Microsoft goes meteorological in defining cybercrook groups

Do you know your APT28 from your Fancy Bear? Your Pawn Storm from your Swallowtail? Your IRON TWILIGHT from your SNAKEMACKEREL? If you said yes, GTFO because they are all allegedly the same thing. And therein lies the problem with the cybersecurity industry's naming conventions – they're shit. Companies investigating the same …

  1. TheMaskedMan Silver badge

    Can't help noticing that all the names mentioned, with the possible exception of sleet, are slightly cool sounding in a contrived kind of way - a bit like the output of a character name generator.

    If we simply must use a system like this, couldn't we at least call them something like Arsehole, Dickhead etc?

    Of course, the obvious solution would be to call them what they are - Russian etc. But that would be too easy, wouldn't it.

    1. msknight

      Totally get where you're coming from, but as the news outlets occasionally report on the big cybercrime stories I can't imagine anyone sanctioning the reporter saying, "Thieving Ruskie Dickheads broke into a school and lifted a lot of children's private... er.. information."

      1. TheMaskedMan Silver badge

        "I can't imagine anyone sanctioning the reporter saying, "Thieving Ruskie Dickheads broke into a school and lifted a lot of children's private... er.. information.""

        Sadly, neither can I, though it would make a refreshingly accurate change :) Maybe a job for the Reg Standards Bureau?

    2. Michael Wojcik Silver badge

      Some of the researchers publish at least parts of their naming conventions. Mandiant's dull but sensible APT-n is pretty obvious: "APT" for "Advanced Persistent Threat" and they just increment n when they think they might have a new group on their hands. MITRE's scheme is similar, except they just use a "G" for "group" and a four-digit identifier.

      The two-word names that end with a mammal such as "Fancy Bear" and "Deep Panda" use a scheme that I think Alperovich came up with, where the animal type identifies the presumed nation hosting the group (Bear for Russia and so on). Other names are assigned based on observed habits of the group; "Sandworm" (aka "Voodoo Bear", etc) was so-named by Hultquist in part because identifiers in their code had a lot of references to Dune.

      I have no idea how Microsoft came up with names like "Strontium" (excuse me, "STRONTIUM", because SHOUTING MAKES THINGS BETTER).

      The two-word or portmanteau nonsense-phrase names like "Pawn Storm" are reminiscent of the naming convention the NSA and some other US Federal organizations like to use (e.g. "ETERNALBLUE"). Those might just be randomly-chosen word pairs, but they might be the result of Cantor-depairing a single integer representing some sort of serial number or other code. (Cantor pairing is a bijection – in fact the only such bijection – between any one integer and a pair of integers.) The idea here is you have an integer, you compute its corresponding Cantor pair, then you use the first value to index (mod size) an array of adjectives, and the second to index an array of nouns. I wrote a quick implementation of this on a lark some time back, with small word lists of a few dozen adjectives and nouns each.

      So let's just use that for a naming scheme, using the MITRE G-number. Fancy Bear is now "Short Advertisement". Remix Kitten is "Local Dream". Gothic Panda is "Big Nest". I expect everyone to use these names in the future; I will supply them at the reasonable cost of $10/query.
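A worked version of the scheme described above (Cantor depairing of a MITRE G-number into adjective and noun indices), added here as an illustration; it is not the commenter's script, and the word lists are constructed, so the names it produces will not match the ones quoted:

```python
import math
import re

# Constructed word lists (hypothetical; not the commenter's own lists,
# so the names produced here will not match the ones he quotes).
ADJECTIVES = ["Short", "Local", "Big", "Quiet", "Rusty", "Amber", "Hollow", "Brisk"]
NOUNS = ["Advertisement", "Dream", "Nest", "Lantern", "Kettle", "Harbour", "Comet", "Ledger"]


def cantor_pair(x: int, y: int) -> int:
    """Cantor pairing: maps (x, y) in N x N to a single natural number."""
    return (x + y) * (x + y + 1) // 2 + y


def cantor_unpair(z: int) -> tuple[int, int]:
    """Inverse of cantor_pair, using integer arithmetic only (no float rounding)."""
    w = (math.isqrt(8 * z + 1) - 1) // 2   # index of the diagonal z lies on
    t = w * (w + 1) // 2                    # first z value on that diagonal
    y = z - t
    x = w - y
    return x, y


def parse_group_id(gid: str) -> int:
    """Turn a MITRE ATT&CK group id such as 'G0007' into its integer part."""
    m = re.fullmatch(r"G(\d{4})", gid.strip().upper())
    if m is None:
        raise ValueError(f"not a MITRE group id: {gid!r}")
    return int(m.group(1))


def codename(gid: str) -> str:
    """Derive an adjective-noun name from a G-number via Cantor depairing."""
    x, y = cantor_unpair(parse_group_id(gid))
    return f"{ADJECTIVES[x % len(ADJECTIVES)]} {NOUNS[y % len(NOUNS)]}"


def round_trips(limit: int) -> bool:
    """Check that pair and unpair are mutual inverses for 0 <= z < limit."""
    return all(cantor_pair(*cantor_unpair(z)) == z for z in range(limit))


if __name__ == "__main__":
    for gid in ("G0007", "G0087"):
        print(gid, "->", codename(gid))
```

Because the indices are reduced mod the list sizes, the pairing is only a bijection while the lists are unbounded; with finite lists two G-numbers can share a name, so the result is a mnemonic rather than an identifier.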

  2. Howard Sway Silver badge

    Sleet means North Korea! Typhoon means China! Sandstorm means Iran!

    I guess Cloudy means an extortion racket from Redmond.

  3. Ken Moorhouse Silver badge

    I thought Storms would be related to Phishing?

    But then again, Michael Fish was not the best predictor of storm-like behaviour.

  4. Doctor Syntax Silver badge

    Latin binomials?

    It's all very well repeating the old joke about standards, but where naming is concerned it seems likely that an agreed standard is needed; it's just not likely to come from a unilateral attempt, even if Microsoft has form in trying to concoct standards to suit itself.

    Botany had the same problem until Linnaeus came along with a systematic convention. Even so his binomials needed to fit into a larger hierarchy. (And zoologists seem to have been keen on throwing in the occasional trinomial.)

  5. Diogenes8080

    I thought the Crowdstrike nomenclature was fairly well established. If MS want to get on that stage, they are going to have to earn it by exposing gangs and their methods before other research groups do. In theory they have the exposure and resources to do so. In practice - I'll let Defender latency speak for itself.

    1. Michael Wojcik Silver badge

      Crowdstrike is only one player in this game. It depends a lot on where you get your news.

      Really, using the MITRE codes makes the most sense, except that it's hard to remember what's ascribed to G0007 versus G0087.
