Written by @BushidoToken
All organizations have their own unique access to sets of data and telemetry that other organizations do not. Many organizations create and define their own clusters differently, which generates unique threat group candidates.
How the complex task of adversary attribution should be performed is an often debated topic amongst Cyber Threat Intelligence (CTI) analysts from various backgrounds at various organizations. This is because there is no standardized way of doing attribution, but the way it is being done by some organizations is actually problematic and counterproductive.
The Curated Intelligence community are a varied bunch of passionate CTI analysts with years of experience. So naturally, whenever the topic of attribution comes up everyone likes to share their $0.02. This is one of the best parts of our community and leads to great discussions like one we had recently on threat group naming schemes.
The discussion began by someone sharing a recent article by Checkpoint on "Twisted Panda", a new threat group from China reportedly launching collection campaigns against Russia's state-owned defense institutes. The report by Checkpoint is good and topical. However, Curated Intelligence noticed it is following the odd trend of several third-party vendors hijacking the naming scheme for threat groups created by CrowdStrike.
There are, however, a number of vendors that have used CrowdStrike's naming scheme to give a new moniker to threat activity they observed in the wild, for example: RampantKitten, DomesticKitten, FoxKitten, SiameseKitten, FerociousKitten, ViciousPanda, and SharpPanda. These were not created by CrowdStrike, but by CTI analysts at vendors such as Checkpoint, Kaspersky, and ClearSky.
In short, the main issue with borrowing CrowdStrike's nomenclature is that CrowdStrike's definition of a particular named entity will not follow the same standards or the same process that other organizations (such as Checkpoint, Kaspersky, and ClearSky) use to describe that entity.
Common fallacious arguments against the practice of using threat group naming schemes:
- "I don't like that there are a dozen different names for the same threat group"
- "The only reason they do it is for marketing"
- "It's okay to use CrowdStrike's naming scheme because it is convenient"
"Wouldn't it be fantastic if I could slap a name on it and not have to do a bunch of research?"
- Mandiant uses numbered APT, FIN and UNC groups, e.g. APT1, FIN7, UNC2452
- Proofpoint uses numbered TA groups, e.g. TA505, TA542
- Symantec uses species of insects, e.g. Cicada, Shuckworm, Dragonfly
- Recorded Future uses a color plus phonetic alphabet, e.g. RedDelta, RedEcho, RedFoxtrot
- IBM uses numbered ITG or Hive, e.g. ITG14, Hive0065
- Microsoft uses elements, e.g. PHOSPHORUS, NOBELIUM, STRONTIUM
- Secureworks uses elements plus nickname, e.g. Gold Drake, Iron Liberty, Bronze Union
- Dragos uses minerals, e.g. XENOTIME, ELECTRUM, CHERNOVITE
"What can I say? CTI is hard man. It’s not that simple."
This is why, as a research community, we end up with multiple names for what seems to be the same threat groups. The problem with this statement is that it is not nuanced. Threat groups are fluid and they evolve; they are rarely 1:1. Curated Intelligence member @ChicagoCyber did a great job illustrating how this works via an attribution Venn diagram describing the various overlaps between multiple Iran-aligned threat groups that he tracks through his research with Proofpoint and in-depth study of all other materials available. Overlaps can include malware samples, tools, commands, infrastructure, TTPs, and specific targeted organizations, among other observables.
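To make the "rarely 1:1" point concrete, here is an added example (not from the original post or from Curated Intelligence) that scores pairwise overlap between activity clusters tracked by different vendors across the observable categories listed above. Every cluster name and observable in it is a constructed placeholder rather than a real indicator, and the similarity thresholds are assumptions chosen for illustration.

```python
"""Added example (not from the original post): scoring overlap between
threat-activity clusters that different vendors track under different names.

All cluster names and observables below are constructed placeholders; they are
not real indicators and do not describe any real threat group.
"""
from itertools import combinations

# Observable categories named in the post.
CATEGORIES = ("malware", "tools", "commands", "infrastructure", "ttps", "targets")

# Constructed clusters: each vendor's view of "a group" is a set of observables
# per category. Values are placeholders, not real IoCs.
CLUSTERS = {
    "VendorA::ClusterAlpha": {
        "malware": {"malware-family-1", "malware-family-2"},
        "tools": {"tool-x", "tool-y"},
        "commands": {"cmd-recon-1"},
        "infrastructure": {"infra-1", "infra-2", "infra-3"},
        "ttps": {"T-initial-access-1", "T-persistence-1", "T-exfil-1"},
        "targets": {"sector-defense", "sector-government"},
    },
    "VendorB::ClusterBeta": {
        "malware": {"malware-family-2", "malware-family-3"},
        "tools": {"tool-y", "tool-z"},
        "commands": {"cmd-recon-1", "cmd-recon-2"},
        "infrastructure": {"infra-3", "infra-4"},
        "ttps": {"T-initial-access-1", "T-persistence-1", "T-lateral-1"},
        "targets": {"sector-defense", "sector-telecom"},
    },
    "VendorC::ClusterGamma": {
        "malware": {"malware-family-9"},
        "tools": {"tool-q"},
        "commands": set(),
        "infrastructure": {"infra-9"},
        "ttps": {"T-initial-access-7"},
        "targets": {"sector-energy"},
    },
    "VendorD::ClusterDelta": {
        "malware": {"malware-family-1", "malware-family-2"},
        "tools": {"tool-x", "tool-y", "tool-w"},
        "commands": {"cmd-recon-1"},
        "infrastructure": {"infra-1", "infra-2"},
        "ttps": {"T-initial-access-1", "T-persistence-1", "T-exfil-1"},
        "targets": {"sector-defense", "sector-government"},
    },
}


def jaccard(a: set, b: set) -> float:
    """Jaccard similarity; 0.0 when both sets are empty (no evidence either way)."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def compare_clusters(x: dict, y: dict) -> dict:
    """Per-category overlap between two clusters, with the shared observables.

    Returns {category: {"score": float, "shared": sorted list}}."""
    return {
        cat: {
            "score": round(jaccard(x.get(cat, set()), y.get(cat, set())), 3),
            "shared": sorted(x.get(cat, set()) & y.get(cat, set())),
        }
        for cat in CATEGORIES
    }


def classify(comparison: dict, threshold: float = 0.5, min_categories: int = 3) -> str:
    """Coarse verdict from the per-category scores (thresholds are assumptions).

    A TTP shared by many unrelated actors is weak evidence on its own, so
    overlap confined to the ttps category never rises above "weak overlap"."""
    strong = [c for c, r in comparison.items() if r["score"] >= threshold]
    if len(strong) >= min_categories:
        return "candidate for merge / same activity"
    if strong and strong != ["ttps"]:
        return "partial overlap (track as related, keep separate)"
    if strong == ["ttps"] or any(r["shared"] for r in comparison.values()):
        return "weak overlap"
    return "distinct"


def overlap_matrix(clusters: dict = CLUSTERS) -> dict:
    """Pairwise verdicts for every cluster pair, keyed by (name_a, name_b)."""
    return {
        (a, b): classify(compare_clusters(clusters[a], clusters[b]))
        for a, b in combinations(sorted(clusters), 2)
    }


if __name__ == "__main__":
    for (a, b), verdict in overlap_matrix().items():
        print(f"{a} vs {b}: {verdict}")
```

With the constructed data, ClusterAlpha and ClusterDelta overlap across every category (a merge candidate), ClusterAlpha and ClusterBeta share only some commands and TTPs (related but kept separate), and ClusterGamma shares nothing with anyone. That spread is the usual picture when vendor clusters are compared, which is why a borrowed name does not carry a borrowed definition.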