Secureworks Threat Groups
The Secureworks Counter Threat Unit™ (CTU) job is to maintain an understanding of the threat landscape, and to use that understanding to protect and inform customers. Threat Group names are used to track clusters of activity that are assessed to be related. Threat Groups are intrusion sets or clusters of observed activity: they exist in cyberspace, and we see them attempting to cause harm to our customers or see reports of them causing harm to others.
That is different than Threat Actors, which are real-world people and organizations with real-world locations. Threat Groups map to Threat Actors, but the mapping is not necessarily one-to-one. A sub-contractor might acquire a new contract, groups might share infrastructure, or a foreign intelligence service might operate multiple teams that have the same objective but look and feel very different in terms of their targeting, techniques, and infrastructure.
Understanding Threat Groups helps us determine which customers might be at risk from which Threat Actors and identify applicable playbooks. The information can also help a target or victim understand the who, which could lead to the how and the why. Those insights can drive security investment, training, and controls. If the worst happens, they can also drive the focus, speed, and scale of the response.
Understanding Threat Actors is also important, because it might allow for a better assessment of the why beyond what can be inferred from observed activity—but it is also harder to do reliably and it arguably offers less direct security value then focusing on Threat Groups. CTU reporting and alerts in the platform regularly refers to named Threat Groups.
Threat Group Naming Convention ⫘
Every time a new Threat Group is identified, they are assigned a name selected randomly from a list. Where that Threat Group is attributed to a specific country or thematic area, such as financially motivated cybercriminals, it will be assigned a prefix that denotes that attribution. As understanding of a Threat Group changes over time, it can be merged into another existing group or split into two or more different groups. As an illustrative example, let’s say that analysis of a network intrusion leads CTU researchers to conclude that the observed set of tools and behaviors cannot be associated with any existing Threat Group. It is therefore a new Threat Group, and is assigned a random name, HILLTOP. If subsequently CTU researchers assess that HILLTOP operates on behalf of the Chinese government, then is given the prefix BRONZE, used to denote Chinese government-backed Threat Groups. It becomes BRONZE HILLTOP.
The full list of thematic prefixes assigned to threat groups are as follows:
| ORIGIN/THEME | METAL/ALLOY |
|---|---|
| Palestine | ALUMINUM |
| China | BRONZE |
| Iran | COBALT |
| Pakistan | COPPER |
| Cybercrime | GOLD |
| Russia | IRON |
| Lebanon | LITHIUM |
| North Korea | NICKEL |
| United States | PLATINUM |
| Red Team | RADIUM |
| Singapore | SILVER |
| United Kingdom | STEEL |
| Vietnam | TIN |
| South Korea | TUNGSTEN |
| India | ZINC |
Naming Convention History ⫘
In November 2016, CTU researchers began to transition from a numeric Threat Group identification format (e.g., TG-1234) to a word-based naming convention. The new names reflect the origin or category of the threat and are intended to be easier for clients to recognize and remember. You may occasionally see references to these older Threat Group names. For example, BRONZE UNION is a prolific Chinese threat group that used to be referred to as TG-3390. This Threat Group designation became publicly known based on some pioneering research published by CTU researchers, and has been followed up by a series of public and customer facing reports on BRONZE UNION. Maintaining the relationship between the two can help readers understand that it’s the same group, it’s just the name that changed.
For a list of Threat Group profiles, see the Secureworks article Threat Profiles.