All The Rosetta Stones!
The ancient Rosetta Stone provided an approximate translation between Egyptian hieroglyphics, Egyptian Demotic script, and Ancient Greek. In threat intelligence, we use Rosetta Stones to translate the different names that our sources assign to threat activity groups into our own “native language.” What one source calls “APT1,” another source calls “Unit 61398.” But, in your security operations shop’s “native language,” those names translate to “Comment Crew.” All told, it makes for a confusing situation (that isn’t going away) as analysts juggle and triangulate reports describing threats and malware and their associated reams of indicators.
Fortunately, there are a few publicly available Rosetta Stones that can help us deconflict activity groups. And it’s time to put them in one spot! So here they are:
APT Groups and Operations. This is probably the most comprehensive resource for names of publicly reported APT groups and their various aliases. It is crowdsourced, so aliases may not always be accurately mapped, but Florian Roth does appear to vet all proposed mappings.
MISP Galaxy Adversary Groups. This is a GitHub repository created as part of the Malware Information Sharing Platform (MISP) project. The JSON format should make it easy to modify and plug into existing tools and workflows (even if you don’t use MISP).
MITRE’s Group List. This list is included as a handy resource within MITRE’s ATT&CK framework. I don’t think it’s as comprehensive as the first two Rosetta Stones, but I like that it is well-sourced with footnotes linking directly to blog posts or PDF reports.
Tips For Using a Rosetta Stone
With a Rosetta Stone inevitably comes the issue of attribution. What attribution means to you as analyst, your team, and your intelligence consumers is… well, up to you, your team, and your intelligence consumers.
Generally though…
These public resources serve as great reference materials for an analyst. Use them for research and to explore relationships between aliases.
Don’t treat the mappings as one-to-one. Mappings may reflect overlaps in infrastructure, tools, or other features, but shouldn’t be seen as identical [1].
Don’t worry about trying to document the aliases for every known threat group. Start by documenting the groups your organization has previously encountered, or which you hypothesize are a relevant threat to your organization. Documenting these names will make it easier to identify relevant intelligence when it crosses your desk.
Pick a native language, your Ancient Greek, for your Rosetta Stone and make sure your colleagues and customers agree on that language. For espionage-motivated threats, I personally prefer Mandiant’s APT[N+1] convention—it’s simple and doesn’t convey origins based on nationalities or geographies which could lead to bias.
In some cases though, you may have to create new vocabulary for your language. For example, if you identify a pattern of threat activity that you want to track and consistently communicate, then assign the activity set a name. But doesn’t this just add to the confusion of names and aliases? If you’re sharing your intelligence with peers, then yes, it might. But I believe the Rosetta Stone and language you’ve adopted should—first and foremost—service your security operations. If your security analysts know how to respond when they see “Prickly Pear”—the name you assigned to the activity set—then that is a success [2].
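To show what the tips above look like in practice, here is a small added example (not code from the original post, nor from the MISP project) that loads MISP-galaxy-style cluster entries, builds an alias lookup, and translates names from vendor reports into a native vocabulary. It assumes the shape of a MISP galaxy cluster file (a "values" list whose entries carry "value" and "meta.synonyms"); the sample records are constructed for the example, with only the APT1 aliases taken from the post and every other group and alias invented. The lookup returns a set of clusters rather than a single name, so an alias that several sources attach to different groups is reported as ambiguous instead of silently collapsed, which is the one-to-one pitfall the tips warn about. "Prickly Pear" stands in for an internally named activity set.

```python
"""Build a small alias 'Rosetta Stone' from MISP-galaxy-style cluster entries.

Added example, not code from the original post or the MISP project. The input
records are constructed and merely follow the shape of a MISP galaxy cluster
file ("values" -> entries with "value" and "meta.synonyms"); the aliases for
the 'Example Actor' groups are invented.
"""
import json
from collections import defaultdict

# Constructed sample, shaped like a MISP galaxy cluster file. The APT1 aliases
# are the ones named in the post; every other name here is invented.
SAMPLE_GALAXY = json.dumps({
    "values": [
        {"value": "APT1",
         "meta": {"synonyms": ["Comment Crew", "Unit 61398"]}},
        {"value": "Example Actor B",
         "meta": {"synonyms": ["Sample Lizard", "Shared Alias"]}},
        {"value": "Example Actor C",
         "meta": {"synonyms": ["Shared Alias"]}},
    ]
})

# Our "native language": the names the SOC actually responds to.
# Keys are public cluster names; values are our internal names (hypothetical).
NATIVE_NAMES = {
    "APT1": "APT1",                     # keep the Mandiant-style name as-is
    "Example Actor B": "Prickly Pear",  # an activity set we named ourselves
}


def normalize(name):
    """Case- and whitespace-insensitive key, so 'APT 1' and 'apt1' collide."""
    return "".join(name.lower().split())


def build_rosetta(galaxy_json):
    """Return alias -> set of public cluster names.

    A set, not a single string: the same alias can be listed under more than
    one cluster, and the mappings must not be treated as one-to-one.
    """
    data = json.loads(galaxy_json)
    rosetta = defaultdict(set)
    for entry in data["values"]:
        primary = entry["value"]
        rosetta[normalize(primary)].add(primary)
        for alias in entry.get("meta", {}).get("synonyms", []):
            rosetta[normalize(alias)].add(primary)
    return dict(rosetta)


def translate(rosetta, reported_name, native=NATIVE_NAMES):
    """Translate a name from a vendor report into our native vocabulary.

    Returns (status, names), where status is one of:
      'native'    - one cluster, and we have a native name for it
      'untracked' - one cluster, but we have not assigned a native name yet
      'ambiguous' - the alias maps to several clusters; an analyst must decide
      'unknown'   - the name is not in the Rosetta Stone at all
    """
    clusters = rosetta.get(normalize(reported_name), set())
    if not clusters:
        return "unknown", []
    if len(clusters) > 1:
        return "ambiguous", sorted(clusters)
    (cluster,) = clusters
    if cluster in native:
        return "native", [native[cluster]]
    return "untracked", [cluster]


if __name__ == "__main__":
    stone = build_rosetta(SAMPLE_GALAXY)
    for name in ["Unit 61398", "Sample Lizard", "Shared Alias", "Nobody"]:
        print(name, "->", translate(stone, name))
```

The "untracked" status is deliberate: it flags a group that appears in the public Rosetta Stone but that nobody on the team has yet decided to document, which is the point at which you choose whether it is a relevant threat worth adding to your native vocabulary.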
If you are aware of other similar resources, have more Rosetta Stone tips, or have any feedback, just reach out on Twitter, @CYINT_dude!
~
[1] The data and methods that threat research teams use to cluster and then assign a name to a set of malicious activity are not always transparent and almost certainly vary from team to team.
[2] The pros and cons of this approach probably warrant a separate post, I admit, and are open to debate. Suffice to say that I believe there is benefit in creating your own aliases. When it makes sense to do so : )