Microsoft, CrowdStrike, Alphabet (Google's parent company), and Palo Alto Networks have joined forces to make life more difficult for cybercriminals. How? By creating a public glossary that organizes the chaotic universe of names and aliases used to refer to criminal groups on the internet, a universe that is constantly growing and that, until now, had not been centralized anywhere.
This “cybercrime handbook” is designed to help both researchers and ethical hackers easily identify which group they are dealing with and what kind of activities they typically engage in. Many of these groups have multiple names (some official, others not so much), which makes it quite difficult to track them down. The idea is that, with a single glance, they can be located without having to cross-reference multiple sources.
Microsoft explained everything in a blog post, saying that this new resource aims to “give security researchers a hand, as they already have to deal with a flood of threat data.”
In the world of cybersecurity, it is not uncommon for the same group of hackers to change its name over time, especially as its methods and objectives evolve. Secureworks (now part of Sophos) illustrated this back in 2016, when it stopped using the name TG-4217 and began calling the same Russian group Iron Twilight.
It is also very common for different analysts and companies to refer to the same group by completely different names. Sometimes they use combinations of letters and numbers, such as APT1 (identified by Mandiant) or TA453 (the name given by Proofpoint). Another clear example is the North Korean group known as both APT37 and ScarCruft. Same people, different labels.
Each cybersecurity firm has its own style. Some, such as CrowdStrike, prefer catchier, more memorable names. For example, they have named groups such as Kryptonite Panda (a Chinese group) or Cozy Bear (a Russian group). Trend Micro has tracked Earth Lamia, while Kaspersky has taken on the mysterious Equation Group.
This mix of names may seem confusing, and it is. Microsoft explains it well: each company names groups according to its own criteria, making it difficult to know whether they are referring to the same group or not.
To bring some order to the chaos, Microsoft has adopted a more structured system: it uses a kind of taxonomy based on meteorological phenomena. They classify groups according to five main categories: state-sponsored, financially motivated, private companies that carry out cyberattacks on commission (PSOA), disinformation campaigns, and groups focused on developing tools.
Each is assigned the name of a storm or weather event. For example, if the attack comes from China, it is labeled “Typhoon.” If it is a group seeking money, its second name will be “Storm.” Thus, they have moved from technical names such as Rubidium to much more creative ones such as Sangria Tempest or Lemon Sandstorm. Sounds more epic, doesn't it?
[Figure: Microsoft table for assigning nicknames to cybercriminal groups]
Although several cybersecurity companies have welcomed the initiative with enthusiasm (such as Michael Sikorski, chief technology officer at Palo Alto's threat intelligence unit, who said it represents a true “paradigm shift”), not everyone is so convinced.
For example, SentinelOne is not so sure. Its director of intelligence and security research expressed some concern with a rather blunt comment: according to him, these types of efforts tend to favor large companies, which end up retaining control of all research. “This is like marketing fairy dust sprinkled over the harsh realities of business,” he said, making it clear that he does not entirely buy into the narrative.
Even so, the project seems to be working. CrowdStrike has commented that this new way of standardizing names has already served a very specific purpose: connecting the dots and discovering that two groups that appeared to be different (Salt Typhoon, according to Microsoft, and Operator Panda, according to CrowdStrike) could actually be the same.