Cyber threat groups are often named by the cybersecurity community, including researchers, companies, and government agencies, based on various characteristics, patterns, or affiliations associated with their activities.
Several methods are used for naming these groups:
Methods for Naming Threat Groups
1. Geographical Location
Some groups are named based on the country or region they are believed to operate from or target.
For example, “Lazarus Group” is a North Korean state-sponsored cyber-espionage group known for its global operations and high-profile attacks.
2. Industry or Target
Groups can be named based on the industry they primarily target or the type of organizations they attack.
For example, “FIN7” is a cybercrime group that mainly targets the financial sector and has been involved in the theft of millions of credit card numbers.
3. Thematic or Cultural References
Some groups are named after themes or cultural references that appear in their malware, communication, or other artifacts.
Stay One Step Ahead of Cyber Threats
For example, “Cozy Bear” and “Fancy Bear” are both Russian state-sponsored cyber-espionage groups, with their names derived from the use of “bear” as a symbol for Russia.
4. Technical Characteristics
Cyber threat groups can be named based on specific technical aspects of their malware, infrastructure, or attack techniques.
For example, the “Equation Group” is a highly sophisticated cyber-espionage group believed to be linked to the U.S. National Security Agency (NSA), and its name comes from its use of complex encryption algorithms and obfuscation techniques.
5. Alphabetical or Numerical Codes
Some organizations assign alphabetical or numerical codes to threat groups to avoid biases or assumptions related to geography or cultural references.
For example, FireEye uses an alphanumeric naming system such as “APT28” (Advanced Persistent Threat 28) to refer to the Russian state-sponsored cyber-espionage group known as Fancy Bear.
The Mandiant Naming Process
The Mandiant Story
Mandiant is a cybersecurity company that specializes in incident response, threat intelligence, and cyber defense. It was founded in 2004 by Kevin Mandia, an expert in the field of cybersecurity.
In 2013, Mandiant gained significant recognition for its APT1 report, which exposed a Chinese state-sponsored cyber espionage group responsible for a series of cyber attacks against various organizations, and in 2014, it was acquired by FireEye, a leading cybersecurity firm.
Mandiant is well-known for its expertise in investigating high-profile security breaches and providing threat intelligence to help organizations defend against advanced cyber threats.
Its team of experts includes former military, law enforcement, and intelligence professionals who possess deep knowledge of advanced persistent threats (APTs) and the tactics, techniques, and procedures (TTPs) employed by cyber adversaries.
How Mandiant Identifies a Threat Group
To identify a threat group, Mandiant initially focuses on detecting tactics, techniques, and procedures (TTPs), which are behavioral activities, in order to find patterns of behavior that form clusters.
The process they follow is a dynamic one, which can be described in the following order:
|1||Uncategorized Threat Group (UNC), e.g. UNC2452||UNC determined initially using behavioral clusters.|
|2||TEMP.<name>, e.g. TEMP.Periscope||A candidate-name is selected once further evaluation is warranted.|
|3||Advanced Persistent Threat (APT) or Financially Motivated Threat Group (FIN), e.g. APT1, FIN7||Once the motivation is established, the appropriate type is selected, and a formal name is selected.|
Are There Other Names for the Term Cyber Threat Group?
Cyber threat groups are often referred to by various names, which can include Advanced Persistent Threats (APTs), nation-state actors, cyber espionage groups, hacking groups, or cybercriminal organizations.
As discussed above, these names can be based on the group’s origin, tactics, motivations, or specific campaigns they are involved in.
Here are some examples of well-known cyber threat group names:
- APT28 (Fancy Bear, Sofacy, Strontium, Pawn Storm)
- APT29 (Cozy Bear, The Dukes, Yttrium)
- Lazarus Group (Hidden Cobra, Guardians of Peace, Zinc)
- Equation Group (The Equation, EquationDrug, GrayFish)
- Turla Group (Waterbug, Venomous Bear, Uroburos)
- APT33 (Elfin, Refined Kitten, Holmium)
- APT34 (OilRig, Helix Kitten, Cobalt Gypsy)
- APT37 (Reaper, Group123, StarCruft)
- Sandworm Team (BlackEnergy, Voodoo Bear, TeleBots)
- Carbanak Group (Anunak, Cobalt, Carbon Spider)
Note that the same cyber threat group can be referred to by different names depending on the cybersecurity vendor or organization tracking them.
Why Can’t Cyber Threat Group Names Be Standardized?
Vendors name threat actors they track, with some using numbers and others using catchy names that create emotional connections.
While people outside the field often criticize vendors for the lack of standardization, overconfident attribution, and perceived bias, understanding the reasons for different names reveals a surprising complexity.
There are human, technical, and operational reasons for different names.
Human reasons include:
- Researchers using a malware name as a threat actor name, sowing confusion
- Vendors don’t use their competitor’s already-established research
- Journalists’ unwillingness to issue corrections
Technical reasons include:
- Vendors having a limited, piece-meal visibility into threat actors’ activities
- Threat actors joining forces or splitting up
- Threat actor groups sharing toolsets or command and control (C2) infrastructure
Operational reasons include:
- Vendors not wanting to use another vendor’s name due to possible disagreements
- Vendors not wanting to admit another vendor’s research is more complete
Standardizing threat actor names is challenging, similar to the antivirus industry.
To maintain consistency and facilitate information sharing, initiatives, such as the MITRE ATT&CK framework, attempt to standardize the naming conventions and provide comprehensive information about each group’s tactics, techniques, and procedures (TTPs).
Until this happens, we’ll have to make do with duplicate and poorly mapped naming schemes.
What Are Threat Actors? (Video)
"Amateurs hack systems, professionals hack people."
-- Bruce Schneier, a renown computer security professional