It sounds like these hack groups apparently use certain tactics and software that form a unique "signature" for their work. For example, the use of certain toolkits/rootkits for Russia's "Fancy Bear" and "Cozy Bear" hackers was discovered back in 2016 -
Cozy Bear and Fancy Bear: did Russians hack Democratic party and if so, why?
Sam Thielman and Spencer Ackerman
Fri 29 Jul 2016 06.00 EDT
Last modified on Fri 14 Jul 2017 14.58 EDT
/snip
A key characteristic of Bear attacks – and high-quality attacks from many seasoned intruders – appears to be its adroit disguise of malicious files. In another operation, a group Kaspersky believes to be Cozy Bear sent “highly relevant and well-crafted content” – such as PDFs about Ukraine possibly joining Nato – to people who would open them and find them interesting without becoming suspicious. Sophisticated users who would spot a “YovTube.com” address or an amateurish website inviting them to type in a login might eagerly open an official-seeming white paper.
Fancy Bear has its own signatures: its identifiable suite of tools has, since 2007 or perhaps even 2004, been updated with the frequency of a software company, according to security firm FireEye. FireEye gave all the tools names – Sourface, Chopstick and Eviltoss, among others – and described them as demonstrating “formal coding practices indicative of methodical, diligent programmers”.
Rather than send its malware broadly, a pattern used by hackers who hope a fraction of their recipients will click on a dubious link, Fancy Bear sends them to specific users, in a pattern Gidwani said indicates reconnaissance on its targets. Microsoft reported that Fancy Bear finds unsuspecting users both by sifting through social media and other online data for associations with its target – say, a LinkedIn page that lists the DNC as an employer – and also by meticulously cataloging the data it has stolen in previous hacks.
“They customize their attack to thrive in that environment,” said Gidwani. “Somebody who could do that has resources, has time and a test environment to try all the stuff out to make sure they’ve got the right package they’re going to deploy. Those are hallmarks of nation-state operations. Criminals are going to hit a million people in the hope that they get a hundred.”
https://www.theguardian.com/technology/2016/jul/29/cozy-bear-fancy-bear-russia-hack-dnc
If you know some other group's tactics and have their software, you can mimic how they operate as disguise and deflection.
= new reply since forum marked as read
