the profile could be an alias, however the profile at some point, contained a photo of Maksim Yakubets.
Figure 2 - Picture of Maksim Yakubets from the Kirill profile (left) and date the profile was deleted (right).
The USG indicted and sanctioned Evil Corp members on 5 December 2019 or one day before the observed VK profile was deleted. The VK profile presumably corresponds to a single individual, who is with reasonable certainty affiliated with Evil Corp or at the very least with Maksim Yakubets. Assuming the sanctions and indictments motivated the deletion of the VK profile, it is plausible to assume that single individuals react quickly to public disclosure; and the exposure of personal details could be a motivating factor for the extent and quickness of the reaction. Further supporting this notion that an individual reacts differently than a collective is the still active VK profile for Evil Corp member Andrey Plotnitsky. The response by two people with at least associations to Maksim Yakubets, and possibly Evil Corp, show there isn't a collective response to public disclosure. It is worth noting that motivation, country origin, or culture could be a determining factor in reactions. Cybercrime members are more likely to be in fear of imprisonment or lack state backing compared to espionage focused threat actors, ultimately causing both to behave differently.
Ryuk Ransomware: A case of reacting to others
In 2018, I presented at EUROPOL on the use of cryptocurrencies and cyber threat actors. Naturally, ransomware took central focus, and specifically Ryuk ransomware. One intriguing observation of Ryuk is their response not to public disclosure of their own operations, but of another ransomware outfit. On 28 November 2018, the USG indicted and sanctioned SamSam ransomware operators and financial facilitators. All entities indicted and sanctioned are Iran-based and do not have any known affiliations with Ryuk ransomware or its affiliated entities. The indictments focused on the creators and/or operators of SamSam, while the sanctions focused on the financial facilitators. The sanctions included Bitcoin addresses used by the financial facilitators and set a precedence by marking the first sanctions against cryptocurrencies.
Figure 3 - FBI Most Wanted Suspects behind SamSam ransomware.
An open source report by CrowdStrike states that on 29 November 2018, ransomware operators behind Ryuk changed how they communicated with victims. Prior to 29 November 2018, the actors included their Bitcoin address and email addresses in the ransom note, but the new notes on 29 November 2018 and after, no longer contain the Bitcoin address. The ransom notes state that the victim will receive the Bitcoin address after a reply from the threat actors. The assumption is that threat actors behind Ryuk changed their OPSEC in one day, in accordance with sanctions enacted against SamSam financial facilitators.
This case is unique relative to the other examples, as the threat actor is reacting to public disclosure of another group, although both involved in ransomware, the reaction is to money laundering rather than computer network operations. The response to increase OPSEC related to Bitcoin addresses indicates the operators behind Ryuk control the laundering of ransom payments in addition to their cyber network operations. However, it almost certainly shows the actors consider the financial side of their operations important, given it is their ultimate motivation, and protecting that with better OPSEC is deemed essential.
Sandworm: A case of close associates reacting
I briefly mentioned in Fancy Bear’s New Faces: Revisited that there is a deleted VK account linked to Anatoliy Sergeyevich Kovalev, a member of Russia-based threat actor, Sandworm (a.k.a. Voodoo Bear, Unit 74455). It is unknown when the account was deleted, but it almost certainly occurred sometime between June 2019 and September 2020 – these dates are based on my research activity. This time frame is after the USG indictment against Anatoliy Sergeyevich Kovalev for interfering in the 2016 US Presidential Elections. It is also after two blog posts publicly disclosing his linked VK profiles, which could also be a motivating factor.
One of those profiles is not deleted and another one has since been identified, both of which, contain personally identifiable information (PII). Since only one of the two old profiles is deleted, it is unlikely the blog posts are a motivating factor. The profile did not contain much PII and many of the pictures can be found on the other profiles, further supporting the blog posts with the deleted account is not a primary cause. A noteworthy observation after searching on members of Sandworm and Fancy Bear (a.k.a. APT28, GRU Unit 26165) is that members of both groups have had their online presence exposed from close associates (e.g., family, friends, etc.)
There are several pictures, including some on Sandworm’s FBI Most Wanted posters, which are likely taken from VK profiles of close associates, as reported by Bellingcat contributor Aric Toler and corroborated from firsthand research. This is also the case for some Fancy Bear members, as discussed in an OSINT piece from December 2019. In Hiding in Plain Sight by Sancho Villa, there is a VK profile of a Fancy Bear member’s wife using an alias and containing images of her husband, a GRU officer in Unit 26165. The wife’s profile now uses a different alias and all the pictures of her husband are deleted, as seen in Figure 4. These changes occurred sometime between December 2019 and October 2020, but more importantly, indicate that close associates of cyber threat actors also react to public disclosures.
Figure 4 - Wife's VK profiles of the GRU officer in Unit 26165. Left is most recent and Right is prior to December 2019.
Close associates of cyber threat actors and their subsequent reaction to public disclosure might not seem important on the surface. However, such a reaction can result in future loss of intelligence collection. As the FBI Most Wanted pictures show, poor OPSEC of close associates can be highly valuable for attributing an adversary.
Figure 5 - FBI Most Wanted picture (right) compared to VK profile of a close associate (left)
Scratching the surface
The above observations and analysis are just a few examples of how actors react to public disclosure. Attribution of Advanced Persistent Threats is critical in pointing out a lack of frameworks and academic style research in determining cyber threat actor’s behavior to public disclosure. For example, how does culture, age, gender, or organizational structure effect a threat actor’s reaction? Does exposure of technical details change an actor’s reaction compared to exposure of personal details? A more in-depth analysis is necessary to answer these questions and something I plan to look at closer in upcoming research.
Another topic that I have briefly hinted at within this post is the distinction between public and non-public disclosure. Non-public disclosure is very much related to espionage focused threat actors and their closed-door reaction to knowing their adversaries have compromised them. I would assume that examples of non-public disclosure are difficult to discover given their inherent secrecy. However, one example that comes to mind which could be a representation of an espionage threat actor reacting to non-public disclosure is Turla’s fourth party collection of OilRig. At least one if not multiple forthcoming post will cover these two topics (inshallah).
Conclusion
Attribution is a complex and exciting topic within the cyber threat intelligence field. The cases provided above are an attempt to scratch the surface of how threat actors deal with having their identities, operations and strategies exposed. At a glance, there are many variables that could influence a cyber threat actor's reaction, much of which require further examination. However, the four different cases show that reaction times vary, likely reasoning vary and the outcome of the reaction is likely to impact future tracking and/or attribution of a threat actor.
