Chapter 22 Quiz: Threat Actor Encyclopedia¶

B — Russia's GRU (Military Intelligence) — political and military intelligence collection, election interference, and supporting Russian state objectives

APT28 (also known as Fancy Bear, STRONTIUM, Sofacy) is attributed with high confidence to Russia's General Staff Main Intelligence Directorate (GRU). They are known for targeting NATO governments, political organizations (DNC breach 2016), defense contractors, and media organizations. Their operations align with Russian strategic military intelligence requirements.

B — Video game currency fraud — manipulating in-game economies to steal virtual goods for resale

DOJ indictments against APT41 members specifically alleged that the operators conducted video game fraud as a side business — stealing in-game currencies, items, and source code for personal financial gain. This "moonlighting" distinction is why APT41 is categorized as a "dual nexus" actor: when not conducting state-directed espionage, the same individuals conduct financially motivated cybercrime.

B — Bangladesh Bank SWIFT heist — $81 million stolen via fraudulent SWIFT interbank transfers

In 2016, Lazarus Group compromised the Bangladesh Bank's SWIFT terminal and issued fraudulent transfer requests to the Federal Reserve Bank of New York. $81 million was successfully transferred before the scheme was detected ($951 million in additional transfers was stopped due to a spelling error). This operation exemplifies Lazarus's mission: generating hard currency for the sanctions-isolated DPRK regime.

B — They rely almost entirely on living-off-the-land (LOTL) techniques — using native OS tools like netsh, wmic, and PowerShell — to blend with normal system administration activity and pre-position on critical US infrastructure

Volt Typhoon's defining characteristic is minimal malware footprint: they use built-in system tools, proxy traffic through compromised SOHO routers, and focus on pre-positioning in US critical infrastructure (power, water, transportation) sectors — assessed by CISA/NSA as preparation for potential disruptive attacks during a future conflict rather than immediate espionage.

B — Targeting point-of-sale (POS) systems and restaurant/hospitality chains to harvest payment card data at scale, later sold on criminal markets

FIN7 (also known as Carbanak, Navigator Group) specialized in targeting restaurant, hospitality, and retail chains via spear-phishing, gaining access to POS environments, and deploying custom POS malware (Carbanak, GRIFFON) to harvest credit card data. They compromised hundreds of restaurant chains including Chipotle and Arby's, stealing tens of millions of payment cards over multiple years.

B — Vishing (voice phishing) attacks on IT helpdesks — impersonating employees to convince helpdesk staff to reset MFA, issue new credentials, or enroll new devices

Scattered Spider's defining technique is social engineering IT helpdesks. They research target employees on LinkedIn, use publicly available information to convincingly impersonate them, and call helpdesks requesting MFA resets or new SIM enrollments. This technique bypasses technical controls entirely and exploited helpdesk processes at MGM Resorts and Caesars Entertainment in 2023 breaches.

B — Profiles represent historically observed TTPs and may not reflect a group's current capabilities or techniques — actors evolve their tradecraft, especially after public disclosure of their methods

ATT&CK Group profiles are built from public reporting of past incidents. A sophisticated threat actor who reads their own ATT&CK profile will change their tooling, infrastructure, and techniques to avoid those specific detections. This is the "observer effect" in threat intelligence — publishing attribution data simultaneously enables defense and forces actors to adapt.

C — UNC (Uncategorized)

Mandiant's naming convention: APT (nation-state or advanced actor), FIN (financially motivated), and UNC (uncategorized clusters that share some characteristics but lack sufficient evidence for formal grouping). UNC clusters may eventually be merged into existing groups or elevated to named designations as evidence accumulates. Microsoft uses a different convention (weather/element themed names like MIDNIGHT BLIZZARD).

C — Behavioral TTPs — the specific sequence of tools, techniques, and procedures used by the actor during their operations

The Pyramid of Pain (David Bianco) ranks indicators by attacker cost to change: hash values are trivial to change (recompile), IPs and domains are easy to rotate, but TTPs represent the actor's operational habits — how they move laterally, how they maintain persistence, how they exfiltrate data. Changing TTPs requires retraining and restructuring operations, making behavioral indicators the most durable for attribution and detection.

B — The evidence supports the attribution finding but does not definitively rule out an alternative explanation — key gaps exist (e.g., possible false flag use of known APT28 tooling by a different actor)

Intelligence confidence levels communicate analytical uncertainty, not probability percentages. "Moderate confidence" means the evidence is credible and consistent with the attribution but there are gaps — perhaps the malware used is known to be APT28's but has been leaked or sold, or the infrastructure overlaps are strong but not unique. High-confidence attribution requires multiple independent, corroborating evidence streams that collectively eliminate other plausible explanations.