Regardless of how confusing it gets to refer to exactly the same Russian hacker group by several different names (Cozy Bear, Nobelium, APT29 and so forth), don't expect the private companies behind those monikers to give them up any time soon.
The big picture: Naming conventions for state-backed hacking groups range from technical, advanced persistent threat (APT) group numbers to whimsical, animal-based names, making it hard for people outside cybersecurity research to understand which hackers do what.
- Take one well-known Russian cyber espionage group: Mandiant researchers make reference to it as APT29, CrowdStrike researchers call it Cozy Bear, and Microsoft named it Nobelium.
Driving the news: Several cyber threat intelligence firms published research about the Iranian group Charming Kitten earlier this month, but each company used a different name to identify the group, renewing questions about why researchers don't standardize naming conventions.
- Mandiant released a report discussing the group as APT42, while Microsoft described it as Phosphorus.
Between the lines: Part of this is because of marketing, cyber researchers tell Axios.
- It is a reputational win if a cyber threat intelligence firm can get its naming convention into the mainstream.
Yes, but: Five major threat intel firms tell Axios that even if their marketing teams weren't involved, they would still have these different names, since they all have varying visibility into hackers' activities.
- “There’s not necessarily going to be considered a one-to-one match for how they start to see the threat and how I start to see the threat,” says Jeremy Dallman, senior director at Microsoft Threat Intelligence Center.
At Mandiant, cyber espionage researcher Benjamin Read tells Axios, they stick to the technical APT numbers to allow for more precision in their naming conventions.
- The company maintains a set of more than 4,000 hacking group names.
- Mandiant also has a core team of 3 or 4 employees who review these naming conventions as they learn about the various tools and tactics those groups use.
- Having super-precise identifications also helps Mandiant in its work with government investigators, Read says.
Other firms choose to create unique, memorable names for every group.
- Microsoft picks names from the periodic table.
- CrowdStrike gives Chinese state groups a name with "Panda" in it, Russian state groups get a "Bear" name, Iranian groups have "Kitten" names, and North Korean groups are "Chollima."
- Broadcom’s Symantec uses names of insects.
- Palo Alto Networks names groups after constellations.
While those naming conventions may seem silly, companies have increasingly started relying on their own naming conventions to distinguish what they are able to confirm on their own.
- Palo Alto Networks unveiled its naming conventions in July to better highlight what infrastructure, techniques and tools it is able to see hackers using, says Ryan Olson, the company's vice president of threat intelligence.
The intrigue: Each company says standardization would be impossible because of how variable their visibility is and how complex the threat landscape has become.
- Olson compares the issue to the old tale of several visually impaired people attempting to identify an elephant: Everyone thinks the animal is a different thing, since each can only touch one part of it, like its ear or its tail.
- “As the universe is definitely changing and our views are always changing, it will be very difficult to be constantly attempting to adapt that across multiple vendors,” Dallman says.