How Does a Cyber Threat Group Get Its Name?

 By Charles Joseph | Cybersecurity Researcher
 Published on March 22nd, 2023
This post was updated on November 25th, 2023

Cyber threat groups are often named by the cybersecurity community, including researchers, companies, and government agencies, based on various characteristics, patterns, or affiliations associated with their activities.

Several methods are used for naming these groups:

Methods for Naming Threat Groups

1. Geographical Location

Some groups are named based on the country or region they are believed to operate from or target.

For example, “Lazarus Group” is a North Korean state-sponsored cyber-espionage group known for its global operations and high-profile attacks.

2. Industry or Target

Groups can be named based on the industry they primarily target or the type of organizations they attack.

For example, “FIN7” is a cybercrime group that mainly targets the financial sector and has been involved in the theft of millions of credit card numbers.

3. Thematic or Cultural References

Some groups are named after themes or cultural references that appear in their malware, communication, or other artifacts.

For example, “Cozy Bear” and “Fancy Bear” are both Russian state-sponsored cyber-espionage groups, with their names derived from the use of “bear” as a symbol for Russia.

4. Technical Characteristics

Cyber threat groups can be named based on specific technical aspects of their malware, infrastructure, or attack techniques.

For example, the “Equation Group” is a highly sophisticated cyber-espionage group believed to be linked to the U.S. National Security Agency (NSA), and its name comes from its use of complex encryption algorithms and obfuscation techniques.

5. Alphabetical or Numerical Codes

Some organizations assign alphabetical or numerical codes to threat groups to avoid biases or assumptions related to geography or cultural references.

For example, FireEye uses an alphanumeric naming system such as “APT28” (Advanced Persistent Threat 28) to refer to the Russian state-sponsored cyber-espionage group known as Fancy Bear.

The Mandiant Naming Process


The Mandiant Story

Mandiant is a cybersecurity company that specializes in incident response, threat intelligence, and cyber defense. It was founded in 2004 by Kevin Mandia, an expert in the field of cybersecurity.

In 2013, Mandiant gained significant recognition for its APT1 report, which exposed a Chinese state-sponsored cyber espionage group responsible for a series of cyber attacks against various organizations, and in 2014, it was acquired by FireEye, a leading cybersecurity firm.

Mandiant is well-known for its expertise in investigating high-profile security breaches and providing threat intelligence to help organizations defend against advanced cyber threats.

Its team of experts includes former military, law enforcement, and intelligence professionals who possess deep knowledge of advanced persistent threats (APTs) and the tactics, techniques, and procedures (TTPs) employed by cyber adversaries.

How Mandiant Identifies a Threat Group

To identify a threat group, Mandiant initially focuses on detecting tactics, techniques, and procedures (TTPs), which are behavioral activities, in order to find patterns of behavior that form clusters.

The process they follow is a dynamic one, which can be described in the following order:

| Order | Naming Convention | Description |
|-------|-------------------|-------------|
| 1 | Uncategorized Threat Group (UNC), e.g. UNC2452 | UNC determined initially using behavioral clusters. |
| 2 | TEMP.<name>, e.g. TEMP.Periscope | A candidate name is selected once further evaluation is warranted. |
| 3 | Advanced Persistent Threat (APT) or Financially Motivated Threat Group (FIN), e.g. APT1, FIN7 | Once the motivation is established, the appropriate type is selected, and a formal name is selected. |

Are There Other Names for the Term Cyber Threat Group?

Cyber threat groups are often referred to by various names, which can include Advanced Persistent Threats (APTs), nation-state actors, cyber espionage groups, hacking groups, or cybercriminal organizations.

As discussed above, these names can be based on the group’s origin, tactics, motivations, or specific campaigns they are involved in.

Here are some examples of well-known cyber threat group names:

  1. APT28 (Fancy Bear, Sofacy, Strontium, Pawn Storm)
  2. APT29 (Cozy Bear, The Dukes, Yttrium)
  3. Lazarus Group (Hidden Cobra, Guardians of Peace, Zinc)
  4. Equation Group (The Equation, EquationDrug, GrayFish)
  5. Turla Group (Waterbug, Venomous Bear, Uroburos)
  6. APT33 (Elfin, Refined Kitten, Holmium)
  7. APT34 (OilRig, Helix Kitten, Cobalt Gypsy)
  8. APT37 (Reaper, Group123, StarCruft)
  9. Sandworm Team (BlackEnergy, Voodoo Bear, TeleBots)
  10. Carbanak Group (Anunak, Cobalt, Carbon Spider)

Note that the same cyber threat group can be referred to by different names depending on the cybersecurity vendor or organization tracking them.
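
The alias list above, turned into a lookup that merges vendor names for the same group when correlating reports. This is an added example, not code from the article or from any vendor; the choice of canonical label, the function names and the sample names passed to it are assumptions.

```python
import re

# Alias rows from the list above; first name = canonical label (assumption).
GROUPS = {
    "APT28": ["Fancy Bear", "Sofacy", "Strontium", "Pawn Storm"],
    "APT29": ["Cozy Bear", "The Dukes", "Yttrium"],
    "Lazarus Group": ["Hidden Cobra", "Guardians of Peace", "Zinc"],
    "Equation Group": ["The Equation", "EquationDrug", "GrayFish"],
    "Turla Group": ["Waterbug", "Venomous Bear", "Uroburos"],
    "APT33": ["Elfin", "Refined Kitten", "Holmium"],
    "APT34": ["OilRig", "Helix Kitten", "Cobalt Gypsy"],
    "APT37": ["Reaper", "Group123", "StarCruft"],
    "Sandworm Team": ["BlackEnergy", "Voodoo Bear", "TeleBots"],
    "Carbanak Group": ["Anunak", "Cobalt", "Carbon Spider"],
}
# Designator stages from the Mandiant table earlier in the article.
STAGES = [(r"UNC\d+", "uncategorized"), (r"TEMP\.\w+", "candidate"),
          (r"APT\d+", "formal APT"), (r"FIN\d+", "formal FIN")]

def normalize(name):  # fold case; drop spaces, hyphens and underscores
    return re.sub(r"[\s_-]+", "", name).casefold()

def build_index(groups):
    """Map every normalized name to the set of canonical labels using it."""
    index = {}
    for canonical, aliases in groups.items():
        for name in (canonical, *aliases):
            index.setdefault(normalize(name), set()).add(canonical)
    return index

def mandiant_stage(name):  # naming stage of a Mandiant-style designator
    return next((stage for pattern, stage in STAGES
                 if re.fullmatch(pattern, name.strip(), re.I)), None)

def resolve(name, index):
    """Return (labels, status); status is known, ambiguous or unknown."""
    hits = sorted(index.get(normalize(name), ()))
    return hits, {0: "unknown", 1: "known"}.get(len(hits), "ambiguous")

def correlate(names, index):
    """Bucket names from different reports under one canonical label."""
    merged, unresolved = {}, []
    for name in names:
        hits, status = resolve(name, index)
        if status == "known":
            merged.setdefault(hits[0], []).append(name)
        else:  # never guess: leave unknown/ambiguous names to an analyst
            unresolved.append((name, status, mandiant_stage(name)))
    return merged, unresolved
```

A name that maps to more than one label comes back as ambiguous instead of being merged, which is the safe behavior when a malware or tool name has been reused as a group name.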

Why Can’t Cyber Threat Group Names Be Standardized?

Vendors name threat actors they track, with some using numbers and others using catchy names that create emotional connections.

While people outside the field often criticize vendors for the lack of standardization, overconfident attribution, and perceived bias, understanding the reasons for different names reveals a surprising complexity.

There are human, technical, and operational reasons for different names.

Human reasons include:

  • Researchers using a malware name as a threat actor name, sowing confusion
  • Vendors not using their competitors’ already-established research
  • Journalists’ unwillingness to issue corrections

Technical reasons include:

  • Vendors having limited, piecemeal visibility into threat actors’ activities
  • Threat actors joining forces or splitting up
  • Threat actor groups sharing toolsets or command and control (C2) infrastructure

Operational reasons include:

  • Vendors not wanting to use another vendor’s name due to possible disagreements
  • Vendors not wanting to admit another vendor’s research is more complete


As in the antivirus industry, standardizing threat actor names is challenging.

To maintain consistency and facilitate information sharing, initiatives such as the MITRE ATT&CK framework attempt to standardize the naming conventions and provide comprehensive information about each group’s tactics, techniques, and procedures (TTPs).

Until this happens, we’ll have to make do with duplicate and poorly mapped naming schemes.

"Amateurs hack systems, professionals hack people."
-- Bruce Schneier, a renowned computer security professional