
Vendors emphasize importance of threat actor taxonomies despite confusion


Cybersecurity vendors argue that their own threat actor taxonomies are crucial for accurate threat tracking and defense procedures, despite complaints from the infosec community about the growing number of names for a single threat group. Adversary attribution allows vendors to link threat actors to malicious activities, identify their motivations and tactics, and equip analysts with the knowledge to mitigate future threats. However, the proliferation of vendor-specific taxonomies has led to concerns about overlapping names for the same cyber adversaries, making it confusing for clients to track specific threat activity.

For instance, the Russian cyber espionage group behind the notorious breach of the Democratic National Committee in 2016 is known as Fancy Bear by CrowdStrike, APT28 by Mandiant, Strontium by Microsoft, Sofacy by Palo Alto Networks, Iron Twilight by Secureworks, and Pawn Storm by Trend Micro. The various codenames create challenges for security researchers and enterprise defenders trying to track specific threat activity.

Still, some vendors argue that tracking cybercriminal activity under their company’s own individual naming conventions is essential because each security vendor observes the threat landscape through its own collected data and analysis. “It’s really important to name those actor groups individually because every single company — Microsoft, Palo Alto Networks, etc. — has their viewpoint into that actor activity,” said Kyle Wilhoit, director of threat research of Unit 42 at Palo Alto Networks.

Recently, Microsoft overhauled its naming taxonomy for threat groups, adopting weather-themed names for specific types of adversaries. Microsoft’s latest blog post uses the new classifications, describing the recent operations of “Mint Sandstorm,” an Iranian nation-state actor the company formerly documented as “Phosphorus.” Under the new system, threat actors are sorted into five categories, one of which is the attackers’ country of origin, and each category is tied to the weather theme. For example, Russia is dubbed “Blizzard,” represented by a snowflake symbol.

Secureworks’ Counter Threat Unit (CTU) labels threat actor groups according to their associated nation-state to give customers more background on each group, while Palo Alto Networks’ Unit 42 revamped its naming policy last year, using constellation names that denote the attackers’ motivations.

Threat analysts sift through an immense volume of clustered data every day, and confidently pinpointing the source of threat activity can be difficult. It can also be a challenge to decide whether familiar activity belongs to a known APT or to a new splinter group. Vendors may reach differing conclusions depending on their respective threat intelligence.

Despite recent changes to improve clarity, cybersecurity professionals should not expect to see consolidation or a unified system anytime soon. “We’re not creating these threat group names because we’re trying to make life complicated for defenders. We’re doing it in good faith,” said Don Smith, vice president of threat intelligence at Secureworks. “We’re continually trying to deconflict and ensure that we share the understanding, but there will inevitably be differences.”
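The practical consequence of the naming sprawl described above is that a defender ingesting several vendor feeds has to fold the different names for one adversary into a single internal cluster, and has to notice when two vendors' names collide. The following is an added illustrative example, not code from the article or from any of the vendors it quotes. The alias table is constructed from the names the article lists (Fancy Bear, APT28, Strontium, Sofacy, Iron Twilight, Pawn Storm, Mint Sandstorm, Phosphorus); the cluster identifiers such as `CLUSTER-RU-001` and the sample intel records are hypothetical values chosen here and are not any vendor's identifiers.

```python
"""Alias resolution across vendor threat-actor taxonomies.

Added example; not code from the article or any vendor. The alias table
is built from names the article lists; the cluster ids are hypothetical
labels invented for this example.
"""
from collections import defaultdict

# Constructed from the article: one adversary, many vendor names.
VENDOR_ALIASES = {
    "CLUSTER-RU-001": {           # hypothetical cluster id
        "CrowdStrike": "Fancy Bear",
        "Mandiant": "APT28",
        "Microsoft": "Strontium",
        "Palo Alto Networks": "Sofacy",
        "Secureworks": "Iron Twilight",
        "Trend Micro": "Pawn Storm",
    },
    "CLUSTER-IR-001": {           # hypothetical cluster id
        "Microsoft": "Mint Sandstorm",
        "Microsoft (legacy)": "Phosphorus",
    },
}


def normalize(name):
    """Case- and whitespace-insensitive key so 'fancy  bear' == 'Fancy Bear'."""
    return " ".join(name.lower().split())


def build_index(aliases=VENDOR_ALIASES):
    """Invert vendor->name tables into name->set(cluster ids).

    Returns (index, conflicts). A conflict is an alias claimed by two
    different clusters; that is what vendor deconfliction has to catch
    before the alias can be trusted in automation.
    """
    index = defaultdict(set)
    for cluster, by_vendor in aliases.items():
        for vendor_name in by_vendor.values():
            index[normalize(vendor_name)].add(cluster)
    conflicts = {alias: clusters for alias, clusters in index.items()
                 if len(clusters) > 1}
    return dict(index), conflicts


def resolve(name, index):
    """Map a vendor name to one cluster id, or None if unknown or ambiguous."""
    clusters = index.get(normalize(name), set())
    if len(clusters) != 1:
        return None
    return next(iter(clusters))


def tag_records(records, index):
    """Attach a cluster id to each intel record based on its vendor actor name."""
    return [{**rec, "cluster": resolve(rec["actor"], index)} for rec in records]


def cluster_counts(records, index):
    """How many records fold into each cluster once aliases are resolved."""
    counts = defaultdict(int)
    for rec in tag_records(records, index):
        counts[rec["cluster"]] += 1
    return dict(counts)


# Constructed sample: three feeds reporting the same adversary under
# different names, plus one name no table knows (resolves to None).
SAMPLE_RECORDS = [
    {"vendor": "Mandiant", "actor": "APT28", "observation": "spear-phish"},
    {"vendor": "Microsoft", "actor": "STRONTIUM", "observation": "credential theft"},
    {"vendor": "CrowdStrike", "actor": "Fancy Bear", "observation": "infra overlap"},
    {"vendor": "Unknown", "actor": "Example Actor", "observation": "n/a"},
]

if __name__ == "__main__":
    idx, conflicts = build_index()
    print("conflicts:", conflicts)
    print(cluster_counts(SAMPLE_RECORDS, idx))
```

Unknown and ambiguous names both resolve to `None` rather than being guessed, so records that cannot be deconflicted stay visible for a human analyst instead of silently landing in the wrong cluster; the `conflicts` output from `build_index` is the list that needs an analyst decision before the table is used in pipelines.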
