‘Midnight Blizzard’, ‘Cozy Bear’ and more: how Microsoft, Google and other tech companies plan to untangle weird hacker nicknames

Microsoft, Google, CrowdStrike and Palo Alto Networks have announced that they will create a public glossary for state-sponsored hacking groups and cybercriminals. The goal is to reduce confusion caused by the many unofficial nicknames for these entities. Microsoft and CrowdStrike expressed hopes of involving other industry partners and the US government in this effort to identify threat actors.

“We do believe this will accelerate our collective response and collective defense against these threat actors,” stated Vasu Jakkal, corporate vice president at Microsoft Security.
Why it matters for US government and researchers
Cybersecurity companies have long assigned coded names to hacking groups because attributing digital attacks can be difficult, and researchers need a consistent way to track their adversaries. These names range from functional, like “APT1” (Mandiant) or “TA453” (Proofpoint), to more colorful aliases such as “Earth Lamia” (Trend Micro) or “Equation Group” (Kaspersky). CrowdStrike’s evocative names, like “Cozy Bear” for Russian hackers and “Kryptonite Panda” for Chinese groups, have been particularly popular, leading others to adopt similar styles. For example, Secureworks (now owned by Sophos) began using “Iron Twilight” in 2016 for the Russian hackers it had previously tracked as “TG-4127”. Microsoft also recently changed its naming convention from element-themed names like “Rubidium” to weather-themed ones such as “Lemon Sandstorm” or “Sangria Tempest.”

“But the same actor that Microsoft refers to as Midnight Blizzard might be referred to as Cozy Bear, APT29, or UNC2452 by another vendor. Our mutual customers are always looking for clarity. Aligning the known commonalities among these actor names directly with peers helps to provide greater clarity and gives defenders a clearer path to action,” Jakkal said.

However, the proliferation of these unique aliases has created overload. A 2016 U.S. government report on hacking attempts against the election caused confusion by using 48 different nicknames for various Russian hacking groups and malicious programs, including “Sofacy,” “Pawn Storm,” and “Tsar Team.”

Michael Sikorski, CTO for Palo Alto’s threat intelligence unit, called the initiative a “game-changer,” noting, “Disparate naming conventions for the same threat actors create confusion at the exact moment defenders need clarity.”

Adam Meyers, CrowdStrike’s senior vice president of Counter Adversary Operations, highlighted an early success. He reported that the initiative had already helped his analysts link a group Microsoft named “Salt Typhoon” with CrowdStrike’s “Operator Panda.”