UGLABS // Lab Task 01 · Profile the Actor
Status Deployed
Due Day 3
Workload ~4 hours
Deliverable 1-page profile

01 // Briefing

You learned the five types. Now profile one.

In yesterday's session you learned the five threat actor categories — nation-state, organised cybercrime, hacktivist, insider, opportunist. Categories are a starting point. The real work is going deeper into specific groups: who they are, what they target, and how they operate.

This is what threat intelligence analysts do most days. Before you can defend against an attacker, you have to understand the attacker. You are going to spend the next two days building a profile of one real, named threat group — using public, open sources.

Two groups to pick from. Each profile will be 1 page, structured the same way, and will feed directly into Lab Task 02 (where you'll take the CVEs you find here into the terminal).

// Objectives

Build a working understanding of one real-world threat group — who they are, why they exist, who they target.
Practice navigating attack.mitre.org properly — yesterday you saw it for 60 seconds, today you live in it.
Identify CVEs your group has exploited in the wild. These CVEs become your input to Task 02.
Produce a one-page actor profile in the format Ubuntu Guard analysts use for client briefings.

02 // Assignments

Your target

Two groups. Discuss as a team and pick one each. The choice matters less than the contrast: when you compare profiles at review, you'll see how differently a financially motivated criminal operation and a nation-state intelligence group operate.

Read both summaries before you decide. Whoever picks the nation-state actor should know upfront: that one is harder in a specific way (see the callout below).

// Option A
LockBit
Organised cybercrime · Ransomware-as-a-Service
The most prolific ransomware operation of the past several years. Operates a true affiliate model - the core team builds and maintains the ransomware, affiliates pay to deploy it against victims. Hit Transnet-adjacent suppliers, NHLS-style victims, and thousands of mid-sized organisations worldwide.
MITRE ATT&CK: G1392
// Option B
APT29
Nation-state · Russian SVR · Cyber espionage
Also known as Cozy Bear, NOBELIUM, Midnight Blizzard. Attributed to Russia's foreign intelligence service. Famous for SolarWinds, the 2016 DNC breach, COVID-19 vaccine research targeting. Patient, stealthy, and increasingly focused on cloud and identity infrastructure rather than commodity CVE exploitation.
MITRE ATT&CK: G0016
Heads up on Option B: APT29 doesn't lean on CVE exploitation the way LockBit does. They prefer supply-chain attacks, identity abuse, and cloud APIs. Whoever picks them will find fewer "their CVEs" entries. That's not a bug in the exercise, it's the point. Different actor types have different toolkits. Document what you find honestly.

03 // The work

Twelve steps to a working profile

Order isn't strict, but the steps are roughly the order an analyst would actually work in. Type your notes in a separate doc as you go: this page is just your task list, it doesn't store your work.

A · Identity
Who is this group, in plain language? Start here before anything technical.
Step 01
Find the MITRE ATT&CK group page for your actor
Go to attack.mitre.org/groups and find the entry. For LockBit, search "LockBit". For APT29, search "APT29" or "G0016". Bookmark the page, you'll be back several times.
If the group search doesn't load, go straight to attack.mitre.org/groups/G0016 (APT29) or attack.mitre.org/groups/G1392 (LockBit). ATT&CK IDs are stable once assigned, but MITRE does occasionally deprecate or merge an entry, so if an ID quoted here doesn't resolve, search "site:attack.mitre.org [actor name]" - that's the safest way to find the canonical page. Ransomware families are often catalogued under Software (attack.mitre.org/software) as well as, or instead of, Groups, so check both tabs for LockBit and note which one you used in your sources.
Step 02
Note every alias the group is known by
Threat actors collect names like trophies - different vendors name the same group differently. Note all of them. Microsoft's "Midnight Blizzard" and CrowdStrike's "Cozy Bear" and MITRE's "APT29" are the same group. Knowing the aliases means you can read writeups from any vendor.
Step 03
Write a one-paragraph "who they are" summary
In your own words. Not copy-pasted. The test: could a non-technical client read your paragraph and understand the threat? If yes, you've got it. Use the MITRE page as your starting point, but the summary is yours.
Good summary covers: origin (when first identified), attribution (suspected country or motive), category (one of the five from yesterday), and signature behaviour (one thing they're known for). Four short sentences usually does it.
B · Targets and motive
Who do they hit, and why? Pattern matters more than any single victim.
Step 04
Identify sector and region patterns
What industries does this group hit most? What countries or regions? Are they opportunistic (anyone vulnerable) or targeted (specific sectors)? Note three sectors and two regions where they're active.
Step 05
Name three high-profile victims
Real names, real dates, real impact. For LockBit, pick hits where the consequences were public. For APT29, pick well-documented operations. One sentence per victim describing what happened.
If you picked LockBit: Hits are well-covered on BleepingComputer and TheRecord. Try searches like "LockBit ICBC", "LockBit Royal Mail", or "LockBit Boeing". The CISA #StopRansomware advisory also lists incidents.

If you picked APT29: APT29 has a smaller, more famous victim list - SolarWinds (2020), DNC (2016), COVID-19 vaccine research (2020), Microsoft corporate email (2024). All extensively documented.
Step 06
Could they hit a small South African company? Why or why not?
This is the question that matters for Ubuntu Guard clients. Be specific. "Yes because…" or "Probably not because…" - explain your reasoning. Think about the actor's motive: does a small Durban firm fit their target profile?
C · How they operate
From the MITRE ATT&CK page, pull the techniques. This is the most useful section of the profile.
Step 07
List 5 ATT&CK techniques the group uses
From the "Techniques Used" table on the group's MITRE page. Pick five that span different stages of an attack (initial access, persistence, lateral movement, exfiltration, impact — try to cover variety). Note the technique ID (e.g. T1566) and one sentence on what the group does with it.
Don't get overwhelmed by the long list. Look for the most-cited techniques (the ones whose Procedure Examples cell cites several reports). For LockBit, T1486 (Data Encrypted for Impact), T1078 (Valid Accounts), T1190 (Exploit Public-Facing Application) are central. For APT29, T1195 (Supply Chain Compromise), T1078 (Valid Accounts), and T1556 (Modify Authentication Process) feature heavily.
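Steps 02 and 07 can also be done programmatically, which is worth seeing once because it shows where the website's data comes from. The script below is an added example for this lab, not code from the task page and not MITRE's own tooling. attack.mitre.org is rendered from the STIX 2.1 bundles MITRE publishes at github.com/mitre-attack/attack-stix-data: the group is an intrusion-set object (its aliases field is the list Step 02 asks for), each technique is an attack-pattern object tagged with the tactics it belongs to, and each row of the "Techniques Used" table is a "uses" relationship from the group to a technique. The bundle embedded here is a constructed, trimmed stand-in with the same object shapes so the script runs offline; the group and technique IDs, names and aliases are real ATT&CK values, the procedure text is made up.

```python
"""Aliases and 'Techniques Used' for one ATT&CK group, from a STIX bundle.

Added example for this lab. The sample bundle is constructed (real ATT&CK
IDs and names, made-up procedure text); the real enterprise-attack.json
from github.com/mitre-attack/attack-stix-data has the same object shapes.
"""
import json
from collections import defaultdict

# Enterprise ATT&CK tactics in kill-chain order, as the matrix columns show them.
TACTIC_ORDER = ["reconnaissance", "resource-development", "initial-access", "execution",
                "persistence", "privilege-escalation", "defense-evasion", "credential-access",
                "discovery", "lateral-movement", "collection", "command-and-control",
                "exfiltration", "impact"]


def _technique(tid, name, *tactics):
    """Constructed attack-pattern object in ATT&CK's STIX shape."""
    return {"type": "attack-pattern", "id": f"attack-pattern--{tid.lower()}", "name": name,
            "external_references": [{"source_name": "mitre-attack", "external_id": tid}],
            "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": t}
                                  for t in tactics]}


def _uses(group_ref, tid, procedure):
    """Constructed 'uses' relationship: one row of the Techniques Used table."""
    return {"type": "relationship", "relationship_type": "uses", "source_ref": group_ref,
            "target_ref": f"attack-pattern--{tid.lower()}", "description": procedure}


SAMPLE_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--sample", "objects": [
    {"type": "intrusion-set", "id": "intrusion-set--g0016", "name": "APT29",
     "aliases": ["APT29", "Cozy Bear", "NOBELIUM", "Midnight Blizzard"],
     "external_references": [{"source_name": "mitre-attack", "external_id": "G0016"}]},
    _technique("T1195", "Supply Chain Compromise", "initial-access"),
    _technique("T1078", "Valid Accounts", "initial-access", "persistence",
               "privilege-escalation", "defense-evasion"),
    _technique("T1556", "Modify Authentication Process", "credential-access",
               "defense-evasion", "persistence"),
    _technique("T1486", "Data Encrypted for Impact", "impact"),
    _uses("intrusion-set--g0016", "T1195", "Made-up procedure: trojanised a vendor update."),
    _uses("intrusion-set--g0016", "T1078", "Made-up procedure: used stolen cloud credentials."),
    _uses("intrusion-set--g0016", "T1556", "Made-up procedure: forged SAML tokens."),
    # T1486 is in the bundle but no 'uses' edge links it to G0016: it must not be reported.
]})


def find_group(objects, group_id):
    """The intrusion-set whose ATT&CK external_id matches, e.g. 'G0016'."""
    for obj in objects:
        if obj.get("type") == "intrusion-set":
            for ref in obj.get("external_references", []):
                if ref.get("source_name") == "mitre-attack" and ref.get("external_id") == group_id:
                    return obj
    raise KeyError(f"no intrusion-set with external_id {group_id}")


def techniques_used(bundle_json, group_id):
    """(aliases, {tactic: [(technique_id, name, procedure), ...]}) for one group."""
    objects = json.loads(bundle_json)["objects"]
    group = find_group(objects, group_id)
    patterns = {o["id"]: o for o in objects if o.get("type") == "attack-pattern"}
    used = defaultdict(list)
    for rel in objects:
        if (rel.get("type") != "relationship" or rel.get("relationship_type") != "uses"
                or rel.get("source_ref") != group["id"] or rel.get("target_ref") not in patterns):
            continue
        tech = patterns[rel["target_ref"]]
        tid = next(r["external_id"] for r in tech["external_references"]
                   if r.get("source_name") == "mitre-attack")
        # A technique is listed once per tactic it belongs to (T1078 sits under four).
        for phase in tech.get("kill_chain_phases", []):
            if phase.get("kill_chain_name") == "mitre-attack":
                used[phase["phase_name"]].append((tid, tech["name"], rel.get("description", "")))
    return group.get("aliases", [group["name"]]), dict(used)


def spread_across_tactics(used, n=5):
    """Up to n distinct techniques, one per tactic in kill-chain order, so the
    five you cite span stages of an attack instead of clustering in one."""
    picked, seen = [], set()
    for tactic in TACTIC_ORDER:
        for tid, name, _ in used.get(tactic, []):
            if tid not in seen:
                picked.append((tactic, tid, name))
                seen.add(tid)
                break
        if len(picked) == n:
            break
    return picked


if __name__ == "__main__":
    aliases, used = techniques_used(SAMPLE_BUNDLE, "G0016")
    print("Aliases:", ", ".join(aliases))
    for tactic, tid, name in spread_across_tactics(used):
        print(f"{tactic:20} {tid:6} {name}")
```

Against the real bundle the same code lists every technique on the group page, grouped by tactic, and the greedy picker hands you a first cut at the five-technique spread Step 07 asks for; you still write the one-sentence "what they do with it" yourself, from the procedure text and its cited reports.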
Step 08
Identify their preferred initial access method
How do they typically get in? Phishing? Public-facing application exploit? Stolen credentials? Supply chain? Different actors have very different "front doors". Knowing this tells defenders where to spend money.
Step 09
Note one signature tool or malware family
Threat actors have favourite tools. Cobalt Strike comes up everywhere. So do specific malware families - SUNBURST for APT29, custom LockBit Black ransomware variants for LockBit. Pick one and write a sentence on it.
D · The CVE list
This section is the bridge to Task 02. Whatever you find here, you'll be running through searchsploit and the CISA KEV catalogue in Task 02.
Step 10
Find 3–5 CVEs your group has been documented exploiting
CVE-YYYY-NNNNN format. For each one note: what software it affects, the CVSS score, whether it's on CISA KEV. Best sources: CISA's #StopRansomware advisories (LockBit specifically - search "cisa.gov LockBit advisory"), MITRE ATT&CK group page references, BleepingComputer writeups.
If you picked LockBit: The CISA joint advisory AA23-165A lists specific CVEs. Look for Fortinet (CVE-2018-13379), F5 BIG-IP (CVE-2021-22986), Netlogon Zerologon (CVE-2020-1472), Log4j (CVE-2021-44228), BlueKeep (CVE-2019-0708), PaperCut (CVE-2023-27350).

If you picked APT29: Fewer CVE-driven entries. Start with the July 2020 NCSC/CISA joint advisory on APT29 targeting COVID-19 vaccine development (it lists the VPN and mail-gateway CVEs the group exploited for initial access: Citrix, Pulse Secure, Fortinet, Zimbra), the December 2023 joint advisory on SVR exploitation of JetBrains TeamCity CVE-2023-42793 (CISA AA23-347A), and the 2024 Microsoft corporate email breach analyses (note that one involved no CVE at all: a password spray followed by abuse of a legacy OAuth application). If you find fewer than 3, write that honestly and explain why this actor prefers other entry methods.
Step 11
For each CVE, identify the CWE category
Recall from Module 02 anatomy - CWE is the type of weakness. Look at the NVD entry for each CVE and grab the CWE number. You'll start to see a pattern: certain actors favour certain weakness categories. That's a fingerprint.
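Steps 10 and 11 amount to joining two public datasets per CVE: the NVD record (CVSS score and CWE) and the CISA KEV catalogue (listed or not, and whether CISA has tagged it as used in ransomware campaigns). The script below is an added example for this lab, not material from the task page and not a CISA or NIST tool. Its two inputs are constructed samples laid out the way the KEV JSON feed (cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json) and the NVD API 2.0 response (services.nvd.nist.gov/rest/json/cves/2.0?cveId=...) put their fields; those field names are my assumption about the formats, and the scores and CWEs are the published NVD values for these real CVEs as I recall them, so re-check every cell on nvd.nist.gov and cisa.gov before it goes in the profile. The KEV sample is deliberately cut to two entries so the "not listed" branch runs; CVE-2023-42793 is in the real catalogue.

```python
"""Build the profile's 'Known CVEs' table: CVE, software, CVSS, CWE, KEV status.

Added example for this lab. Both inputs are constructed samples (assumed
KEV-feed and NVD API 2.0 field layout); verify values on the live sites.
"""
import json
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample shaped like CISA's KEV feed. Truncated on purpose so a
# 'not listed' row appears: CVE-2023-42793 is in the real catalogue.
SAMPLE_KEV = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2018-13379", "vendorProject": "Fortinet", "product": "FortiOS",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
     "knownRansomwareCampaignUse": "Known"},
]})

# Constructed sample shaped like an NVD API 2.0 response for three real CVEs.
SAMPLE_NVD = json.dumps({"vulnerabilities": [
    {"cve": {"id": "CVE-2018-13379",
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]},
             "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}]}]}},
    {"cve": {"id": "CVE-2021-44228",
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 10.0, "baseSeverity": "CRITICAL"}}]},
             "weaknesses": [{"description": [{"lang": "en", "value": "CWE-917"},
                                             {"lang": "en", "value": "CWE-20"}]}]}},
    {"cve": {"id": "CVE-2023-42793",
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]},
             "weaknesses": [{"description": [{"lang": "en", "value": "CWE-288"}]}]}},
]})


@dataclass
class CveRow:
    cve: str
    software: str
    cvss: Optional[float]
    severity: str
    cwes: List[str]
    kev: bool
    ransomware_use: str  # CISA's knownRansomwareCampaignUse, 'n/a' if not on KEV


def cvss_of(cve_obj):
    """Newest CVSS version present; pre-2016 CVEs often only carry v2 metrics."""
    metrics = cve_obj.get("metrics", {})
    for key in ("cvssMetricV31", "cvssMetricV30", "cvssMetricV2"):
        if metrics.get(key):
            m = metrics[key][0]
            # v3 keeps baseSeverity inside cvssData, v2 keeps it beside it
            return m["cvssData"]["baseScore"], m["cvssData"].get("baseSeverity", m.get("baseSeverity", "n/a"))
    return None, "n/a"


def cwes_of(cve_obj):
    """CWE IDs from NVD's weakness list, skipping its NVD-CWE-noinfo / NVD-CWE-Other placeholders."""
    out = []
    for weakness in cve_obj.get("weaknesses", []):
        for desc in weakness.get("description", []):
            value = desc.get("value", "")
            if value.startswith("CWE-") and value not in out:
                out.append(value)
    return out


def build_table(nvd_json, kev_json, wanted):
    """One CveRow per requested CVE; fails loudly on an ID NVD does not know."""
    kev = {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}
    nvd = {v["cve"]["id"]: v["cve"] for v in json.loads(nvd_json)["vulnerabilities"]}
    rows = []
    for cve_id in wanted:
        if cve_id not in nvd:
            raise KeyError(f"{cve_id} not in NVD data: check the ID before citing it")
        score, severity = cvss_of(nvd[cve_id])
        k = kev.get(cve_id)
        software = f"{k['vendorProject']} {k['product']}" if k else "(take from the NVD CPE list)"
        rows.append(CveRow(cve_id, software, score, severity, cwes_of(nvd[cve_id]),
                           k is not None, k.get("knownRansomwareCampaignUse", "Unknown") if k else "n/a"))
    return rows


def to_markdown(rows):
    """The 'Known CVEs' table in the deliverable's column order."""
    lines = ["| CVE | Software | CVSS | CWE | On KEV | Ransomware use |",
             "|---|---|---|---|---|---|"]
    for r in rows:
        score = "?" if r.cvss is None else f"{r.cvss} ({r.severity})"
        lines.append(f"| {r.cve} | {r.software} | {score} | {', '.join(r.cwes) or '?'} | "
                     f"{'Yes' if r.kev else 'No'} | {r.ransomware_use} |")
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_markdown(build_table(SAMPLE_NVD, SAMPLE_KEV,
                                  ["CVE-2018-13379", "CVE-2021-44228", "CVE-2023-42793"])))
```

Two habits the code bakes in that matter for the marking: it refuses to emit a row for a CVE ID NVD has never heard of (a typo in a CVE number is the most common accuracy failure in a first draft), and it drops NVD's "no info" CWE placeholders rather than printing them as if they were a weakness class, which keeps the Step 11 fingerprint honest.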
Step 12
Write a "so what" paragraph
Pulling it all together: if this group targeted a small SA firm tomorrow, where would they probably come in? What CVE class would they exploit? What's the first thing the firm should patch? This is the part the client cares about. Write it last, after everything else, when you can see the pattern.

04 // Deliverable

What to hand in

One-page actor profile Due // Day 3

Format your findings as a single-page document. Word, markdown, or Google Docs - whatever you're comfortable with. Imagine you're handing it to a colleague who has never heard of your actor and has 5 minutes to get up to speed. Structure should be:

Header:  Group name, aliases, type, attributed country/motive
Who they are:  one paragraph, plain English
Who they target:  sectors, regions, 3 named victims with one-line descriptions
How they operate:  5 ATT&CK techniques (IDs + descriptions), initial access method, signature tool
Known CVEs:  3-5 CVE IDs in a small table - CVE, software, CVSS, CWE, KEV status
So what for SA SMEs:  one paragraph - would they hit a Durban firm, and where would they come in?
Sources:  bottom of page, list every URL you used
Drop the document into the shared folder named UGLabs / Lab 01 Submissions / [your-name]-actor-profile.docx. Don't message it. Don't email it. Drop it.

05 // How it's marked

What good looks like

This isn't graded out of 100. It's reviewed by Sudo and you get verbal feedback before Lab 02 deploys. But here's how it'll be assessed - same lens an Ubuntu Guard senior would apply to a real analyst's first draft.

30%
Accuracy. Is what you wrote factually correct? Are the CVEs really associated with this group? Are the ATT&CK technique IDs right? Did you cite real victims, not made-up ones?
25%
Source quality. CISA, MITRE, original vendor writeups, BleepingComputer, KrebsOnSecurity, Mandiant blog. Not Wikipedia. Not random Medium posts. Not AI-generated summaries on SEO blogs.
20%
Plain-English writing. Could a non-technical client read this? No unexplained acronyms. No jargon for jargon's sake. Concise. If a sentence does no work, cut it.
15%
The "so what" paragraph. Did you bridge from the global actor to the local context? This is what differentiates a researcher from an analyst.
10%
Honesty about gaps. If you couldn't find something, say so. "APT29 is not heavily documented as a CVE-exploitation actor; below are the few mapped exploits I could find" is much better than padding the section with weak finds.

06 // Starting points

Where to look first

Don't start with Google. Start with the canonical sources. Search-engine results for threat actor names are full of marketing content from security vendors trying to sell you their EDR. Go to the primary sources first.

For both:

attack.mitre.org/groups - MITRE ATT&CK group catalogue, your primary reference

cisa.gov/news-events/cybersecurity-advisories - CISA joint advisories, often have detailed actor breakdowns with CVE lists

nvd.nist.gov - for any CVE detail you find

bleepingcomputer.com - accessible news writeups with technical depth

If you picked LockBit:

Search CISA for AA23-165A - the joint LockBit advisory with CVE list

Search CISA for AA23-075A - the LockBit 3.0 advisory

If you picked APT29:

Microsoft Threat Intelligence blog - search "Midnight Blizzard"

Mandiant blog (now part of Google) - long-form APT29 analyses

UK NCSC advisories - APT29 has been attributed by UK government

Avoid: any "Top 10 Things to Know About [Actor]" listicle. Avoid LLM-generated content farms. If a page has no author, no date, and no citations, close the tab.

That's the worklist done. Now write the profile. The work is the document, not the checkboxes - these were just the path. Drop the finished doc in the submissions folder by Day 3.

Lab Task 02 (CVE on the command line) deploys Day 4. You'll be running the CVEs you just found through searchsploit and KEV. Bring your list.