How do advanced persistent threat groups such as Darkhotel and Anchor Panda get their ridiculous names?

What’s in a name? When it comes to advanced persistent threat groups, it is often quite a bit.

While their monikers’ may seem whimsical – Fancy Bear, Nomadic Octopus, Ocean Lotus and Darkhotel – the reality is these are not arbitrary names. In fact, many are similar to schoolyard nicknames or a type of shorthand – tied to the attributes of the mysterious groups behind cyberattacks.

Generally speaking, it’s difficult to determine the exact entity behind an APT group. Not that it’s impossible, but while researchers might suspect that a certain country could be funding and directing an APT’s hacking, espionage and malware activity, all too often such attribution is more based on instinct or suspicions than hard evidence. Throw in false flags and other attempts to throw threat-hunters off the trail, and it becomes a dicey business to point a decisive finger at a suspected culprit after or during a cyberattack campaign.

This is also, of course, a high-stakes business. If the security community throws its consensus behind, say, an Iranian military wing funding the latest wiper campaign that’s sabotaging critical infrastructure, the geopolitical ramifications of that pronouncement could be severe.

That’s why security researchers instead tend to take an FBI-like profiling approach for these gangs. Even if a serial killer’s identity isn’t known, the FBI examines the modus operandi behind the criminal to building a solid outline of the person behind the crime. That was the impetus behind pseudonyms such as the Boston Strangler or the Zodiac Killer.

Similarly, cybercrime researchers build profiles based on their typical targeting, tactics, malware and techniques, in order to follow APT activity and campaigns around the world. Sometimes they are also given names, which act as a handy way to organize and catalogue threat patterns – often with a nod to the geography they’re thought to be associated with.

Why So Many Aliases?

When it comes to the names themselves, security firms tend to have their own naming conventions, meaning that there will be multiple aliases for any given APT group. It makes for a confusing state of affairs, but it’s unlikely to be resolved anytime soon.

For instance, researchers at CrowdStrike and CyberX and others use animal names that are associated with geography. Panda for instance refers to China, while a reference to “cat” or “kitten” means Iran (either for Persian cats, or the shape of the country, depending on which researcher you talk to). Lotus meanwhile tends to point to Vietnam, and names containing “bear” are reserved for Russia.

Meanwhile, FireEye/Mandiant takes a more clinical approach, and uses numbers, i.e., APT33. Ben Read, senior manager of analysis at FireEye, explained that the numbers correspond to internal country codes.

“We take the responsibility of attributing an APT to a country seriously – but at the same time our naming system designates the country by design. Because we have to make that call before we give them a name and it puts us into a little bit of a box,” he said. So, until the researchers achieve a high degree of confidence on who’s behind an attack, they might assign a temporary name, to be changed to a number later.

And sometimes the naming process is a more fun, individualized exercise.

“CrowdStrike’s Dmitri Alperovitch is rumored to have named the Fancy Bear APT after the fact that the Sofacy malware that it uses reminded him of the song ‘Fancy’ from Australian singer Iggy Azalea,” explained Phil Neray, vice president of industrial cybersecurity for CyberX. “the song has a lyric that goes, ‘I’m so fancy can’t you taste this gold,’ so CrowdStrike named them Fancy Bear, a.k.a. APT 28 in FireEye’s convention.”

Fancy Bear is also called Pawn Storm, Sofacy Group, Sednit and STRONTIUM.

In some cases, APT names proliferate thanks to oneupsmanship and marketing. If researchers from one company can give an APT a catchy name that sticks with the public, then research competitors may have to succumb to using their rival’s APT name.

Another reason for the plethora of aliases is the fact that each security company is working from its own set of data.

