KrakenLabs’ threat actor naming conventions

KrakenLabs has developed a new naming convention that uses poisonous plants to represent the origin and criminal activities of threat actors. This approach provides a creative way to classify different types of threat actors, allowing security professionals to quickly understand the nature and behavior of the threat actor, which is helpful for identifying and mitigating threats effectively.

A standardized naming convention is crucial in the identification and classification of threat intelligence data. A standardized naming convention enables vendors to better communicate threat information so other security professionals can respond quickly and efficiently. In this blog post we will walk you through the naming methodology used by Outpost24’s threat intelligence team, KrakenLabs, to generate threat profiles, and the reasoning behind the approach.

Capabilities-centered profiles

KrakenLabs employs various methodologies and models for conducting threat investigations, with a primary focus on the MITRE ATT&CK framework, and the Diamond Model of Intrusion Analysis. These methodologies allow for several intrusion analysis tradecraft concepts, referred to as “centered” approaches, since they center around specific features of the Diamond Model. These features include the capabilities, infrastructure, adversaries, technologies, and other features of threat actors.

Given the dynamic and ever-changing nature of attack infrastructures and the individuals driving them, relying solely on this approach would be insufficient in protecting our customers. As part of our role in the threat intelligence chain, we also analyze and profile threat actors by collecting data and examining incidents from an external perspective. Our profiling focuses on the adversaries’ capabilities, which we derive from the MITRE ATT&CK tactics, techniques, and procedures (TTPs).

To better protect our customers, we have adopted a capability-centered approach, which involves exploiting the features of a capability to uncover other aspects of adversary operations. These include the victims targeted by the capability, the infrastructure supporting it, the technology enabling it, and potential clues to other related capabilities and adversaries.

Why use our own threat actor names?

It is no secret that each organization has its own access to sets of data and telemetry that others may not have. What this means is that organizations often create and define their own clusters differently, leading to the identification of unique threat group candidates.

Several factors contribute to this divergence in cluster definition and identification of potential threat actors, including differences in network architecture, data collection methods, and data source selection. Hence, it is imperative that security analysts understand the distinct approach and point of view of each organization while analyzing and profiling threat actors. This enables us to have a more comprehensive understanding of the threat landscape and enhances our ability to defend against emerging threats.

As a result of our unique perspective, and approach towards investigating threat actors, it is crucial to ensure that the reader comprehends that the profile they are reading is generated from our point of view. While this profile may align with the threat actors examined by other organizations, we believe they possess similar capabilities. For example, both Prophet Spider from CrowdStrike and UNC961 from Mandiant share the same capabilities. Additionally, several incidents documented by Sophos, which employed the Log4J vulnerability against VMware Horizon, also exhibit the same capabilities and infrastructure, albeit without any direct association with these groups. In a way, protecting against one of them can aid in detecting and mitigating the others.

Therefore, we employ this approach and assign a distinct name under which these threat actors are unified based on their capabilities.

Poisonous plants as threat actors

The KrakenLabs team has developed a new, unique naming convention for adversaries that uses poisonous plants to represent the origin and criminal activities of the threat actor. This approach provides a creative way to classify and identify different types of threat actors.

KrakenLabs’ naming convention combines an adjective and a poisonous plant name to identify each threat actor. The adjective used to describe each actor is unique and selected based on their TTPs. This allows security professionals to quickly identify the nature and behavior of the threat actor at a glance, providing a valuable tool for identifying and mitigating threats effectively.

Monkshood

Monkshood is a poisonous plant with beautiful blue flowers that is known for its toxicity, and it has been used in traditional Chinese medicine for centuries. It represents a potent and sophisticated threat actor that can cause serious harm to their targets. The Chinese threat actors are represented by this plant because it symbolizes their sophisticated and deadly capabilities.

Example: A China-backed threat actor can be identified as “Surgical Monkshood” because of their precise and calculated attacks that are designed to achieve specific objectives with minimal collateral damage.

Beshenitsa

Beshenitsa represents Russian threat actors who are known for their aggressive and unpredictable behavior. This highly poisonous plant is used to describe a threat actor that is highly effective at executing harmful attacks. Russian threat actors use their skills to carry out a range of malicious activities, including espionage, cyber-attacks, and disinformation campaigns. Beshenitsa is a fitting representation of a threat actor that is difficult to predict, yet capable of carrying out significant harm to their targets.

Example: A state-sponsored group from Russia can be identified as “Deceptive Beshenitsa” because of their ability to manipulate and deceive targets, often using social engineering and other psychological tactics.

Churihyang

Churihyang is actually the Korean name for the plant Daphne Odora, and means “a thousand-mile scent” because, in the late winter, you’ll begin to smell the pink and white flowers before you see them. However, all parts of the plant, including the berries, are toxic if ingested. It represents a North Korean threat actor that is unpredictable and potentially dangerous yet has a subtle and alluring presence.

Example: A North Korean group can be identified as “Aggressive Churihyang” because of their brazen and often violent attacks.

Nightshade

Atropa belladonna commonly known as deadly Nightshade, is a highly toxic perennial herbaceous plant found in Europe, North Africa, and Western Asia, including Iran. The Iranian threat actor is represented by this plant because they are known for their stealthy and covert operations, often operating in the shadows to achieve their objectives. These unpredictable and potent toxins represent a threat actor that is difficult to predict and capable of causing significant harm.

Example: An Iranian sponsored actor can be identified as “Stealthy Nightshade” because of their tendency to operate covertly and use sophisticated infiltration techniques to achieve their objectives.

