The Attribution Story of WhisperGate: An Academic Perspective
Oleksandr Adamov, Anders Carlsson

TL;DR
This paper examines how the WhisperGate cyberattack was attributed and shows how machine-learning classifiers and large language models can support attribution by analysing threat indicators and linking them to specific threat actors.
Contribution
It introduces an approach that combines traditional machine-learning classifiers with a large language model for cyberattack attribution, and highlights the potential of AI for addressing the attribution problem.
Findings
LLMs improve attribution accuracy when fine-tuned.
Overlap in indicators with known groups like Sandworm.
AI techniques can distinguish between closely related threat actors.
Abstract
This paper explores the challenges of cyberattack attribution, specifically for APTs, applying a case-study approach to the WhisperGate cyber operation of January 2022, which was executed by the Russian military intelligence service (GRU) and targeted Ukrainian government entities. The study provides a detailed review of the threat actor identifiers and taxonomies used by leading cybersecurity vendors, focusing on the evolving attribution by Microsoft, ESET, and CrowdStrike researchers. Once the attribution to Ember Bear (GRU Unit 29155) is established through technical and intelligence reports, we use both traditional machine learning classifiers and a large language model (ChatGPT) to analyze the indicators of compromise (IoCs), tactics, and techniques in order to attribute the WhisperGate attack statistically and semantically. Our findings reveal overlapping indicators with the Sandworm group (GRU…
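The abstract describes the statistical half of the method, classifiers over IoCs, tactics and techniques, and notes that the indicators overlap with those of a related group. The script below is an added example, not code from the paper or its authors: it builds per-actor technique-frequency profiles, scores an incident against them by cosine similarity, and refuses to attribute when the best and runner-up scores are too close, listing the techniques the incident shares with both profiles (the overlapping indicators that cause the tie). The actor labels, the per-report technique sets and the two sample incidents are constructed placeholders, not intelligence about any real group; the ATT&CK technique IDs serve only as feature names, and the `min_margin` threshold of 0.15 is an arbitrary assumption.

```python
"""TTP-overlap attribution with an ambiguity check.

Added example for this page, not code from the paper or its authors.
Actor labels, the per-report technique sets and the sample incidents are
CONSTRUCTED placeholders, not threat intelligence about any real group.
Technique IDs are MITRE ATT&CK identifiers used only as feature names.
"""
import math
from collections import Counter

# Constructed training data: for each placeholder actor, the set of ATT&CK
# technique IDs observed in each of several incident reports.
ACTOR_REPORTS = {
    "ACTOR_A": [
        {"T1190", "T1505.003", "T1059.001", "T1561.002", "T1490"},
        {"T1190", "T1059.001", "T1105", "T1561.002"},
        {"T1133", "T1078", "T1561.002", "T1490", "T1070.004"},
    ],
    "ACTOR_B": [
        {"T1566.001", "T1204.002", "T1059.001", "T1486", "T1490"},
        {"T1566.001", "T1204.002", "T1027", "T1486"},
        {"T1566.001", "T1105", "T1027", "T1486", "T1490"},
    ],
    "ACTOR_C": [
        {"T1078", "T1021.001", "T1003.001", "T1041"},
        {"T1078", "T1021.001", "T1003.001", "T1567.002"},
    ],
}


def build_profiles(reports):
    """Per-actor weight vector: fraction of that actor's reports using each technique."""
    profiles = {}
    for actor, report_sets in reports.items():
        counts = Counter(t for techniques in report_sets for t in techniques)
        profiles[actor] = {t: n / len(report_sets) for t, n in counts.items()}
    return profiles


def cosine(sample, profile):
    """Cosine similarity between a binary sample vector and an actor profile."""
    dot = sum(profile.get(t, 0.0) for t in sample)
    sample_norm = math.sqrt(len(sample))
    profile_norm = math.sqrt(sum(w * w for w in profile.values()))
    if sample_norm == 0 or profile_norm == 0:
        return 0.0
    return dot / (sample_norm * profile_norm)


def rank_actors(sample, profiles):
    """Actors ordered by similarity to the sample, best first."""
    scored = [(actor, cosine(sample, p)) for actor, p in profiles.items()]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def attribute(sample, profiles, min_margin=0.15):
    """Attribute only when the best actor beats the runner-up by min_margin.

    Returns the ranked actors, the margin, the attributed actor (None when
    the call is ambiguous) and the techniques the sample shares with BOTH of
    the top two profiles, i.e. the overlapping indicators behind the tie.
    """
    ranked = rank_actors(sample, profiles)
    (best, best_score), (runner_up, runner_score) = ranked[0], ranked[1]
    margin = best_score - runner_score
    shared = sorted(
        t for t in sample
        if t in profiles[best] and t in profiles[runner_up]
    )
    return {
        "actor": best if margin >= min_margin else None,
        "ranked": ranked,
        "margin": round(margin, 3),
        "shared_with_runner_up": shared,
    }


PROFILES = build_profiles(ACTOR_REPORTS)

# Constructed incidents. The first reuses tooling present in both ACTOR_A and
# ACTOR_B reports, so the statistics alone cannot separate the two.
AMBIGUOUS_INCIDENT = {"T1059.001", "T1490", "T1105", "T1486"}
CLEAR_INCIDENT = {"T1566.001", "T1204.002", "T1486", "T1027"}

if __name__ == "__main__":
    for name, incident in (("ambiguous", AMBIGUOUS_INCIDENT), ("clear", CLEAR_INCIDENT)):
        result = attribute(incident, PROFILES)
        print(name, result["actor"], result["margin"], result["shared_with_runner_up"])
```

The ambiguous incident ranks ACTOR_B first but by a margin below the threshold, so no attribution is made and the three shared techniques are reported; that is the point at which the paper turns to semantic analysis of the surrounding context rather than to the indicators alone.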
Taxonomy
Topics: Cybercrime and Law Enforcement Studies · Information and Cyber Security · Cybersecurity and Cyber Warfare Studies
