Threat Group Naming Conventions

JJ's Blog
6 min readJul 8, 2022

--

Actors, Adversaries and Activities

Source: SocInvestigation Blog

APT (Advanced Persistent Threats), is the most dangerous word in the world of cyber security. APTs is the term used to describe a massive attack campaign where malicious threat actors established their long-term footholds in targeted organisations to gain the most sensitive information. These attacks are highly sophisticated, undetected and motivated and very patient to spend years and years on a particular campaign.

The Advanced process signifies sophisticated techniques using malware and known vulnerabilities to exploit the internal systems.

The Persistent process suggests that an external command and control system is continuously monitoring and extracting data from a specific target.

The Threat process indicates human involvement in orchestrating the attack.

Source: Malware Bytes

APT is a broad term used to describe an attack campaign typically a nation-state, state-sponsored group or team of intruders that establishes an illicit, gains, unauthorised access via security vulnerabilities and loopholes within the infrastructure of the target organizations and remains undetected for a longer period to gather highly sensitive data.

Fun Fact: Cyber Sec Tech Giant Mandiant, who tracked down the first-ever Chinese cyber-espionage threat group APT 1 have the longest time period on the target organization of 4 Years, 10 Months within which the threat group has continued to access a victim’s network and exfiltrate data.

Steps of an APT Attack

Most of the time an APT threat actor gains access through an email, network, compromise, or any unpatched/zero-day vulnerabilities and drops malware into an organization’s network.

The advanced malware probes for additional network access and vulnerabilities or communicates with command-and-control (CnC) servers to receive additional instructions and/or malicious code.

The malware typically establishes additional points of compromise to ensure that the cyber attack can continue if one point is closed.

Once a threat actors have successfully established reliable network access, they started gathering the sensitive information.

Threat actors are specifically drops various malware to collects data on a staging server and then exfiltrates the data off the network and under the full control of the threat actor.

Source: phoenixNAP

How are APT Groups entitled?

Generally, we came across many different aliases for these APT groups but the concern is how security researchers provide a specific name to these Threat actors. Let’s uncover the Naming Conventions of these APT Groups.

Providing a specific name to the threat group is not an easy task, it is a very lengthy process to decide, which is not feasible to determine overnight. There is tons of research, expertise, data collection and investigations required to identify the Threat Group and their activities.

As security firms tend to have their naming convention methods, there will be multiple aliases for an APT group, which makes anyone confused.

Whenever any researchers detect and uncover malicious activity, they group forensically-related artefacts into ‘clusters’. These clusters indicate actions, infrastructure, and malware that are all part of an intrusion, campaign, and activities which have direct links. Later this activity has been put in the category of the “uncategorized” groups.

Over time, these clusters can grow, merge with other clusters, and potentially graduate into named groups, such as APT28, APT37, Deep Panda, FIN7, etc etc.

APT Groups (Source: CrowdStrike)

Organization’s Naming scheme

In the world of APT tacking, organizations and researchers have developed their own naming conventions, I have mentioned some of them are as follows,

Mandiant Naming scheme:

Mandiant is perhaps the grandfather of naming conventions with its February 2013 release of the landmark report APT1 — Exposing One of China’s Cyber Espionage Units.

Mandiant use APTn nomenclature for an attack group believed to be affiliated with a nation-state. Over time, Mandiant also added other prefixes such as UNC, TEMP, and FIN.

  • UNC is largely an in-house name for an ‘unclassified’ activity cluster.
  • TEMP is the temporary working name (still largely in-house) for a cluster that is evolving toward a specific group.
  • FIN (or APT) is the prefix for a publicly named threat group that has a financial (or state espionage) motivation.

Below are some other popular naming schemes include:

  • Proofpoint uses numbered TA groups, e.g. TA505, TA542
  • Symantec uses species of insects, e.g. Cicada, Shuckworm, Dragonfly
  • Recorded Future uses a colour plus phonetic alphabet, e.g. RedDelta, RedEcho, RedFoxtrot
  • IBM uses numbered ITG or Hive, e.g. ITG14, Hive0065
  • Microsoft uses element’s names, e.g. PHOSPHORUS, NOBELIUM, STRONTIUM
  • Secureworks uses elements plus nicknames, e.g. Gold Drake, Iron Liberty, Bronze Union.
CrowdStrike 2022 Global Threat Report showcasing the specific adversary belongs to which Nation

If you’re interested to read more about APT Groups, Operations and their aliases, Please find below attached excel,

Why So Many aliases?

Most of the time organisations start tracing down the APT cluster by mapping the intrusion activities of that particular threat actor either by Diamond Model, Cyber Kill chain process or via MITRE ATT&CKTM Framework.

Different organizations and the associated research team might have different capabilities, visibilities, and analysing methods, or might have their own infrastructure and stored data to track down the APT group.

Sometimes its also possible that the researchers have lesser confidence in the threat group and their associated activities, so rather than making a perfect name, they’re just assigned a temporary name, which can be changed later, as it’s always better to have some name rather than calling the group ‘Unknown’.

It may be one group with three separate names, or it may be three separate groups attacking similar targets either with similar malware or via exploiting the same vulnerability or it might be the same methods, we don’t know.

There’s always a difference between how you and others can judge the information. Let me explain with an example,

Let’s have 2 different organisations, A and B. They are tracking one of those APT Groups named,

Company A - APT28
Company B - Fancy Bear

As we know, both are the same threat group but different researchers may see similar activity clusters at the same time, but because of their limited visibility, they might be unaware about other researchers are going through the same process. The result is that new and different attack group names may appear within a short time frame.

During the research, we never know whether both APT28 and Fancy Bear are belongs to the same clusters or not, as every organizations has their telemetry, data standards, observation, procedures, and confidence levels.

Additionally, the intrusion identified by Company A is might be distinct from Company B, there might be some overlap but it’s never the exact match.

There are tons of other reasons for providing the names of the Threat Actors, as unless specified publicly, there is no reason to believe any two organizations have the same visibility and standards.

These are might be some of the reasons why most CTI teams and organizations leverage their own naming scheme.

Everyone creates their own names, Doesn’t quite work.
Use someone else’s name, Doesn’t quite work either. 😄

Resources:

Other resources to track APT groups and their activities:

--

--

JJ's Blog
JJ's Blog

Written by JJ's Blog

Intel | Research | Darkweb | Mystery | Infosec

Responses (1)