Sep 20, 2022 - Technology

Cyber firms explain their ongoing hacker group name game

Illustration of a name tag with binary code on it instead of a name.
Illustration: Brendan Lynch/Axios

No matter how confusing it gets to refer to the same Russian hacker group by a handful of different names — Cozy Bear, Nobelium, APT29 and so on — don't expect the private companies behind those monikers to give them up anytime soon.

The big picture: Naming conventions for state-backed hacking groups vary from technical, advanced persistent threat (APT) group numbers to whimsical, animal-based names, making it difficult for people outside of cybersecurity research to understand which hackers do what.

  • Take one well-known Russian cyber espionage group: Mandiant researchers refer to it as APT29, CrowdStrike researchers call it Cozy Bear, and Microsoft named it Nobelium.

Driving the news: Several cyber threat intelligence firms published research about Iranian group Charming Kitten earlier this month, but each company used a different name to identify the group — renewing questions about why researchers don't standardize naming conventions.

Between the lines: Part of this is due to marketing, cyber researchers tell Axios.

  • It's a reputational win if a cyber threat intelligence firm is able to get its naming convention into the mainstream.

Yes, but: Five major threat intel firms tell Axios that even if their marketing teams weren't involved, they would still have these different names because they all have varying visibility into hackers' activities.

  • "There's not always going to be a one-to-one match for how they see the threat and how I see the threat," says Jeremy Dallman, senior director at Microsoft Threat Intelligence Center.

At Mandiant, cyber espionage researcher Benjamin Read tells Axios, they stick with the technical APT numbers to allow for more precision in their naming conventions.

  • The company has a list of more than 4,000 hacking group names.
  • Mandiant also has a core team of three or four employees who review these naming conventions as they learn about the tools and tactics those groups use.
  • Having super-precise identifications also helps Mandiant in its work with government investigators, Read says.

Other firms opt to create unique, memorable names for each group.

  • Microsoft picks names from the periodic table.
  • CrowdStrike gives Chinese state groups a name with "Panda" in it, Russian state groups get a "Bear" name, Iranian groups have "Kitten" names, and North Korean group are "Chollima."
  • Broadcom's Symantec uses names of insects.
  • Palo Alto Networks names groups after constellations.

While those naming conventions might seem silly, companies have increasingly started relying on their own naming conventions to differentiate what they're able to confirm on their own.

  • Palo Alto Networks unveiled its own naming conventions in July to better highlight what infrastructure, techniques and tools they can see hackers using, says Ryan Olson, the company's vice president of threat intelligence.

The intrigue: Each company says standardization would be impossible because of how variable their visibility is and how complex the threat landscape has become.

  • Olson relates the problem to the old tale of a group of visually impaired people trying to identify an elephant: Everyone thinks the animal is a different thing because they can only touch one part of it, like its ear or its tail.
  • "Because the universe is always changing and our views are always changing, it would be really hard to be constantly trying to adapt that across multiple vendors," Dallman says.

Sign up for Axios’ cybersecurity newsletter Codebook here.

Go deeper