Friday, September 17, 2021

Horsing around

Different companies in the cyber security industry use proprietary naming conventions when attributing activity to nation-state threat actors.

CrowdStrike uses animals that are purportedly related to the countries in question (“cat” or “kitten” for Iranian-linked groups; “panda” for China-based actors; “bear” for Russians); to distinguish within the nations there are modifiers: “Charming Kitten” and “Helix Kitten”, “Cozy Bear” and “Fancy Bear”, “Vixen Panda” and “Deep Panda”. Mandiant distinguishes confirmed groups with APT (Advanced Persistent Threat) plus a number. APT1 through APT27 are based in China; APT33 is Iranian; APT37 hangs in the DPRK; APT29 is Russian. Microsoft names them after metals on the Periodic Table. Hafnium and Platinum are Chinese; Nobelium and Yttrium are Russian; Thallium is North Korean.

Do not get me started on malware names.

Mind you—when you realize that APT41 = Barium = Wicked Panda = Sparklinggoblin (ESET) = Winnti Group (Kaspersky), well, it’s got to be confusing.

The other day I was reading a story about a China-based threat group referred to as “Mustang Panda” and I swear that ever since I have been singing this Wilson Pickett song (covered here by The Commitments), only substituting “panda” for “Sally”.

You’re welcome.


 

No comments:

Post a Comment