How are ATT&CK STIX object IDs determined?

I’m trying to understand some anomalies I’m seeing with ATT&CK results.

My initial assumption was that all Matices have distinct object STIX ID’s, even if the object is in more than one Matrix.

As an example, the Tactic Persistence is found in all three Matricies. For reference they are…

• x-mitre-tactic--5bc1d813-693e-4823-9961-abf9af4b0e92
  • TA0003 Enterprise
  • CTI Butler Web | One API. Much CTI.
• x-mitre-tactic--78f1d2ae-a579-44c4-8fc5-3e1775c73fac
  • TA0110 ICS
  • CTI Butler Web | One API. Much CTI.
• x-mitre-tactic--363bbeff-bb2a-4734-ac74-d6d37202fe54
  • TA0028 Mobile
  • CTI Butler Web | One API. Much CTI.

Another example, take the Technique Process Injection…

• attack-pattern--43c9bc06-715b-42db-972f-52d25c09a20c
  • T1659 Enterprise
  • CTI Butler Web | One API. Much CTI.
• attack-pattern--b7c0e45f-0206-4f75-96e7-fe7edad3aaff
  • T1631 Mobile
  • CTI Butler Web | One API. Much CTI.

BUT…

Take the group OilRig (G0049)

It has a duplicate ID in both the ICS and Enterprise Matrix as follows

• intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d
  • Enterprise
  • CTI Butler Web | One API. Much CTI.
• intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d
  • ICS
  • CTI Butler Web | One API. Much CTI.

So in some cases ids seem to persist, but in others they change.

What is the logic here?

It comes down to the type of object (as I understand it)

Take the Tactic and Technique IDs that change between each framework (Enterprise, Mobile, ICS).

Tactics and Techniques will be slightly different in their execution between mobile and enterprise infrastructure, for example (thus warrant slightly different objects to represent them).

Now take Groups, your other example. Groups are the same regardless of wether it’s targeting enterprise, mobile or ICS infrastructure.