Hello and welcome to the Arachne Digital cyber threat actor (CTA) tracker, Spindle. This is a resource for the cyber threat intelligence (CTI) community. Arachne Digital has also introduced its own naming convention, which is open source for anyone to use.
Spindle is open source and available on GitHub. It serves as a reference document capturing the different names, aliases, and connections of CTAs, and is published in both a human readable and a machine readable form.
The Arachne Digital naming convention consists of a random word followed by one of the suffixes below:
- State sponsored CTAs — Nymphs
- Organised crime groups — Elves
- Hacktivists — Mermaids
- Terrorists — Undines
- Industrial espionage CTAs — Sylphs
- Low sophistication CTAs — Fairies
- Unknown — Changelings
Arachne Digital names are only assigned when there is no widely accepted existing name. When a widely accepted name exists, Arachne Digital aligns to that name to promote standardisation. Our names are liminal, meaning that they are retired if another name for the exact same group becomes widely accepted.
If you want to have a name assigned to a new CTA or add to the information around an existing CTA, open an issue on this GitHub repository.
For new CTAs, outline the research you have done to establish the CTA and to confirm that it does not already have a name. This research can vary, be it primary research or public reports about a campaign that is not attributed to a known CTA. Arachne Digital staff will review the issue and, if approved, add an entry to Spindle.
For existing CTAs, outline the information you would like to include in Spindle and link back to online sources. If you have performed original research, publish a blog post and link to that. Arachne Digital staff will review the issue and, if approved, update the entry in Spindle.
Have a read through our blog post discussing this topic. But if you just want the summary, there are different naming conventions in CTI because of:
- Differing Perspectives: Various organisations have unique perspectives and varying levels of visibility into cyber threats. They name CTAs based on their specific insights, which can differ significantly from one another.
- Data Sharing Challenges: Information sharing within the CTI community is not always straightforward. Groups might be hesitant to share their intelligence due to concerns about revealing their detection capabilities or sensitive information. Legal constraints and classification can further hinder information sharing.
- Diverse Methodologies: Different CTI groups employ diverse methodologies for data collection, analysis, and intelligence production. This leads to disparities in how they perceive and name CTAs.
- The Complexity of Threat Landscape: CTAs often operate in complex, interconnected ways. One CTA may collaborate with others or perform various roles within a larger campaign, making it challenging to agree on a single, universally accepted name.
- A Lack of Oversight: Without a centralised global authority overseeing CTI naming, achieving interoperable naming conventions is difficult. Organisations often develop their naming conventions independently.
- A Need for Liminal Names: Some groups use interim or liminal names internally while waiting for more evidence to consolidate various aliases into a single identity.
While multiple naming conventions are unavoidable, they cause problems such as:
- Confusion for Defenders: Multiple naming conventions make it challenging for defenders to track and understand CTAs. This confusion can impede effective threat response and mitigation.
- Difficulty for Outsiders: Those outside the CTI community, including journalists and the general public, may find it nearly impossible to navigate and understand the complex web of aliases and naming conventions.
- Continuous Expansion: The number of aliases and naming conventions continues to grow and shift as new threat groups emerge and existing ones evolve. This dynamic environment adds to the complexity of the CTI landscape.
- Incompatibility: Lack of interoperability means one organisation's names cannot simply be reused by another, because two organisations may assign the same name to different CTAs. This can lead to confusion and misattribution.
- Time-Consuming Analysis: Analysts may spend excessive time trying to reconcile multiple aliases for the same CTA, slowing down the intelligence analysis process.
- Loss of Relevant Information: Valuable context and insights about CTAs may be lost when multiple names are used for the same threat actor, making it difficult to identify patterns and trends.
To combat these problems, Arachne Digital promotes standardisation where possible, assigning our own names only when a viable alternative does not exist and dropping our name when one emerges.
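As an added example (not Spindle's own code or data format), the following Python shows the two mechanics described above: validating an Arachne-style name against the seven suffixes, and resolving aliases through an index keyed by (source, name) rather than by bare name, so that two sources using the same name for different CTAs (the incompatibility problem) do not collide. It also applies the liminal rule when choosing a display name: a widely accepted name wins, the Arachne name is used only as a fallback. The alias table and group names are constructed placeholders, not real CTAs, and the assumption that the random word and suffix are separated by a space is ours.

```python
"""Added example: Arachne-style name parsing and collision-safe alias resolution.

All records below are constructed for illustration; none refers to a real CTA.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Suffix -> category, as listed in the Spindle README.
ARACHNE_SUFFIXES = {
    "Nymphs": "State sponsored",
    "Elves": "Organised crime",
    "Mermaids": "Hacktivist",
    "Undines": "Terrorist",
    "Sylphs": "Industrial espionage",
    "Fairies": "Low sophistication",
    "Changelings": "Unknown",
}


def parse_arachne_name(name: str) -> Optional[tuple[str, str]]:
    """Split an Arachne name into (random word, category).

    Assumes "<word> <suffix>" (space separation is our assumption). Returns
    None if the suffix is unknown or there is no word in front of it.
    """
    name = name.strip()
    for suffix, category in ARACHNE_SUFFIXES.items():
        if name.endswith(suffix):
            word = name[: -len(suffix)].strip()
            return (word, category) if word else None
    return None


@dataclass
class ActorRecord:
    actor_id: str                      # stable internal id, never shown to users
    aliases: dict[str, str]            # source -> name that source uses
    widely_accepted: Optional[str] = None  # set once one alias dominates


class AliasIndex:
    """Alias lookup keyed by (source, name), so same-name collisions across sources are safe."""

    def __init__(self, records: list[ActorRecord]) -> None:
        self.records = {r.actor_id: r for r in records}
        self.by_pair: dict[tuple[str, str], str] = {}
        for r in records:
            for source, alias in r.aliases.items():
                key = (source, alias.casefold())
                if key in self.by_pair:  # one source must not reuse a name for two groups
                    raise ValueError(f"{source} already uses {alias!r}")
                self.by_pair[key] = r.actor_id

    def resolve(self, source: str, name: str) -> Optional[str]:
        """Unambiguous lookup: a name is only meaningful together with who assigned it."""
        return self.by_pair.get((source, name.casefold()))

    def candidates(self, name: str) -> list[str]:
        """Bare-name lookup may return several ids; callers must disambiguate."""
        wanted = name.casefold()
        return sorted({aid for (_, n), aid in self.by_pair.items() if n == wanted})

    def display_name(self, actor_id: str) -> str:
        """Liminal rule: widely accepted name first, valid Arachne name second, id last."""
        r = self.records[actor_id]
        if r.widely_accepted:
            return r.widely_accepted
        arachne = r.aliases.get("Arachne Digital")
        if arachne and parse_arachne_name(arachne):
            return arachne
        return actor_id


# Constructed sample data (placeholder names, not real CTAs).
SAMPLE_RECORDS = [
    ActorRecord("CTA-1", {"VendorA": "Cobalt Wolf", "VendorB": "Tin Fox"},
                widely_accepted="Cobalt Wolf"),
    ActorRecord("CTA-2", {"VendorB": "Cobalt Wolf",            # same name, different group
                          "Arachne Digital": "Garnet Changelings"}),
    ActorRecord("CTA-3", {"Arachne Digital": "Quartz Elves"}),
]


if __name__ == "__main__":
    idx = AliasIndex(SAMPLE_RECORDS)
    print(parse_arachne_name("Quartz Elves"))          # ('Quartz', 'Organised crime')
    print(idx.resolve("VendorA", "Cobalt Wolf"))       # CTA-1
    print(idx.resolve("VendorB", "Cobalt Wolf"))       # CTA-2
    print(idx.candidates("cobalt wolf"))               # ['CTA-1', 'CTA-2']
    print(idx.display_name("CTA-2"))                   # Garnet Changelings
```

The bare-name lookup returning two candidates is exactly the failure mode that reconciling aliases by name alone produces; keying on the assigning source is what makes the index safe to merge across vendors.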
Check out our roadmap for Spindle in this repository.
This repository is licensed under Creative Commons Attribution Share Alike 4.0 International.
If you have any questions about Arachne Digital's approach to naming CTAs or need further information, please reach out to us at contact[at]arachne[dot]digital.