Hackers don’t usually identify themselves, most individuals and groups thrive on anonymity. The one notable exception is lulzsec/anonymous who you’ve probably heard a lot about considering they have claimed responsibility for a few high profile incidents and have been the target of many FBI arrests. As far as we can tell the remainder of the group has either disbanded or moved on.
Mitre is a non-profit organization best known for running the Common Vulnerabilities and Exposures (CVE) Program with the stated goal of making the world safer. They are succeeding in their goal by raising awareness of software vulnerabilities and pressuring vendors to fix problems.
Though their original mission hasn’t changed, they have begun including information on documented attacks’ modus operandi and their functional appearance. This, in turn, creates a fingerprint for various advanced persistent threat (APT) groups which helps identify them. A growing directory of these groups is available from Mitre.
Many hacking groups get their names from security professionals, the majority are just tagged “advanced persistent threat” APT#. The first five on the list hail from China but there’s also a North Korean and Russian presence along with many Middle Eastern actors. Surprisingly there is not much representation from USA, European, Israeli, or Canada. Don’t be fooled though, there are certainly hackers operating in these regions, they have just managed to avoid being identified.
Hacker identification How to
Strings of text are often visible inside binaries when software is written. For example the Blaster worm’s executable contained two messages: "I just want to say LOVE YOU SAN!!" and "billy gates why do you make this possible ? Stop making money and fix your software!!" These snips of text reveal information about the author. A Chinese hacking group is likely to insert Chinese text into their code.
There’s also useful identification that can be gathered from the malware’s target. It may seem cliche but traditionally opposed social groups tend to target each other with malware. Stealth Falcon, for example, seems to target Emirati journalists, activists, and dissidents which strongly suggests it was, directly or indirectly, created by the UAE government.
Unfortunately these trends make it difficult to attribute malware with English text or global targets to a specific group.
How many are there?
Leave a comment with your guess. Mitre has identified 91 groups but that number seems rather small.