Guerrero-Saade-Raiu-VB2017.pdf (2 MB)

Guerrero-Saade and Raiu examine how fourth-party collection complicates cyber-espionage attribution when one intelligence or threat actor compromises another and reuses its access, tools, or infrastructure. The excerpt describes attacker-on-attacker operations, proprietary toolkit reuse, exploit repurposing, and C2 infrastructure piggybacking as situations that can make activity clusters appear to belong to the wrong actor. It argues that public reporting and expected TTP profiles can themselves be manipulated, with actors adopting another group’s tradecraft to blend into established attribution narratives. The material is relevant for CTI workflows because it cautions analysts to separate observed evidence from actor labels, especially when overlaps may reflect tool theft, shared victims, or compromised infrastructure rather than a single operator.