You Say Cozy Bear, I Say Midnight Blizzard, Voodoo Bear, APT29 …

Opinion Microsoft and CrowdStrike made a lot of noise on Monday about teaming up with other threat-intel outfits to “bring clarity to threat-actor naming.”

It’s a great idea that would benefit network defenders tasked with keeping track of the 200-plus nation-state, financially motivated, and hacktivist crews that all the major security vendors and government agencies call by different names. Take Cozy Bear, also dubbed Midnight Blizzard, APT29, or UNC2452, depending on who you ask.

“Our mutual customers are always looking for clarity,” Microsoft Security corporate VP Vasu Jakkal wrote. “Aligning the known commonalities among these actor names directly with peers helps to provide greater clarity and gives defenders a clearer path to action.”

Unfortunately, they didn’t actually do anything to deliver this clarity — like, say, agreeing to use the same name to track a particular cyber-goon squad. 

Instead, Microsoft and CrowdStrike published what they described as their “first version of our joint threat actor mapping.” And if you scroll wayyyy down, you’ll find a chart that lists Microsoft’s name for a particular group along with “other names” for that same gang.

Some of these crews have akas in the double digits. The cyber-operations wing of Russia’s Military Intelligence Unit 74455, best known as Sandworm, has 10 other aliases depending on who is talking about it. Microsoft calls it Seashell Blizzard, and it’s also known as IRIDIUM, VOODOO BEAR, BE2, UAC-0113, Blue Echidna, PHANTOM, BlackEnergy Lite, and APT44.

A Chinese government-backed group that Microsoft tracks as Satin Typhoon is also called SCANDIUM, DYNAMITE PANDA, COMBINE, TG-0416, SILVERVIPER, Red Wraith, APT18, Elderwood Group, and Wekby.

Clarity? Not so much.

Crouching Yeti, Hidden Lynx

While we’re all focusing on clarity and making life easier for network defenders, why not take former CISA boss Jen Easterly’s suggestion and stop “glamorizing” crime gangs with fancy, poetic names? 

Velvet Chollima (aka Opal Sleet, OSMIUM, Planedown, Konni, and APT43) doesn’t sound like a North Korean cyber-espionage crew. It sounds like the name of my new belly dance troupe.

And I’m pretty sure Crouching Yeti was in the running for my kids’ soccer team name.

Microsoft included all of these names and more in its CrowdStrike collab, aka “initial taxonomy mapping” — aka another article you need to click on to figure out who FamousSparrow is. (Trick question: Microsoft says it’s Salt Typhoon; ESET said, “FamousSparrow appears to be its own distinct cluster.”)

And, we’re told, Google/Mandiant and Palo Alto Networks Unit 42 will also be joining the fun in the future.

So we asked all of them: Why not just use a single naming standard? 

“Our blog explains the existence of different naming taxonomies in the industry,” a Microsoft spokesperson told The Register. “Imposing a single standard on the industry would be technologically challenging and may affect intelligence. Mapping allows popular taxonomies to remain while simplifying their use for customers.”  

What do we need? Clarity!

CrowdStrike senior VP of counter adversary operations Adam Meyers also wrote about the need to “bring clarity and coordination to the way organizations label threat actor groups.”

The security shop calls the Chinese government spy crew that broke into US telecom networks “Operator Panda.” Microsoft and most everyone else calls them Salt Typhoon. 

We should note that other security vendors including Trend Micro have called on Microsoft to share a detailed report of the tactics, techniques, and procedures (TTPs) used in the Salt Typhoon attacks so they can directly tie them to Beijing-backed groups that they track by different names.

And that Russian GRU-backed crew — Sandworm — that Microsoft tracks as Seashell Blizzard? CrowdStrike calls them Voodoo Bear.

Meyers told The Register that a single naming standard won’t work:

“Establishing a single standard may sound simple, but the reality is far more complex. Different vendors see different parts of the threat landscape based on their telemetry, intelligence sources, and analytic models. This means we may be tracking the same adversary from different vantage points. Forcing a single standard would mean losing the unique insights each organization brings to the table, or slowing down attribution in an attempt to ‘reach consensus.’ This doesn’t even touch on the question of who would enforce the single standard.”

He added that the collab “brings clarity,” and that the partners are “focused on mapping, not mandating.”

“By building a shared reference system that allows teams to correlate aliases quickly, we’re helping defenders accelerate their response,” Meyers said.
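What a “shared reference system that allows teams to correlate aliases quickly” looks like in practice, and why the FamousSparrow disagreement mentioned earlier is the hard part, is easier to see in code. The following is an added example written for this page; it is not Microsoft’s, CrowdStrike’s or ESET’s mapping, and the alias records in it are constructed from the group names the article quotes. It merges vendor “same actor” assertions transitively (so Voodoo Bear, Sandworm and Seashell Blizzard land in one cluster whichever name a report uses), normalizes case and punctuation, and records a dispute rather than silently picking a winner when one vendor says two names are distinct while the merged graph says they are the same.

```python
import re
from collections import defaultdict

# Constructed "same actor" assertions: (source, alias, name the source maps it to).
# Illustrative records built from the groups named in the article, not a copy of
# any vendor's actual mapping table.
SAME_AS = [
    ("microsoft", "Sandworm", "Seashell Blizzard"),
    ("microsoft", "IRIDIUM", "Seashell Blizzard"),
    ("microsoft", "APT44", "Seashell Blizzard"),
    ("crowdstrike", "VOODOO BEAR", "Seashell Blizzard"),
    ("microsoft", "Cozy Bear", "Midnight Blizzard"),
    ("microsoft", "APT29", "Midnight Blizzard"),
    ("microsoft", "UNC2452", "Midnight Blizzard"),
    ("crowdstrike", "Operator Panda", "Salt Typhoon"),
    ("microsoft", "FamousSparrow", "Salt Typhoon"),
    ("microsoft", "Velvet Chollima", "Opal Sleet"),
    ("microsoft", "APT43", "Opal Sleet"),
]
# Explicit dissent (constructed from the article): (source, alias, name it is NOT the same as).
DISTINCT_FROM = [("eset", "FamousSparrow", "Salt Typhoon")]


def norm(name):
    """Case- and punctuation-insensitive key, so 'VOODOO BEAR' == 'Voodoo-Bear'."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


class AliasIndex:
    """Union-find over alias names so chained vendor mappings resolve transitively."""

    def __init__(self, preferred_source="microsoft"):
        self.preferred_source = preferred_source   # whose name we report as 'canonical'
        self.parent = {}                # normalized key -> parent key (union-find)
        self.display = {}               # normalized key -> display form first seen
        self.canonical_keys = set()     # keys the preferred source uses as its own names
        self.sources = defaultdict(set) # key -> sources that asserted a mapping for it
        self.disputes = []              # (source, alias, name) contradicted by the graph

    def _find(self, key):
        self.parent.setdefault(key, key)
        while self.parent[key] != key:
            self.parent[key] = self.parent[self.parent[key]]   # path compression
            key = self.parent[key]
        return key

    def add_same_as(self, source, alias, name):
        ka, kn = norm(alias), norm(name)
        self.display.setdefault(ka, alias)
        self.display.setdefault(kn, name)
        ra, rn = self._find(ka), self._find(kn)
        if ra != rn:
            self.parent[ra] = rn
        self.sources[ka].add(source)
        if source == self.preferred_source:
            self.canonical_keys.add(kn)

    def add_distinct(self, source, alias, name):
        """Record dissent; it only becomes a dispute if the graph already joins the two."""
        ka, kn = norm(alias), norm(name)
        self.display.setdefault(ka, alias)
        self.display.setdefault(kn, name)
        if self._find(ka) == self._find(kn):
            self.disputes.append((source, alias, name))

    def resolve(self, alias):
        """Return the whole cluster for an alias, or None if nobody has mapped it."""
        key = norm(alias)
        if key not in self.parent:
            return None
        root = self._find(key)
        keys = [k for k in list(self.parent) if self._find(k) == root]
        return {
            "query": alias,
            "canonical": sorted(self.display[k] for k in keys if k in self.canonical_keys),
            "cluster": sorted(self.display[k] for k in keys),
            # any dissent touching this cluster is surfaced, not hidden by the merge
            "disputes": sorted(d for d in self.disputes if self._find(norm(d[1])) == root),
        }


def build_index(same_as, distinct_from):
    idx = AliasIndex()
    for src, alias, name in same_as:
        idx.add_same_as(src, alias, name)
    for src, alias, name in distinct_from:   # applied last, once the graph is complete
        idx.add_distinct(src, alias, name)
    return idx


INDEX = build_index(SAME_AS, DISTINCT_FROM)

if __name__ == "__main__":
    for q in ("voodoo bear", "Cozy Bear", "FamousSparrow", "Hidden Lynx"):
        print(q, "->", INDEX.resolve(q))
```

The design choice worth noting is that dissent is stored separately from the merge graph: a union-find can only say “same”, so if ESET’s “distinct cluster” view were fed in as just another edge it would be lost. Keeping it as a dispute attached to the cluster means an analyst correlating a Salt Typhoon report with a FamousSparrow report sees that the link is contested, which is exactly the situation the mapping tables in the article paper over.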

Google got more to the point with its answer, and hinted at what we’ve long suspected: it’s about vendors’ egos. Everyone wants to claim the catchiest bad-guy name that rises to the top and becomes the one name to rule them all. 

“Historically, security companies have certainly wanted to have their own naming schemes for marketing purposes, but it’s primarily influenced by how different security organizations track what they actually see, what they have visibility into, and then how they go about attribution,” Google Threat Intelligence Group Deputy Chief Analyst Luke McNamara told The Register.

When asked why not use and/or create a single standard, he suggested we ask Microsoft and declined to comment further.

Palo Alto Networks Unit 42 CTO and Head of Threat Intelligence, Michael Sikorski, also told The Register that a single naming convention would be “incredibly difficult,” but called the “growing alignment” between the four companies’ threat intel teams a “critical step in the right direction. This will better streamline how threat intelligence is shared and ensure that responses are faster and more effective.”

“When the same threat actor is referred to by multiple names, it can create unnecessary confusion and delay,” Sikorski continued. “Aligning on terminology isn’t just a matter of semantics — it’s a strategic one.” 

It appears that using different names — but calling it a collaboration in the spirit of making things easier for their joint customers — is also a strategic choice. ®
