Unit 42 Threat Group Naming Update

This post is also available in: 日本語 (Japanese)

What’s in a Name?

One of the complex aspects of working in cyber threat intelligence is how we identify the various elements of an attack campaign we are tracking. We give names to malware families, attack techniques, intrusion sets and even vulnerabilities. The names act as a shorthand that enables us to quickly refer to the threat. How organizations choose these names is a complicated subject, especially with regard to giving code names to the groups behind cyberattacks. If you are interested in hearing more about this subject, check out this Unit 42 podcast from 2018 that discusses threat naming in more detail.

When we first created Unit 42 in 2014, we chose a rather simple policy with regard to threat group naming.

1. If there was already a commonly used name available, we would use that name. For example, we have used the common name “Sofacy” to refer to what others call APT28, or Fancy Bear.
2. If there was no common name, we would create a new name for the group at the researchers’ discretion.
3. Wherever possible, we would include known aliases for the group in our reporting to help others understand how our group is connected to others.

This policy worked when we were small, but Unit 42 has changed significantly in the last eight years. Palo Alto Networks now has significantly more telemetry from our security products that protect networks, endpoints and cloud deployments around the world. Our Incident Response team responds to hundreds of breaches each year.

Today, we commonly find ourselves investigating threats with no common name, and our data set often doesn’t overlap clearly with what other research teams are reporting. We’ve sometimes chosen to report on threats using names that are defined by other security research teams, which tightly couples our assessment to the definition of that threat created by those researchers.

For example, last month we published a report discussing the activities of a specific threat group targeting multiple industries with a new remote access Trojan we called PingPull. We aren’t aware of any common names for this group, so we used the best one available, GALLIUM, which was defined by Microsoft.

We continue to track this group’s activity and that of many others, and our team finds it necessary to update our naming policy so we can more clearly refer to the threats we’re tracking based on our distinct telemetry and analysis.

Looking to the Stars

Developing a new system for threat group naming isn’t as simple as it might seem, there are many options to consider. Some naming schemes are simple and numeric without any context about the threat group implied by the name. Others provide the intelligence consumer insight about the group simply by hearing the name. There are naming systems based on animals, elements, insects and many more. We needed something that would not overlap with any of these to avoid naming collisions and ensure Unit 42 names are easily identified.

We chose a new schema that conveys information about the threat group using the name, and these names are based on the constellations we see in the night sky. Each name consists of two parts, the name of a constellation (such as Taurus), and a modifier word. Each constellation represents an overarching category of threat groups, and the modifier word is used to distinguish between groups within that category. Some constellations will denote categories of threat groups focused on monetary gain and hacktivism and others will denote nation-state threat groups focused on espionage.

Here is the decoder ring for the constellation names in the new system.

Non-Nation State Threat Groups

Libra = Cybercrime (General)
Orion = BEC
Scorpius = Ransomware
Virgo = Hacktivism

Nation-State Groups Focused on Espionage

Draco = Pakistan
Gemini = India
Lynx = Belarus
Pisces = North Korea
Serpens = Iran
Taurus = China
Ursa = Russia

Here are a few examples: A group conducting espionage for which we have high confidence in our attribution to Russia could be named Dancing Ursa. A group conducting a series of BEC attacks could be Scavenger Orion.

The modifier words have no particular meaning; they are simply used to differentiate between groups within the category. We have defined other constellation names for threat groups that don’t fit into the above categories, but the names listed above cover the research we have published to date.

Of course, with many new attacks we investigate, we may not have enough information to attribute the attack to a specific group at first. In these cases we will assign a numeric cluster identifier (i.e., CLU001). We will merge that cluster into a higher level group when we have enough evidence to indicate the activity was conducted by a specific group, or create a new group name in the appropriate category.

What Should You Expect Next?

We are aware that adding new names to the threat group namespace has the potential for creating confusion for the threat intelligence community. We’ve assembled a few questions we expect readers will have about how we will proceed going forward.

Will you be creating new names for all of the threat groups you’ve previously identified?

Over the past few months we have fully remapped our internal “Rosetta Stone,” which identifies the names used by other research teams and connects them as appropriate to our new naming system. Each original name we previously created has a new name. We do not plan to update our former blogs with the new names as they have been referenced in many reports since. In future publications, when we use the new name, we will clearly indicate the previously used name as an alias for the threat group.

Where can I find all of your new threat group names?

The Unit 42 ATOM Viewer contains the updated names for groups we have previously published on.

How do I map a name previously used by Unit 42 to a new one?

When we use a new name in a report, we will include our previously used name as an alias to help readers make the connection.

What’s your new name for $threat_group?

Many of the new threat group names are available on the Unit 42 ATOM viewer.

Does this naming system apply to malware, vulnerabilities, etc.?

The new naming system is only applied to threat groups, sometimes called intrusion sets. We will not use this system for malware, vulnerabilities, campaigns or other types of tools and activity.

Final Thoughts

I’m very excited to share this update with the readers of this blog. Over the last eight years, we’ve published hundreds of reports on threat group activity targeting organizations around the world. This naming change is a reflection not only of our growing threat telemetry, but also our increasing maturity as a threat intelligence organization.