Cyber companies hope to untangle weird hacker codenames

Author: BGP Group
June 3, 2025

Microsoft, CrowdStrike, Palo Alto and Google said they would create a public glossary of state-sponsored hacking groups and cybercriminals, in a bid to ease confusion over the menagerie of unofficial nicknames for them.

Microsoft and CrowdStrike said they hoped to potentially bring other industry partners and the US government into the effort to identify Who’s Who in the murky world of digital espionage.

“We do believe this will accelerate our collective response and collective defense against these threat actors,” said Vasu Jakkal, corporate vice president, Microsoft Security.

How meaningful the effort ends up being remains to be seen.

Cyber security companies have long assigned coded names to hacking groups, as attributing hackers to a country or an organisation can be difficult and researchers need a way to describe who they are up against.

Some names are dry and functional, like the “APT1” hacking group exposed by cyber security firm Mandiant or the “TA453” group tracked by Proofpoint.

Others have more colour and mystery, like the “Earth Lamia” group tracked by Trend Micro or the “Equation Group” uncovered by Kaspersky.

CrowdStrike’s evocative nicknames – “Cozy Bear” for a set of Russian hackers, or “Kryptonite Panda” for a set of Chinese ones – have tended to be the most popular, and others have also adopted the same kind of offbeat monikers.

In 2016, for example, the company Secureworks – now owned by Sophos – began using the name “Iron Twilight” for the Russian hackers it previously tracked as “TG-4127.”

Microsoft itself recently revamped its nicknames, moving away from staid, element-themed ones like “Rubidium” to weather-themed ones like “Lemon Sandstorm” or “Sangria Tempest.”

But the explosion of whimsical aliases has already led to overload.

When the US government issued a report about hacking attempts against the 2016 election, it sparked confusion by including 48 separate nicknames attributed to a grab bag of Russian hacking groups and malicious programs, including “Sofacy,” “Pawn Storm,” “CHOPSTICK,” “Tsar Team,” and “OnionDuke.”

Michael Sikorski, the chief technology officer for Palo Alto’s threat intelligence unit, said the initiative was a “game-changer.”

“Disparate naming conventions for the same threat actors create confusion at the exact moment defenders need clarity,” he said.

Juan Andres Guerrero-Saade, Executive Director for Intelligence and Security Research at cyber security firm SentinelOne, was skeptical of the effort, saying the cold reality of the cyber security industry was that companies hoarded information.

Unless that changed, he said, “this is branding-marketing-fairy dust sprinkled on top of business realities.”

But CrowdStrike senior vice president of counter adversary operations, Adam Meyers, said the move had already delivered a win by helping his analysts connect a group Microsoft called “Salt Typhoon” with one CrowdStrike dubbed “Operator Panda.”