While APT43’s link with the North Korean government was confirmed for the first time in the Mandiant report, the threat actor was already known by threat analysts under other names, such as Thallium, Kimsuky, Velvet Chollima, Black Banshee and STOLEN PENCIL.
This confusion comes down to each cyber threat intelligence (CTI) vendor operating its own attribution process for cyber-attacks – something we recently investigated on Infosecurity Magazine.
The most prominent threat group name is the Advanced Persistent Threat (APT). Commonly used by the whole CTI community, including the US non-profit organization MITRE, which provides a standardized framework for tactics, techniques and procedures (TTPs), the term “APT group” refers to clusters of sophisticated threat actors sponsored by, or acting on behalf of, a government.
With geopolitical rather than financial motivations, APT groups typically operate cyber espionage campaigns and destructive cyber-attacks.
Once a threat actor has been confirmed to be a coherent group of hackers backed by a nation-state, the threat analysts who lead the cyber attribution allocate it a new APT number – the latest being APT43.
Other ‘sober’ naming conventions exist, consisting of codenames and numbers only. For example, APT-C groups are Chinese cybersecurity vendor 360 Security Technology’s equivalent to APT groups. APT-C numbers are sometimes used by other vendors.
Others, like MITRE’s G[XXX] (e.g. G1002) or SecureWorks’ legacy TG-[XXXX] (e.g. TG-3279), are mere identification numbers and their names do not reveal anything about the threat actor.
“We use a sober, or even dull, naming convention because we don’t want to glamorise those groups,” Collier added.
A Chinese-linked influence actor Microsoft tracks as Storm-1852 successfully pivoted to short-form video content that criticizes the Biden administration and Harris campaign before some of its assets disappeared from social media following reports of its activity. While most Storm-1852 personas masquerade as conservative US voters voting for Trump, a handful of accounts also create anti-Trump content and use political slogans and hashtags associated with American progressive politics.
The scary-cool name is there to help defenders take it seriously. If you give them a stupid name, elected leaders, business executives, and military leaders won’t take them seriously. It also becomes easier to tell them apart, and create identities. Who do they like to attack, how do they operate, what level of threat do they pose, etc. And then of course it sounds more impressive when you defeat them. Batman doesn’t get any respect for beating Condiment Man, but if he takes down Darkseid, people take notice.
Microsoft’s list of allocated names apparently includes:
Crimson Sandstorm
Diamond Sleet
Ghost Blizzard
Leopard Typhoon
Luna Tempest
Night Tsunami
Silk Typhoon
Star Blizzard
This does not pass my basic sniff test of being able to tell whether a name is a group from a hostile intelligence agency or the latest Razer gaming product, a cyberpunk video game gang name, or a video gaming guild name.
rolls eyes
You give them a cool name, you make them sound cool.
Just do the plain ol’ number thing. Let them do their own marketing work if they want marketing.
https://www.infosecurityeurope.com/en-gb/blog/threat-vectors/understanding-threat-actor-naming-conventions.html
What is this, a Microsoft naming scheme?
kagis
Sounds like it.
https://blogs.microsoft.com/on-the-issues/2024/09/17/russian-election-interference-efforts-focus-on-the-harris-walz-campaign/
I’d rather they give them derogatory names.
Useless_tools-1852 has a nice ring to it.
.ml-80085
More specifically, they are all weather themed.
https://learn.microsoft.com/en-us/defender-xdr/microsoft-threat-actor-naming
looks at list
https://robinpiree.com/blog/guild-names
Twilight Vanguard
Crimson Shadows
That’s too similar in my book.
Is Darude Sandstorm on the list?
I’m getting strong Mega Man X vibes from this.
They’d probably be killer metroidvanias