No matter how confusing it is to refer to the same group of Russian hackers by a handful of different names – Cozy Bear, Nobelium, APT29 and so on – don’t expect the private companies behind those monikers to drop them anytime soon.
The big picture: Naming conventions for state-backed hacking groups vary from technical Advanced Persistent Threat (APT) group numbers to fancy animal-based names, making it difficult for people outside of cybersecurity research to understand which hackers do what.
- Consider a well-known Russian cyber-espionage group: Mandiant researchers call it APT29, CrowdStrike researchers call it Cozy Bear, and Microsoft calls it Nobelium.
Driving the news: Several cyber threat intelligence firms published research on Iran’s Charming Kitten group earlier this month, but each firm used a different name to identify the group, renewing questions about why researchers don’t standardize conventions of denomination.
Between the lines: Part of that is due to marketing, cyber researchers tell Axios.
- It’s a reputational win if a cyber threat intelligence firm is able to get its naming convention widely adopted.
Yes, but: Five major threat intelligence firms tell Axios that even if their marketing teams weren’t involved, they would still have these different names because they all have varying visibility into hacker activity.
- “There won’t always be a one-on-one match between how they see the threat and how I see the threat,” says Jeremy Dallman, senior director of the Microsoft Threat Intelligence Center.
At Mandiant, cyber-espionage researcher Benjamin Read told Axios that the company is sticking to numbered APT designations because they allow for more precision in its naming conventions.
- The company has a list of over 4,000 hacking group names.
- Mandiant also has a core team of three or four employees who review these naming conventions as they learn about the tools and tactics used by these groups.
- Having ultra-accurate identifications also helps Mandiant in its work with government investigators, Read says.
Other companies choose to create unique, memorable names for each group.
- Microsoft picks names from the periodic table.
- CrowdStrike gives Chinese state groups a name containing “Panda”, Russian state groups are given a “Bear” name, Iranian groups are given “Kitten” names, and North Korean groups are “Chollima”.
- Broadcom’s Symantec uses insect names.
- Palo Alto Networks names groups after constellations.
While these naming conventions may seem silly, companies have increasingly started relying on their own naming conventions to differentiate what they are able to confirm for themselves.
- Palo Alto Networks unveiled its own naming conventions in July to better highlight the infrastructure, techniques and tools it may see hackers using, said Ryan Olson, the company’s vice president of security intelligence.
The plot: Each company says standardization would be impossible due to the variability in their visibility and the complexity of the threat landscape.
- Olson relates the issue to the old story of a group of visually impaired people trying to identify an elephant: Everyone thinks the animal is a different thing because they can only touch part of it, like its ear or its tail.
- “Because the universe is constantly changing and our views are constantly changing, it would be really difficult to constantly try to scale this across multiple vendors,” Dallman says.