What’s in a Name? How the Abnormal Intelligence Team Names BEC Threat Groups
If you’re part of the cybersecurity community, you know cyber threat group names are everywhere.
Some groups are named after animals, while others are assigned numbers. In some cases, it seems like researchers randomly choose words to name the group, almost as if they were throwing darts at a dartboard. And sometimes, a single group may receive unique names from separate organizations using completely different naming conventions!
Typically, cyber threat groups that receive the distinction of being named fall into two categories: 1) state-affiliated groups, or 2) groups that develop/deploy malware. Groups behind other types of attacks, like business email compromise (BEC), rarely get the privilege of receiving their own special name from threat researchers.
Some of this could be due to the fact that threats like BEC are much more decentralized in nature than something like ransomware. Instead of groups having a clear and solid hierarchy (which makes clustering them into groups easier), actors behind threats like BEC are commonly loosely affiliated with each other without a rigid structure.
Our threat intelligence team at Abnormal, however, has extensive visibility into the full cycle of BEC attacks. As a result, we’re able to identify unique characteristics of BEC attacks that allow us to cluster attacks into threat groups more effectively.
This blog post covers how we’re able to track and categorize BEC attacks into threat groups and discusses the strategy we use to name the groups we identify.
Tracking BEC Threat Groups with Active Defense
Understanding BEC attacks and the actors behind them is usually limited to simply observing the initial emails targeting potential victims. However, this approach has limitations, as these initial messages are often brief and unremarkable—providing little information for solid attribution.
We also know that BEC actors routinely share “formats”, or templates, that are used in the initial stages of an attack. So it’s not uncommon to see multiple actors that are completely unrelated to each other using the same initial format. As a result, relying on the content of initial messages for attribution can easily lead to mistaken conclusions.
With active defense, on the other hand, we’re able to gather a much richer corpus of intelligence that helps us more effectively attribute attacks to actors or groups. Not only are we able to use the information available in an initial BEC message, but we also have at our disposal all of the data we collect during the course of an active defense engagement.
Overall, we use the following pieces of information to cluster BEC attacks linked to a likely common actor or group:
- Conscious behavioral choices, such as username/domain naming conventions or deviations from a known email format
- Similar operational tactics or techniques, such as spoofing an impersonated email address, the use of a preferred webmail service, or pivoting to an alternate form of communication
- Overarching pretext or theme of an attack
- Attack goals and motivations, including the process by which those goals are realized
- Target victimologies, such as target industry and targeted employee roles
- Location-based information, such as IP address or attacker country
- Characteristics of mule accounts used to receive fraudulent payments
- Second-stage attack behavior, such as the use of a unique fake invoice or the response to artificial obstacles
By profiling attacks using the above criteria, we are able to cluster them into groups that share multiple common characteristics and are likely unique to that threat group. Note, though, that our definition of “group” within the context of BEC attacks may differ somewhat from the one used for other cyber threats.
As we mentioned earlier, the BEC ecosystem is highly decentralized, and many actors may not be part of a formal group structure. In this context, a BEC "group" refers to a series of attacks that share unique behavioral characteristics distinguishing them from other attacks. The term "group" is therefore broad: it can refer to a single individual actor or to a larger collective.
How Abnormal Intelligence Names BEC Groups
Now that we've grouped these BEC attacks into threat groups, it's time for the fun part: giving them a name!
But here's the thing: names for these groups are often completely disconnected from their actual identity. That makes it tough for members of the cybersecurity community to remember which group is which, or what kind of threats they're known for.
If we only had a few groups to worry about, this wouldn't be a big deal. But with hundreds of named threat groups out there, some going by multiple different names, things can get confusing fast. How many cybersecurity professionals out there can easily recall anything about APT3 vs APT28 vs APT37 without consulting Google?
When it came to naming our BEC groups, we wanted to create a system that allows anyone to quickly understand something about a group without having to refer to a threat group codex. The names of the BEC threat groups we track consist of two parts: a color shade and a randomly selected animal.
The color shade is the most important component and indicates the primary type of attack associated with the group. The color/threat type key is as follows:
We can see this naming convention in action if we look at some of the recent threat groups we’ve written about:
- Crimson Kingsnake: Crimson = Red = Financial Supply Chain Compromise
- Cobalt Terrapin: Cobalt = Blue = Internal Impersonation Payment Fraud
- Chiffon Herring: Chiffon = Yellow = Payroll Diversion
- Lilac Wolverine: Lilac = Purple = Gift Card Request
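To make the clustering criteria and the naming convention above concrete, here is an added Python example; it is not Abnormal's code or tooling. It builds one feature per clustering criterion, scores pairs of attack profiles by weighted agreement, groups them by single-linkage clustering, and then names each group with a shade from the color family of the group's dominant attack type plus a random animal, with a decoder that reads the attack type back from the name. The four type-to-color mappings come from the named groups listed above; the shade lists, the animal pool, the feature weights, the similarity threshold and the four sample attack records are all assumptions constructed for illustration. The initial-message "format" feature is deliberately weighted zero, so two attacks that share only a template (A1 and A3 in the sample) do not cluster, while attacks that share operational traits (A1/A2, A3/A4) do.

```python
from collections import Counter
from itertools import combinations
import random

# Colour family per attack type, taken from the four named groups in the post.
# The shade lists and the animal pool are assumptions added for illustration.
COLOR_KEY = {
    "financial_supply_chain_compromise": ("red", ["crimson", "scarlet", "ruby"]),
    "internal_impersonation_payment_fraud": ("blue", ["cobalt", "cerulean", "navy"]),
    "payroll_diversion": ("yellow", ["chiffon", "saffron", "amber"]),
    "gift_card_request": ("purple", ["lilac", "violet", "plum"]),
}
SHADE_TO_TYPE = {s: t for t, (_, shades) in COLOR_KEY.items() for s in shades}
ANIMALS = ["kingsnake", "terrapin", "herring", "wolverine", "osprey", "marmot"]

# One feature per clustering criterion in the post, with assumed weights.
# "format" is weighted zero on purpose: templates circulate between unrelated
# actors, so a shared initial message must not pull two attacks together.
WEIGHTS = {
    "format": 0.0,
    "domain_pattern": 2.0,  # naming convention of lookalike accounts/domains
    "webmail": 1.0,         # preferred webmail service
    "pivot_channel": 1.0,   # attempt to move the conversation off email
    "pretext": 1.0,         # overarching theme
    "goal": 2.0,            # attack goal / monetisation
    "target_role": 1.0,     # victimology
    "country": 1.0,         # location-based indicator
    "mule_bank": 2.0,       # mule account characteristics (None if no mule)
    "second_stage": 1.0,    # behaviour once the target engages
}

def similarity(a, b):
    """Weighted fraction of features on which two attack profiles agree (None never matches)."""
    shared = sum(w for f, w in WEIGHTS.items() if a.get(f) and a.get(f) == b.get(f))
    return shared / sum(WEIGHTS.values())

def cluster(attacks, threshold=0.6):
    """Single-linkage clustering with union-find: attacks scoring >= threshold share a group."""
    parent = list(range(len(attacks)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    for i, j in combinations(range(len(attacks)), 2):
        if similarity(attacks[i], attacks[j]) >= threshold:
            parent[find(i)] = find(j)
    groups = {}
    for i, a in enumerate(attacks):
        groups.setdefault(find(i), []).append(a)
    return list(groups.values())

def name_group(group, used_names, rng):
    """Shade from the colour family of the group's dominant goal plus a random animal, never reused."""
    goal = Counter(a["goal"] for a in group).most_common(1)[0][0]
    family, shades = COLOR_KEY[goal]
    for _ in range(1000):
        name = f"{rng.choice(shades).title()} {rng.choice(ANIMALS).title()}"
        if name not in used_names:
            used_names.add(name)
            return name, family
    raise RuntimeError("name space exhausted; add shades or animals")

def decode_name(name):
    """Read the attack type back from a group name's shade (None if the shade is unknown)."""
    return SHADE_TO_TYPE.get(name.split()[0].lower())

# Constructed sample profiles, not real observations. A1 and A2 differ only in
# template and pivot channel; A3 reuses A1's template but little else; A4
# matches A3 operationally.
ATTACKS = [
    {"id": "A1", "format": "invoice-template-1", "domain_pattern": "exec-first-last", "webmail": "gmail",
     "pivot_channel": "whatsapp", "pretext": "overdue vendor invoice", "goal": "financial_supply_chain_compromise",
     "target_role": "accounts_payable", "country": "NG", "mule_bank": "bank-alpha", "second_stage": "fake_invoice_v1"},
    {"id": "A2", "format": "invoice-template-2", "domain_pattern": "exec-first-last", "webmail": "gmail",
     "pivot_channel": "sms", "pretext": "overdue vendor invoice", "goal": "financial_supply_chain_compromise",
     "target_role": "accounts_payable", "country": "NG", "mule_bank": "bank-alpha", "second_stage": "fake_invoice_v1"},
    {"id": "A3", "format": "invoice-template-1", "domain_pattern": "ceo-initials", "webmail": "outlook",
     "pivot_channel": "email", "pretext": "employee reward", "goal": "gift_card_request",
     "target_role": "executive_assistant", "country": "NG", "mule_bank": None, "second_stage": "asks_for_card_photos"},
    {"id": "A4", "format": "giftcard-template-3", "domain_pattern": "ceo-initials", "webmail": "outlook",
     "pivot_channel": "sms", "pretext": "employee reward", "goal": "gift_card_request",
     "target_role": "executive_assistant", "country": "NG", "mule_bank": None, "second_stage": "asks_for_card_codes"},
]

def run_example(seed=7):
    """Cluster the sample attacks and name each cluster; returns (name, colour family, attack ids)."""
    rng = random.Random(seed)
    used, out = set(), []
    for group in cluster(ATTACKS):
        name, family = name_group(group, used, rng)
        out.append((name, family, [a["id"] for a in group]))
    return out

if __name__ == "__main__":
    for name, family, ids in run_example():
        print(f"{name} ({family}): {', '.join(ids)}")
```

Running the script yields two groups: A1 and A2 under a red-family name and A3 and A4 under a purple-family name, with A1 and A3 kept apart despite sharing a template. The weights and threshold are the knobs a real pipeline would tune against labelled engagements; the point of the zero weight on "format" is that the signal for attribution lives in the operational traits gathered during an active defense engagement, not in the opening message.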
Why Threat Group Names Matter
Cyber threat group names are a useful way of identifying and tracking the activities of different groups or organizations that engage in cyberattacks. Knowing the name of a particular group allows organizations to gather more information about the group and its activities and helps them better understand their motivations and goals. It also enables organizations to track the group's activities and assess the potential risks that it poses.
This information can be used to anticipate a group's future activities, allocate resources for dealing with any potential threats, and develop more effective countermeasures for defending against the group's attacks.
Threat group names can also help to improve collaboration and information sharing among different organizations. By sharing information about the activities and goals of different groups, organizations can work together to combat cyber threats more effectively.
Overall, cyber threat group names are an important tool for tracking and defending against these groups, and they play a crucial role in helping organizations to protect themselves from attack. By providing a means of identifying and tracking the activities of different groups, these names can help organizations to stay one step ahead of threat actors and to develop effective strategies for defending against their attacks.
See how Abnormal blocks email attacks like business email compromise before they can reach employee inboxes. Request a demo today.