Pattern of Life and Temporal Signatures of Hacker Organizations
Observing an organization or person by their activities using web intelligence can provide interesting clues about who and where they actually are. These clues can include targets, methods, tools, language, etc. This is true in both the physical and cyber world.
In this post we’ll look at the temporal signature of activities by hacker groups and use those to discern their pattern of life – basically their work week – for matching with national work weeks/schedules.
Top level conclusion?
Different groups have different temporal signatures that could potentially be used to differentiate between those on very regular schedules – i.e. working a desk job (nation state?) – and those on nights/weekend schedules – independent hackers? – as well as to establish their geographic location.
Temporal analysis has long played a part in cyber defense. For example, Bob Gourley, who was the Director of Intelligence for a new (at the time) military unit responsible for defending all DoD networks, indicated in a conversation with me the initial Moonlight Maze intrusion set matched up very well with working hours in Moscow.
This was just one of many other factors that pointed to Russian involvement, but it helped orient analysts.
Another example is how Mandiant used observations of hacker team activity as one signal indicating a group was Chinese (or in another country in the same time zone):
“Hacker teams regularly began work, for the most part, at 8 a.m. Beijing time. Usually they continued for a standard work day, but sometimes the hacking persisted until midnight.”
KPMG calls out in their Cyber threat intelligence and the lessons from law enforcement report:
“Time: Are there any temporal patterns regarding cyber attacks and, similarly, are your information assets more vulnerable at certain times?”
Sample world wide work week patterns
A quick summary of work week data from Wikipedia yields the following on work weeks from around the world:
Analyzing hacker groups given work week as baseline
Now given the above temporal signatures – can we say anything about various hacker groups? We’ll find out using the Recorded Future data set, and in particular 250,000 cyber threat events involving various groups and individuals and times of attacks all collected from open web sources ranging from Twitter and other social media to government sites to hacker forums to regular news in seven different languages.
We’ve taken all the time points of the events and transformed them to day of week so that we can determine what days various groups activate and other patterns.
Below we look at a series of hacker groups – Syrian Electronic Army, Anonymous, Al Qassam Cyber Fighters, Lulzsec, Zcompany, and TeaMp0ison – versus a large group of other cyber events that either belong to other groups (nation states, individuals, and other groups) or are non-attributed attacks. Our data collection harvests open source data, so obviously there is potential for skewing towards more media-oriented groups (e.g. Anonymous, and yes, we have more data on them), but given that we’re looking at the pattern, not the volume, this should be less of an issue.
The graph above visualizes weekday distribution for each group. A statistical test for non-random distribution is at the very bottom of the post.
- Syrian Electronic Army activates right after the Syrian weekend. Between the actual name and the pattern of life/temporal signature this certainly indicates a group located in Syria that takes time off during the weekend, i.e. potentially a state sponsored group on a paid schedule.
- Anonymous interestingly peaks in activity during the weekend, which indicates that they are mostly students or western people with “normal jobs” who use weekends for hacking. A good example would be how Reuters recently fired an alleged Anonymous member, who probably had a busy regular workweek. We will be back to take apart the temporal signature by various Anonymous groups around the world.
- Al Qassam Cyber Fighters activates on Mondays and Wednesdays. Given their focus on hitting US and European banks this could make a lot of sense: hit them Monday morning when online banking activity peaks. But you could also argue that the pattern indicates activating after Saturday, i.e. a regular state-employed hacker week in the Middle East.
- Lulzsec (the breakout group from Anonymous) is interestingly enough completely inverted in its temporal signature from Anonymous. It peaks on Wednesday (and this holds across many observations). This might just be the peak of internet traffic…
- ZCompany fits the “modern Islamic country” calendar perfectly: key activity is Monday-Thursday with little activity Friday-Sunday. The organized work schedule may indicate a state actor/paid schedule. It could also point to Pakistan, which aligns with ZCompany’s targeting of India.
- TeaMp0ison, a rival group to Lulzsec, activates Tuesday-Wednesday. Its targeting is inconsistent but includes anti-Islamic targets.
- There is great potential for cross correlation analysis here:
- Compare activity with temporal signatures other than the work week such as Thanksgiving, Christmas break, Spring break, Ramadan, etc.
- Compare group activity to their Twitter patterns through the use of http://sleepingtime.org/. Potentially a very insightful cross-correlation to be had with this data, for example, TeaMp0ison – http://sleepingtime.org/teamp0ison.
- Correlate with other pattern of life variables: targeting, human language used, people association, etc.
- Correlate/normalize vs. general internet activity per country, potentially with Internet Census data. Likewise, the data from HoneyNet would be powerful to mash up and investigate.
- If you had access to proprietary IP level data of attacks by these groups you could obviously cross-correlate those activities in a very powerful way. Unfortunately, such data is less readily available to the public.
Temporal signatures can be helpful in developing pattern of life analysis on groups in cyberspace. Obviously it’s only one signal, but potentially a quite interesting one.
Appendix – comments on data and analysis
- Data is from Recorded Future collection activities, explore interactively at www.recordedfuture.com
- Time stamp is event time, which should be the time of the event. However, given the nature of cyber attacks it could very well be the time of discovery/publication.
- There are multiple normalizations that could be done to this data – both within the domain of cyber events as well as normalization vs. a total event metric – and we will be back with that.
- As a statistical test we did a chi-squared test of the hypothesis that day of week is unrelated to a cyber attack. Results below – day of week is significant for all groups except for ZCompany.
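As an added example (not Recorded Future's own code) of the pipeline described in the post and this appendix: event timestamps are converted to day of week in a candidate local time zone, the per-group weekday counts are tested against a uniform distribution with a chi-squared goodness-of-fit statistic, and the histogram is compared against assumed work-week templates. The events, the fixed-offset Beijing zone and the templates are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
UTC = timezone.utc
BEIJING = timezone(timedelta(hours=8))  # fixed offset for the example; use zoneinfo for DST zones

# Constructed sample events (group, UTC timestamp); not Recorded Future data.
EVENTS = [
    ("g1", "2013-03-10T23:30:00+00:00"),  # Sunday in UTC, Monday 07:30 in Beijing
    ("g1", "2013-03-11T01:00:00+00:00"),
    ("g1", "2013-03-12T02:00:00+00:00"),
    ("g1", "2013-03-13T00:30:00+00:00"),
    ("g2", "2013-03-16T14:00:00+00:00"),
    ("g2", "2013-03-16T20:00:00+00:00"),  # Saturday in UTC, Sunday 04:00 in Beijing
]

# Candidate work weeks as sets of working weekdays (Mon=0 .. Sun=6); assumed templates.
WORK_WEEKS = {
    "Mon-Fri": {0, 1, 2, 3, 4},  # Sat-Sun weekend
    "Sun-Thu": {6, 0, 1, 2, 3},  # Fri-Sat weekend (e.g. Syria)
    "Mon-Thu": {0, 1, 2, 3},     # Fri-Sun off
}

def weekday_histogram(events, group, tz=UTC):
    """Count a group's events per local weekday (index 0=Mon .. 6=Sun)."""
    counts = [0] * 7
    for g, ts in events:
        if g == group:
            counts[datetime.fromisoformat(ts).astimezone(tz).weekday()] += 1
    return counts

def chi2_uniform(counts):
    """Chi-squared goodness-of-fit statistic against 'every weekday equally likely'."""
    expected = sum(counts) / 7
    return sum((c - expected) ** 2 / expected for c in counts) if expected else 0.0

def day_of_week_matters(counts, crit=12.592):
    """True if the statistic exceeds the p=0.05 critical value for 6 degrees of freedom."""
    return chi2_uniform(counts) > crit

def workweek_fit(counts):
    """Rank templates by contrast: mean events on working days minus mean on days off."""
    fits = []
    for name, work in WORK_WEEKS.items():
        on = [counts[d] for d in range(7) if d in work]
        off = [counts[d] for d in range(7) if d not in work]
        fits.append((name, sum(on) / len(on) - sum(off) / len(off)))
    return sorted(fits, key=lambda f: f[1], reverse=True)
```

Shifting the same events from UTC to the Beijing offset moves the Sunday-night event onto Monday morning, which is exactly the kind of re-bucketing that has to happen before a histogram can be matched to a national work week.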