Three's company: Investigating an Espionage Campaign featuring Multiple Threat Actors

Lior Rochberger, Tom Fakterman

In threat intelligence, attribution poses significant challenges for researchers engaged in investigation and analysis. What initially appears to be a straightforward operation can quickly evolve into a complex investigation involving multiple threat actors. This session aims to shed light on the intricacies of attribution and to provide practical insights for researchers navigating these challenges. We will present a use case from an investigation involving multiple clusters of activity targeting South Asian governments. The three clusters of activity we analysed were ultimately attributed to three distinct threat actors suspected of operating on behalf of China. Through this use case, we will illustrate the need for researchers to look beyond surface-level overlaps (shared tooling, infrastructure or targeting) and identify the subtler nuances in tactics, techniques and procedures (TTPs) that support accurate attribution conclusions.

During the session, each cluster of activity will be examined in detail, giving a comprehensive understanding of the findings associated with it. We will explore the overlaps and differences in TTPs among the clusters, showing how these distinctions were used to differentiate between them and ultimately to attribute the campaign to three separate threat actors. By the end of the session, participants will have gained a clearer understanding of the complexities of attribution. The methodology presented, grounded in a real case study, will equip attendees with practical approaches for addressing similar obstacles in their own research.

Speakers' Bios

Lior Rochberger is a senior threat researcher at Palo Alto Networks, focusing on threat hunting and malware research. Lior began her career as a team leader in the security operations center in the Israeli Air Force, where she mostly focused on incident response and malware analysis.

Tom Fakterman is a Threat Researcher at Palo Alto Networks. Day to day, Tom focuses on threat hunting, malware research and threat intelligence. Tom began his career as a security analyst in the security operations center of the Israeli Air Force, where he mostly focused on incident response and malware analysis.