Threat Group Naming Schemes In Cyber Threat Intelligence

Curated Intelligence members explore threat group naming schemes and why they are important

Written by @BushidoToken


All organizations have their own unique access into sets of data and telemetry that other organizations do not. Many organizations create and define their own clusters differently which generates unique threat group candidates


How the complex task of adversary attribution should be performed is an often debated topic amongst Cyber Threat Intelligence (CTI) analysts from various backgrounds at various organizations. This is because there is no standardized way of doing attribution, but the way it is being done by some organizations is actually is problematic and counterproductive.

The Curated Intelligence community are a varied bunch of passionate CTI analysts with years of experience. So naturally, whenever the topic of attribution comes up everyone likes to share their $0.02. This is one of the best parts of our community and leads to great discussions like one we had recently on threat group naming schemes.

The discussion began by someone sharing a recent article by Checkpoint on "Twisted Panda", a new threat group from China reportedly launching collection campaigns against Russian’s state-owned defense institutes. The report by Checkpoint is good and topical. However, Curated Intelligence noticed it is following the odd trend of several third-party vendors hijacking the naming scheme for threat groups created by CrowdStrike.

Figure 1: CrowdStrike's Threat Group Naming Scheme (Source: CrowdStrike Global Threat Report 2022)

There are, however, a number of vendors that have used CrowdStrike's naming scheme to give a new moniker to threat activity they observed in the wild, for example: RampantKitten, DomesticKitten, FoxKitten, SiameseKitten, FerociousKitten, ViciousPanda, and SharpPanda. These were not created by CrowdStrike, but by CTI analysts at vendors such as Checkpoint, Kaspersky, and ClearSky.

The Problem

In short, the main issue with this act of borrowing CrowdStrike's nomenclature is that how they define a particular named entity will not use the same standards or be the same process that other organizations (such as Checkpoint, Kaspersky, and ClearSky) use to describe that entity. 

Common fallacious arguments against the practise of using threat group naming schemes: 

  • "I don't like that there are a dozen different names for the same threat group"
  • "The only reason they do it is for marketing"
  • "It's okay to use CrowdStrike's naming scheme because it is convenient"
Attribution Matters
Many CTI analysts are likely to have heard the phrase "attribution matters" and indeed it does. But, co-opting another vendor's threat group naming scheme is going about attribution the wrong way. 

"Wouldn't it be fantastic if I could slap a name on it and not have to do a bunch of research?"
Every organization has their own telemetry, data, standards, procedures, and confidence levels. Unless specified publicly, there is no reason to believe any two organizations have the same visibility and standards. This is the main reason why most CTI teams leverage their own naming scheme. Some of the popular naming schemes include:
  • Mandiant uses numbered APT, FIN and UNC groups, e.g. APT1, FIN7, UNC2452
  • Proofpoint uses numbered TA groups, e.g. TA505, TA542
  • Symantec uses species of insects, e.g. Cicada, Shuckworm, Dragonfly
  • Recorded Future uses a color plus phonetic alphabet, e.g. RedDelta, RedEcho, RedFoxtrot
  • IBM uses numbered ITG or Hive, e.g. ITG14, Hive0065
  • Microsoft uses elements, e.g. PHOSPHORUS, NOBELIUM, STRONTIUM
  • Secureworks uses elements plus nickname, e.g. Gold Drake, Iron Liberty, Bronze Union
  • Dragos uses minerals, e.g. XENOTIME, ELECTRUM, CHERNOVITE

"What can I say? CTI is hard man. It’s not that simple."

This is why as a research community, we end up with multiple names for what seems to be the same threat groups. The problem with this statement is that it is not nuanced. Threat groups are fluid and they evolve, they are rarely 1:1. Curated Intelligence member @ChicagoCyber did a great job illustrating this how this works via an attribution Venn diagram to describe the various overlaps between multiple Iran-aligned threat groups that he tracks through his research with Proofpoint and in-depth study of all other materials available. Overlaps can include malware samples, tools, commands, infrastructure, TTPs, and specific targeted organizations, among other observables.

Figure 2: Vizualtion of CharmingKitten attribtion (Source: @ChicagoCyber)

One of the most important parts of CTI is examining sources of data. You will do well to remember that organizations such as CrowdStrike and Microsoft have some of the largest and most comprehensive sets of intrusion data globally. Their products are deployed at the largest and most important organizations on the planet, which are also the ones the more advanced threat groups want to gain access to.

Further, a talk by Sergio Caltagirone at the SANS Cyber Threat Intelligence Summit 2017 highlighted how the Microsoft Threat Intelligence Center (MSTIC) performs data analytics on intrusions. Caltagirone explained that "there is very little that happens on the internet without Microsoft knowing". This makes sense because of how far and wide Microsoft Windows and Azure is used internationally and the telemetry that comes with these products. Therefore, because of this immense visibility, any assessments around attribution by these types of organizations are inherently going to be stronger than your average security vendor with less visibility.

Call to Action

Everyone in Curated Intelligence agrees that sharing data on threat groups is an important part of CTI. When FireEye/Mandiant initially disclosed that they were compromised during the SolarWinds campaign in December 2020, it kick-started one of the largest threat hunts in history. Sharing that information publicly was critical to allow other organizations to look for similar signs of an intrusion, which turned out to be one the largest supply-chain attacks in history. 

I think the collective CTI research community can agree sharing is caring. However, sharing in a certain way can be confusing and frustrate analysis. Analytics standards are important. By hijacking another vendor's naming scheme, it is essentially unethically leveraging the credibility of another research team and/or company's product. By using another organization's naming scheme, it may even (unintentionally) come off as an assertion that the level of visibility, standards, confidence level, processes, and research work is the same. This simply cannot be true, for the reasons already presented in this blog.

If you are a researcher at an organization with less telemetry than behemoths like Microsoft, Google, AWS, or CrowdStrike, it is worth remembering that what appears as an interesting set of "highly targeted" intrusion data, can turn out to be much more widespread in large data sets. Therefore, even with solid methodology and great analysts, research put out by smaller organizations is going to be taken with a larger grain of salt purely due to the fact they know less.

Some researchers simply believe that the practice of naming notional "groups" based on overlapping infrastructure, tooling, or TTPs is outdated and that the focus is inverted. Organizations should focus more on assessing the adequacy of their defences against the threat (or their products on protecting their customers if they are a vendor). Instead of dedicating time and resources to locate the exact building where the PLA Unit is based, the focus might be better suited on addressing why it remained undetected by your team for 6 months.

Lastly, it is important to remember we all have team members (or customers/stakeholders) who actually don’t spend every day reading threat reports but still want the important threat intel. As CTI analysts, we should strive to be the voice of clarity and reason, and Sherpa them through the metaphoric challenging terrain, which is the threat landscape.