Session

An in-depth analysis of Advanced Persistent Threats campaigns

In this presentation, we will show relationships between several APT campaigns that were either discussed publicly in security blogs or reported to CERT-Bund. The identified relationships are based on technical data and are categorised into three levels of confidence. A link between two APT campaigns is considered strong if command-and-control servers are shared or the hashes of the involved malware binaries are identical. If the same (rare) malware family is used, a link is considered to be of medium confidence. Other commonalities are considered weak links. Published analyses of APT campaigns usually focus on the activities of a single group of actors; some researchers, for example, track the domain names used by the Comment Crew. In our presentation, we take a more abstract view and look at the relationships between different APT campaigns. While some relationships between campaigns, such as Aurora and Elderwood or HTran and the Comment Crew, have already been discussed in blogs, combining information on many additional small links results in a much more comprehensive picture.
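As an added illustration (not part of the talk or of CERT-Bund's tooling), the three-level link classification described above can be applied pairwise to campaign indicator records and the result treated as a graph, so that campaigns connected by links at or above a chosen confidence level fall into one cluster. The campaign records, the placeholder indicators and the `RARE_FAMILIES` set are constructed assumptions.

```python
from itertools import combinations

# Confidence levels from the abstract, ranked so a cluster can be cut at a level.
LEVELS = {"strong": 3, "medium": 2, "weak": 1}
# Hypothetical set of malware families rare enough to count as a medium link.
RARE_FAMILIES = {"FamilyY"}

def link_confidence(a, b):
    """Classify the link between two campaigns from their indicator sets."""
    if a["c2"] & b["c2"] or a["hashes"] & b["hashes"]:
        return "strong"   # shared C2 server or identical binary hash
    if a["families"] & b["families"] & RARE_FAMILIES:
        return "medium"   # same rare malware family
    if a["other"] & b["other"]:
        return "weak"     # any other commonality
    return None           # no technical overlap at all

def link_graph(campaigns):
    """All pairwise links, keyed by the unordered pair of campaign names."""
    graph = {}
    for (na, a), (nb, b) in combinations(sorted(campaigns.items()), 2):
        level = link_confidence(a, b)
        if level:
            graph[frozenset((na, nb))] = level
    return graph

def clusters(campaigns, min_level):
    """Connected components using only links at or above min_level."""
    neighbours = {name: set() for name in campaigns}
    for pair, level in link_graph(campaigns).items():
        if LEVELS[level] >= LEVELS[min_level]:
            x, y = tuple(pair)
            neighbours[x].add(y); neighbours[y].add(x)
    seen, result = set(), []
    for start in sorted(campaigns):          # depth-first walk from each unseen node
        if start not in seen:
            comp, stack = set(), [start]
            while stack:
                node = stack.pop()
                comp.add(node)
                stack.extend(neighbours[node] - comp)
            seen |= comp
            result.append(comp)
    return result

# Constructed sample records with placeholder indicators (not real IoCs).
CAMPAIGNS = {
    "campaign-A": {"c2": {"c2-alpha.example"}, "hashes": {"HASH-0001"}, "families": {"FamilyX"}, "other": {"hoster-P"}},
    "campaign-B": {"c2": {"c2-alpha.example", "c2-beta.example"}, "hashes": {"HASH-0002"}, "families": {"FamilyY"}, "other": set()},
    "campaign-C": {"c2": {"c2-gamma.example"}, "hashes": set(), "families": {"FamilyY"}, "other": {"hoster-P"}},
    "campaign-D": {"c2": set(), "hashes": set(), "families": {"FamilyZ"}, "other": {"hoster-P"}},
}
```

With this data, A and B are strongly linked through the shared C2 host and B and C through the rare family, so cutting at medium confidence yields the cluster {A, B, C} while D only joins through weak hosting-provider overlap.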

About the speaker

Dr. Timo Steffens

Dr. Timo Steffens has a background in artificial intelligence and data analysis. After working on projects on early-warning systems, he found his way into the field of IT security. He is the vice head of the National IT Situation Centre and CERT-Bund at the German Federal Office for Information Security (BSI).
Copyright © 2026
Swiss Cyber Storm