New APT attribution framework links campaigns through evidence layers instead of group labels
A new campaign-based attribution framework argues that security teams should stop treating APT groups as fixed identities and start linking threat activity through evidence-based campaign relationships.
The model, published by DarkAtlas, focuses on time-bound campaigns rather than static threat actor labels. Each campaign is analyzed through its goals, targets, infrastructure, tools, technical traits, and operator behavior.
The main idea is simple. APT groups change over time, but related campaigns can still share enough evidence across different layers to show continuity.
Why traditional APT attribution is under pressure
APT attribution has long relied on matching observed behavior to known groups. Analysts compare malware, infrastructure, tactics, techniques, and procedures to decide whether new activity resembles past operations.
That approach still has value, but it can break down when attackers change tools, rotate infrastructure, reuse public malware, hire different operators, or copy another group’s behavior.
DarkAtlas frames the problem through the Ship of Theseus paradox. If every visible part of a threat operation changes over time, analysts need a better way to decide whether the campaign still connects to earlier activity.
| Old attribution model | Campaign-linkage model |
|---|---|
| Starts with a fixed APT group label | Starts with a specific campaign |
| Looks for matching TTPs | Looks for overlap across several evidence layers |
| Can overvalue reused tools or IPs | Treats single indicators as weak evidence |
| Can struggle when adversaries change behavior | Allows campaigns to evolve while preserving links |
| Often produces rigid group mapping | Produces confidence-based relationships |
The framework starts with campaigns, not names
In this model, a campaign is a defined cluster of activity with a timeframe, objective, victim profile, infrastructure pattern, and execution style.
This gives analysts a more stable unit of study. Instead of asking whether a new intrusion matches a famous APT name, analysts ask how strongly it connects to earlier campaigns.
That shift reduces the risk of overconfident attribution. It also makes room for adversary evolution, shared tooling, contractor involvement, and collaboration between related teams.
How the overlap model works
The core of the framework is the overlap model. It rejects the idea that one artifact can prove attribution on its own.
A reused IP address, a known malware loader, a familiar phishing style, or a matching MITRE ATT&CK technique can all help an investigation. None of them should carry the attribution by itself.

Confidence grows when several independent layers point in the same direction. The more layers that align, the stronger the campaign relationship becomes.
- One shared tool may show access to the same malware family.
- One reused IP address may show infrastructure overlap.
- One matching TTP may show a similar technique.
- Several matching layers can support a stronger attribution claim.
- Conflicting evidence should lower confidence or trigger more review.
The six layers of evidence
DarkAtlas divides attribution evidence into six analytical layers. Each layer looks at a different part of the campaign, from strategic intent to operator habits.
The strategic layer looks at motivation and geopolitical alignment. This can remain stable even when tools and infrastructure change.
The technical and infrastructure layers look at malware, code, encryption, domains, hosting behavior, TLS certificates, and DNS patterns. These clues can connect campaigns when attackers reuse development or setup habits.
| Evidence layer | What analysts examine |
|---|---|
| Strategic | Geopolitical alignment, target value, and likely mission goals |
| Operational | Victim sequencing, timing, campaign duration, and regional focus |
| Tactical | Initial access, persistence, lateral movement, and exfiltration methods |
| Technical | Malware families, loaders, encryption routines, build artifacts, and code traits |
| Infrastructure | Domains, IPs, hosting providers, TLS reuse, DNS behavior, and setup patterns |
| Human | Language artifacts, coding style, mistakes, work habits, and OPSEC patterns |
Why TTPs are signals, not fingerprints
TTPs remain useful because they help analysts describe how an attacker works. They also help defenders map intrusions to detection logic and response playbooks.
The problem is that TTPs are not unique. Attackers can copy them, buy them, borrow them, automate them, or deliberately use them to create false trails.
The new framework treats TTPs as one layer of evidence. That makes them useful, but not decisive.
The Campaign Linkage Graph makes attribution easier to explain
DarkAtlas also proposes a Campaign Linkage Graph. In this structure, each campaign becomes a node, and each connection between campaigns becomes a weighted relationship.
A strong link means several layers overlap. A medium link means there is partial alignment, but alternative explanations remain possible. A weak link means the relationship needs more evidence before analysts make a firm call.
This graph approach helps teams track how adversaries evolve. Tool changes become new nodes, infrastructure rotation creates weaker links, and group fragmentation can appear as branching paths.
| Link strength | What it means |
|---|---|
| Strong link | Multiple independent layers overlap across campaigns |
| Medium link | Several clues align, but the evidence still allows other explanations |
| Weak link | Only limited evidence connects the campaigns |
| No clear link | Evidence does not support a meaningful relationship yet |
Confidence levels make attribution more honest
Attribution rarely gives defenders absolute certainty. Visibility is incomplete, attackers hide their tracks, and multiple groups can use similar tools.
The framework handles that reality by using high, medium, and low confidence levels. This makes conclusions easier to defend and easier to revise when new evidence appears.
High confidence requires strong overlap across several evidence layers. Medium confidence reflects partial alignment. Low confidence applies when the data is limited or only one layer appears similar.
- Use high confidence only when several independent layers converge.
- Use medium confidence when meaningful clues align but gaps remain.
- Use low confidence when the link is only a working hypothesis.
- Review older attribution when new infrastructure or tooling resurfaces.
- Avoid strong public claims based on one artifact.
Why this matters for defenders
A campaign-based model gives security teams a more practical way to track changing adversaries. It also helps them avoid overreacting to weak indicators or missing related activity because a tool changed.
For threat intelligence teams, the model supports clearer reporting. Analysts can explain which campaigns connect, which layers support the link, and how confident the assessment is.
For security operations teams, this can improve detection planning. If related campaigns share victimology, timing, or infrastructure habits, defenders can monitor those stable signals even when malware changes.
| Team | How the framework helps |
|---|---|
| Threat intelligence | Builds clearer campaign relationships and confidence levels |
| SOC teams | Prioritizes recurring behaviors instead of isolated indicators |
| Incident response | Connects current intrusions to earlier campaign patterns |
| Executives | Receives less speculative attribution and clearer risk context |
| Policy teams | Gets better-supported claims before strategic decisions |
How organizations can apply the model
Security teams can start by recording intrusions as campaigns rather than forcing every event under a fixed group label.
Each campaign record should include timing, targets, initial access, malware, infrastructure, operator behavior, likely objective, and confidence level. This turns attribution into a structured evidence problem rather than a naming exercise.
Teams should also update earlier assessments as new evidence appears. A weak link today can become stronger if a later campaign repeats the same targeting logic, coding pattern, infrastructure habit, and operational timing.
- Log each operation as a campaign with a clear timeframe.
- Separate evidence into strategic, operational, tactical, technical, infrastructure, and human layers.
- Record confidence levels for every attribution claim.
- Do not treat reused tools or IPs as proof by themselves.
- Use graphs to show how campaigns connect over time.
- Revisit old conclusions when new campaign data appears.
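The following script is an added illustration of the overlap model, the six evidence layers, the Campaign Linkage Graph and the confidence levels described above, wired together in the way the steps in this section call for; it is not DarkAtlas's code or tooling. The layer names follow the article, but the scoring thresholds (three or more aligned layers for a strong link, two for medium, one for weak), the downgrade rule for conflicting evidence, and every campaign name and trait are constructed placeholders chosen to show the behaviour, not real indicators.

```python
# Added illustration of the overlap model + Campaign Linkage Graph.
# Not DarkAtlas's code: layer names follow the article; thresholds,
# campaign names and traits are constructed placeholders.
from dataclasses import dataclass
from itertools import combinations

LAYERS = ("strategic", "operational", "tactical",
          "technical", "infrastructure", "human")

# Index into this tuple == number of aligned layers after downgrades (capped at 3).
STRENGTH_ORDER = ("none", "weak", "medium", "strong")
CONFIDENCE_FOR = {"strong": "high", "medium": "medium", "weak": "low", "none": "none"}


@dataclass
class Campaign:
    """A campaign record: time-bound activity with evidence split by layer."""
    name: str
    timeframe: str
    evidence: dict  # layer -> frozenset of observed traits


def layer_overlap(a, b):
    """Return {layer: shared traits} for every layer where both campaigns agree."""
    shared = {}
    for layer in LAYERS:
        common = a.evidence.get(layer, frozenset()) & b.evidence.get(layer, frozenset())
        if common:
            shared[layer] = common
    return shared


def link_strength(a, b, conflicting_layers=frozenset()):
    """Classify a link from the number of independently aligned layers.

    Assumed thresholds: 3+ layers -> strong, 2 -> medium, 1 -> weak, 0 -> none.
    A single shared artifact therefore never scores above 'weak', and every
    layer where evidence contradicts downgrades the result by one step.
    """
    aligned = [layer for layer in layer_overlap(a, b) if layer not in conflicting_layers]
    idx = min(len(aligned), 3) - len(conflicting_layers)
    return STRENGTH_ORDER[max(idx, 0)], aligned


def assess(a, b, conflicting_layers=frozenset()):
    """Produce an explainable assessment: strength, confidence, supporting layers."""
    strength, aligned = link_strength(a, b, conflicting_layers)
    return {
        "pair": (a.name, b.name),
        "strength": strength,
        "confidence": CONFIDENCE_FOR[strength],
        "layers": aligned,
        "conflicts": sorted(conflicting_layers),
    }


def build_linkage_graph(campaigns, conflicts=None):
    """Campaign Linkage Graph: nodes are campaigns, edges carry the assessment.

    `conflicts` maps frozenset({name_a, name_b}) -> layers judged contradictory.
    Rebuilding the graph after adding a campaign is how older links get revised.
    """
    conflicts = conflicts or {}
    graph = {c.name: {} for c in campaigns}
    for a, b in combinations(campaigns, 2):
        result = assess(a, b, conflicts.get(frozenset((a.name, b.name)), frozenset()))
        if result["strength"] != "none":
            graph[a.name][b.name] = result
            graph[b.name][a.name] = result
    return graph


# Constructed sample campaigns (placeholder traits, not real indicators).
CAMPAIGN_A = Campaign("CAMP-2021-A", "2021-Q3..2021-Q4", {
    "strategic": frozenset({"sector:energy", "region:REGION-1"}),
    "operational": frozenset({"victim-order:regulators-first"}),
    "technical": frozenset({"loader:LOADER-X", "build-path:PLACEHOLDER-PDB"}),
    "infrastructure": frozenset({"tls-cert:CERT-PLACEHOLDER-1", "registrar:REG-1"}),
    "human": frozenset({"comment-lang:LANG-1"}),
})
# Same operators a year later: loader and certificate rotated, habits kept.
CAMPAIGN_B = Campaign("CAMP-2022-B", "2022-Q1..2022-Q2", {
    "strategic": frozenset({"sector:energy", "region:REGION-1"}),
    "operational": frozenset({"victim-order:regulators-first"}),
    "technical": frozenset({"loader:LOADER-Y", "build-path:PLACEHOLDER-PDB"}),
    "infrastructure": frozenset({"tls-cert:CERT-PLACEHOLDER-2", "registrar:REG-1"}),
    "human": frozenset({"comment-lang:LANG-1"}),
})
# Unrelated actor that picked up the same (now public) loader.
CAMPAIGN_C = Campaign("CAMP-2022-C", "2022-Q3", {
    "strategic": frozenset({"sector:retail", "region:REGION-2"}),
    "technical": frozenset({"loader:LOADER-Y"}),
    "infrastructure": frozenset({"registrar:REG-2"}),
})


if __name__ == "__main__":
    graph = build_linkage_graph([CAMPAIGN_A, CAMPAIGN_B, CAMPAIGN_C])
    for node, edges in graph.items():
        for other, edge in edges.items():
            print(f"{node} -> {other}: {edge['strength']} ({edge['confidence']}), layers={edge['layers']}")
    # Analyst judges the targeting of B and C as contradictory: the lone shared
    # loader is downgraded from weak to no clear link.
    print(assess(CAMPAIGN_B, CAMPAIGN_C, frozenset({"strategic"}))["strength"])
```

Run as-is, the graph links CAMP-2021-A and CAMP-2022-B with a strong, high-confidence edge supported by five layers even though the loader and TLS certificate changed, while CAMP-2022-B and CAMP-2022-C share only a loader and get a weak, low-confidence edge; recording a strategic conflict for that pair drops it to no clear link. Each edge keeps the list of supporting layers, which is what lets an analyst state which layers support a link and how confident the assessment is, and rebuilding the graph when a new campaign record arrives is the revision step the last bullet describes.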
FAQ
It is a graph where each node represents a campaign and each edge represents the strength of the relationship between campaigns.
The overlap model compares campaigns across multiple evidence layers, including strategy, operations, tactics, technical traits, infrastructure, and human behavior.
APT groups change tools, infrastructure, operators, and techniques. A fixed label can hide that evolution or create false certainty when evidence is weak.
It is a campaign-based attribution model that links threat activity through overlapping evidence layers instead of relying only on fixed APT group labels.