OD1.9 Team Structures and Attacker Roles
You've read incident reports attributing attacks to named groups — "LockBit," "Scattered Spider," "Volt Typhoon." This sub reveals that the "group" label often obscures a supply chain of independent actors with different skills, different tools, and different operational profiles. Understanding the team structure changes how you investigate, how you assess the threat, and how you scope the damage.
Operational Objective
During an investigation, you notice a skill discontinuity: sophisticated initial access followed by crude post-exploitation. You're not looking at one inconsistent attacker. You're looking at a handoff between a skilled access broker and a less-skilled affiliate who purchased their work. The broker may have sold access to fifty other organisations using the same method. Your incident isn't isolated — it's one sale in a marketplace.
Understanding attacker team structures tells you how many actors are involved, where the handoff happened, and what that means for your threat assessment and investigation scope.
Learning Objectives
By the end of this sub you will be able to:
- Identify the handoff signature — the skill discontinuity between attack phases that indicates multiple independent actors — in investigation telemetry. The LockBit ecosystem's separation between IABs (initial access brokers) and affiliates produces exactly this signature: high-skill access establishment followed by variable-skill post-exploitation. This matters because identifying a handoff expands your investigation scope — the broker's access method may be active against other accounts in your environment, and the broker may have sold access to other organisations.
- Classify the attacker team structure (supply-chain criminal, unified state team, lone insider, recruited insider) from tradecraft consistency across campaign phases. This matters because the structure predicts the threat profile: a unified team has consistent capability throughout; a supply-chain operation has variable capability and the broker's initial access method is the shared vulnerability across all their customers.
- Use AI to detect handoff signatures by comparing tooling, skill level, temporal gaps, and operational security across investigation phases. This matters because handoff detection requires comparing tradecraft across dozens of events — AI accelerates the comparison from hours to minutes during time-critical investigations.
Figure OD1.9 — The cybercrime supply chain. Multiple independent actors, each specialised in one phase. The handoff between them produces a detectable skill discontinuity in your investigation telemetry.
Cybercrime is a supply chain, not a single actor
The attacker who compromised your VPN credentials is probably not the same person who deployed the ransomware. They've never met.
Modern cybercrime involves multiple independent actors connected by criminal marketplaces. The access broker compromises your VPN, verifies the access works, lists it for sale with your industry, revenue, endpoint count, and security stack. The affiliate purchases the listing and executes their objective. The RaaS operator built the platform and manages the leak site. None of them work for the same organization.
Understanding this changes your investigation. If you see a skill discontinuity — sophisticated initial access followed by crude post-exploitation — that's not one inconsistent attacker. It's a handoff. The broker may have sold access to fifty other organizations. Your incident is one sale in a marketplace.
The access broker economy
IABs are the upstream providers. Their business model is volume: compromise as many organizations as possible, establish persistent access, sell it.
IABs specialize in initial access — phishing, vulnerability exploitation, credential stuffing, VPN/RDP compromise. Their capability is generally high. Once access is established, they create a marketplace listing. A typical listing on a criminal forum looks like this:
Typical IAB marketplace listing:
[SELL] US | Engineering company | $35B revenue | 865 endpoints
Access type: Domain user VPN credentials (Cisco AnyConnect)
Domain: northgateeng.com
Security: CrowdStrike Falcon on endpoints, Microsoft Sentinel SIEM
Notes: VPN does not require MFA on legacy client. Tested 04/15.
Access verified clean — no IR activity observed.
Price: $5,000

The listing includes your industry, revenue, endpoint count, access type, and security stack — everything a buyer needs to assess the opportunity and plan their post-exploitation. The "security" field is the most operationally dangerous: the buyer knows your EDR and SIEM before they've touched your environment, so they can pre-test their tools against your exact stack.
The IAB then moves on. They don't deploy ransomware, steal data, or conduct post-exploitation beyond what's needed for the listing. Their profile is distinctive: sophisticated initial access, minimal post-compromise activity, then silence. The access sits dormant until a buyer activates it — which may be days, weeks, or months later.
You can detect dormant broker access by querying for accounts or persistence mechanisms that were established and then went silent:
// Detect dormant VPN accounts — authenticated once, then silent
SigninLogs
| where TimeGenerated > ago(90d)
| where AppDisplayName has "VPN" or AppDisplayName has "AnyConnect"
or AppDisplayName has "GlobalProtect"
| summarize
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated),
AuthCount = count(),
DistinctIPs = dcount(IPAddress)
by UserPrincipalName
| where AuthCount <= 3 and datetime_diff('day', now(), LastSeen) > 14
| order by LastSeen asc
// Accounts that authenticated 1-3 times via VPN more than 14 days ago
// and haven't returned — potential broker access waiting for a buyer.

Defensive translation: dormant persistence — a web shell with no recent callbacks, a VPN account with minimal activity then silence, a scheduled task that was created but never executed — may be broker-established access waiting for a buyer. The dormancy is the indicator. Run the query above weekly.
The affiliate — variable skill, high noise
The execution layer. Skill varies from sophisticated operators to beginners following step-by-step RaaS documentation.
Low-skill affiliates copy commands from documentation (sometimes with the documentation's example hostnames still in the command), use default tool configurations, and don't adapt when blocked. They're actually more dangerous in one sense: they're less predictable. A skilled attacker follows logical operational flow. A low-skill attacker runs commands out of order because they're following a generic playbook rather than adapting to what they find.
The handoff signature
The skill discontinuity between phases that tells you multiple actors are involved.
Phase 1 (broker): Three weeks before the ransomware, someone compromised a VPN account using breached credentials. One authentication, one persistence mechanism, zero noise. Clean and professional.
Phase 2 (affiliate): Three weeks later, a different actor logs in via the VPN. Within two hours: BloodHound with default settings (SharpHound visible in Sysmon), LSASS dump using comsvcs.dll (exact command from a public blog post), PsExec lateral movement to six systems simultaneously (three failed). Noisy, scripted, crude.
The skill discontinuity is stark. Phase 1 was professional. Phase 2 was copy-paste. If you assess the threat based only on Phase 2, you conclude "low-skill attacker." If you identify the handoff, you realize the initial access was conducted by a high-capability broker who may have sold access to other organizations — and whose credential-stuffing method might be active against other accounts in your environment.
State-sponsored team structures
Coordinated under unified command. Same coding style, same operational tempo, same infrastructure patterns from initial access through objective execution.
State programs have separate teams for access development (researching and weaponizing vulnerabilities), initial operations (establishing access in target networks), sustained operations (conducting intelligence collection over months), infrastructure management (maintaining C2, proxy chains, and exfiltration channels), and intelligence analysis (processing collected data into finished intelligence products).
The coordination means campaigns show consistency across phases — unlike the criminal supply chain's skill discontinuities. Here's the telltale comparison during an investigation:
Criminal supply chain (handoff visible):
Phase 1 evidence (broker):
- Custom exploit against Citrix CVE (not publicly known at time)
- Single authentication, single web shell, zero noise
- 5-week silence
Phase 2 evidence (affiliate):
- AsyncRAT deployed via web shell (free, publicly available)
- SharpHound with default collection method
- Mimikatz with default arguments (sekurlsa::logonpasswords)
- PsExec to 6 systems simultaneously, 3 failed
→ SKILL DISCONTINUITY: sophisticated access, crude post-exploitation.
Two different actors.
State-sponsored team (unified):
Phase 1 evidence:
- Custom implant with novel communication protocol
- Careful staging: 12-day dormancy before first C2 callback
- Certificate pinning in the implant binary
Phase 2 evidence:
- Same communication protocol for lateral movement tool
- Same coding patterns (custom string obfuscation, same compiler)
- Same operational tempo (one action per day, business hours only)
- Same infrastructure pattern (CDN-fronted, same domain registrar)
→ CONSISTENT TRADECRAFT: same team, same tools, same doctrine
throughout. Unified command structure.

Defensive translation: consistency in tradecraft across phases = unified team (state-sponsored or well-resourced corporate espionage). Discontinuity = supply-chain model (criminal). This affects your threat assessment: a unified team has consistent capability throughout — if the initial access was sophisticated, expect the post-exploitation to be equally sophisticated. You won't catch them with commodity-tool detection rules. A supply-chain operation has variable capability — the affiliate may be catchable even if the broker wasn't.
Insider threat structures
Lone insider. Uses legitimate access for unauthorized purposes. No external tools, no C2. Detection is anomalous data handling — unusual volume, destinations, timing — not technique signatures.
Recruited insider. External handler provides instructions and possibly tools. Mix of handler's tradecraft (external communication channels) + insider's legitimate access. The combination is the detection surface.
Compromised insider. Stolen credentials without the employee's knowledge. Same profile as an external attacker with stolen credentials. Unfamiliar device + legitimate credentials + unusual behavior = compromised account.
STEP 1 — Select a report with a detailed timeline
The report must describe multiple phases of attacker activity
(initial access through objective execution) with enough detail
to assess tooling, timing, and operational security at each phase.
STEP 2 — Assess tradecraft consistency across phases
For each phase of the attack, note:
a. Tools used (commodity/custom, which specific tools)
b. Skill indicators (command accuracy, adaptation when blocked,
OPSEC discipline)
c. Timing (pace between events, time of day)
d. Operational security (evidence cleanup, stealth effort)
STEP 3 — Look for discontinuities
Compare your Phase 1 assessment to Phase 2, Phase 2 to Phase 3,
etc. Look for:
- Tool changes (different C2 framework, different discovery tools)
- Skill drops (sophisticated access → crude post-exploitation)
- Temporal gaps (days/weeks of silence between phases)
- OPSEC changes (careful → careless, or vice versa)
STEP 4 — Classify
Single actor: consistent tradecraft throughout.
Multiple actors (handoff): skill discontinuity at a specific point.
If multiple: identify the handoff point and classify each actor
(IAB, affiliate, state team, insider).
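As an added example (not part of the course material), this Python script applies STEP 2 to STEP 4 to the two comparison timelines shown earlier, encoded as constructed events with analyst-assigned skill and OPSEC ratings. The thresholds (7-day gap, 2-point drop, at least two signals before calling a handoff) are assumptions for illustration, not values from the course.

```python
# Added example (not course material): scores a constructed timeline for the
# STEP 3 handoff signals: tool change, skill drop, temporal gap, OPSEC change.
from typing import NamedTuple
from datetime import datetime, timedelta

class Event(NamedTuple):
    when: datetime
    tool: str     # what was observed (constructed descriptions)
    family: str   # "custom" or "commodity"
    skill: int    # analyst rating: 1 = copy-paste .. 5 = professional
    opsec: int    # analyst rating: 1 = careless .. 5 = careful

def handoff_points(events, gap_days=7, drop=2):
    """Return [(index, reasons)] where an event looks like a new actor."""
    ev = sorted(events, key=lambda e: e.when)
    found = []
    for i in range(1, len(ev)):
        p, c = ev[i - 1], ev[i]
        reasons = []
        if c.when - p.when >= timedelta(days=gap_days):
            reasons.append("gap %dd" % (c.when - p.when).days)
        if p.skill - c.skill >= drop:
            reasons.append("skill %d->%d" % (p.skill, c.skill))
        if p.family != c.family:
            reasons.append("tooling %s->%s" % (p.family, c.family))
        if abs(p.opsec - c.opsec) >= drop:
            reasons.append("opsec %d->%d" % (p.opsec, c.opsec))
        # Require two signals: a gap alone can be one team's careful staging.
        if len(reasons) >= 2:
            found.append((i, reasons))
    return found

def classify(events):
    """STEP 4: 'single' for consistent tradecraft, else 'handoff'."""
    return "handoff" if handoff_points(events) else "single"

T0 = datetime(2024, 4, 1)  # constructed anchor date
CRIMINAL = [  # the supply-chain comparison above as events
    Event(T0, "custom Citrix exploit + web shell", "custom", 5, 5),
    Event(T0 + timedelta(days=35), "AsyncRAT via web shell", "commodity", 2, 1),
    Event(T0 + timedelta(days=35, hours=1), "SharpHound, defaults", "commodity", 2, 1),
    Event(T0 + timedelta(days=35, hours=2), "PsExec x6, 3 failed", "commodity", 1, 1),
]
STATE = [  # the unified-team comparison above as events
    Event(T0, "custom implant, novel C2 protocol", "custom", 5, 5),
    Event(T0 + timedelta(days=12), "first C2 callback", "custom", 5, 5),
    Event(T0 + timedelta(days=13), "lateral move, same protocol", "custom", 5, 5),
    Event(T0 + timedelta(days=14), "CDN-fronted staging", "custom", 5, 4),
]
```

Note that the state timeline's 12-day dormancy trips the gap check on its own but nothing else, so it is classified as a single team; the criminal timeline trips all four signals at the affiliate's first event.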
STEP 5 — AI validation
Paste the event timeline into Claude:
"Analyse this timeline for evidence of actor handoff:
[paste chronological events with tools, techniques, timing]
1. Is tooling consistent across phases or does it change?
2. Does skill level remain consistent or shift?
3. Are there temporal gaps indicating access sale/transfer?
4. Does operational tempo change between phases?
5. Single actor or multiple? Where is the handoff?"

Hands-on Exercise — Handoff Identification
Objective: Identify whether an incident involved a single actor or multiple actors by analyzing tradecraft consistency across phases.
Prerequisites: A detailed published incident report with a full timeline. Mandiant M-Trends case studies, CrowdStrike reports, or CISA advisories with technical detail work well.
Success criteria: You've assessed tradecraft consistency across at least 3 phases, identified whether a handoff occurred, and classified the actor(s) involved.
Challenge: If you identified a handoff, assess what the broker's initial access method reveals about broader organizational risk. If the broker used credential stuffing from breach data, are other accounts in the organization vulnerable to the same method? If they exploited a specific CVE, is that vulnerability present elsewhere? The broker's method is the shared risk across all their customers.
You should be able to do the following without referring back to this sub. If you can't, the sections to re-read are noted.
You're reading the free modules of offensive-security-for-defenders
The full course continues with advanced topics, production detection rules, worked investigation scenarios, and deployable artifacts.