Cyber attackers carrying out espionage operations on behalf of Iran’s Islamic Revolutionary Guard Corps are known by various names, depending on which threat intelligence group is investigating the attacks: Magic Hound, APT35, Charming Kitten, Cobalt Illusion, TA453 and Phosphorus.

Add one more to the mix: Mint Sandstorm.

Last week, Microsoft changed its naming convention for threat groups, retiring capitalized names derived from chemical elements, such as ACTINIUM, and adopting a two-word scheme based on weather terminology, such as Aqua Blizzard, the Russia-linked group formerly known as ACTINIUM. The company adopted the new convention so that the second word signals an attack group’s sponsor: Blizzard for Russia, Typhoon for China, and Tempest for financially motivated actors, for example, in much the same way that CrowdStrike and Secureworks construct their threat group names.

Such nicknames are a way to give customers an easy way to remember the adversaries behind particular threats and attacks, says Sherrod DeGrippo, director of threat intelligence strategy at Microsoft.

“By giving them something that answers that and stays in their reference memory, they can jump into deeper analysis and investigation more quickly,” she says. “We want to effectively protect and inform our customers; this is a step toward evolving that capability and clarifying it for security practitioners and other threat intelligence analysts.”

Unfortunately, having yet another naming convention also adds to the proliferation of labels for threat groups, an overabundance that muddies the already murky waters of threat attribution. There are at least eight names for the Iranian group that Microsoft called PHOSPHORUS, and 15 names for the Russian group known as Cozy Bear, including two former Microsoft names, YTTRIUM and NOBELIUM, and now its new Microsoft name, Midnight Blizzard, according to the ATT&CK database maintained by MITRE, a non-profit government research organization.

Many people don’t know which names apply to which groups, says Adam Pennington, ATT&CK lead at MITRE.

“There’s a ton of different names, because there’s a lot of companies that have gotten into this space … and so each of these organizations comes up with a potentially a little different definition of what this group they see is. They each have a different picture of intelligence.”

When a cozy bear is not

In the 1990s and early 2000s, security companies often invented their own names for computer viruses, hoping that their name would stick as proof that they were the first to catch a particular threat. Yet other companies often assigned a different name to the same threat. So Conficker also went by Downup and Kido, while the Blaster worm was also known as MSBlast and Lovesan.

Yet while those names were simply aliases for the same piece of malware, attributing activity to threat groups is different, part art and part science, says Microsoft’s DeGrippo.

“Each vendor uses different data to assign actor attribution, with different levels of confidence,” she says. “Because each vendor approaches this analysis of a threat in a different way, they often disagree on attribution or find only partial overlaps, forcing each of them to create their own unique names to describe their unique point of view.”

[Figure: Each company uses a different name, and sometimes several, for the same threat group. Data source: MITRE, Microsoft]

Take the notorious Cozy Bear, a group of cyber operatives acting on behalf of the Russian Federation’s Foreign Intelligence Service (SVR), which has been operating since at least 2008. The group is perhaps best known for compromising computers of the Democratic National Convention and for executing the supply chain attack that involved compromising SolarWinds. Cozy Bear is CrowdStrike’s name for the group, but Mandiant and Microsoft each had two names for it (UNC2452 and APT29 for Mandiant, NOBELIUM and YTTRIUM for Microsoft), underscoring that differences in analysis can lead to different conclusions.

Additionally, with many state actors there is a lot of cross-pollination between cyber operations groups, so it is only natural that vendors’ pictures of an attacker will diverge, says MITRE’s Pennington.

“When you go into countries like North Korea and Iran, there’s often quite a bit of disagreement between different companies, where they draw the lines between the groups and how many different things they’ve brought together into one entity,” he said. “So there are strong differences depending on what intelligence companies have and what parts of the threat cluster they are looking at.”
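The practical consequence of the alias sprawl described above is that an analyst correlating reports from several vendors has to map each vendor’s name back to one canonical group before the reports can be compared, and has to notice when an alias is claimed by more than one group, the “partial overlap” case DeGrippo and Pennington describe. The following is an added example, not code from the article, MITRE or Microsoft. It builds a reverse index from a small constructed alias table (the names are the ones quoted in the article; the canonical IDs, the extra group GROUP-D and the overlapping claim on TA453 are invented placeholders to exercise the overlap path), resolves incoming feed records to canonical groups, and flags disputed aliases for triage rather than silently picking one group.

```python
"""Resolve vendor-specific threat-group aliases to one canonical ID.

Added example: the alias table is constructed for illustration, modelled
on the shape of an ATT&CK-style group record (canonical name plus a list
of vendor aliases). Group IDs are placeholders, not real identifiers.
"""
import re
from collections import defaultdict

# Constructed sample table. Aliases are the names quoted in the article.
# GROUP-D and its claim on "TA453" are invented to show a disputed alias.
GROUPS = {
    "GROUP-A": ["APT29", "Cozy Bear", "UNC2452", "NOBELIUM", "YTTRIUM",
                "Midnight Blizzard"],
    "GROUP-B": ["APT35", "Charming Kitten", "Magic Hound", "Cobalt Illusion",
                "TA453", "Phosphorus", "Mint Sandstorm"],
    "GROUP-C": ["APT28", "Fancy Bear", "Forest Blizzard"],
    "GROUP-D": ["TA453", "Placeholder Cluster"],  # constructed overlap
}

# Constructed feed records, as if pulled from five different vendor reports.
FEED = [
    {"vendor": "constructed-vendor-1", "actor": "Cozy Bear"},
    {"vendor": "constructed-vendor-2", "actor": "Midnight Blizzard"},
    {"vendor": "constructed-vendor-3", "actor": "APT35"},
    {"vendor": "constructed-vendor-4", "actor": "TA453"},
    {"vendor": "constructed-vendor-5", "actor": "Unknown Actor"},
]


def normalize(name: str) -> str:
    """Collapse case, whitespace and punctuation so that 'Cozy Bear',
    'COZY-BEAR' and 'cozybear' compare equal."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def build_index(groups: dict) -> dict:
    """Reverse the canonical->aliases table into alias->set(canonical IDs).
    A set rather than a single ID, so an alias claimed by two groups is
    preserved as an overlap instead of being overwritten by the last entry."""
    index = defaultdict(set)
    for group_id, aliases in groups.items():
        for alias in aliases:
            index[normalize(alias)].add(group_id)
    return dict(index)


def resolve(name: str, index: dict) -> list:
    """Sorted canonical IDs for an alias: one ID is a clean match, several
    means the alias is disputed, an empty list means the name is unknown."""
    return sorted(index.get(normalize(name), set()))


def find_disputed(index: dict) -> dict:
    """Every alias that more than one canonical group claims."""
    return {alias: sorted(ids) for alias, ids in index.items() if len(ids) > 1}


def correlate(feed: list, index: dict) -> dict:
    """Bucket feed records by canonical group so reports from different
    vendors about the same actor land together. A disputed alias is filed
    under every group that claims it; unknown names go to 'UNRESOLVED'
    for an analyst to triage instead of being dropped."""
    buckets = defaultdict(list)
    for record in feed:
        for group_id in resolve(record["actor"], index) or ["UNRESOLVED"]:
            buckets[group_id].append(record["actor"])
    return dict(buckets)


if __name__ == "__main__":
    idx = build_index(GROUPS)
    print("disputed aliases:", find_disputed(idx))
    for group_id, actors in correlate(FEED, idx).items():
        print(f"{group_id}: {actors}")
```

The point of keeping a set per alias is that a naive `dict[alias] = group` would let whichever vendor was loaded last win, hiding exactly the attribution disagreement the article says analysts need to see; `find_disputed` surfaces those collisions so they can be resolved by a person.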

The adversary problem is itself a problem

Threat intelligence providers and incident response companies like to say, “You don’t have a malware problem, you have an adversary problem.” With companies tracking hundreds of threat groups, the multitude of names can make it harder for companies to determine who is attacking them.

Threat intelligence analysts are aware that misattribution can undermine their efforts, so they take steps to ensure that attribution is correct and that attributing an attack to a new group of actors is done with care, CrowdStrike stated in a blog post on the subject.

“Only after a series of rigorous analytical steps will an actor be given a name and added to CrowdStrike’s list of named adversaries,” the company said.

Beyond the names themselves, however, attribution has significant benefits. Knowing that a group, whether it is called APT28, Fancy Bear or Forest Blizzard, is targeting political and government institutions can help companies and organizations judge whether they might be targeted. Additionally, once a company has identified the group, it can study the range of tactics that group employs and guard against them.

Will vendors ever be able to use the same name for the same threat group? Maybe not, says Microsoft’s DeGrippo.

“Honestly, it’s something that may never be fully resolved,” she says. “The threat landscape is changing very rapidly, and we need to be able to quickly tie attribution to activities. Dependence on data sharing and consensus in a large industry with many vendors could slow down a security company’s ability to attribute, resulting in a gap in threat protection.”