1. How Threat Actors are Classified
Our intelligence team is dedicated to tracking the activities of threat actor groups and understanding as much as possible about each. In total, we track well over 100 adversaries of all shapes and sizes, including nation-state, eCrime, and hacktivist adversaries.
We use a cryptonym system for adversary categorization. So “Anchor Panda” isn’t just a pet name; it designates both the adversary’s nation-state and the group they targeted…in this case, civilian and military maritime operations.
Some adversaries are tied to nation-state actors—in this case, “Panda” is the umbrella term for all nation-state activity tied to the People’s Republic of China. Non-nation-state based adversaries are categorized not by location but by intention; for instance, activist groups like the Syrian Electronic Army, are categorized as “Jackal,” which expresses both intent and motivation. The following is the cryptonym system that CrowdStrike uses for adversary categorization:
- Bear = Russia
- Buffalo = Vietnam
- Chollima (a mythical winged horse) = North Korea
- Crane = South Korea
- Kitten = Iran
- Leopard = Pakistan
- Panda = China
- Tiger = India
- Jackal = Activist groups
- Spider = Criminal groups
2. Threat Actor Profiles
Below is a list of the most prevalent threat actors – categorized by country or group. Click on the name of any adversary to learn more about their known aliases, targets, methods, and more.
Chinese Threat Adversaries
Driven by requirements laid out under the government’s Made in China 2025 Plan, Chinese threat actors have been observed targeting technology, energy, and healthcare sectors. During the past year, CrowdStrike has identified an uptick in China-based adversaries, due in part to the souring U.S.-Sino relations.
Avg. Breakout Time in 2018: 04:00:26
Iranian Threat Adversaries
Iranian threat actors have boosted their efforts through the adoption of new tactics, techniques, and procedures (TTPs) this year. These new TTPs include things like strategic web compromise (SWC) campaigns and mobile malware, and have been used to target regional rivals, contain dissident activity, and expand their “soft war” campaigns.
Avg. Breakout Time in 2018: 05:09:04
North Korean Adversaries
Despite diplomatic overtures, DPRK-based adversaries appear to have increased their activity this year. Among their goals, financial sector and inter-Korea related intelligence stand out as priorities among DPRK actors.
Avg. Breakout Time in 2018: 02:20:14
Russian Threat Adversaries
Russian threat actors continue to be the most active and destructive among nation-state adversaries. This year’s top targets included the Ukrainian government, law enforcement, and military entities.
Avg. Breakout Time in 2018: 00:18:49
Non-State Criminal Groups
The most notable trend among eCrime adversaries has been the rise of “Big Game Hunting”. Using sophisticated ransomware campaigns to target large organizations, Big Game Hunting operations have proven to be incredibly lucrative for eCrime organizations.
Avg. Breakout Time in 2018: 09:42:23
3. The CrowdStrike Philosophy
Forewarned is forearmed, and nowhere is this sentiment more true than in the field of cybersecurity. When George Kurtz and his team founded CrowdStrike, they enshrined this philosophy at the very core of the company’s mission, and the saying “You don’t have a malware problem, you have an adversary problem,” became our calling card.
It was George’s contention that if we were going to be successful in helping companies protect their networks and information assets from the ‘bad guys’ then the malware was just a symptom of a larger problem and the most robust security posture was rooted in understanding ‘who’ was unleashing that malware.
In short, understanding the adversary is the key to protecting against attacks because, while you can’t foresee all attacks, you can at least use intelligence from the past to inform possible future assaults and help mitigate consequences. Consuming adversary intelligence is important to enterprises because in order to protect yourself, you need to know both who will come after you and how they will come after you.
The CrowdStrike Intelligence Team
Our threat intelligence team’s primary focus is to track adversaries associated with nation-state actors and monitor their activity. Typically one never wants to disclose one’s amassed intelligence in a way that may compromise the ability to collect more intelligence; this is clearly a losing game. However, occasionally the release of some intelligence is required or beneficial, and the loss of the intelligence collection capability is outweighed by the perceived benefit of the release. This is often characterized as ‘Intelligence Gain/Loss’ by intelligence professionals, and it is often a hotly debated calculus.
It has become apparent in recent months, as cyber intelligence comes to the forefront of the national and community dialogs, that we have a few problems in the way we discuss and disseminate cyber intelligence information. One of the biggest points of confusion for people is the nomenclature that we use to describe adversaries and malware.
At CrowdStrike we believe firmly in focusing on the adversary. What adversary, you may ask? Well, that’s where all this is going. Some in the community refer to the adversary by the malware detection name from a specific anti-virus vendor, e.g. Hydraq. This is sometimes useful, but when the adversary is using a malware that is detected as Generic.Downloader.234, you have a much harder time communicating. Additionally, every A/V vendor uses different names, so one might have Generic.Downloader.234 and another might have Downloader.863, which makes it difficult to share intelligence with groups that don’t use the same A/V as you.
Adversaries use multiple malware packages during their attacks, and once they gain access to the victim enterprise, they use a whole other set of tools and utilities to accomplish their objectives. This is where we start categorizing adversaries by their Tools and Techniques, which is the right approach but multiple names have emerged and are inconsistently used by the community. As an example, we all know Comment Crew, A/K/A Comment Team, A/K/A APT-1, A/K/A Comment, etc, etc. This is where we are going to run into problems – we are starting to develop the same naming schemes as A/V, which will eventually lead to confusion. To attempt to help the community avert the naming dilemma, we are sharing with the research community the CrowdStrike cryptonyms for some of the more prolific and active adversaries. In addition to helping ensure we all know who these adversaries are and when they are active, we are sharing some signatures that will help identify them on the enterprises they frequent.
- Common and unambiguous nomenclature to help the community discuss these adversaries
- Ability to detect these adversaries on the wire
- More visibility to the problem of targeted attack aimed at stealing intellectual property and opportunity from governments, businesses, human rights activists, and non-profit groups
- The adversary has to change tactics, techniques, and practices which raises the cost of their espionage tradecraft
- Momentary loss of visibility on the adversary
- We have to work hard to stay on the adversary and generate more intelligence
The choice for us is clear – the Gain outweighs the Loss.