How Does One Find out If a Cyber Attack Is a State-sponsored or a Private Attempt?


  • Cyberspace is widely considered the fifth domain of modern warfare, alongside land, sea, air, and space.
  • Cyber warfare lets a country that cannot launch a traditional kinetic attack against a stronger foe level the playing field, because a cyber campaign is inexpensive compared with a conventional military campaign.
  • State-sponsored cyber-attacks can disrupt our way of life. Cyber weapons have been used to shut down part of a country's electric grid and to sabotage a country's nuclear program.

This Ask the Experts session stems from a question originally posted on Quora regarding how one can go about identifying if a cyber attack was state sponsored or a private attempt.

Typically, the origin of a cyber-attack, or a cyber crime, is inferred from the tactics, techniques, and procedures (TTPs) an attacker uses and from the targets they choose. The cyber kill chain, a model that breaks an intrusion into stages (reconnaissance, weaponization, delivery, exploitation, and so on), gives that inference structure: an analyst can place each observed TTP at a stage of the kill chain, or in another attack framework such as MITRE ATT&CK, and then compare the resulting pattern with the patterns previously documented for known threat groups.

People develop routines when they do anything repeatedly, and cyber actors, malicious and benign alike, are no exception. Top-tier actors are better at hiding their tracks than "script kiddies" (people who rely on existing scripts and tools to compromise devices), but even the professionals reuse the tried and true procedures that have worked for them before. Let us look at an example.

Advanced Persistent Threat (APT) 28, also known as Fancy Bear, the Sofacy Group (Kaspersky Lab), and STRONTIUM (Microsoft), is a well-known Russia-based threat group with direct ties to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (now abbreviated GU, but still widely referred to by its former abbreviation, GRU). APT 28 typically uses the following methods to attack a target:

  1. Spear phishing – The attacker creates a malicious website and/or a spoofed email address, with the goal of inducing the victim to divulge their credentials. APT 28 puts a strong emphasis on registering domains that closely resemble those of its target (a lookalike of the target's webmail domain, for example), so an unfamiliar domain that differs from the legitimate one by a character or two is a strong early indicator.
  2. Strategic web compromise (a "watering hole") – Hacking a legitimate website the target is likely to visit and inserting malicious code, typically an iFrame. When the target browses the site, the code infects their machine, but only if the visitor meets a set of conditions (a browser whose locale or IP address is not Russian, for example), which limits collateral infections and exposure of the exploit.
  3. Scanning computer networks and exploiting known and unknown (zero-day) software and hardware vulnerabilities.
  4. Deploying custom malware rather than off-the-shelf tooling, which is why a particular code family turning up in an incident is itself a strong attribution signal.
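
As an added example (not part of the original article), here is a small Python check for the first method above: given a sender domain seen in inbound mail or a proxy log and the organisation's real domain, it flags lookalikes by folding common visual substitutions (rn for m, 1 for l) and then measuring edit distance on the registrable label, with a fallback for "brand embedding" registrations such as example-login.net. The homoglyph table, the distance threshold, and the sample sender list are the editor's assumptions, constructed for illustration; the registrable-label helper assumes a one-label public suffix such as .com and should be replaced with a Public Suffix List lookup on real data.

```python
"""Lookalike-domain triage for spear-phishing investigations (added example)."""
from __future__ import annotations

# Visual substitutions commonly seen in registered lookalike domains.
# Editor's assumption: a small illustrative table, not an exhaustive one.
HOMOGLYPHS = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalize(label: str) -> str:
    """Fold look-alike character sequences so 'exarnp1e' compares equal to 'example'."""
    s = label.lower()
    for glyph, canonical in HOMOGLYPHS.items():
        s = s.replace(glyph, canonical)
    return s


def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """'mail.example-login.com' -> 'example-login'.

    Assumes a one-label public suffix (.com, .org). Use the Public Suffix List
    for real data, where 'example.co.uk' would otherwise yield 'co'.
    """
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def assess_domain(candidate: str, target: str, max_distance: int = 2) -> dict:
    """Classify candidate relative to the organisation's real domain (target)."""
    cand, tgt = registrable_label(candidate), registrable_label(target)
    if cand == tgt:
        return {"verdict": "legitimate", "distance": 0, "reason": "same registrable domain"}
    n_cand, n_tgt = normalize(cand), normalize(tgt)
    distance = levenshtein(n_cand, n_tgt)
    if distance <= max_distance:
        reason = "homoglyph substitution" if distance == 0 else "near-miss spelling"
        return {"verdict": "lookalike", "distance": distance, "reason": reason}
    # Brand embedding: 'example-secure-login.net' or 'examplemail.com'.
    if len(n_tgt) >= 4 and n_tgt in n_cand.replace("-", ""):
        return {"verdict": "lookalike", "distance": distance, "reason": "target name embedded"}
    return {"verdict": "unrelated", "distance": distance, "reason": "no resemblance"}


def triage(domains: list[str], target: str) -> list[tuple[str, dict]]:
    """Return only the domains that warrant analyst attention, with their verdicts."""
    flagged = []
    for domain in domains:
        result = assess_domain(domain, target)
        if result["verdict"] == "lookalike":
            flagged.append((domain, result))
    return flagged


# Constructed sample: sender domains from a day of inbound mail (not real data).
SAMPLE_SENDERS = [
    "mail.example.com",    # legitimate internal relay
    "exarnple.com",        # rn -> m homoglyph
    "examp1e-login.net",   # digit substitution plus brand embedding
    "exampel.com",         # transposition, edit distance 2
    "github.com",          # unrelated third party
]

if __name__ == "__main__":
    for domain, result in triage(SAMPLE_SENDERS, "example.com"):
        print(f"{domain:20} {result['verdict']:10} d={result['distance']} ({result['reason']})")
```

The distance check is deliberately run after homoglyph folding, so a domain that is only a glyph swap away scores as distance zero and gets its own reason string; in a SIEM rule that distinction is worth keeping, because a zero-distance hit is almost never an innocent typo by a legitimate third party.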

APT 28 is a state-directed, politically motivated group, and its goal is to advance the strategic foreign-policy objectives of the Russian Federation. Recognizing an attacker's TTPs and goals lets us paint a better picture of who the attacker is when investigating an incident. This is not a fool-proof method (is anything really fool-proof in information security?), but it is one of the most reliable approaches available, provided its limits are kept in mind: TTPs can be imitated, false-flag operations are a documented practice, tooling leaks and is reused by other groups, and a single widely used technique such as spear phishing says almost nothing on its own. An attribution should therefore be stated with a confidence level that reflects how many distinctive TTPs matched, not as a certainty.
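
The correlation described above, as an added example that is not part of the original article: a short Python script that maps an incident's observed techniques onto kill-chain stages and scores them against a small catalog of threat-group TTP profiles. The technique IDs are MITRE ATT&CK IDs; the stage mapping, the weighting, the confidence rules, and the incident data are the editor's assumptions. The APT 28 profile is a simplified encoding of the four methods listed above, and the ransomware crew is a hypothetical profile constructed for contrast. The code makes the caveat concrete: a technique that every profile uses, such as spear phishing, is weighted down, and confidence never rises above "moderate" on TTP evidence alone.

```python
"""Score an incident's observed TTPs against threat-group profiles (added example)."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

# Kill-chain stage for each technique. The IDs are MITRE ATT&CK technique IDs;
# the stage mapping is the editor's, chosen for illustration.
KILL_CHAIN_STAGE = {
    "T1595": "reconnaissance",         # Active Scanning
    "T1583.001": "weaponization",      # Acquire Infrastructure: Domains
    "T1587.001": "weaponization",      # Develop Capabilities: Malware
    "T1566.002": "delivery",           # Phishing: Spearphishing Link
    "T1189": "delivery",               # Drive-by Compromise (watering hole)
    "T1190": "exploitation",           # Exploit Public-Facing Application
    "T1486": "actions on objectives",  # Data Encrypted for Impact (ransomware)
}

# Simplified profiles. The first encodes the four methods the article lists for
# APT 28; the second is a hypothetical criminal crew constructed for contrast.
PROFILES = {
    "APT 28-like (state-directed espionage)": {
        "T1583.001", "T1566.002", "T1189", "T1595", "T1190", "T1587.001"},
    "Hypothetical ransomware crew (financially motivated)": {
        "T1566.002", "T1190", "T1486"},
}


@dataclass(frozen=True)
class Assessment:
    group: str
    matched: frozenset[str]
    score: float      # weighted share of the profile the incident exhibits, 0..1
    confidence: str   # "none", "low" or "moderate"; TTPs alone never justify "high"


def technique_weights(profiles: dict[str, set[str]]) -> dict[str, float]:
    """A technique used by k profiles weighs 1/k: spear phishing, which everyone
    does, carries far less attribution signal than distinctive tradecraft."""
    counts = Counter(t for ttps in profiles.values() for t in ttps)
    return {t: 1.0 / k for t, k in counts.items()}


def assess(observed: set[str], profiles: dict[str, set[str]] = PROFILES) -> list[Assessment]:
    """Rank candidate groups by weighted TTP overlap with the observed incident."""
    weights = technique_weights(profiles)
    results = []
    for group, ttps in profiles.items():
        matched = frozenset(observed & ttps)
        score = sum(weights[t] for t in matched) / sum(weights[t] for t in ttps)
        distinctive = sum(1 for t in matched if weights[t] == 1.0)
        if not matched:
            confidence = "none"
        elif len(matched) >= 2 and distinctive >= 1 and score >= 0.5:
            confidence = "moderate"
        else:
            confidence = "low"  # a single match, or only generic techniques
        results.append(Assessment(group, matched, round(score, 3), confidence))
    results.sort(key=lambda a: a.score, reverse=True)
    return results


def kill_chain_coverage(observed: set[str]) -> dict[str, list[str]]:
    """Group the observed techniques by kill-chain stage (unknown IDs are skipped)."""
    coverage: dict[str, list[str]] = {}
    for t in sorted(observed):
        stage = KILL_CHAIN_STAGE.get(t)
        if stage:
            coverage.setdefault(stage, []).append(t)
    return coverage


# Constructed incident: a lookalike domain was registered, staff received a
# spear-phishing link, and a watering-hole iFrame was found on a partner site.
INCIDENT = {"T1583.001", "T1566.002", "T1189"}

if __name__ == "__main__":
    print("kill chain:", kill_chain_coverage(INCIDENT))
    for a in assess(INCIDENT):
        print(f"{a.score:.2f} {a.confidence:9} {a.group} matched={sorted(a.matched)}")
    # A lone spear-phishing email is not an attribution: every candidate stays low.
    for a in assess({"T1566.002"}):
        print(f"{a.score:.2f} {a.confidence:9} {a.group}")
```

With the constructed incident the APT 28-like profile ranks first at moderate confidence while a lone spear-phishing email leaves every candidate at low confidence. On real data, replace the two profiles with the documented TTPs of the groups in scope and keep the weighting: the more groups share a technique, the less it should move the score.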

Interested in learning more about the different approaches taken by state-sponsored and private cyber actors? Contact us and we will be glad to continue the dialog. Do not forget to subscribe to our weekly newsletter for more information security related tips and tricks.

