[BreachExchange] What's in a Threat Group Name? An Inside Look at the Intricacies of Nation-State Attribution

Inga Goddijn inga at riskbasedsecurity.com
Wed Oct 6 16:35:50 EDT 2021


https://www.securityweek.com/whats-threat-group-name-inside-look-intricacies-nation-state-attribution

Understanding the naming conventions of various threat groups can help us
better understand the overall threat landscape

Threat group names are an inescapable consequence of cybersecurity malware
research. How to name the group is a problem. Why there are so many
different names for what may appear to be the same threat group is a
related problem.

We’ve all seen “Strontium (APT28, Fancy Bear)”, sometimes with many
more names in parentheses. But what does this tell us? Possibly more than
we realize, but probably less than we believe. What, exactly, goes into
naming these APT actors, and how are they related?

The three names above come from Microsoft, Mandiant and CrowdStrike. Within
each company’s naming conventions, we know that all three research
companies believe the threat group to be nation-state affiliated. And from
the last, the suffix ‘Bear’ associates that nation state with Russia.

But we know nothing for certain. All we know is that the researchers have
seen something in the malware campaign they are analyzing that has
similarities with a threat group given a different name by different
researchers. These different names are a blessing, a necessity, and a curse,
and understanding how and why researchers name the different threat
groups can help us better understand the overall threat landscape.

The need for a name

A name is a label that is used to formalize ideas into an entity. It
provides form and limits the form of the ideas. Nothing really exists
without a name.

Researchers will first detect what looks like malicious behavior happening
to one of their customers. They may detect other very similar examples with
other customers. This becomes a cluster of activity – but it is still
basically an idea. As they dig deeper, the idea of a single entity behind
the cluster may become more formalized until the reality of specific group
activity cannot be denied. At this point, the group must be named so that
the idea has shape.

To understand how this happens we need to consider how the threat groups
are discovered – but we should also accept that the researchers who
discover a new group have both the right and a responsibility to give it a
name.

From cluster to group

Most security product vendors have their own research teams. These teams
are continuously analyzing the telemetry gathered by their product from
their customers. That’s the first point to realize – each research team has
only a limited view of the overall threat landscape based on their own
customers. Depending on the product concerned, that view might be good in
certain geographical regions (or vertical industries), and weaker in others
– but it will effectively never be identical to the view of any other
research team.

This process has been described as different teams looking at a single
elephant through different holes in a fence. Each team will see a different
part of the elephant. Microsoft describes it as looking at the universe
through a telescope. Each team has a different telescope that can see
different parts of the universe. Microsoft believes it has one of the more
powerful telescopes, but still cannot see the entire universe.

Threat groups, however, operate across product boundary lines. It follows
that multiple research teams will detect new activity clusters effectively
simultaneously – but will only have a partial view of that activity. If the
cluster evolves into a new group, there will be no existing published
research that will give the group a name – so, each research team has the
right and responsibility to provide a label for the threat activity it has
discovered.

Different researchers may see similar activity clusters at the same time,
but because of their limited visibility, may be unaware that other
researchers are going through the same process. The result is that new and
different attack group names may appear within a short time frame. It may
be one group with three separate names, or it may be three separate groups
attacking similar targets with similar malware or via the same newly
discovered vulnerability.

Attribution and marketing

“Any company that claims marketing is not important in threat group naming
is being disingenuous,” Juan Andrés Guerrero-Saade told SecurityWeek.
Research reports about new attack groups or new campaigns from existing
groups are primarily published for public consumption – so each attack
group should ideally be given a label that will be both memorable and
forever associated with the vendor publishing the report.

However, at the same time, the researchers need to protect
their reputation. This requires confidence in the ability to attribute
certain activities to a certain group. The first step is to be able to
classify a ‘cluster of activity’ as the work of a single entity. This is
frequently done by applying the activity to the Diamond Model to see if the
activity is related. Different researchers may use different models or
different methods.

In many cases there may be a similarity in the activity with other groups
already named by other researchers – but remember that the limited
visibility of each research team means there will never be a complete
parallel between what is seen by different researchers.

Think of it like a Venn diagram of three circles representing what three
different researchers can see. There may be overlaps. There may be one area
of activity that is common to all three circles. But there will be other
areas that are visible to just one researcher. For this reason, it is
almost impossible for a researcher to say with certainty that the activity
cluster he has discovered belongs to a threat group already named by a
different research group.

However, to avoid criticism of plagiarizing other researchers, together
with a genuine desire to recognize their work, the new name is often
published with the overlaps to other groups indicated by their names in
parentheses.

Attributing activity to a specific named or yet-unnamed threat actor is a
major problem. Firstly, the increased use of commodity malware even by
nation-state attack groups means it is less easy – not impossible – to
ascribe attribution using specific malware. Secondly, attackers use false
flags to confuse the researchers.

In 2016, a destructive attack against the French television company
TV5Monde was blamed on a group known as CyberCaliphate that first appeared
in 2014 and was assumed to be linked to ISIS. A few months after the
TV5Monde attack, new research from FireEye/Mandiant found links to Sofacy,
an actor linked to Russia.

“It is believed,” wrote researchers Guerrero-Saade and Brian Bartholomew at
the time, “that CyberCaliphate was created to provide the Sofacy actors a
way to conduct psychological operations against certain targets of interest
while providing a level of plausible deniability.”

More recently, destructive malware known as Olympic Destroyer was used
against Winter Olympic systems in South Korea in 2018. The easiest
assumption was that North Korea was launching attacks against South Korea –
and Kaspersky even found a 100% fingerprint match to known North Korean
malware components. But other clues were also discovered pointing in
different directions.

“It’s as if a criminal had stolen someone else’s DNA and left it at a crime
scene instead of their own,” commented Vitaly Kamluk, head of the APAC
research team at Kaspersky. Eventually, both the U.K. and U.S. governments
attributed the Olympic Destroyer campaign to the GRU, the Russian military
intelligence service.

The marketing incentive combined with great difficulties in definitive
attribution makes threat group naming simultaneously important and
difficult. Many researchers have developed their own naming conventions,
and the task of naming is given an important role. Microsoft calls their
person in charge, ‘the mystic librarian’ – in reality, the MSTIC (Microsoft
Threat Intelligence Center) Librarian.

Separate naming conventions

FireEye/Mandiant

Mandiant is perhaps the grandfather of naming conventions with its February
2013 release of the landmark report APT1 - Exposing One of China’s Cyber
Espionage Units. APTn is Mandiant’s nomenclature for an attack group
believed to be affiliated with a nation-state.

The strength of this nomenclature is its clarity. It tells us immediately
that this group is believed to be state-affiliated. Its weakness is that it
tells us nothing else. We do not know which nation state is involved –
which is information that could provide clues to both geopolitical targets
and the vertical industries likely to be targeted.

Over time, Mandiant added other prefixes: UNC, TEMP, and FIN. UNC is
largely an inhouse name for an ‘unclassified’ activity cluster. TEMP is the
temporary working name (still largely in-house) for a cluster that is
clearly evolving toward a specific group. FIN (or APT) is the prefix for a
publicly named threat group that has a financial (or state espionage)
motivation. So, for example, UNC902 evolved into TEMPWarlock, which was
publicly ascribed to FIN11.

FIN is not used for nation-state groups. Where motivations overlap (for
example, North Korean groups that also have a financial motivation), the
APT classification takes preference.

CrowdStrike

CrowdStrike has taken a different approach to naming. Its names are both
evocative and more informative, comprising first a catchy prefix followed
by an animal with a geographic connotation when the actor is believed to be
linked to nation-state. It consequently combines marketing potential with
geographic information – Fancy Bear, a Russian state actor, is not easily
forgotten, nor is its association with CrowdStrike.

Panda is China, Bear is Russia, Chollima is North Korea, Kitten is Iran,
Buffalo is Vietnam, and so on. Non-state-affiliated suffixes include Spider
for criminal gangs and Jackal for hacktivist groups.

The glaring danger with CrowdStrike’s nomenclature – and any that implies a
specific nation-state involvement – is simple: what if the firm gets its
attribution wrong? Any requirement to rename Fancy Bear to Fancy Panda
would be a massive blow to reputation. But in fairness to CrowdStrike and
all the companies that name the groups, no such correction has yet been
needed.

Jens Monrad, Head of Mandiant Intelligence, EMEA, told SecurityWeek, “To my
knowledge, we haven't seen such a correction where attribution of a cyber
espionage campaign or group ended up being in the wrong country. It also
emphasizes that when a private organization does attribution, they do it
under well recognized analytical tradecrafts and methodologies, so whatever
is published is done with an easy-to-understand confidence and credibility
level.”

Kaspersky

Brian Bartholomew, principal security researcher at Kaspersky, described
the origin of threat group naming. Back around 2005, the names were
ascribed by the government – and the government had a very stringent
process before naming a threat actor. It was lengthy and could take a year
before a name was assigned. This was acceptable for government, since there
were only a few agencies involved.

“But as private researchers subsequently came on board,” he told
SecurityWeek, “and the process was essentially monetized and companies were
making money from their research, they had to start coming up with their
own names. They didn’t – and don’t – have clearance to see the government’s
research, but must rely on their own research. That’s how the different
names came into being and started colliding with each other.”

Since then, the research community has had numerous discussions around
developing a universal naming convention – but it has always failed. The
problem, said Bartholomew, is that each different research company has a
different visibility into what Kaspersky calls an activity cluster. “A lot
of times, within these activity clusters, we may see things we can link
together – but when we talk to another vendor, they don’t see all that we
see, but may see something extra. So, their definition of a cluster is not
necessarily a one-to-one match with what we see. If we all agree to use a
single name, because of the different visibilities, we would end up
muddying the waters for our customers.”

The consensus today is that each researcher should stick to its own name
for attribution. “While that’s confusing for customers – and even more so
for the public that is not a customer – it enables each research
organization to keep its own research distinct.”

Bartholomew then touched on the marketing incentive. “Being the first
vendor to publicize something is always a good thing for marketing. It may
not necessarily be a good thing from the researcher perspective because
sometimes keeping things quiet helps you find more pieces of the puzzle. So
sometimes people choose not to publicize things – but when there is going
to be a public blog about something, it is almost always marketing or
PR-driven.”

A good example is APT28 and Fancy Bear. APT28 had been tracked for years by
different research groups before the name was ever made public. Kaspersky
knew it as Sofacy, Microsoft knew it as Strontium. “Once the DNC hack
became public in 2016 and the Fancy Bear name appeared in the public
domain, the other groups’ names came out. But those names are not as well
recognized as Fancy Bear because CrowdStrike was first to name it
publicly.” (Incidentally, there is an anecdote that Fancy Bear was named
‘Fancy’ after ‘Sofacy’.)

But Bartholomew stresses that all good researchers try to remain outside
and unswayed by PR and marketing pressures. “There have been times where we
know that there will be a new report related to a group we’re already
watching, but we just don’t have the information to say anything publicly.”
An example occurred with SolarWinds. Some early reports attributed APT29
and Cozy Bear to the attack. “In our opinion,” said Bartholomew, “we do not
see that link – we see the activity, but we don’t see the link to the group
that was already defined as APT29. So, we still choose not to attribute it
at this point.”

Kaspersky does not have a formal naming policy, beyond that its names must
not give any hint of attribution to either a named actor or a government
sponsor. It simply shies away from the attribution problem. “We don’t do
direct attribution,” he said. “We call them activity clusters, and we can
associate the activity with an entity, but we don’t go that extra step of
attribution.”

The firm doesn't have a strict policy in naming. “Usually, the name is up
to the researcher who is doing the work. When I do naming, I tend to not
follow any convention but usually try to latch on to something that will
allow me to remember the research later. The names typically don’t really
mean anything. It’s sometimes named after the malware in some way, or is a
play on words based on some of the infrastructure being used. We don’t have
a specific convention.”

Microsoft

Jeremy Dallman, senior director of strategic programs and partnerships at
Microsoft, described the complexities and considerations that go into
Microsoft’s naming conventions – but Microsoft takes a subtly different
approach to many researchers and is more akin to Kaspersky.

“We care little about the person behind the keyboard,” he told
SecurityWeek. “Although their persona and methods are relevant, we are not
law enforcement. Our concern is protecting our customers.” For this reason,
Microsoft calls the adversary an ‘activity group’ (again, like Kaspersky)
rather than a ‘threat group’ and it makes no attempt to attribute the
activity group to a geographic location or nation state.

“We [like many other researchers] use the diamond model to classify an
activity group into a common profile and a named element,” he continued.
When this is done, a naming convention becomes necessary to both define and
communicate the entity both internally and to customers (unlike Kaspersky).
This process is controlled by the MSTIC Librarian.

MSTIC, the Microsoft Threat Intelligence Center, has
existed internally for over a decade, but only became formalized some five
years ago. “We quickly realized we needed to get into some code naming
because we actively track more than 40 nation-state activity groups and
more than 140 activity groups in total, spanning all of the activity
categories. We needed names to be able to communicate about the groups both
internally and with our customers. We had lots of ideas. An early one was
using the beer flavors on the beer flavor wheel. We even tried to use
dinosaur names – but abandoned that idea because of the length in writing
and difficulty in pronunciation. So, we needed to look for something that
wouldn’t violate any licensing terms, was recognizable to the public, and
would provide enough components for use over an extended period. We ended
up at the periodic table of elements. And volcanoes. And trees. In each
case, there’s a good source of easily recognized names.”

Elements are used for nation state actors, volcanoes for criminal activity,
and trees for private sector activity. And DEV for new activity that is
still being investigated. Microsoft believes that these distinctions help
their customers better understand the threat from any activity group. But
it is still not simple. Consider volcanoes: there are active volcanoes and
passive volcanoes. There are viscous (explosive and destructive, think of
Krakatoa and Etna/Pompeii) and non-viscous (such as the usually gentler
volcanoes in Hawaii). The MSTIC Librarian must consider whether there are
any cultural sensitivities with any name, and she avoids any cultural
association.

Microsoft also differs from many of the other research groups in having a
wider view of the threat universe through its customer telemetry. “Often,”
said Dallman, “the activity we view overlaps with the view of other
researchers, and we can agree with a level of confidence that we have a
common view of a section of the threat universe. So, for us, Strontium
equals APT28 equals Fancy Bear.” But this doesn’t always happen.

Several research companies have looked at the confusion caused by these
multiple names and have consciously chosen not to increase it. They will
use existing names whenever they feel there is sufficient overlap to
justify it, or even allow their researchers to choose their own names.

Quite often, the use of specific malware is discovered before knowledge of
the threat actor concerned becomes known. The name of the malware and the
name of the group coalesce and are used interchangeably and confusingly.
When talking about DarkSide, it isn’t clear whether the reference is to the
actor or the malware. The same happens with REvil.

As research into the use and development of such malware continues, the
actors become better understood. CrowdStrike, for example, now refers to
the DarkSide group as Carbon Spider, and the REvil group as Pinchy Spider.

Can the system be improved?

It is difficult to see how the threat group naming system can be improved.
Each research group is usually required to give the subject of research its
own name, because it can never be certain of the degree of overlap with
existing named groups. This results in multiple different names for
possibly the same threat group. But at the same time, some researchers have
a high level of confidence in dual identity. In both cases, the research
group feels obliged to recognize the work of other researchers – and we
have the convention of own-name followed by other names in parentheses. The
reader, however, does not automatically know how closely the groups in
parentheses overlap the subject of a new report.

This is perhaps the only area that could be easily improved. The reader,
whose first view is probably a journalist’s report on the report, may see
‘aka’ (also known as), or nothing at all attached to the parenthesized
list. There is rarely any indication of the likelihood or degree of
similarity between the different named groups.

A formalized taxonomy that describes the relationship (such as ‘believed
with a high/medium/low level of confidence to be related to...’) would help
solve this. But this is unlikely and could not be enforced. First, all the
different researchers would need to agree and use a common taxonomy.
Second, and less likely, all journalists would need to comply with and
include that taxonomy. But the journalist population has different
priorities (probably time- and immediacy-based) and changes and moves
around even faster than the researcher population.

For now, there is unlikely to be any change in current practices. When the
reader sees a parenthesized list of other researchers’ threat groups, there
can be an assumption of some degree of relationship between the different
groups, but no absolute knowledge.
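As an added example (not code from the article or from any of the vendors it names), the Python below decodes what each naming scheme described above asserts on its own, and then renders the confidence-labelled alias list the closing section proposes. The vendor decoding rules are simplifying assumptions, and every alias link and the DEV-0001 label are constructed sample data, not published attributions.

```python
"""Added example: decode vendor naming conventions and render alias lists
with explicit confidence.  Rules are simplifying assumptions drawn from the
article; alias links are constructed sample data, not real attributions."""
import re
from dataclasses import dataclass
from typing import Optional

# Assumed, simplified decoding of the schemes the article describes.
MANDIANT = {"APT": "nation-state", "FIN": "criminal",
            "UNC": "unclassified", "TEMP": "working"}
CROWDSTRIKE = {"Bear": ("nation-state", "Russia"), "Panda": ("nation-state", "China"),
               "Chollima": ("nation-state", "North Korea"),
               "Kitten": ("nation-state", "Iran"), "Buffalo": ("nation-state", "Vietnam"),
               "Spider": ("criminal", None), "Jackal": ("hacktivist", None)}
MS_ELEMENTS = {"Strontium"}  # assumed partial list of Microsoft element names


@dataclass
class Profile:
    name: str
    vendor: str
    category: str            # what the label itself asserts
    region: Optional[str]    # only CrowdStrike suffixes assert a region


def classify(name: str) -> Profile:
    """Decode only what the vendor's naming scheme asserts, nothing more."""
    if m := re.fullmatch(r"(APT|FIN|UNC|TEMP)\.?\w+", name):
        return Profile(name, "Mandiant", MANDIANT[m.group(1)], None)
    if re.fullmatch(r"DEV-\d{4}", name):
        return Profile(name, "Microsoft", "working", None)
    if name in MS_ELEMENTS:
        return Profile(name, "Microsoft", "nation-state", None)
    words = name.split()
    if len(words) == 2 and words[1] in CROWDSTRIKE:
        category, region = CROWDSTRIKE[words[1]]
        return Profile(name, "CrowdStrike", category, region)
    return Profile(name, "unknown", "unknown", None)


CONF_RANK = {"high": 3, "medium": 2, "low": 1}
RANK_CONF = {v: k for k, v in CONF_RANK.items()}


class AliasGraph:
    """Alias links carry the confidence the article wants stated explicitly."""

    def __init__(self) -> None:
        self.edges: dict = {}

    def link(self, a: str, b: str, confidence: str) -> None:
        self.edges.setdefault(a, {})[b] = CONF_RANK[confidence]
        self.edges.setdefault(b, {})[a] = CONF_RANK[confidence]

    def overlap(self, a: str, b: str) -> Optional[str]:
        """Widest path: a chain of aliases is only as strong as its weakest link."""
        best, frontier = {a: 3}, [a]
        while frontier:
            cur = max(frontier, key=best.get)
            frontier.remove(cur)
            for nxt, conf in self.edges.get(cur, {}).items():
                cand = min(best[cur], conf)
                if cand > best.get(nxt, 0):
                    best[nxt] = cand
                    frontier.append(nxt)
        return RANK_CONF[best[b]] if b in best else None

    def render(self, name: str) -> str:
        """Own name first, then each alias tagged with its confidence."""
        pairs = [(n, self.overlap(name, n)) for n in self.edges if n != name]
        pairs = sorted((n, c) for n, c in pairs if c)
        pairs.sort(key=lambda t: -CONF_RANK[t[1]])
        return f"{name} ({', '.join(f'{n} [{c}]' for n, c in pairs)})" if pairs else name


# Constructed sample links (DEV-0001 is a placeholder, not a real label).
g = AliasGraph()
g.link("Strontium", "APT28", "high")
g.link("APT28", "Fancy Bear", "high")
g.link("Fancy Bear", "Sofacy", "medium")
g.link("APT29", "Cozy Bear", "high")
g.link("DEV-0001", "APT29", "low")
```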