Attacker List and Name Equivalences
Different security companies refer to (presumably) the same attacker using their own naming scheme. In this post, we list the names used by security companies for the SolarWinds hack perpetrators, along with name equivalences where applicable.
APT28
- The APT28 designation is used by FireEye 1
- Unit 26165, GRU 2
- Also known as Fancy Bear: CrowdStrike 3
APT29
- The APT29 designation is used by FireEye
- Also known as Cozy Bear: CrowdStrike 4
Sandworm
- Unit 74455, GRU 2
- FireEye appears to club Unit 74455 with Unit 26165
- Also known as Voodoo Bear: CrowdStrike 5
UNC2452
- The UNC designation is used by FireEye for as yet un-categorized (unknown) attackers 6
- Dark Halo: Volexity 7
- SolarStorm: Palo Alto Networks 8
- Stellar Particle: CrowdStrike 9,10
- NOBELIUM: Microsoft 11
- As per an White House statement 12, the SolarWinds hack was perpetrated by APT29. In other words UNC2452 is the same as APT29
Turla Group
References
-
https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-january-voodoo-bear/ ↩
-
https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html ↩
-
https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/ ↩
-
https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/ ↩
-
https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/ ↩
-
https://www.whitehouse.gov/briefing-room/statements-releases/2021/04/15/fact-sheet-imposing-costs-for-harmful-foreign-activities-by-the-russian-government/ ↩
-
https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-march-venomous-bear/ ↩