RedSheep Security
Intermediate — Lesson 18 of 12

Campaign Tracking & Clustering

10 min read

Tracking threat campaigns is one of the most intellectually demanding and rewarding aspects of cyber threat intelligence. A single intrusion provides a snapshot; campaign tracking connects those snapshots into a coherent narrative of adversary operations over time. This lesson covers the methodologies, tools, and analytical frameworks used to identify, cluster, and track campaigns, along with the pitfalls that can lead analysts astray.

Learning Objectives

  • Define what constitutes a campaign and distinguish it from related concepts like intrusion sets and threat actors
  • Apply clustering methodologies to link disparate intrusions based on shared attributes
  • Use infrastructure analysis tools and techniques to identify campaign connections
  • Understand the STIX 2.1 data model for representing campaigns and intrusion sets
  • Recognize common pitfalls in campaign attribution, including false flags and shared tooling

What Is a Campaign?

A campaign is a set of adversary behaviors — typically a series of related intrusions — that are grouped together based on shared attributes such as infrastructure, malware, TTPs, targeting, or timing. Campaigns are bounded in time and purpose: they have a start, an objective, and usually an end.

Campaigns sit at a specific level in the threat intelligence hierarchy. A threat actor is a person or group; an intrusion set is a pattern of adversary behavior attributed to an actor over an extended period; and a campaign is a specific operation within that broader pattern. For example, APT29 (threat actor) conducts espionage operations (intrusion set) and executed the SolarWinds supply chain compromise (campaign) in 2020.

Understanding this hierarchy matters because analysts frequently conflate these concepts. You can track a campaign without knowing who is behind it — attribution to a threat actor requires a higher burden of evidence than clustering related intrusions.

Clustering Methodologies

Clustering is the analytical process of determining which intrusions belong together. Analysts evaluate multiple categories of evidence, and the strongest clustering relies on convergence across several independent indicators.

Infrastructure Overlap

Shared command-and-control (C2) infrastructure is one of the most direct links between intrusions. This includes:

  • IP addresses: Two intrusions communicating with the same C2 IP address
  • Domains: Shared domains, including those registered with the same details or through the same registrar patterns
  • SSL/TLS certificates: Reused certificates across C2 servers, including self-signed certificates with distinctive attributes
  • Hosting patterns: Consistent use of specific hosting providers, ASNs, or geographic locations
  • DNS patterns: Similar domain generation algorithms (DGAs), naming conventions, or DNS record configurations

Infrastructure overlap is strong evidence but not conclusive on its own. Shared hosting, compromised infrastructure, and bulletproof hosting providers can create coincidental overlaps.

Shared TTPs

Tactics, Techniques, and Procedures mapped to MITRE ATT&CK provide behavioral linkage. While individual techniques are usually too common to be useful on their own (many actors use spearphishing), specific combinations or implementations of techniques can be distinctive:

  • A particular sequence of actions during initial access and lateral movement
  • Distinctive implementations of persistence (e.g., a specific registry key path or scheduled task naming convention)
  • Characteristic exfiltration methods or data staging patterns
  • Unique command-and-control protocols or communication patterns

Code Similarity

Malware code reuse is a strong clustering indicator. Analysts assess code similarity through:

  • Exact hash matches: The same binary deployed across intrusions
  • Fuzzy hashing (ssdeep): Detecting modified versions of the same codebase
  • Code-level similarity: Shared functions, algorithms, or string tables (tools like BinDiff or Diaphora compare disassembled binaries)
  • Compiler and build artifacts: Consistent PDB paths, compilation timestamps, linker versions, or Rich header data
  • Shared unique code: Custom encryption routines, bespoke protocols, or distinctive error handling

Targeting Patterns

Who the adversary targets can help link campaigns:

  • Sector focus: Consistent targeting of specific industries (defense, energy, finance)
  • Geographic focus: Targeting organizations in specific countries or regions
  • Victim selection: Targeting specific types of roles or departments within organizations
  • Timing alignment: Campaigns timed to geopolitical events, policy announcements, or industry conferences
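The four evidence categories above (infrastructure, TTPs, code, targeting) can be applied mechanically to ask the question that matters for clustering: how many independent categories agree, once commodity tooling and very common techniques are discounted? The following is an added example, not code from the lesson or from any tool it mentions; the field names, the discount lists and the three intrusion summaries are constructed for illustration.

```python
"""Cross-category clustering assessment for two intrusions.

Added example, not code from the lesson: each intrusion is summarised as a
dict of evidence sets grouped into the four categories above. Linkage strength
is judged by how many independent categories overlap rather than by the raw
number of shared indicators, and commodity tools and very common ATT&CK
techniques are discounted so that "both used Cobalt Strike" or "both used
spearphishing" adds nothing on its own.
"""

# Evidence keys grouped by category (key names are this example's own).
CATEGORIES = {
    "infrastructure": ("c2_ips", "c2_domains", "tls_fingerprints"),
    "ttps": ("techniques", "tools", "persistence_artifacts"),
    "code": ("sha256", "pdb_paths", "custom_routines"),
    "targeting": ("sectors", "regions"),
}

# Indicators too widely shared to count as linkage evidence on their own.
# Constructed lists for this example; a real deployment would tune them.
DISCOUNTED = {
    "tools": {"cobalt strike", "metasploit", "mimikatz", "powershell empire"},
    "techniques": {"T1566.001", "T1059.001", "T1071.001"},
}


def shared_indicators(a, b, key):
    """Indicators of one kind present in both intrusions, minus discounted ones."""
    shared = set(a.get(key, ())) & set(b.get(key, ()))
    return sorted(shared - DISCOUNTED.get(key, set()))


def compare_intrusions(a, b):
    """Return (per-category overlaps, number of independent categories that agree)."""
    report = {}
    for category, keys in CATEGORIES.items():
        hits = {key: shared_indicators(a, b, key) for key in keys}
        report[category] = {key: vals for key, vals in hits.items() if vals}
    converging = sum(1 for hits in report.values() if hits)
    return report, converging


def linkage_confidence(converging):
    """Map category convergence onto the High / Moderate / Low scale used in campaign records."""
    if converging >= 3:
        return "High"
    if converging == 2:
        return "Moderate"
    return "Low" if converging == 1 else "None"


# Constructed intrusion summaries (documentation IP ranges and .test domains).
INTRUSION_A = {
    "c2_ips": {"203.0.113.10"}, "c2_domains": {"update-cdn-example.test"},
    "tls_fingerprints": {"sha256:0000aaaa-constructed"},
    "techniques": {"T1566.001", "T1059.001", "T1053.005"},
    "tools": {"cobalt strike", "mimikatz"},
    "persistence_artifacts": {r"\Microsoft\Windows\SvcHostUpdate"},
    "sha256": {"a" * 64}, "pdb_paths": {r"C:\build\loader\x64\Release\ld.pdb"},
    "sectors": {"defense"}, "regions": {"US"},
}
INTRUSION_B = {
    "c2_ips": {"203.0.113.10"}, "c2_domains": {"portal-sync-example.test"},
    "techniques": {"T1566.001", "T1059.001"}, "tools": {"cobalt strike"},
    "persistence_artifacts": {r"\Microsoft\Windows\SvcHostUpdate"},
    "sha256": {"b" * 64}, "pdb_paths": {r"C:\build\loader\x64\Release\ld.pdb"},
    "sectors": {"energy"}, "regions": {"US"},
}
# Shares only commodity tooling, a common technique and a region with A.
INTRUSION_C = {
    "c2_ips": {"198.51.100.7"}, "techniques": {"T1566.001"},
    "tools": {"cobalt strike"}, "sectors": {"finance"}, "regions": {"US"},
}

if __name__ == "__main__":
    for other in (INTRUSION_B, INTRUSION_C):
        report, n = compare_intrusions(INTRUSION_A, other)
        print(n, "categories converge ->", linkage_confidence(n), report)
```

Run as written, A and B converge on four categories (a shared C2 IP, an identical scheduled-task path, an identical PDB path, and the same victim region) and score High, while A and C share only Cobalt Strike, spearphishing and a region, and score Low, because the first two are discounted and only targeting remains. The discount lists encode the shared-tooling pitfall discussed later in this lesson: the question is how a tool is configured and deployed, not whether it is present.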

Temporal Analysis

The timing of intrusions can reveal patterns:

  • Working hours: Activity that consistently falls within the working hours of one time zone suggests where the operators are located
  • Operational tempo: Similar patterns of rapid initial access followed by slow, methodical lateral movement
  • Sequential targeting: Organizations compromised in a sequence that suggests a strategic plan
  • Gap analysis: Periods of inactivity may correspond to holidays, geopolitical events, or retooling efforts

Tools and Techniques for Tracking

Maltego

Maltego is a link analysis and data visualization platform that maps relationships between entities (domains, IPs, organizations, people, files). CTI analysts use Maltego transforms to pivot from one indicator to related entities — for example, starting with a C2 domain and discovering registration patterns, related IPs, co-hosted domains, and associated malware samples. Its graph visualization makes it easier to spot clustering patterns visually.

DomainTools

DomainTools provides historical WHOIS, DNS, and domain registration data. Key capabilities for campaign tracking include:

  • Reverse WHOIS: Find all domains registered with the same email, name, or organization
  • Domain profiles: Historical WHOIS records showing registration changes over time
  • Hosting history: Track where a domain has resolved over time
  • Domain risk scoring: Identify likely malicious domains based on registration and hosting patterns

PassiveTotal / RiskIQ (now Microsoft Defender Threat Intelligence)

PassiveTotal (acquired by RiskIQ, then by Microsoft) provides passive DNS data, WHOIS history, SSL certificate tracking, and host pair analysis. Passive DNS is particularly valuable: because it is collected from recorded resolver traffic rather than by querying the adversary's name servers, it shows historical domain-to-IP resolutions without alerting the adversary that you are investigating. Host pair analysis reveals relationships between web infrastructure components, such as redirectors, exploit kit landing pages, and payload servers.
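Whatever platform supplies the passive DNS data, the pivot itself is the same: start from a seed C2 domain, find other domains that resolved to the same IP while the seed did, and discount IPs that host so many unrelated domains that co-residence means nothing (the shared-hosting caveat from the infrastructure overlap section). The following is an added example, not code from the lesson and not any vendor's API; the record layout, the co-hosting cutoff and every domain, IP and date are constructed.

```python
"""Pivot from a seed C2 domain through passive DNS, flagging shared hosting.

Added example, not code from the lesson and not a vendor API: passive DNS is
modelled as (domain, ip, first_seen, last_seen) records of the kind the tools
above export. Starting from a seed domain, other domains that resolved to the
same IP during an overlapping window are candidate infrastructure links; an IP
that hosted many unrelated domains is flagged as shared hosting and excluded,
since co-residence there is weak evidence. All records are constructed.
"""
from collections import defaultdict
from datetime import date

# Above this many co-hosted domains an IP is treated as shared hosting (constructed cutoff).
SHARED_HOSTING_THRESHOLD = 10

SEED = "update-cdn-example.test"

PASSIVE_DNS = [
    (SEED, "203.0.113.10", date(2025, 11, 1), date(2026, 1, 15)),
    (SEED, "198.51.100.7", date(2026, 1, 10), date(2026, 2, 1)),
    # Overlapping window on a quiet IP: a candidate link.
    ("mail-sync-example.test", "203.0.113.10", date(2025, 12, 1), date(2026, 2, 10)),
    # Same IP but long before the seed used it: the address was recycled, no link.
    ("old-site-example.test", "203.0.113.10", date(2024, 1, 1), date(2024, 6, 1)),
] + [
    # A dozen unrelated tenants on 198.51.100.7: shared hosting.
    (f"tenant-{n:02d}.test", "198.51.100.7", date(2025, 6, 1), date(2026, 3, 1))
    for n in range(12)
]


def windows_overlap(a_first, a_last, b_first, b_last):
    """True when two [first_seen, last_seen] intervals share at least one day."""
    return a_first <= b_last and b_first <= a_last


def pivot_on_domain(seed, records, threshold=SHARED_HOSTING_THRESHOLD):
    """Return ({candidate_domain: [shared IPs]}, [IPs skipped as shared hosting])."""
    by_ip = defaultdict(list)
    for domain, ip, first, last in records:
        by_ip[ip].append((domain, first, last))

    linked = defaultdict(list)
    shared_hosting = []
    for domain, ip, first, last in records:
        if domain != seed:
            continue
        others = [r for r in by_ip[ip] if r[0] != seed]
        if len({r[0] for r in others}) > threshold:
            shared_hosting.append(ip)
            continue
        for other_domain, o_first, o_last in others:
            if windows_overlap(first, last, o_first, o_last):
                linked[other_domain].append(ip)
    return dict(linked), shared_hosting


if __name__ == "__main__":
    candidates, skipped = pivot_on_domain(SEED, PASSIVE_DNS)
    print("candidate links:", candidates)
    print("shared-hosting IPs skipped:", skipped)
```

On the constructed data only mail-sync-example.test survives as a candidate: old-site-example.test sat on the same IP but years earlier (recycled address), and 198.51.100.7 is dropped because a dozen unrelated tenants live there. A candidate from this pivot is one infrastructure indicator, not a cluster; it still has to converge with TTP, code or targeting evidence before it is treated as a campaign link.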

Managing Campaign Data

Effective campaign tracking requires disciplined data management. As you identify indicators and cluster intrusions, maintain:

Data Element        Purpose                               Example
------------------  ------------------------------------  ------------------------------------------
Campaign ID         Internal tracking identifier          CAMP-2026-003
Timeframe           Active period of the campaign         2025-11 to 2026-02
Indicators          Network and host IOCs                 C2 domains, malware hashes, mutex names
TTPs                MITRE ATT&CK mappings                 T1566.001, T1059.001, T1071.001
Victims             Targeted sectors/regions              US defense industrial base
Confidence          Analytical confidence in clustering   High / Moderate / Low
Sources             Where evidence originated             Internal telemetry, partner sharing, OSINT
Related campaigns   Links to other tracked campaigns      CAMP-2025-017 (predecessor)

Threat Intelligence Platforms (TIPs) such as MISP, OpenCTI, and ThreatConnect provide structured databases for this tracking, with STIX-compatible data models.

Intrusion Sets vs. Campaigns in STIX 2.1

STIX 2.1 defines both intrusion-set and campaign as domain objects, and the distinction is important for accurate modeling:

An Intrusion Set in STIX is "a grouped set of adversarial behaviors and resources with common properties that is believed to be orchestrated by a single organization." It represents the overall pattern of an adversary's operations and persists over long periods.

A Campaign in STIX is "a grouping of adversarial behaviors that describes a set of malicious activities or attacks that occur over a period of time against a specific set of targets." Campaigns are time-bounded and purpose-driven.

An intrusion set is attributed-to a threat actor. A campaign is attributed-to either a threat actor or an intrusion set. Multiple campaigns can belong to the same intrusion set. This hierarchy lets you model situations where you can cluster activity (campaign) and link it to a behavioral pattern (intrusion set) without necessarily attributing it to a named threat actor.
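The hierarchy described above is straightforward to express as STIX 2.1 objects, and the attributed-to rules can be checked mechanically before a bundle is shared. The following is an added example, not code from the lesson and not the stix2 library: it builds the objects as plain dictionaries with only the standard library. Every name, identifier and timestamp is constructed (the campaign names reuse the tracking IDs from the table earlier in the lesson), and the rule table reflects the STIX 2.1 relationship summary for attributed-to.

```python
"""Model the threat-actor / intrusion-set / campaign hierarchy in STIX 2.1.

Added example, not code from the lesson and not the stix2 library: objects are
built as plain dicts with the standard library, then the attributed-to
relationships are checked against the rules stated above (campaign -> intrusion
set or threat actor; intrusion set -> threat actor). Every name, identifier and
timestamp below is constructed; CAMP-2026-003 and CAMP-2025-017 reuse the
tracking IDs from the table earlier in the lesson.
"""
import json
import uuid

CREATED = "2026-02-20T00:00:00.000Z"  # constructed


def stix_object(obj_type, **props):
    """A STIX 2.1 object carrying the required common properties."""
    return {
        "type": obj_type,
        "spec_version": "2.1",
        "id": f"{obj_type}--{uuid.uuid4()}",
        "created": CREATED,
        "modified": CREATED,
        **props,
    }


def attributed_to(source, target):
    """An attributed-to relationship (SRO) from source to target."""
    return stix_object("relationship", relationship_type="attributed-to",
                       source_ref=source["id"], target_ref=target["id"])


# Target types each source type may be attributed-to (STIX 2.1 relationship summary).
ATTRIBUTED_TO_RULES = {
    "campaign": {"intrusion-set", "threat-actor"},
    "intrusion-set": {"threat-actor"},
    "threat-actor": {"identity"},
}


def validate_attributions(objects):
    """Return a list of rule violations among the attributed-to relationships."""
    by_id = {o["id"]: o for o in objects}
    errors = []
    for o in objects:
        if o["type"] != "relationship" or o["relationship_type"] != "attributed-to":
            continue
        src, tgt = by_id[o["source_ref"]], by_id[o["target_ref"]]
        if tgt["type"] not in ATTRIBUTED_TO_RULES.get(src["type"], set()):
            errors.append(f"{src['type']} {src.get('name')!r} may not be attributed-to {tgt['type']}")
    return errors


def campaigns_of(intrusion_set_name, objects):
    """Names of campaigns attributed to the named intrusion set, sorted."""
    by_id = {o["id"]: o for o in objects}
    names = []
    for o in objects:
        if o["type"] == "relationship" and o["relationship_type"] == "attributed-to":
            src, tgt = by_id[o["source_ref"]], by_id[o["target_ref"]]
            if (src["type"] == "campaign" and tgt["type"] == "intrusion-set"
                    and tgt["name"] == intrusion_set_name):
                names.append(src["name"])
    return sorted(names)


def build_example_bundle():
    """Actor -> intrusion set -> two campaigns, all constructed."""
    actor = stix_object("threat-actor", name="EXAMPLE-ACTOR", threat_actor_types=["nation-state"])
    iset = stix_object("intrusion-set", name="EXAMPLE-SET", first_seen="2023-04-01T00:00:00.000Z")
    current = stix_object("campaign", name="CAMP-2026-003",
                          first_seen="2025-11-01T00:00:00.000Z", last_seen="2026-02-28T00:00:00.000Z",
                          objective="Espionage against the defense industrial base")
    predecessor = stix_object("campaign", name="CAMP-2025-017")
    objects = [actor, iset, current, predecessor,
               attributed_to(iset, actor), attributed_to(current, iset), attributed_to(predecessor, iset)]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


if __name__ == "__main__":
    bundle = build_example_bundle()
    print(json.dumps(bundle, indent=2))
    print("violations:", validate_attributions(bundle["objects"]))
```

The point of `validate_attributions` is the modeling discipline the text describes: a campaign whose operator is unknown is attributed to an intrusion set, never directly to a malware family or a tool, and an intrusion set is attributed only to a threat actor. Running the check before exporting to a TIP such as MISP or OpenCTI catches the common mistake of linking a campaign to whatever object happened to be at hand.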

Case Study: SolarWinds / SUNBURST

The SolarWinds compromise, publicly disclosed in December 2020, is one of the best-documented examples of campaign clustering in modern CTI. It illustrates how analysts linked disparate intrusions into a coherent campaign.

Initial discovery: FireEye (now Mandiant) detected unauthorized access to their own network and identified a trojanized SolarWinds Orion update as the initial access vector. They named the backdoor SUNBURST.

Clustering evidence that linked intrusions:

  • Shared malware: All victims received the same trojanized SolarWinds update containing SUNBURST, which used a distinctive DGA for C2 communication through DNS queries to avsvmcloud[.]com
  • Infrastructure: The C2 infrastructure followed a consistent pattern — initial DNS-based C2, followed by HTTPS-based communication to dedicated C2 servers
  • Code characteristics: SUNBURST contained sophisticated anti-analysis and victim-selection logic, including a 12-14 day dormancy period and checks for specific security tools before activating
  • TTP consistency: Post-exploitation activity across victims showed consistent patterns — SAML token forging (dubbed "Golden SAML"), use of the TEARDROP and RAINDROP loaders, and distinctive lateral movement patterns
  • Targeting pattern: Victims were concentrated in government agencies and technology companies, consistent with an espionage-focused campaign

Attribution complexity: The U.S. government attributed the campaign to Russia's SVR (Foreign Intelligence Service), designating the activity as APT29 / Cozy Bear. Multiple independent analyses converged on this attribution through a combination of targeting patterns, operational security practices, code analysis, and intelligence sources.

This case demonstrates several key principles: strong clustering relies on multiple independent indicators converging, infrastructure and malware analysis alone are insufficient for attribution, and the scale of a campaign may only become apparent after the initial discovery triggers broader investigation.

Pitfalls in Campaign Tracking

False Flags

Sophisticated adversaries may deliberately plant indicators to mislead analysts. The Olympic Destroyer malware (targeting the 2018 PyeongChang Olympics) contained code fragments and metadata designed to implicate multiple threat actors, including Lazarus Group. Analysts who relied on any single indicator type would have been misled.

Shared Tooling

Many threat actors use the same publicly available tools — Cobalt Strike, Metasploit, Mimikatz, PowerShell Empire. Clustering based on the use of common tools will produce false linkages. Focus on how tools are configured and deployed, not merely which tools are present.

Contractor and Vendor Overlap

In some cases, different threat actors may share infrastructure or tools because they use the same contractors, tool developers, or service providers. This is particularly relevant for state-sponsored operations where multiple units may share quartermaster functions.

Confirmation Bias

Analysts who expect to find a connection may interpret ambiguous evidence as confirming their hypothesis. Use structured analytic techniques (covered in Lesson 19) to challenge your clustering assumptions. Always ask: "What evidence would disprove this linkage?"

Key Takeaways

  • Campaigns are time-bounded groupings of related adversary activity; they sit below intrusion sets and threat actors in the intelligence hierarchy
  • Strong clustering requires convergence across multiple independent indicator types — infrastructure, TTPs, code, targeting, and timing
  • Infrastructure analysis tools (Maltego, DomainTools, PassiveTotal) enable pivoting from known indicators to discover campaign scope
  • STIX 2.1 provides formal data models for campaigns and intrusion sets, enabling structured tracking and sharing
  • False flags, shared tooling, and confirmation bias are real threats to accurate campaign analysis — always seek disconfirming evidence

Practical Exercise

Using publicly available threat intelligence reporting, reconstruct the clustering of a well-documented campaign:

  1. Select a campaign documented by multiple vendors (e.g., search for "APT campaign report" on a vendor blog such as Mandiant, CrowdStrike, or Cisco Talos).
  2. From the report, extract and categorize the clustering evidence into the five categories covered in this lesson: infrastructure overlap, shared TTPs, code similarity, targeting patterns, and temporal analysis.
  3. Create a simple link chart (on paper or using a tool like draw.io) showing the relationships between indicators, malware samples, infrastructure, and victims.
  4. Identify which clustering category provided the strongest evidence in this case and which provided the weakest. Document your reasoning.
  5. List at least two alternative hypotheses for the clustering (e.g., "Could this be two separate actors sharing a tool?" or "Could the infrastructure overlap be coincidental?") and note what evidence supports or refutes each.

Further Reading