Cozy Bear vs. Midnight Blizzard: Names for cybergangs to be matched

The IT security scene uses different names for cyber groups, and confusion is inevitable. Microsoft and CrowdStrike promise help.


Microsoft and CrowdStrike have begun to harmonize their respective designations for malicious cyber groups. The declared goal is a complete comparison between the two companies' classifications, in which other players from the IT security industry will participate. The US corporation and the IT security company have now announced this and have also published the first results of their initiative online. These show, for example, that the cyber group that CrowdStrike calls “Fancy Bear” is called “Forest Blizzard” by Microsoft, and what other names it has been given. The various names can also be retrieved automatically.

The reason given for the cooperation is the delay that the different names could cause in the fight against cyberattacks. When defending against such attacks, seconds could make the difference between success and failure. The different and often inconsistent taxonomies for malicious cyber actors are an important reason for such a delay. That is why work is now underway to reconcile the names. Both companies have made a first version of this list of names public, and the IT security companies Mandiant (from Google) and Palo Alto Networks also want to participate. Microsoft explains how the names can be retrieved on a separate page.


The naming of cybercrime groups, also known as advanced persistent threats (APTs), and state-controlled attackers on IT infrastructure has caused confusion for years. Different companies in the industry have different approaches. Even though each approach follows its own logic, the resulting designations have nothing to do with those assigned by others. For example, Microsoft explains in detail how players from certain countries are given a name component that actually refers to a weather phenomenon. Cyber actors from China always receive a two-part name including “Typhoon”, and those from Russia one with “Blizzard”; “Sandstorm” is reserved for Iran and “Gale” (“strong wind”) for Germany.

CrowdStrike, on the other hand, uses animal names, with Chinese players being called “Panda” and those from Russia “Bear”. From time to time, some of these names become known beyond the industry, such as “Fancy Bear”. The group is credited with a whole series of high-profile attacks. Occasionally, however, the naming is also silly: one group, for example, was given the name “Golden Chickens”, and the backdoor it uses the name “More_eggs”. As part of the initiative now presented by Microsoft and CrowdStrike, nothing will change in the underlying naming systems; only the comparison between the names is to be standardized.

(mho)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.