Typhoon Werewolf: Classification and analysis of hacker groups

Father

In the digital world, where data plays a key role, hacker groups have long been a fixture. Their activities span a wide range of targets, from corporations and government bodies to individual users. To track the activity of different groups, build up knowledge about each of them and study their tactics and techniques, many companies maintain their own classification schemes for threat actors.

In this article, we will talk about how hacker group classifications are formed and what classifications are used by foreign and Russian companies. We will also discuss why companies need them and how they can help information security specialists in repelling attacks and fighting cybercrime.

How classifications are formed

Cybercriminals, like their "analog" counterparts, have a signature of their own: typical actions, favoured tools, and so on. Even the most anonymous group leaves traces in the infrastructure it attacks, and those traces can be studied and systematized by security specialists.

Oleg Skulkin
Head of BI.ZONE Threat Intelligence

Hacker groups should be viewed as clusters of activity rather than groups of intruders. These clusters will have a unique set of methods and tools, as well as an infrastructure. This combination allows you to distinguish one such cluster from another. We give them their names.

This allows you to identify clusters that are relevant to a particular industry and geography, understand the methods they use, and make sure that your organization is protected from real threats.

In addition, classification is a way to get additional context. For example, we see network communication with an IP address that is associated with a specific cluster, such as Cobalt Werewolf. Linking to a cluster gives us a lot of additional information: about indicators of compromise, tactics, techniques and procedures, and tools. This information will allow us to quickly and effectively respond to an incident, as we will know in advance what to pay attention to. In addition, the staff can proactively search for the use of similar methods. This will make sure that there are no traces of detected malicious activity left in the infrastructure.

By understanding current clusters, you can focus on complex attacks that require staff attention, rather than on noisy mass attacks that can easily be blocked even by basic technical security tools.

And, of course, it is always more interesting to understand and confront a mysterious "werewolf" than to look at yet another soulless verdict from a security tool. As for solving crimes: in some cases such attribution can help, for example, to combine several episodes into one case.

There is a large body of knowledge behind a classification, but most often a name is assigned based on two factors:
  • the country to which the researcher attributes the group;
  • the group's motivation (financial gain, state-sponsored espionage, hacktivism, etc.).

This approach is chosen mainly because it is easy to grasp and accessible to a wide audience: "an Iranian state-sponsored group" is far more likely to make the news than "a group that uses the techniques of Group A, the malware of Groups B and C, and mainly attacks companies in the financial sector".

Since building a classification requires a large amount of data, including data taken directly from compromised systems, it is maintained by large companies and industry associations. Below we look at some of the classifications used in Russia and abroad.

Western classifications

Microsoft

Microsoft has long maintained its own classification of threat actors, driven by the complexity, scale and variety of threats that both its own staff and the many users of its products face every day.

Previously, Microsoft designated groups of intruders with the names of chemical elements, but in April 2023 it introduced a new taxonomy based on weather events. The new scheme divides the groups Microsoft tracks along two axes: by motivation category and by the nationality attributed to state-sponsored actors. Examples from the new Microsoft taxonomy:

By motivation category:
  • Financially motivated – Tempest
  • Private-sector offensive actors (PSOAs) – Tsunami
  • Influence operations – Flood
  • Groups still in development – Storm

By nationality:
  • Russia – Blizzard
  • China – Typhoon
  • Turkey – Dust
  • Vietnam – Cyclone

Threat actors within the same weather family are distinguished by an adjective, which separates clusters with different TTPs, infrastructure, targets or other identified patterns.

Microsoft also maintains a summary table that maps the groups it tracks to their names under the old scheme and in some other Western classifications.

CrowdStrike

Unlike Microsoft, CrowdStrike chose animals rather than natural phenomena, and its names are among those most often picked up by other vendors.

In its scheme, financially motivated criminals are "spiders" (Scattered Spider) and hacktivists are "jackals" (Ghost Jackal).

State-sponsored actors are again divided by country: Iranian groups are "kittens" (Static Kitten), Chinese groups "pandas" (Sunrise Panda).

Mandiant

The American company Mandiant uses a far less creative but very simple and readable scheme. All tracked groups fall into two categories:
  • APT – state-sponsored groups;
  • FIN – financially motivated groups.

A group is then numbered in the order in which it was identified: APT1, APT2, APT3, and so on. Clusters that have not yet been tied to a known group are tracked under the separate UNC (uncategorized) prefix until enough evidence accumulates to merge them with an APT or FIN group.

Nikita Leokumovich
Head of Response and Digital Forensics at Angara Security

APT (advanced persistent threat; nation-state actors) is a persistent, serious (advanced) threat: a group of individuals with specialist knowledge of information technology and resources at their disposal that together allow them to create or pose a threat of dangerous cyber attacks.

There is no strict rule that obliges anyone to follow this taxonomy, so large information security companies often have their own classifications of hacker groups based on features or rules of their own choosing. This often leads to confusion, especially when the groups themselves come up with names and publish them in open sources. For example, the group APT28 has a number of other names (IRON TWILIGHT, SNAKEMACKEREL, Swallowtail, Group 74, Sednit, Sofacy, Pawn Storm, Fancy Bear, STRONTIUM, Tsar Team, Threat Group-4127, TG-4127).

This classification is often used by Russian and foreign companies alike because it makes threat actors easy to identify and remember, and the term "APT group" has firmly entered the everyday vocabulary of security specialists as a synonym for a state-sponsored group.

Russian classifications

Solar

Solar classifies threat actors by skill level. Its taxonomy is interesting because it covers not only human attackers but also "robots", that is, automated systems:
  1. Automated systems – used in mass attacks and for compromising devices and infrastructures with a low level of protection.
  2. Cyber hooligans – lone enthusiasts whose activity mostly amounts to petty vandalism and disrupting the integrity of infrastructure.
  3. Cybercriminals – organized groups specializing in ransomware encryption, cryptomining and theft of funds.
  4. Cyber mercenaries – advanced groups hired for targeted attacks, espionage and hacktivism.
  5. Cyber warriors – state-sponsored groups specializing in cyber espionage and the complete takeover of infrastructure, giving them full control and the ability to take any action.

What is particularly notable in Solar's scheme is that the tiers are graded by the attacker's capabilities and by the incidents they can cause once inside the company's infrastructure.

BI.ZONE​

BI.ZONE, like CrowdStrike above, uses animal imagery in its classification, but it focused on the canid family.

Oleg Skulkin
Head of BI.ZONE Threat Intelligence

At BI.ZONE we use our own classification of threat actors, based on the main motivation of a given activity cluster. Clusters whose main motivation is financial we call "wolves", for example Red Wolf. Clusters whose main motivation is espionage are "werewolves", for example Core Werewolf. Finally, we classify hacktivists as "hyenas", such as Gambling Hyena. This covers both the clusters we discovered ourselves and those already known that we track.

Our classification started with "wolves". The name of our company, BI.ZONE, sounds like the word "bison", and the main enemies of bison in the wild are wolves. In Russian culture, wolves are also often associated with villains. They were followed by "werewolves", a name that seemed fitting for state-sponsored hackers, and later we separated out hacktivists.

A cluster assigned to a particular family is then given an adjective that reflects the attackers' motives, the particular features of their behaviour, their TTPs, and so on. For example, at least three criminal clusters were added to the wolves over 2022-2023: Battle Wolf, Twelfth Wolf and Shadow Wolf.

It should be said separately that the title of "werewolves" is ideally suited to pro-state groups – they are talked about on TV, but their existence is denied. And at the same time, lycanthropy is present in medical reference books, as is cyberintelligence – an existing area of activity in any developed country.
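As an added example, not code from the article or from any of the vendors it names, the following Python sketch does the two things the taxonomies above make possible in practice: it decodes what a vendor's name encodes (the Microsoft weather family, the CrowdStrike animal, the Mandiant APT/FIN prefix, the BI.ZONE canid) and it merges the aliases different vendors use for one cluster, such as the APT28 list quoted earlier, with a union-find so that a name seen on an alert resolves to every other name the same activity is reported under. The family tables are limited to the names given in this article; the only name added is Microsoft's 2023 rename of STRONTIUM to Forest Blizzard, included to show that a name absent from the Mandiant alias list still resolves to the APT28 cluster transitively. Function and field names are the example's own.

```python
# Added example (not from the article): decode what a vendor's actor name encodes
# and merge the aliases that different vendors use for one activity cluster.
import re

# What each family word encodes under the schemes the article describes;
# limited on purpose to the names the article itself gives.
FAMILY_MEANING = {
    "microsoft": {
        "tempest": ("motivation", "financial"), "tsunami": ("motivation", "PSOA"),
        "flood": ("motivation", "influence operations"), "storm": ("status", "in development"),
        "blizzard": ("country", "Russia"), "typhoon": ("country", "China"),
        "dust": ("country", "Turkey"), "cyclone": ("country", "Vietnam"),
    },
    "crowdstrike": {
        "spider": ("motivation", "financial"), "jackal": ("motivation", "hacktivism"),
        "kitten": ("country", "Iran"), "panda": ("country", "China"),
    },
    "bi.zone": {
        "wolf": ("motivation", "financial"), "werewolf": ("motivation", "espionage"),
        "hyena": ("motivation", "hacktivism"),
    },
}
MANDIANT_RE = re.compile(r"^(APT|FIN)(\d+)$")


def decode_name(vendor, name):
    """What a name encodes under the vendor's scheme, or None if it does not fit.
    Mandiant: the APT/FIN prefix is the motivation, the number only a counter.
    Others: the family word is the motivation or country, the adjective only
    separates clusters inside that family."""
    vendor, name = vendor.lower(), name.strip()
    if vendor == "mandiant":
        m = MANDIANT_RE.match(name)
        if not m:
            return None
        prefix, number = m.groups()
        return {"vendor": vendor, "family": prefix, "dimension": "motivation",
                "value": "pro-government" if prefix == "APT" else "financial",
                "qualifier": int(number)}
    parts = name.split()
    if len(parts) != 2:
        return None
    adjective, family = parts
    meaning = FAMILY_MEANING.get(vendor, {}).get(family.lower())
    if meaning is None:
        return None  # e.g. a BI.ZONE name fed to the Microsoft decoder
    return {"vendor": vendor, "family": family.lower(), "dimension": meaning[0],
            "value": meaning[1], "qualifier": adjective}


class AliasGraph:
    """Union-find over actor names: each published alias list is one set of
    equivalent names, and overlapping lists merge transitively."""

    def __init__(self):
        self._parent = {}  # lowercase key -> parent key
        self._label = {}   # lowercase key -> first spelling seen

    def _key(self, name):
        key = name.strip().lower()
        self._parent.setdefault(key, key)
        self._label.setdefault(key, name.strip())
        return key

    def _find(self, key):
        while self._parent[key] != key:
            self._parent[key] = self._parent[self._parent[key]]  # path halving
            key = self._parent[key]
        return key

    def add_aliases(self, names):
        """Declare every name in the list to belong to the same cluster."""
        root = self._find(self._key(names[0]))
        for name in names[1:]:
            other = self._find(self._key(name))
            if other != root:
                self._parent[other] = root

    def same_cluster(self, a, b):
        return self._find(self._key(a)) == self._find(self._key(b))

    def cluster_of(self, name):
        """Every known spelling for the cluster this name belongs to, sorted."""
        root = self._find(self._key(name))
        return sorted(self._label[k] for k in self._parent if self._find(k) == root)


# Constructed sample input: the APT28 alias list quoted in the article plus
# Microsoft's 2023 rename of STRONTIUM to Forest Blizzard (the only name here
# that is not taken from the article).
APT28_ALIASES = ["APT28", "IRON TWILIGHT", "SNAKEMACKEREL", "Swallowtail", "Group 74",
                 "Sednit", "Sofacy", "Pawn Storm", "Fancy Bear", "STRONTIUM",
                 "Tsar Team", "Threat Group-4127", "TG-4127"]
MICROSOFT_RENAMES = [("STRONTIUM", "Forest Blizzard")]


def build_graph():
    graph = AliasGraph()
    graph.add_aliases(APT28_ALIASES)
    for old, new in MICROSOFT_RENAMES:
        graph.add_aliases([old, new])  # a rename is just a two-name alias list
    return graph


def enrich(graph, vendor, name):
    """What an analyst wants from a name on an alert: the category the vendor's
    scheme encodes, and every other name the same cluster is reported under."""
    return {"decoded": decode_name(vendor, name), "aliases": graph.cluster_of(name)}
```

Calling enrich(build_graph(), "microsoft", "Forest Blizzard") returns the decoded category (country: Russia) together with all fourteen spellings of the cluster, APT28 and Fancy Bear included, even though the Microsoft name never appears in the Mandiant list; the link is made through STRONTIUM. The decoder is deliberately strict: a name that does not fit the vendor's scheme (a BI.ZONE "werewolf" handed to the Microsoft decoder, or "Fancy Bear" handed to the Mandiant one) yields None rather than a guess, which is the behaviour to want when vendor names arrive mixed in a single feed.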

Does classifying hacker groups help security specialists, and is a single international taxonomy needed

Security experts differ on how important classifying hacker groups is. Some consider it a necessary tool for fighting cybercrime effectively: determining which group a particular attack belongs to gives a better understanding of its characteristics, the methods used and the targets, which helps in developing security strategies and measures to prevent similar attacks in the future.

Andrey Yefimov
Engineer of the Information Security Department of IMBA IT

Effective classification of hacker groups plays a key role in the fight against cyber attacks. It allows you to better understand the nature of the threat, predict future attacks, and develop appropriate defense strategies. For example, if you know that a group focuses on financial institutions, the relevant companies can improve their security systems based on the available information about this group.

Other experts, however, doubt the practical value of classifying hacker groups. What matters is not the names of the groups but the data behind them; the particular naming a company chooses is not crucial, whether a group is called "Angry Cats" or "Explosive Daisies". The names and the way groups are divided into clusters say more about a particular company's view of which threats are most relevant.

The names that companies and incident-research teams give to groups also carry a degree of self-expression.

Sergey Polunin
Head of the Security Group for infrastructure IT solutions at Gazinformservis

It should be understood that it is not classification that helps in repelling cyber attacks and uncovering cybercrime, but understanding what techniques a particular group uses and what goals it is aimed at. As a rule, groups use a small range of tactics and tools, and are aimed at specific goals. Usually, the targets are specific state authorities, especially if the group is somehow connected to the government of another country. Or, more often, they are focused on specific industries – finance, oil and gas, and the nuclear industry.

The absence of a single classifier of hacker groups has an objective reason: it is impossible to combine all the data held by different companies into one shared database. For the same reason there is no single TI platform.

There is also a subjective reason related to the fact that many companies do not agree on the significance of the criteria by which hacker groups should be divided into clusters.

And this has its advantages. For example, we can confidently predict that there will be more Typhoons, Spiders, Kittens, and other creative names in the cybersecurity world.
 