An old Chinese proverb reads: “The beginning of wisdom is to call things by their right names.” That’s increasingly difficult in the cybersecurity realm, thanks to a complex web of competing interests.
We have standard naming conventions for security bugs (thanks, MITRE!) but that doesn't stop people from giving them fancy names, just the same. The growing popularity of branded celebrity bugs gave us Heartbleed, Spectre and Meltdown, and now Simjacker. They all have CVE entries, but their founders chose to layer a whole extra layer of packaging and flashy logos on top. It's a good way of raising awareness, not to mention a handy marketing tool to fund your next research grant or attract potential customers to your web site. On the other hand, you could also argue that leads to branded bug fatigue.
Things get even sticker when it comes to naming hacking groups. Infosecurity reported this week that the US imposed sanctions on three such North Korean outfits including the Lazarus Group, which has been linked to campaigns including the Sony Pictures hack and WannaCry.
Does anything strike you as problematic about the way the Treasury department described the group? It referred to it as LAZARUS GROUP (a.k.a. APPLEWORM; a.k.a. APT-C-26; a.k.a. GROUP 77; a.k.a. GUARDIANS OF PEACE; a.k.a. HIDDEN COBRA; a.k.a. OFFICE 91; a.k.a. RED DOT; a.k.a. TEMP.HERMIT; a.k.a. THE NEW ROMANTIC CYBER ARMY TEAM; a.k.a. WHOIS HACKING TEAM; a.k.a. ZINC).
That's a lot of aliases, but it isn't unusual. Different companies find the groups via their own research methods, and often adopt their own separate naming conventions. It makes things difficult for security pros who are trying to keep all these groups straight, let alone non-technical journalists looking at this research from the outside. Why does it happen?
Naming hacking groups is a complex and disorganized process. Bugs are static entities (a vulnerability in a ten year-old piece of printer firmware doesn't change much). Conversely, hacking groups are made of people. They're squishy and organic, morphing and splitting off into factions, getting new members and partnering with affiliate groups.
One of the problems is that the research teams tracking these groups are working with their own data, which may be incomplete. Hacker groups use different infrastructure at different points in time to keep white hats guessing.
It would be great to see the researchers all exchange their indictors of compromise (IoCs) to get a universal picture of the hackers' operations, but these are often private companies, driven primarily by profit. Their information is their bread and butter.
This leads to the next problem, which is that companies are loath to use the names that others have given to hacking groups. If you're the company that named a group, then you own it. You branded it, so you're seen as an authority. Who wants to invest time in researching a hacking group only to hand over that trophy to a competitor who happened to discover it a few days before you?
Will we ever see a normalized set of naming conventions for hacking groups? A CVE scheme for identifying bad guys? It’s unlikely. Hopefully they'll keep publishing extensive technical reports with lists of IoCs so that someone somewhere can correlate them. But even then, that'll only help us with mapping similarities between the forest of names.
That makes it difficult for threat intel teams to keep track of the different groups. As cybercrime becomes increasingly sophisticated and the communities behind it evolve, don't expect the problem to get easier any time soon.
