The Declining Effect of Disclosures on Threat Groups

• In the past, cyber espionage groups were observed to cease activities and shut down following a disclosure.
• However recent observations show that disclosures cause malicious groups to change tactics and not disappear.

Some groups were observed to cover up their tracks better while a few even expressed their displeasure by launching activities targeted at the ones who disclosed the information on them.

The consequences of disclosures

With individuals, organizations, and governments around the world realizing the impact of cyber threats, disclosures are becoming more common.

• Blogs and reports on threat groups have helped in creating a pool of knowledge that entities can use to defend themselves against cyber attacks.
• This has also led to threat groups shutting down in the past. An example of this is when the APT 1 report was published, and the command-and-control servers used by the group immediately became inactive.
• However, researchers have observed that in the current times, malicious groups do not stop their activities following disclosures.

Instead, they lie low for a while to update infrastructure and sometimes retaliate against the disclosers. In certain cases, the information disclosed may be used by other threat groups to improve their techniques.

Changing tactics after disclosures

In the majority of cases, the malicious actors were observed to change their tactics after a disclosure.

• The Stone Panda or APT10 continued its operations despite a disclosure in 2017. However, the group abandoned certain tools and worked on its infrastructure in the attacks following the disclosure. It was also observed that the group covered its trails carefully, making it quite difficult for researchers to track.
• The Russian threat group Turla, also known as APT34, hijacked the attack infrastructure from an Iranian threat group. This is a recent example of threat groups attempting to hide their signatures.

To disclose or not?

Disclosures have their advantages. Information sharing helps many organizations improve their security posture without having large teams or advanced resources. However, some security experts recommend weighing the impact of the disclosures on organizations, researchers, and the behavior of malicious actors before going ahead. Sometimes disclosures on threat groups can make them disappear from the map and much harder to identify again. And in other cases, they might just change their tactics to appear with a different identity.