HF 2022 - Call for Papers

Clustering Malware Activity: How We Do Attribution
10-29, 17:30–17:50 (Canada/Eastern), Track 1
Language: English

Attributing a new campaign or malware to a known group is not an exact science. The skills it requires and the considerations surrounding it aren't given nearly as much importance as the technical aspects of malware analysis in training and discussions. Yet, it is often the part that will garner the most attention from journalists and the general public. Proper attribution can add great value to a report; helping organizations relate new activity to their threat model and providing researchers and law enforcement with the means to link clusters of activity. When done wrong, however, it can undermine the credibility of the field and generate undue alarm. Since researchers base their attribution on available material, incorrect links can lead future efforts astray and create lasting confusion.


In this presentation, we will first explain how we do attribution using technical artifacts -- such as code similarity and tool reuse --, infrastructure, TTPs, and socio-political factors like victimology. We will use concrete examples from previous research to illustrate how these indicators can be used, or misused, to cluster activity. We will discuss the relative merits and reliability of these indicators along with how they can be combined to arrive at a more accurate conclusion.

As we go along, we'll cover the pitfalls associated with each of them, with examples of how we can get it wrong. We'll also bring up other obstacles encountered when doing attribution including the varying definitions of certain groups between various researchers, along with tool sharing and so-called "umbrella groups" that encapsulate multiple sub-groups.

The presentation will conclude with a discussion of the importance of documenting the reasons and confidence level associated with such claims. We will briefly touch on the larger ethical and social considerations that surround this issue to encourage researchers to be rigorous when attributing threats and evaluating claims from external reporting.


Are you releasing a tool? – no Was this talk already given? – yes

Alexandre Côté Cyr is a malware researcher at ESET in Montreal with a focus on APTs. He also contributes to WeLiveSecurity where he has written about TA410 and Mustang Panda.

He completed his Bachelor's degree in computer science at UQAM in 2021. Alexandre has previously presented at Botconf and CARO Workshop. He is an active member of Montreal's Infosec community and is involved in mentoring students getting started in the security field.

His interests include operating systems fundamentals and writing shell scripts to automate tasks that don't always need to be automated.


Alexandre Côté Cyr est chercheur en logiciel malveillant chez ESET à Montréal où il travaille principalement sur les APTs. Il contribue aussi à WeLiveSecurity où il a écrit à propos de TA410 et Mustang Panda.

Alexandre a terminé son baccalauréat en informatique à l'UQAM en 2021. Il a précédemment présenté à Botconf et CARO. Il est un membre actif de la communauté Infosec de Montréal and s'implique à mentorer des étudiant.e.s qui débutent dans le domaine de la sécurité informatique.

Il s'intéresse aux principes des systèmes d'exploitation et aime écrire des scripts shell pour automatiser toute sorte de tâches (qui n'ont pas nécessairement besoin d'être automatisées).