“You’re really naming groups of behavior, and these can overlap and get really messy,” said Jill Sopko, senior security researcher at NETSCOUT. “We as a security community are stronger based on our differences. Some teams can see specific actors’ effects on servers or routers, while we see more on the network traffic side. Working together, we can help define the tools, tactics and procedures at play in order to come together and say yes this is what we’re talking about – but even then, in a year our definitions and attribution criteria might diverge. Now that the Sofacy malware is out in the wild for instance, anyone can use it, not just APT28 – so it’s certainly not an exact science to determine which APT is responsible for which campaign.”

FireEye’s Read added, “where it gets tricky is the fact that there are weird overlapping circles within the APT community, and they may be sharing tools but operating separately.”

Hiding Their Tracks

APT tracking and naming has become more difficult in recent years thanks to better efforts to thwart identification. This includes using commodity malware that’s common in the wild, or leaving fake artifacts for researchers to find – and misinterpret.

“For at least four years we’ve seen APTs trying to implant things inside the malware to derail researchers,” said Neatsun Ziv, vice president of threat prevention at Check Point. “They might change the language or the timestamp of the malware in order to be associated with working hours in a certain country, so the attack will look like it’s from somewhere else.”

Perhaps the best example of this is the Olympic Destroyer campaign, which employed an eponymous wiper malware to briefly disrupted the Winter Olympic Games in South Korea last February. Despite its name, Olympic Destroyer has targeted victims beyond the Games in the months since, using spear-phishing emails with attached documents containing malicious macros as its initial threat vector.

The group’s doc files and macro obfuscators have unique characteristics that can be used to distinguish them from other droppers. For instance, most droppers include one of the three document author names: James, John or AV. These “fingerprints” are important for researchers tracking the group, because they’re so few and far between, analysts said.

Between a lack of distinguishing characteristics and the numerous false flags built into the code to make it look like the work of other well-known APTs, Kaspersky Lab has called efforts to identify the group “attribution hell” — an assessment that has evolved into dubbing the group “Hades” as a catch-all. Hades, is a biblical reference widely associated with a hell-like underworld.

“The APT tried to pin it on Lazarus Group from North Korea, by inserting code into the malware that only North Koreans have used in the past,” said Neray. “I suspect this is actually a Russian group, mad about the doping ban or something like that.”

Some research outfits have not only named APTs, they have created memorable images for them. Have a look.

"Ocean Lotus" - Credit Volexity

"Deep Panda" – Credit: source unknown

"Fancy Bear" - Credit CrowdStrike

"Charming Kitten" – Credit ClearSky Security

"Lazarus Group" – Credit Kaspersky Lab

"DarkHotel" – Credit Kaspersky Lab

Attribution: A Thorny Arena

Sophisticated attempts by APTs to obscure their identities has given rise to a spirited discussion of the role of security firms when it comes to attribution.

“We do think attribution can be valuable when you’re doing a risk profile,” said Read. “If you’re dealing with a spear-phishing incident, attribution may not seem like the most vital thing.”

However, if you open a new office in a country, or do a business deal with a state-run entity, and then find yourself attacked, it helps to know who’s behind the attack, he said.

“We try to draw on all sources of data when we’re doing this,” Read said. “It’s multifactored, and we look at the devices targeted, the type of phish, which folder the APT is hiding data in, what passwords were compromised and how – we gather everything that has happened in this incident and then say, okay, who is this – is it a bigger broader group that we know, or is it something new?”

Ziv at Check Point said that the stakes vary depending on the incident.

“If we’re talking about attacks on critical infrastructure – we need to know who’s trying to do that, who’s targeting you, so you can boost your security,” he said. “Black Energy crippled Ukraine’s power grid, and that is not a small thing at all.”

Attribution also tends to be incremental and evolve over time.

“First we give it a campaign name,” explained NETSCOUT’s Sopko. “Over time, you may amass enough information to make it a group – if it has a solid history, and you have an understanding of group’s operation, infrastructure, capabilities and victims — then you can put that against a larger geopolitical landscape.”

(This article was updated on 2/5/2019 at 1pm ET to substitute the name “Double Secret Octopus” with the correct name “Nomadic Octopus”)