
Decoding Threat Actors: a Free Tool for Mapping Aliases and Taming the Name Game

BSides Canberra · 2025 · 28:43 · 118 views · Published 2025-12
About this talk
Dave Matthews presents a tool for aggregating threat actor aliases from multiple intelligence sources—MISP, Microsoft, CrowdStrike, Mandiant, and others—to simplify tracking of actor naming conventions. With over 3,700 names and aliases scattered across competing vendor taxonomies, the free tool enables researchers and security teams to search, cross-reference, and contribute corrections across fragmented threat intelligence databases.
BSides Canberra 2025
Transcript (en)

But now we have an amazing talk. This talk was actually given overseas in Europe, so we've got an international speaker even though he's a local here, from Brisbane, otherwise known as Forensics Dave. We have Dave Matthews, and his talk is Decoding Threat Actors: a Free Tool for Mapping Aliases and Taming the Name Game. So, big round of applause for Dave.

>> Hey, thanks. Thanks very much, Kylie. I hope everyone's had enough... wow, it's very dark under these lights. Everyone's had enough beers before lunch, because I can see everyone was leaving in a massive stream. So yeah, this is based on a talk I did recently at the FIRST conference in Copenhagen. I've changed a few things, so there's a few new things as well.

So first of all, I do come from a company called Gen, which you probably have never heard of, but you probably have heard of Avast or AVG or Norton LifeLock. It's all the same company. Quick bit about me. I actually came to Canberra a long time ago. I did a PhD in maths and stats, actually, back at ANU, a long time ago. Then I got into sysadmin work, and then I discovered the excitement of working in federal government. So I worked a lot of places around town, pretty much everywhere except for one three-letter agency that sort of sounds like tax, but ATI. Didn't get to work there. And then I moved back to Brisbane. I worked in law enforcement at Queensland Police. And then COVID came and I thought, "Oh, maybe I should try working for a vendor, be nice and safe, full remote job." Went to CrowdStrike, and then a good colleague of mine in the audience actually convinced me to come and join him at Avast. And about two years ago, Gen was formed when NortonLifeLock bought Avast. So that's the sort of story.

So my talk is based on some tools that I wrote in my spare time that I'm hosting myself, and it's all about threat actor naming. You'll see why. I guess everyone probably knows why, but it's quite hard to keep track of all these different actors. So I'll talk quickly about how they're named, why you might care about this, where you can currently look up details on threat actor names, and I'll talk about this new tool that I've written and why it might help you.

So, okay, threat actors. They've got so many names. I'm sure, I can't even see any hands, but I'm sure no one's heard of a threat actor called Stealth Mango, right? Sounds like it could be Asia Pacific. I can't even remember myself. Or HoneyMyte. Instead of HoneyMyte, you might have heard of Mustang Panda. It's the same threat actor, it just comes from a different vendor. And then Microsoft is also quite challenging. They've changed naming conventions a few times. So Storm-0501, and then there's the Dragos names based on heavy metal elements. So depending on what sort of report you're reading, or what news article you're looking at, or who you're talking to, it could be quite difficult to know. So, there's not much interaction, I guess, but I'll give you a hint about how many names there are. It's over 3,000.

So this is why you might care. You're at a conference like this, you might be reading a news article, and you wonder: who is UNC5221, who could that be? Where are they probably from? What's their sort of motivation, the mission they're trying to achieve? So you could search on the web. That takes time. So I'll quickly just go through this; a lot of people may know already, but threat actors are named... it's completely up to the researcher and the vendor involved. So there's some very well-known themes. When I worked at CrowdStrike we had to... didn't have to, we weren't told we had to, but you learn that a Panda is a Chinese-nexus type group and a Spider is an eCrime adversary. And there's lots of other names like Chollimas and Kittens and Bears, of course; the Fancy Bear also known as APT28 if you're a Mandiant/Google fan. As I mentioned, Dragos uses minerals, and I can never spell these minerals; well, actually, I've never heard of a lot of these minerals either, but they apparently are minerals. Okay. Then Proofpoint will use numbers; TA505 is quite famous. And then you get to Mandiant, and they use APT or FIN, and UNC for unclassified groups, and there's so many of these things. Microsoft made things a bit harder. They used to use elements like Nobelium, Strontium. Then they changed it to this theme of the weather, with Typhoons and Sandstorms and Sleet. Secureworks also, which has done a lot of research and gets a lot of good telemetry from their endpoints, they're using metals as well: Gold for eCrime actors, Bronze for Chinese-nexus actors. So APT41 is also known as BRONZE ATLAS. So it's pretty hard to remember all this sort of stuff. Even if you're not working in threat intel all the time, you're going to have to read a lot of intel reports. So a great example is the Lazarus group.

They've got more than 50 different names. So depending on who has written the article, or it could be a journalist putting some publication out, it's hard to always know off the top of your head. So that's the motivation. That's why I thought we needed something a bit better. I like to save time, obviously. I don't want to remember stuff I don't really need to remember, and I do a lot of CTI work in my job; my job is my hobby as well. So it makes it easier to look at this stuff. I wanted something I could use really quickly to actually look up and resolve a name into who it was, and maybe some articles that I wanted to look at about it. And initially I used this as a command line tool, and it works fantastically for me, but I don't want to share a command line tool with people and expect them to be able to run my program on their computers. So instead, all I've done is webify it. All you need is a web browser and you can go and look them up.

So before I get to the tool, I'll just talk about where all the data comes from. Initially I've focused on data from different places like MISP and MITRE, Malpedia, Microsoft, and I basically get all the data that's relevant to a threat actor and link it together, as well as various websites (I'll go through a few of those) that I scrape things from. Some have APIs, some don't. Not everything's updated. It's not always easy to link. Sometimes the data isn't super clean, so that's made it a bit harder to do.

But I'll start off with the best one of all. That's MISP. Not everyone may have heard of MISP, but it stands for Malware Information Sharing Platform. It started out as a platform just for sharing technical indicators about things. It's very widely used, open source, and has taxonomies, quite good taxonomies, that are consistent to classify events and data, and not just cyber security data. They have these things called galaxies, and a galaxy represents more or less all these key-value pairs, and they've got some real-world examples, which hopefully you can see. So there's one for ammunition, for example, different types of ammunition. One for cancer. So here's an example: there's one for tools, and these tools are what we think of as malware tools that a threat actor might use, or remote access tools, for example. There's a whole lot of those. They have sectors like mining, legal, corporate, law enforcement, lots of them. They also have one for intelligence agencies; there's an actual MISP galaxy for that.

But there's two that we want to look at, and one is called the threat actor galaxy, and in MISP it has definitions for all 850 threat actors that have been entered into MISP, and there's lots of them there. Each of these threat actors may have aliases or synonyms, and they may have references to actual research on the actual threat actor. So Mustang Panda in there will have various synonyms or aliases: BRONZE PRESIDENT, HoneyMyte, etc. These files that you can get from the MISP repo are all just JSON, and they have key-value pairs. Here's a little screenshot of what Mustang Panda looks like. It has a unique UUID, for one; you can see it at the bottom of the screen there, and that's quite useful to use soon. So that's one of the two galaxies that we're using. The other one we use is the MISP ransomware galaxy, and it has details on most of the known ransomware threat actors. It's updated pretty frequently. The data isn't quite as clean, I guess, as the threat actor galaxy, but it's a fantastic resource, and again, here's another example of what an entry in that might look like. So people have gone through there and actually put in even references to ransomware notes, the data leak sites, for example, and whatnot. So this is the one for BlackCat, which is also known as ALPHV. So those are the two really useful ones we use.

Another one we use is ThaiCERT, which is now called the Electronic Transactional Data Authority. So it's basically the Thai government's one, that some really nice people run. It has a fantastic API, also in JSON. Unfortunately, even though they have the same threat actor names, they have different UUIDs. So again, now you've got to map all these different systems to the one thing. MITRE ATT&CK is also good as well.

It doesn't have as many threat actors, but it's another source of data that we pull in. And I'll talk about Malpedia as well. Malpedia actually has malware samples, and the nice thing about it is it also has data on threat actors. The great thing is it uses the same UUID as it does in MISP. So you can link things together, and it's really useful for getting references about a particular threat actor group. If you want to contribute data to Malpedia, you've got to be invited, which really needs two people to vet you. So that's really only if you want to actually modify data or upload data, but you can actually search it manually yourself. Go to the Malpedia website, type in a name, and it has a lot of aliases come back for it. It's pretty complete. It also has regularly updated references that are uploaded. So this is from this morning; I grabbed "show me the current references". Someone's uploaded an article by Zscaler about a new malware family with links to ice, and the second article was an article about ShinyHunters. So those things get tagged with a threat actor name and then we grab it later on. I'll show you that. So if you have an account... see me later and maybe I can help you get an account if you do want to contribute to it. You can propose a new entry into Malpedia yourself, at the URL that you've seen. It does take a while, though, to get in, unfortunately.

So, more sources. Microsoft; it's a reasonably recent thing. In the last few months they started publishing data on the threat actor groups that they track, with their naming conventions. Unfortunately, it doesn't have any UUID, which helps to track things as equivalent between threat actor groups, and it's not quite as rigorous. It doesn't have references to the threat actors either. But it's still a source of information. Here's an example of one of the JSON entries that they have. You can see it's just basically the threat actor name, maybe the country of origin, and some other names which are their aliases, and they're not as complete as the other groups. So they've recently announced a partnership with Microsoft, which I'll talk about... sorry, with CrowdStrike, which I'll talk about in a second.

ransomware.live. This is a fantastic site. It's run by a gentleman in Paris, Julien. You can go to that website, buy him a coffee. I don't know if he has a real job, I think, but he does like coffee. What it has is a continually updated ransomware-related activity stream. So you can hook this into your Slack channel or RSS feed, or what I'm doing is I'm getting the API out of it. There's no paywall or ads. There may be rate limiting with the API, but I don't think so. It's quite easy to dump stuff down. So here's an article on Qilin; it talks a bit about it. It says when Qilin was first discovered, back in 2022, and when it was last discovered, like yesterday; it's had 770 victims. So it's an active group, and if you actually go to the site, they actually record who the victims are, basically by scraping their data leak sites. They have ransomware notes as well. So it's great. So we also pull these threat actor names into our tool. And there's a few other sites I use as well which are great, but there's no API, so you have to scrape the websites, which makes it a bit harder, like Wiz and Palo Alto.

So some quick stats. MISP has about 850 threat actor groups, 1200 aliases. MITRE has about 180 threat actor groups. So if you're just looking at MITRE, you're not going to get a good picture of all these threat actor names. ThaiCERT is really good too. It has about 590, and 400 aliases. It's updated quite well. Microsoft just has 140 in their GitHub repo. ransomware.live is tracking just ransomware threat groups, so it has over 280 ransomware groups. So when you aggregate all of these together, you get to 3,700 names and aliases that you may have to keep spinning around in your head. So it's quite annoying.

So recently, actually not that recently: a lot of people have probably heard of Florian Roth. He's one of the leaders in threat intelligence and all kinds of clever cyber work. So back in 2015, he had this sort of problem. He was trying to get his head around names, and he set up this spreadsheet. You may have seen it; it's a publicly accessible Google Docs spreadsheet, and it's already out of date. It's not updated anymore, but for a while you could contact Florian and you could add your own threat actors in. Here's an example of what it looks like right now if you actually go to it, but it's out of date again. And it's not easy to search, etc. So it's not really a solution.

But recently, Microsoft and CrowdStrike, I believe, have had some sort of chat. They both put out blog posts about their plan to harmonize threat actor naming. So they published some blog posts where they're trying to map their threat actor names together. But, so this is a photo of Joe I took a few weeks ago at the conference. You may have heard of Joe Slowik. He has a lot of strong opinions about CTI, really sharp guy, and his thoughts about this are that this is a good thing, but it's not really going to be a solution. While it would be nice if everyone in the industry agreed, he doesn't think it's going to work. And pretty much that's because every organization's going to go and continue to use their own naming conventions no matter what pressure is applied to them.

So let's talk about this tool. Wouldn't it be nice if there was something you could use to quickly look up threat actor names? You can use regular expressions to look that up. There's an example there I'll show you in a second. And what it does is it lets you query all of these different data sources. On the back end, it's all written in Python, but you don't know that, because you're using the web interface. It pulls data from MISP, ThaiCERT, MITRE, Malpedia, Microsoft, ransomware.live, and some other sites and data that I've added myself from other, I guess, sharing groups that I've seen put things in. So currently it has, roughly (I think it's up to date), roughly 3,700 names you can look up. So you can search with this tool for the names, you can search through descriptions, you can even search through URLs that may be referencing work about that particular actor, and it will be useful if you had an article.

So here, I'm just checking my time. Good. Okay. So I was initially literally going to put out some command line stuff and see if people could clone it themselves, but not everyone would like that. So what I've done is made a website. It's at this URL, thrunter.org. If you go to thrunter.org, you should see it. And someone asked me, what does thrunter mean? So there's obviously someone called Mike Thrunter on Urban Dictionary. It's a very authoritative source of information. Someone who hunts cyber threats for a living. They can sense the threats before anyone else. And the domain was free. So I registered it.

So I'll do a quick demo of that. You can see what it looks like. And if I can get there... and I can get there. Yes. Great. So you go to Thrunter. There's this thing called the AP Zoo. And, yep, Wi-Fi should be on, I hope. Yes. Excellent. Okay. So this is the basic web page. You can go in here and you can start typing in, say, Scattered Spider. That's always in the press. And as you start typing, it'll get completed, right? But if all you want is a quick lookup for who that threat actor is, you can just go and type it in here and it will immediately bring up names for Scattered Spider. But if you actually go in and we just do a query for Scattered Spider, it will come back with a description and all the different aliases for Scattered Spider. Oh, look: UNC3944. Now, everyone who works at Mandiant or Google TAG, they should know what that is, right? And people in CTI: oh, you're not UNC3944. But most humans wouldn't know that. And there's a reason for that, because if you go in and type UNC, there's a lot of UNC numbers, right? So it's very hard to remember these sorts of things. So it's a quick way of looking things up like that.

You could also, so for example, if I wanted to see all articles on a gov.au talking about threat actors, I could search for that, for example, and I'd see, okay, there's 17 gov.au URLs that reference these different threat actors, and you can then search for gov.au and you'd see some are for, like, cyber.gov.au. Thank you to our sponsors, of course; they're helping out. So that is also quite useful as well. What else can I show you there? Oh, one last thing. Sorry, two things. So you can contact me anonymously. This is an actual talk I did about a year ago at the FIRST conference in Japan, and it's all about how you can do anonymous communication. It's on my LinkedIn; have a look at that talk. But basically you can fill this out and it will go to me, and say what you like, attach a file; it could be a malware sample, for example. The other thing that is also useful here is if you're a threat actor... sorry, if you're a threat researcher, you work for a vendor, you might want to go here and look at the full raw list of all the different threat actor names. You might want to check, well, maybe I shouldn't use... so say I'm going to make a new name called Koala. Is there any Koalas? There is a Koala. Okay, so there's one called Koala Team. So maybe I'd be careful about my new Koala threat actor as a result. So that is a really quick demo, and obviously you can have a play around yourself. Okay. And this is my backup demo in case the internet wasn't working.

So a quick reminder on how the tool works. It gets data from all of these different sources. You can search. It has some additional features as well. You can add your own repository, which might be useful if you have internal naming for threat actors that you use, perhaps, you know, your internal Confluence wikis, that sort of stuff, or perhaps you want to add something that isn't in MISP, so you can add your own repository, add your own data in. What else? Perhaps you've read a blog; like, there's an interesting company called Silent Push. They put a blog post out about a new threat actor there called IMP 1G. I can't remember that, but I want to record that. I might add that as a threat actor. It's so new it's not in Malpedia or MISP. Or you could track unpublished threat actors, perhaps; might be relevant to your work. Obviously this is more of a niche sort of area, but some people here may be into something like that. Or even tracking your commercial cyber threat intel. And you can also host this locally. It'll work offline. You can be on an air-gapped network, a different classification network. You don't need the internet to do it. You can have your own VM running it all. And yes, a few more features as well.

One example I was going to give there was there are some entries in MISP for some old cyber.gov.au URLs that don't exist anymore. So you can correct that; like, the Copy-Paste threat actor has some URLs referencing ACSC. I'll zoom it up here. So that URL doesn't actually work anymore. So it's sort of a dead link. If you go there now you'll get a page not found. But in Thrunter I've said ignore the old one, here's the new one, and it will go to it. So you can correct URLs and that sort of thing. Like, I've corrected it here to the actual correct URL. So that is also useful. Microsoft's misspelled some threat actors recently. You probably can't see; I'll zoom in a bit. Instead of Cobalt they had Cobalt, instead of Typhoon they had Typhon, and it took about a month. I logged an issue on their GitHub to actually fix it. It took almost a month for them to fix it. But in Thrunter you can say ignore anything. Ignore this threat actor; here's the right one. I mentioned the checking whether this exists already.

So I'm almost at time. Yep. So if you wanted to, you could look this up already by using... there's some other software that MISP published for doing a similar sort of thing, but it's nowhere near as robust or ready in comparison to Thrunter, which has a good web interface, and there's another website, or.eu, which was funded by the EU. I think it's also very good.

So I guess the critical thing is that when you see a threat actor name mapping, you shouldn't necessarily assume that it's exactly the same, because every vendor sees different telemetry. And sometimes threat actors will work together with other groups, or they split up or merge to become new ones, even though there's an overlap, perhaps the same sort of malware, the same C2, where they're hosting things. So here's a quote from Sean Sullivan, which is pretty good: threat actor attribution research is like being a paleontologist who's found the bones of a dinosaur. Everyone's got a bone, but nobody has the full skeleton. So that's a good quote summarizing this sort of problem.

So there's some more work I have in the pipeline when I get time. That's adding more sources that are quite good, and deduplicating things there. Automating more work, tracking some of these old reports that have now died on the net; like fireeye.com doesn't work anymore, the APT ones, famous reports. It's on the Wayback Machine, but preserving this sort of stuff forever will be good. And that's the challenge, I guess, the updating. Even though I've automated a lot of it, there's still some moving parts that we have to work with.

And a very quick thing about Avast. I was just going to mention, it's not a sales pitch, because it's not a sales thing, but this is the history of how Avast became Gen, and when I joined Avast the mission was that everyone can have free cyber security. Like, we have a free product; there is still a great free product, because we've got over 500 million users, so we get a lot of telemetry, and we're always keen to help other people, especially law enforcement, and we have helped people with ransomware infections. Some of the things we talk about publicly, some of the things we share privately through CERTs and law enforcement. And these are some blog posts we've done on some of the ransomware strains that we've actually put out decryptors for. So if you did have a ransomware sample of that and you had nowhere else to get help, you could reach out and we could perhaps do it. This is not something we do for money, right, so it's completely free. You can reach out for free, give a sample, some indicators, then we can maybe help out. And we're often careful about sharing things, especially if a threat actor is watching, because if we run a blog post saying that the crypto algorithm has, you know, an entropy weakness that we can use to break their encryption, then they'll just, you know, ramp up the key, fix their problem, and then we can't break it again. Okay.

And sometimes we've done some help with different, especially Asia Pacific, targeting, like this case where we found a signing certificate, an Australian company's certificate, being used to sign code in the Philippine Navy. Oh, the Philippine Navy, when Felina was here, was another story we helped with. So what I'll do there is, I think that's the last slide. So there's my contact details there. You can also post anonymously off the Thrunter website. Check the website out. I'd love some feedback. Hope it helps you guys. And that is it, guys.
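The talk describes the aggregator only at the level of its inputs and features: MISP galaxy clusters as JSON with a value, a UUID, synonyms and reference URLs; a Microsoft-style source that carries names and aliases but no UUID; your own repository of internal names; corrections for dead URLs; an ignore list for misspelled entries; and regex search over names, descriptions and URLs. The following is an added example written for this page, not the speaker's Thrunter code, showing one way to build that kind of alias index. It goes slightly beyond what the talk spells out in that merging is transitive: if one source says X is Y and another says Y is Z, all three land in one group. Every entry, description, URL (example.invalid), UUID and name such as "Example Tempest" and "INTERNAL-GROUP-7" is constructed sample data, not real intelligence.

```python
"""Alias index over threat actor entries from several differently shaped sources.
Added example for this page; not the speaker's tool. All sample data is constructed."""
import re
from collections import defaultdict


def normalise(name: str) -> str:
    """Join key across sources: case-insensitive and free of spaces/punctuation,
    so "UNC 3944", "unc3944" and "UNC-3944" collapse to the same key."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


class AliasIndex:
    """Union-find over normalised names: two sources only need to share one
    spelling for their groups to be merged, and merges chain transitively."""

    def __init__(self, url_fixes=None, ignored=()):
        self.parent = {}                        # normalised key -> parent key
        self.display = {}                       # normalised key -> first spelling seen
        self.descriptions = defaultdict(list)   # normalised key -> descriptions
        self.refs = defaultdict(set)            # normalised key -> reference URLs
        self.url_fixes = dict(url_fixes or {})  # dead URL -> replacement URL
        self.ignored = {normalise(n) for n in ignored}  # misspelled entries to drop

    def _find(self, key):
        self.parent.setdefault(key, key)
        while self.parent[key] != key:
            self.parent[key] = self.parent[self.parent[key]]  # path halving
            key = self.parent[key]
        return key

    def add(self, name, aliases=(), description="", refs=()):
        """Record one entry from any source; ignored spellings are filtered out
        before they can pollute the graph, and dead URLs are rewritten on the way in."""
        names = [n for n in (name, *aliases) if normalise(n) not in self.ignored]
        if not names:
            return
        keys = [normalise(n) for n in names]
        for n, k in zip(names, keys):
            self.display.setdefault(k, n)
        root = self._find(keys[0])
        for k in keys[1:]:
            self.parent[self._find(k)] = root
        if description:
            self.descriptions[keys[0]].append(description)
        self.refs[keys[0]].update(self.url_fixes.get(u, u) for u in refs)

    def _members(self, name):
        key = normalise(name)
        if key not in self.parent:
            return []
        root = self._find(key)
        return [k for k in self.parent if self._find(k) == root]

    def resolve(self, name):
        """Every known spelling of the group a name belongs to ([] if unknown)."""
        return sorted(self.display[k] for k in self._members(name))

    def refs_for(self, name):
        """Reference URLs collected from all sources for the group, fixes applied."""
        return sorted({u for k in self._members(name) for u in self.refs.get(k, ())})

    def search(self, pattern):
        """Regex search across names, descriptions and URLs; one alias list per hit group."""
        rx = re.compile(pattern, re.IGNORECASE)
        hits = set()
        for k in list(self.parent):
            texts = [self.display[k], *self.descriptions.get(k, ()), *self.refs.get(k, ())]
            if any(rx.search(t) for t in texts):
                hits.add(self._find(k))
        return [self.resolve(self.display[r]) for r in sorted(hits)]


# Constructed sample shaped like MISP threat-actor galaxy clusters (not real MISP data).
MISP_CLUSTERS = [
    {"value": "Mustang Panda", "uuid": "00000000-0000-4000-8000-000000000001",
     "description": "China-nexus espionage group (constructed description).",
     "meta": {"synonyms": ["HoneyMyte", "BRONZE PRESIDENT"],
              "refs": ["https://example.invalid/acsc/old-advisory"]}},
    {"value": "Scattered Spider", "uuid": "00000000-0000-4000-8000-000000000002",
     "description": "eCrime group known for social engineering (constructed description).",
     "meta": {"synonyms": ["UNC3944"], "refs": ["https://example.invalid/report/unc3944"]}},
]
# Constructed sample shaped like the Microsoft repo entries: name and aliases, no UUID.
MICROSOFT_ENTRIES = [
    {"name": "Example Tempest", "aliases": ["UNC 3944"], "origin": "Unknown"},
    {"name": "Scattered Spyder", "aliases": [], "origin": "Unknown"},  # constructed typo
]
# Constructed "own repository": an internal tracking name tied to a public alias.
INTERNAL_ENTRIES = [{"name": "INTERNAL-GROUP-7", "aliases": ["honeymyte"]}]
# Dead-link correction, as the talk describes for old cyber.gov.au URLs (placeholder URLs).
URL_FIXES = {"https://example.invalid/acsc/old-advisory": "https://example.invalid/acsc/new-advisory"}


def build_index():
    index = AliasIndex(url_fixes=URL_FIXES, ignored=["Scattered Spyder"])
    for c in MISP_CLUSTERS:
        meta = c.get("meta", {})
        index.add(c["value"], meta.get("synonyms", []), c.get("description", ""), meta.get("refs", []))
    for e in MICROSOFT_ENTRIES + INTERNAL_ENTRIES:
        index.add(e["name"], e.get("aliases", []), e.get("origin", ""))
    return index


if __name__ == "__main__":
    idx = build_index()
    for q in ("unc-3944", "Honeymyte", "Scattered Spyder"):
        print(q, "->", idx.resolve(q))
    print("refs:", idx.refs_for("Mustang Panda"))
    print("search 'report':", idx.search(r"report"))
```

Resolving "unc-3944" returns the MISP and Microsoft spellings together because the two sources share one alias once normalised, and "Honeymyte" pulls in the internal name the same way; the constructed typo entry never enters the index, and the dead reference URL comes back already rewritten. The point the talk makes still applies: a merge here only says two vendors used an overlapping name, not that they see the same activity.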