Dhatura

Dhatura, a genus of flowering plants found in India, is highly toxic due to its alkaloid content and is known for its hallucinogenic properties. Although used in traditional Indian medicine, it is also used as a recreational drug and is associated with Indian folklore and mythology. The name adds a sense of danger and mystique, fitting for the complex attacks and secrecy of threat actors. Additionally, Dhatura is associated with witchcraft and sorcery in Indian folklore, further adding to its appropriateness as a name for Indian threat actors.

Example: A threat actor from India can be identified as “Social Datura” due to their reliance on social engineering tactics to manipulate and deceive targets.

Oleanders

Oleanders represent criminal threat actors and Arab countries as a poisonous plant commonly found in the Mediterranean region. This plant is used to describe a threat actor that is highly skilled at deception, often disguising themselves to blend in with their surroundings. Oleanders have pink or white flowers and glossy green leaves, but all parts of the plant are highly toxic if ingested, containing cardiac glycosides that can cause serious health effects or even death.

Example: Arab Countries Actors can be identified as “Profitable Oleanders” because of their focus on financial gain and cybercrime for profit.

Hacktivism and cyberterrorism: Ricinus

Ricinus represents those ideologically motivated threat actors who are known for their subversive and potentially dangerous actions, such as hacktivism groups and cyber-terrorists. Ricinus communis, also known as the Castor bean plant, is one of the oldest known poisonous plants. The ricin contained in the seeds of the plant is highly toxic, causing death in a few hours after being inhaled or consumed. This toxin is infamous for being used by terrorists in their chemical bombs. The plant’s toxic properties have made it a symbol of subversion, danger, and terror, which aligns with the goals of many hacktivist and cyber-terrorist threat actors.

Example: A Hacktivist can be identified as “Disruptive Ricinus” because of their tendency to use disruptive tactics such as DDoS attacks to achieve their objectives.

Ransomware: Wolfsbane

Wolfsbane, also known as aconite, represents ransomware threat actors who use sophisticated encryption to hold victims’ data hostage. This highly toxic plant is used to describe a threat actor that is highly effective at carrying out ransomware attacks. Ransomware threat actors use their skills to encrypt victims’ data and demand ransom payments. Wolfsbane can symbolize a threat actor that seeks to hold victims’ data hostage in a similar way to how the plant holds the body hostage when ingested. This could make it a memorable and distinctive name for a ransomware group, which is important in the crowded and competitive landscape of threat actors.

Example: A Ransomware group can be identified as “Extortionist Wolfsbane” due to their use of encryption and locking of targets to extort ransom payments.

IAB: Foxglove

Foxglove represents IAB (Initial Access Brokers) threat actors who specialize in selling or trading access to compromised computer systems. This highly poisonous flowering plant is used to describe a threat actor that is highly effective at compromising computer systems and using that access to cause harm. IAB threat actors specialize in gaining initial access to computer systems and then selling that access to other malicious actors. This process can be highly disruptive and costly to businesses and individuals. The foxglove plant serves as an appropriate analogy for a threat actor that seeks to compromise computer systems in a similar way to how consuming the plant jeopardizes the body’s safety, ultimately attacking the heart.

Example: “Prophet Spider” or “UNC961,” the threat actor, has been dubbed “Pawning Foxglove”, as they frequently sell accesses to vulnerable machines using known exploits. This is similar to how a burglar would sell stolen items to a pawnshop.

Cybercriminals: Hemlock

Cybercriminals are individuals or groups who engage in hacking to gain financial profit, often by stealing personal information, credit card numbers, or intellectual property. Hemlock, a poisonous plant containing the toxic alkaloid coniine in all its parts, can have lethal effects on the nervous system in high doses. The toxicity of coniine has been extensively studied in livestock, with numerous cases of animal deaths resulting from hemlock poisonings due to the plant’s rapid growth and intermixing into pastures. The impact on the livestock industry has been significant. The use of “Hemlock” to describe cybercriminals is fitting, as both have negative impacts on their respective industries; while cybercrime primarily affects businesses, hemlock can be devastating to the livestock industry.

Example: A hacking-as-a-service group can be identified as “Innovative Hemlock” due to their use of zero days to exploit the public server of their victims.

Closing thoughts

The use of a consistent and standardized naming convention is crucial in the threat intelligence sector to easily identify and classify different types of threats. KrakenLabs employs a capability-centered approach, focusing on the adversaries’ capabilities, infrastructure, technologies, and other features. While each organization has its own access to data and telemetry, it is imperative for security analysts to understand the unique approach and point of view of different organizations while analyzing and profiling threat actors.

KrakenLabs has developed a new, unique naming convention that uses poisonous plants to represent the origin and criminal activities of the threat actor. This approach provides a creative way to classify different types of threat actors, allowing security professionals to quickly understand the nature and behavior of the threat actor, which is helpful for identifying and mitigating threats effectively. The use of poisonous plant names to represent each threat actor’s capabilities, combined with KrakenLabs’ capability-centered approach, enhances our ability to defend against emerging threats. Learn more about our cyber threat intelligence solution, Threat Compass.

About the Author

Borja Rodriguez author
Borja Rodriguez Manager of Threat Intelligence Operations, Outpost24

Borja manages the Threat Intelligence Operations at Outpost24's KrakenLabs department. He brings years of industry experience, specializing in offensive security operations, penetration testing, red teaming, and threat intelligence research. His publications on topics like ARS, OnlinerSpambot, Formbook, and Traffers groups contribute valuable insights to the cybersecurity domain.