Cyber attackers: BSI names active perpetrator groups

A list of the state actors and cybercrime groups active in Germany helps to better classify threat reports.

This article was originally published in German and has been automatically translated.

BSI / CERT-Bund have published lists of APT and cybercrime groups whose activities they actually observe in Germany and describe their main areas of focus. These are therefore actors that pose a real threat to local companies and organizations.

The data used for this comes primarily from incidents within the BSI's own area of responsibility, in particular incidents affecting public sector IT. However, reliable reports from external partners are also included in the compilation, explained the authors of these lists, Alexander Härtel and Timo Steffens, in a Pro-Talk with members of heise security Pro.

The BSI's APT list contains all perpetrator groups that are suspected of having a state actor behind them and that have been "active against targets in Germany" in the last two years. It also includes attackers against targets in other European countries "that could have been attacked in Germany in the same or a similar way". The list includes old acquaintances such as APT28, aka Sofacy and Fancy Bear, known for the earlier break-in into the Bundestag network, but also rather little-known actors such as "Bitter / Hazy Tiger".

The list does not assign the individual groups to states, let alone to their intelligence services, although the German government has already publicly attributed APT28, for example, to the Russian military intelligence service GRU. This is probably mainly due to the rules governing responsibilities: in Germany, attributing cyberattacks to a state is not the task of the BSI but of the cyber defence unit of the Federal Office for the Protection of the Constitution (BfV). Nevertheless, the BSI could at least have dared to list the officially confirmed associations.

The same applies to the list of crime groups active in Germany, except that here the attackers are assumed to have primarily financial motives. It should be noted that the BSI makes a strict distinction between the groups and the software they use or distribute. For example, the group that develops and distributes the Lockbit ransomware is called "Bitwise Spider". On the one hand, this makes sense for systematic recording, as so-called affiliates do not have their own ransomware or switch between different ransomware-as-a-service providers. On the other hand, it makes classification somewhat more difficult, because almost everyone only talks about the Lockbit gang, or Lockbit for short, and therefore hardly anyone makes the right association with "Bitwise Spider".

These lists are by no means just theoretical, but have very concrete, practical benefits, their authors emphasize. The incident response teams at CERT-Bund, for example, systematically collect information on the known modus operandi of each group, its tactics, techniques and procedures (TTPs), in order to prepare for further incidents and save valuable time in an emergency. If they receive a ransom demand from a known group, for instance, they can immediately search for the traces this gang typically leaves behind. Given the large number of groups active worldwide, this would hardly be possible without limiting the list to relevant actors.

The list also helps to form a more realistic picture of the threat situation and to prioritize defensive measures appropriately. For example, spectacular sabotage operations by the APT group Sandworm are repeatedly reported in the media. Initially, it did not appear on the BSI list because there had been no confirmed attacks by Sandworm in Germany in the past two years. In heise security's Pro-Talk, however, the panelists agreed that, in view of the ongoing war in Ukraine, this group nevertheless poses a latent threat, and as a result Sandworm is now listed in the "under observation" section.

(ju)