Kaspersky launched its new intelligence solution that will help the Security Operation Center (SOC) analysts and incident responders assign samples of malware to previously disclosed Advanced Persistent Threat (APT) groups. The Kaspersky Threat Attribution Engine uses its patented tool to compare a discovered malicious code to one of the industry’s largest malware databases and connects it to a particular APT community or program based on the code similarities.

This information proved helpful for security experts to overcome high-risk threats.

By getting to know, who is attacking their company, and the reason behind the attack, security teams, can plan to take the necessary steps. Unveiling the perpetrator behind an attack, however, is a difficult job, involving not only a vast volume of gathered threat information (TI) but also the proper skills to analyze it. Kaspersky has unveiled its latest Kaspersky Threat Attribution Engine intending to automate the classification and identification of standard malware.

“There are several ways to reveal who is behind an attack. For example, analysts can rely on artifacts in the malware, which can determine attackers’ native language, or IP addresses that suggest where they might be located. However, it’s not a problem for a skilled attacker to manipulate these, leading a researcher to become bogged down in an investigation, as we have already seen in many cases,” said Costin Raiu, Director, Global Research and Analysis Team at Kaspersky.

Internal tool

The approach originated from an internal method adopted by the Global Research and Analysis Team (GReAT) at Kaspersky, a group of professional risk hunters. The Kaspersky Threat Identification System, for example, was leveraged in investigating campaigns for the iOS implant LightSpy, TajMahal, ShadowHammer, ShadowPad, and Dtrack.

To find whether the threat is about a known APT group or campaign and identify which one, Kaspersky Threat Attribution Engine performs automatic decomposition of newly found malicious files into small binary parts. Further, these parts are compared with those from Kaspersky’s collection, which includes more than 60,000 APT-related data. The solution also incorporates an extensive database of whitelisted files for more precise attribution. This significantly improves the quality of triage and identification of malware and attack and facilitates response to incidents.

Based on how close the analyzed file is to the samples in the archive, Kaspersky Threat Attribution Algorithm measures its reputational score. It identifies its potential origin and author with a concise summary and connections to both private and public services, highlighting previous campaigns. Kaspersky APT Intelligence Monitoring subscribers can see the identified threat actor’s dedicated report on strategies, methods, and procedures, as well as further measures to react.


The Kaspersky Threat Attribution Engine is designed to be deployed “on-premise” on a customer’s network, rather than in a cloud environment of third parties. This approach assures customer control over the sharing of data.

Apart from the “out of the ha” available threat intelligence, consumers will build their archive and fill it with examples of malware discovered by in-house analysts. That way, while keeping this information confidential, Kaspersky Threat Attribution Engine will learn to attribute malware analogous to those in a customer database.

“Our experience shows that the best way is to look for the shared code that the samples have in common with others identified in previous incidents or campaigns,” said Raiu. “Unfortunately, such a manual investigation may take days or even months. To automate and speed up this task, we created Kaspersky Threat Attribution Engine, which is now available for the company’s customers,” he added.

Kaspersky Threat Attribution Engine is available worldwide for commercial use.