An Objective Framework for Subjective Data: Inside Unit 42’s Attribution Methodology

Dr. Victor Monga

Published Jan 17, 2026

Threat actor attribution has traditionally been considered more art than science. This subjective approach often contributes to naming confusion (is it APTx or GroupY?) and makes it difficult for security teams to prioritize real risks.

To address this, Unit 42 has formalized an Attribution Framework that moves away from ad hoc assessments toward a data-driven progression. By leveraging the Diamond Model of Intrusion Analysis and an intelligence-community standard scoring system, they ensure every claim is backed by high-confidence evidence.

Unit 42’s Attribution Framework — Unit42 Attribution Framework

The Three Levels of Attribution

The framework tracks threats through a lifecycle that rewards observation over time:

Activity Clusters (CL): Groups of related events (e.g., shared IP addresses or phishing tactics) where the full objective or actor identity is still unknown.
Temporary Threat Groups (TGR): Clusters elevated once analysts are confident a single actor is involved. Unit 42 typically observes these for at least six months to confirm persistent behavior.
Named Threat Actors: The final stage, reached only with high-visibility across all vertices of the Diamond Model: Adversary, Infrastructure, Capability, and Victim.

Standardizing Trust with the Admiralty System

To keep findings objective, Unit 42 uses the NATO-standard Admiralty System to grade every piece of evidence. This removes analyst bias by scoring data on two distinct axes:

Source Reliability (A–F): How trustworthy is the source? (e.g., internal telemetry vs. unverified OSINT).
Information Credibility (1–6): Is the data logical and corroborated by others?

Case Study: Connecting Bookworm to Stately Taurus

A prime example of this framework in action is the September 2025 link between the Bookworm Trojan and Stately Taurus (a China-nexus espionage group).

By applying the framework's rigorous standards, researchers were able to link modular malware artifacts from 2015 to modern infrastructure. Through shared PDB paths and custom tools like ToneShell, they proved that years of "subjective" data could be resolved into an "objective" named actor.

Stay tuned for my next article about Global Incident response and hopefully Fuel User Group SoCal event around this topic with Kyle Wilhoit .

Kyle Wilhoit 3mo

It was great having you, Victor! I’m looking forward to working together more closely in the future.

4 Reactions

To view or add a comment, sign in

More articles by Dr. Victor Monga

The Cost of "No Human in the Loop"

Mar 9, 2026

The Cost of "No Human in the Loop"

AI is a powerful engine for productivity, but it is a terrible unsupervised employee. The pressure to cut costs…

9 Comments
Beyond the Checkbox: Why Risk and Governance Professionals are the New Architects of Digital Trust

Mar 4, 2026

Beyond the Checkbox: Why Risk and Governance Professionals are the New Architects of Digital Trust

For years, IT audit, risk, and security teams have unfairly worn the badge of "The Department of No." We were the…
From Theory to Operations: A Professional’s Playbook for the TAISE Prompt Library

Feb 18, 2026

From Theory to Operations: A Professional’s Playbook for the TAISE Prompt Library

https://files.cloudsecurityalliance.
Why we are no longer waiting for the wave—we are underwater.

Feb 17, 2026

Why we are no longer waiting for the wave—we are underwater.

The consensus among the world’s top offensive researchers—from Meta, Anthropic, MITRE, and leading government…

1 Comment
The Trojan Horse is No Longer Wood—It’s Just a Prompt

Feb 4, 2026

The Trojan Horse is No Longer Wood—It’s Just a Prompt

Download full report: https://unit42.paloaltonetworks.
Stop Dreading Mondays. Start Dominating Them. Introducing M³

Jan 21, 2026

Stop Dreading Mondays. Start Dominating Them. Introducing M³

We all know the feeling. It’s Sunday night.

1 Comment
Categorization vs. Prioritization: Solving the SOC Alert Crisis

Jan 1, 2026

Categorization vs. Prioritization: Solving the SOC Alert Crisis

If you’ve spent any time in a Security Operations Center, you know the feeling of staring at a dashboard glowing red…

2 Comments
Moving Beyond the Firewall: Why Zero Trust is a People Problem, Not a Tech Fix

Oct 15, 2025

Moving Beyond the Firewall: Why Zero Trust is a People Problem, Not a Tech Fix

The cybersecurity industry has a persistent, costly misunderstanding: we treat security as a purely technical problem…

4 Comments
My AI Won't Listen: Where Do You File a Complaint Against a Rogue LLM?

Sep 15, 2025

My AI Won't Listen: Where Do You File a Complaint Against a Rogue LLM?

It’s been a little over a year since the world collectively discovered a new superpower. With the explosion of Large…

1 Comment
The Sneaky @ Symbol That Can Empty Your Bank Account

Sep 9, 2025

The Sneaky @ Symbol That Can Empty Your Bank Account

Phishing Alert: Don’t Get Fooled by URLs That Look Legit I recently came across a phishing attempt that pretended to be…

2 Comments

See all articles

The Three Levels of Attribution

Standardizing Trust with the Admiralty System

Case Study: Connecting Bookworm to Stately Taurus

More articles by Dr. Victor Monga

The Cost of "No Human in the Loop"

Beyond the Checkbox: Why Risk and Governance Professionals are the New Architects of Digital Trust

From Theory to Operations: A Professional’s Playbook for the TAISE Prompt Library

Why we are no longer waiting for the wave—we are underwater.

The Trojan Horse is No Longer Wood—It’s Just a Prompt

Stop Dreading Mondays. Start Dominating Them. Introducing M³

Categorization vs. Prioritization: Solving the SOC Alert Crisis

Moving Beyond the Firewall: Why Zero Trust is a People Problem, Not a Tech Fix

My AI Won't Listen: Where Do You File a Complaint Against a Rogue LLM?

The Sneaky @ Symbol That Can Empty Your Bank Account

Explore content categories