Cybercriminal profiling and cyber-attack attribution have been elusive goals world-wide, due to their effects on societal and geopolitical balance and stability. Attributing actions to a group or state is a complex endeavour, with traditional established approaches including cyber threat intelligence and analysis of technical means such as malware analysis, network forensics, and geopolitical intelligence. However, we propose an additional component for profiling threat actor groups through analysing cultural aspects of human behaviours and interactions. We utilise a set of variables which determine characteristics of national and organisational culture to create a cultural "footprint" of cybercriminal groups. As a case study, we conduct thematic analysis across the six dimensions of the Hofstede national culture classification and the eight dimensions of the Meyer classification on leaked internal communications of the ransomware group Conti. We propose that a systematic analysis of similar communications can serve as a practical tool for a) understanding the modus operandi of cybercrime and cyberwarfare-related groups, and b) profiling cybercriminal groups and/or nation-state actors. Insights from such applications can, first, assist in combating cybercrime and, second, if combined with additional cyber threat intelligence, can provide a level of confidence in nuanced cyber-attack attribution processes.

翻译：网络犯罪画像与网络攻击归因因其对社会及地缘政治平衡与稳定的影响，始终是全球范围内难以实现的目标。将攻击行为归因于特定组织或国家是一项复杂的任务，传统成熟方法包括网络威胁情报分析以及对技术手段（如恶意软件分析、网络取证和地缘政治情报）的研判。然而，我们提出一种通过分析人类行为与互动的文化特征来刻画威胁行为体群体的补充性方法。我们采用一组决定国家和组织文化特征的变量，构建网络犯罪团伙的文化“足迹”。作为案例研究，我们运用主题分析法，基于霍夫斯泰德国家文化分类的六个维度和迈耶分类的八个维度，对勒索软件团伙Conti泄露的内部通信资料进行分析。我们认为，对此类通信进行系统分析可作为一种实用工具，用于：a) 理解网络犯罪及网络战相关组织的作案手法；b) 刻画网络犯罪团伙和/或国家行为体特征。此类应用产生的洞见，首先有助于打击网络犯罪；其次，若结合其他网络威胁情报，可为精细化的网络攻击归因过程提供一定程度的可信度支撑。