What's in a Threat Group Name? An Inside Look at the Intricacies of Nation-State Attribution

Understanding the naming conventions of various threat groups can help us better understand the overall threat landscape

Threat group names are an inescapable consequence of cybersecurity malware research. How to name the group is a problem. Why there are so many different names for what may appear to be the same threat group is a related problem.

We’ve all seen “Strontium (APT28, Fancy Bear)”; and sometimes with many more names in parentheses. But what does this tell us? Possibly more than we realize, but probably less than we believe. What, exactly, goes into naming these APT actors, and how are they related?

The three names above come from Microsoft, Mandiant and CrowdStrike. Within each company’s naming conventions, we know that all three research companies believe the threat group to be nation-state affiliated. And from the last, the suffix ‘Bear’ associates that nation state with Russia.

But we know nothing for certain. All we know is that the researchers have seen something in the malware campaign they are analyzing that has similarities with a threat group given a different name by different researchers. These different names are a blessing, a necessity, and a curse – and understanding how and why researchers name the different threat groups can help us better understand the overall threat landscape.

The need for a name

A name is a label that is used to formalize ideas into an entity. It provides form and limits the form of the ideas. Nothing really exists without a name.

Researchers will first detect what looks like malicious behavior happening to one of their customers. They may detect other very similar examples with other customers. This becomes a cluster of activity – but it is still basically an idea. As they dig deeper, the idea of a single entity behind the cluster may become more formalized until the reality of specific group activity cannot be denied. At this point, the group must be named so that the idea has shape.

To understand how this happens we need to consider how the threat groups are discovered – but we should also accept that the researchers who discover a new group have both the right and a responsibility to give it a name.

From cluster to group

Most security product vendors have their own research teams. These teams are continuously analyzing the telemetry gathered by their product from their customers. That’s the first point to realize – each research team has only a limited view of the overall threat landscape based on their own customers. Depending on the product concerned, that view might be good in certain geographical regions (or vertical industries), and weaker in others – but it will effectively never be identical to the view of any other research team. 

This process has been described as different teams looking at a single elephant through different holes in a fence. Each team will see a different part of the elephant. Microsoft describes it as looking at the universe through a telescope. Each team has a different telescope that can see different parts of the universe. Microsoft believes it has one of the more powerful telescopes, but still cannot see the entire universe.

Threat groups, however, operate across product boundary lines. It follows that multiple research teams will detect new activity clusters effectively simultaneously – but will only have a partial view of that activity. If the cluster evolves into a new group, there will be no existing published research that will give the group a name – so, each research team has the right and responsibility to provide a label for the threat activity it has discovered.

Different researchers may see similar activity clusters at the same time, but because of their limited visibility, may be unaware that other researchers are going through the same process. The result is that new and different attack group names may appear within a short time frame. It may be one group with three separate names, or it may be three separate groups attacking similar targets with similar malware or via the same newly discovered vulnerability.

Attribution and marketing

“Any company that claims marketing is not important in threat group naming is being disingenuous,” Juan Andrés Guerrero-Saade told SecurityWeek. Research reports about new attack groups or new campaigns from existing groups are primarily published for public consumption – so each attack group should ideally be given a label that will be both memorable and forever associated with the vendor publishing the report.

However, at the same time, the researchers need to protect their reputation. This requires confidence in the ability to attribute certain activities to a certain group. The first step is to be able to classify a ‘cluster of activity’ as the work of a single entity. This is frequently done by applying the activity to the Diamond Model to see if the activity is related. Different researchers may use different models or different methods.

In many cases there may be a similarity in the activity with other groups already named by other researchers – but remember that the limited visibility of each research team means there will never be a complete parallel between what is seen by different researchers.

Think of it like a Venn diagram of three circles representing what three different researchers can see. There may be overlaps. There may be one area of activity that is common to all three circles. But there will be other areas that are visible to just one researcher. For this reason, it is almost impossible for a researcher to say with certainty that the activity cluster he has discovered belongs to a threat group already named by a different research group.

However, to avoid criticism of plagiarizing other researchers, together with a genuine desire to recognize their work, the new name is often published with the overlaps to other groups indicated by their names in parentheses. 

Attributing activity to a specific named or yet-unnamed threat actor is a major problem. Firstly, the increased use of commodity malware even by nation-state attack groups means it is less easy – not impossible – to ascribe attribution using specific malware. Secondly, attackers use false flags to confuse the researchers. 

In 2016, a destructive attack against the French television company TV5Monde was blamed on a group known as CyberCaliphate that first appeared in 2014 and was assumed to be linked to ISIS. A few months after the TV5Monde attack, new research from FireEye/Mandiant found links to Sofacy, an actor linked to Russia. 

“It is believed,” wrote researchers Guerrero-Saade and Brian Bartholomew at the time, “that CyberCaliphate was created to provide the Sofacy actors a way to conduct psychological operations against certain targets of interest while providing a level of plausible deniability.”

More recently, destructive malware known as Olympic Destroyer was used against Winter Olympic systems in South Korea in 2018. The easiest assumption was that North Korea was launching attacks against South Korea – and Kaspersky even found a 100% fingerprint match to known North Korean malware components. But other clues were also discovered pointing in different directions. 

“It’s as if a criminal had stolen someone else’s DNA and left it at a crime scene instead of their own,” commented Vitaly Kamluk, head of the APAC research team at Kaspersky. Eventually, both the U.K. and U.S. governments attributed the Olympic Destroyer campaign to the GRU, the Russian military intelligence service.

The marketing incentive combined with great difficulties in definitive attribution makes threat group naming simultaneously important and difficult. Many researchers have developed their own naming conventions, and the task of naming is given an important role. Microsoft calls their person in charge, ‘the mystic librarian’ – in reality, the MSTIC (Microsoft Threat Intelligence Center) Librarian.

Separate naming conventions

FireEye/Mandiant

Mandiant is perhaps the grandfather of naming conventions with its February 2013 release of the landmark report APT1 - Exposing One of China’s Cyber Espionage Units. APTn is Mandiant’s nomenclature for an attack group believed to be affiliated with a nation-state.

The strength of this nomenclature is its clarity. It tells us immediately that this group is believed to be state-affiliated. Its weakness is that it tells us nothing else. We do not know which nation state is involved – which is information that could provide clues to both geopolitical targets and the vertical industries likely to be targeted.

Over time, Mandiant added other prefixes: UNC, TEMP, and FIN. UNC is largely an in-house name for an ‘unclassified’ activity cluster. TEMP is the temporary working name (still largely in-house) for a cluster that is clearly evolving toward a specific group. FIN (or APT) is the prefix for a publicly named threat group that has a financial (or state espionage) motivation. So, for example, UNC902 evolved into TEMP.Warlock, which was publicly ascribed to FIN11.

FIN is not used for nation-state groups. Where motivations overlap – for example, in North Korean groups that also have a financial motivation – the APT classification takes preference.

CrowdStrike

CrowdStrike has taken a different approach to naming. Its names are both evocative and more informative, comprising first a catchy prefix followed by an animal with a geographic connotation when the actor is believed to be linked to nation-state. It consequently combines marketing potential with geographic information – Fancy Bear, a Russian state actor, is not easily forgotten, nor is its association with CrowdStrike.

Panda is China, Bear is Russia, Chollima is North Korea, Kitten is Iran, Buffalo is Vietnam, and so on. Non-state-affiliated suffixes include Spider for criminal gangs and Jackal for hacktivist groups.

The glaring danger with CrowdStrike’s nomenclature – and any that implies a specific nation-state involvement – is simple: what if the firm gets its attribution wrong? Any requirement to rename Fancy Bear to Fancy Panda would be a massive blow to reputation. But in fairness to CrowdStrike and all the companies that name the groups, no such correction has yet been needed. 

Jens Monrad, Head of Mandiant Intelligence, EMEA, told SecurityWeek, “To my knowledge, we haven't seen such a correction where attribution of a cyber espionage campaign or group ended up being in the wrong country. It also emphasizes that when a private organization does attribution, they do it under well recognized analytical tradecrafts and methodologies, so whatever is published is done with an easy-to-understand confidence and credibility level.”

Kaspersky

Brian Bartholomew, principal security researcher at Kaspersky, described the origin of threat group naming. Back around 2005, the names were ascribed by the government – and the government had a very stringent process before naming a threat actor. It was lengthy and could take a year before a name was assigned. This was acceptable for government, since there were only a few agencies involved. 

“But as private researchers subsequently came on board,” he told SecurityWeek, “and the process was essentially monetized and companies were making money from their research, they had to start coming up with their own names. They didn’t – and don’t – have clearance to see the government’s research, but must rely on their own research. That’s how the different names came into being and started colliding with each other.”

Since then, the research community has had numerous discussions around developing a universal naming convention – but it has always failed. The problem, said Bartholomew, is that each different research company has a different visibility into what Kaspersky calls an activity cluster. “A lot of times, within these activity clusters, we may see things we can link together – but when we talk to another vendor, they don’t see all that we see, but may see something extra. So, their definition of a cluster is not necessarily a one-to-one match with what we see. If we all agree to use a single name, because of the different visibilities, we would end up muddying the waters for our customers.”

The consensus today is that each researcher should stick to its own name for attribution. “While that’s confusing for customers – and even more so for the public that is not a customer – it enables each research organization to keep its own research distinct.”

Bartholomew then touched on the marketing incentive. “Being the first vendor to publicize something is always a good thing for marketing. It may not necessarily be a good thing from the researcher perspective because sometimes keeping things quiet helps you find more pieces of the puzzle. So sometimes people choose not to publicize things – but when there is going to be a public blog about something, it is almost always marketing or PR-driven.”

A good example is APT28 and Fancy Bear. APT28 had been tracked for years by different research groups before the name was ever made public. Kaspersky knew it as Sofacy, Microsoft knew it as Strontium. “Once the DNC hack became public in 2016 and the Fancy Bear name appeared in the public domain, the other groups’ names came out. But those names are not as well recognized as Fancy Bear because CrowdStrike was first to name it publicly.” (Incidentally, there is an anecdote that Fancy Bear was named ‘Fancy’ after ‘Sofacy’.)

But Bartholomew stresses that all good researchers try to remain outside and unswayed by PR and marketing pressures. “There have been times where we know that there will be a new report related to a group we’re already watching, but we just don’t have the information to say anything publicly.” An example occurred with SolarWinds. Some early reports attributed APT29 and Cozy Bear to the attack. “In our opinion,” said Bartholomew, “we do not see that link – we see the activity, but we don’t see the link to the group that was already defined as APT29. So, we still choose not to attribute it at this point.”

Kaspersky does not have a formal naming policy, beyond that its names must not give any hint of attribution to either a named actor or a government sponsor. It simply shies away from the attribution problem. “We don’t do direct attribution,” he said. “We call them activity clusters, and we can associate the activity with an entity, but we don’t go that extra step of attribution.”

The firm doesn't have a strict policy in naming. “Usually, the name is up to the researcher who is doing the work. When I do naming, I tend to not follow any convention but usually try to latch on to something that will allow me to remember the research later. The names typically don’t really mean anything. It’s sometimes named after the malware in some way, or is a play on words based on some of the infrastructure being used. We don’t have a specific convention.”

Microsoft

Jeremy Dallman, senior director of strategic programs and partnerships at Microsoft, described the complexities and considerations that go into Microsoft’s naming conventions – but Microsoft takes a subtly different approach from that of many researchers, and one more akin to Kaspersky’s.

“We care little about the person behind the keyboard,” he told SecurityWeek. “Although their persona and methods are relevant, we are not law enforcement. Our concern is protecting our customers.” For this reason, Microsoft calls the adversary an ‘activity group’ (again, like Kaspersky) rather than a ‘threat group’ and it makes no attempt to attribute the activity group to a geographic location or nation state. 

“We [like many other researchers] use the diamond model to classify an activity group into a common profile and a named element,” he continued. When this is done, a naming convention becomes necessary to both define and communicate the entity both internally and to customers (unlike Kaspersky). This process is controlled by the MSTIC Librarian.

MSTIC, the Microsoft Threat Intelligence Center, has existed internally for over a decade, but only became formalized some five years ago. “We quickly realized we needed to get into some code naming because we actively track more than 40 nation-state activity groups and more than 140 activity groups in total, spanning all of the activity categories. We needed names to be able to communicate about the groups both internally and with our customers. We had lots of ideas. An early one was using the beer flavors on the beer flavor wheel. We even tried to use dinosaur names – but abandoned that idea because of the length in writing and difficulty in pronunciation. So, we needed to look for something that wouldn’t violate any licensing terms, was recognizable to the public, and would provide enough components for use over an extended period. We ended up at the periodic table of elements. And volcanoes. And trees. In each case, there’s a good source of easily recognized names.”

Elements are used for nation state actors, volcanoes for criminal activity, and trees for private sector activity. And DEV for new activity that is still being investigated. Microsoft believes that these distinctions help their customers better understand the threat from any activity group. But it is still not simple. Consider volcanoes: there are active volcanoes and passive volcanoes. There are viscous (explosive and destructive, think of Krakatoa and Etna/Pompeii) and non-viscous (such as the usually gentler volcanoes in Hawaii). The MSTIC Librarian must consider whether there are any cultural sensitivities with any name, and she avoids any cultural association.

Microsoft also differs from many of the other research groups in having a wider view of the threat universe through its customer telemetry. “Often,” said Dallman, “the activity we view overlaps with the view of other researchers, and we can agree with a level of confidence that we have a common view of a section of the threat universe. So, for us, Strontium equals APT28 equals Fancy Bear.” But this doesn’t always happen. 

Several research companies have looked at the confusion caused by these multiple names and have consciously chosen not to increase it. They will use existing names whenever they feel there is sufficient overlap to justify it, or even allow their researchers to choose their own names.

Quite often, the use of specific malware is discovered before knowledge of the threat actor concerned becomes known. The name of the malware and the name of the group coalesce and are used interchangeably and confusingly. When talking about DarkSide, it isn’t clear whether the reference is to the actor or the malware. The same happens with REvil.

As research into the use and development of such malware continues, the actors become better understood. CrowdStrike, for example, now refers to the DarkSide group as Carbon Spider, and the REvil group as Pinchy Spider.

Can the system be improved?

It is difficult to see how the threat group naming system can be improved. Each research group is usually required to give the subject of its research its own name, because it can never be certain of the degree of overlap with existing named groups. This results in multiple different names for possibly the same threat group. At the same time, some researchers have a high level of confidence in a dual identity. In both cases, the research group feels obliged to recognize the work of other researchers – hence the convention of own name followed by other names in parentheses. The reader, however, does not automatically know how closely the groups in parentheses overlap the subject of a new report.

This is perhaps the only area that could be easily improved. The reader – whose first view is probably a journalist’s report on the report – may see ‘aka’ (also known as), or nothing at all, attached to the parenthesized list. There is rarely any indication of the likelihood or degree of similarity between the different named groups.

A formalized taxonomy that describes the relationship (such as ‘believed with a high/medium/low level of confidence to be related to...’) would help solve this. But this is unlikely and could not be enforced. First, all the different researchers would need to agree and use a common taxonomy. Second, and less likely, all journalists would need to comply with and include that taxonomy. But the journalist population has different priorities (probably time- and immediacy-based) and changes and moves around even faster than the researcher population.

For now, there is unlikely to be any change in current practices. When the reader sees a parenthesized list of other researchers’ threat groups, there can be an assumption of some degree of relationship between the different groups, but no absolute knowledge.
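The naming conventions described above (Mandiant’s APT/FIN/UNC/TEMP prefixes, CrowdStrike’s animal suffixes, Microsoft’s DEV working names) and the confidence-labelled taxonomy proposed in this section can both be made concrete in a small alias registry. The following is an added example written for this article, not code from SecurityWeek or from any of the vendors mentioned. It shows what a name tells a reader by convention alone, and how ‘aka’ relationships look when each link carries a high/medium/low label and a query returns only the aliases reachable above a chosen confidence floor. The registry contents are constructed: only the Strontium = APT28 = Fancy Bear overlap and the Sofacy and CyberCaliphate names come from the article, and every confidence value attached to them is an assumption for illustration.

```python
"""Threat-actor alias registry with explicit relationship confidence.

Added example for the SecurityWeek article on threat group naming; it is not
code from the article or from any vendor it mentions. Sample registry data and
all confidence labels are constructed for illustration.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field

# Mandiant prefixes -> (category, status), as the article describes them.
MANDIANT_PREFIX = {
    "APT": ("nation-state espionage", "published"),
    "FIN": ("financial", "published"),
    "TEMP": ("unknown", "temporary working name"),
    "UNC": ("unknown", "unclassified activity cluster"),
}

# CrowdStrike suffixes -> (category, country hint), as listed in the article.
CROWDSTRIKE_SUFFIX = {
    "panda": ("nation-state", "China"),
    "bear": ("nation-state", "Russia"),
    "chollima": ("nation-state", "North Korea"),
    "kitten": ("nation-state", "Iran"),
    "buffalo": ("nation-state", "Vietnam"),
    "spider": ("criminal", None),
    "jackal": ("hacktivist", None),
}

CONFIDENCE = {"high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class NameInfo:
    vendor: str
    category: str        # what the convention itself says about motivation/affiliation
    country: str | None  # only when the convention encodes a country
    status: str          # maturity of the name (published, working name, ...)


def describe(vendor: str, name: str) -> NameInfo:
    """Return what a name tells you by convention alone, before any telemetry."""
    if vendor == "Mandiant":
        m = re.fullmatch(r"(APT|FIN|UNC|TEMP)\.?(\w+)", name)
        if not m:
            raise ValueError(f"not a Mandiant-style name: {name!r}")
        category, status = MANDIANT_PREFIX[m.group(1)]
        return NameInfo(vendor, category, None, status)
    if vendor == "CrowdStrike":
        suffix = name.split()[-1].lower()
        if suffix not in CROWDSTRIKE_SUFFIX:
            raise ValueError(f"unknown CrowdStrike suffix in {name!r}")
        category, country = CROWDSTRIKE_SUFFIX[suffix]
        return NameInfo(vendor, category, country, "published")
    if vendor == "Microsoft":
        # Element/volcano/tree names need lookup tables; only the DEV prefix
        # for activity still under investigation is recognised here.
        if re.fullmatch(r"DEV-\d+", name):
            return NameInfo(vendor, "under investigation", None, "working name")
        return NameInfo(vendor, "unparsed", None, "published")
    raise ValueError(f"no convention registered for vendor {vendor!r}")


@dataclass
class AliasRegistry:
    """Undirected graph of vendor names; every edge carries a confidence label."""
    edges: dict[str, dict[str, str]] = field(default_factory=lambda: defaultdict(dict))

    def relate(self, a: str, b: str, confidence: str) -> None:
        if confidence not in CONFIDENCE:
            raise ValueError(f"confidence must be one of {sorted(CONFIDENCE)}")
        self.edges[a][b] = confidence
        self.edges[b][a] = confidence

    def related(self, name: str, min_confidence: str = "low") -> dict[str, str]:
        """Aliases reachable from `name`; each gets the weakest link on its best path."""
        floor = CONFIDENCE[min_confidence]
        best: dict[str, int] = {name: max(CONFIDENCE.values())}
        stack = [name]
        while stack:
            cur = stack.pop()
            for nxt, label in self.edges[cur].items():
                score = min(best[cur], CONFIDENCE[label])
                if score >= floor and score > best.get(nxt, 0):
                    best[nxt] = score
                    stack.append(nxt)
        label_of = {v: k for k, v in CONFIDENCE.items()}
        return {n: label_of[s] for n, s in best.items() if n != name}

    def render(self, name: str) -> str:
        """Own name first, then aliases with confidence, strongest links first."""
        rel = self.related(name)
        if not rel:
            return name
        ordered = sorted(rel.items(), key=lambda kv: (-CONFIDENCE[kv[1]], kv[0]))
        return f"{name} ({', '.join(f'{n} [{c}]' for n, c in ordered)})"


def build_sample_registry() -> AliasRegistry:
    """Constructed sample data; the confidence labels are illustrative assumptions."""
    reg = AliasRegistry()
    reg.relate("Strontium", "APT28", "high")       # Microsoft's stated overlap
    reg.relate("APT28", "Fancy Bear", "high")
    reg.relate("APT28", "Sofacy", "medium")        # assumed label
    reg.relate("Sofacy", "CyberCaliphate", "low")  # persona link, assumed label
    return reg


if __name__ == "__main__":
    print(describe("Mandiant", "FIN11"))
    print(describe("CrowdStrike", "Fancy Bear"))
    reg = build_sample_registry()
    print(reg.render("Strontium"))
    print(reg.related("Strontium", "high"))
```

The weakest-link rule in `related` is the design point: a chain of two high-confidence links still reads as high, but once a medium or low link is crossed everything beyond it inherits that weaker label, so a reader asking for `min_confidence="high"` never sees an alias that only arrived via a tentative association.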

Related: Attribution Hell: Cyberspies Hacking Other Cyberspies

Related: Attribution Concerns Raised Over Cyber Sanctions Program

Related: FBI Attribution of 'VPNFilter' Attack Raises Questions

Related: WikiLeaks Releases CIA Tool Used to Impede Malware Attribution

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.