Threat actor naming conventions: a big mess!
How adversary attribution should be done is a controversial topic in the cyber threat intelligence community, because there is no standardized way of doing it, starting with how threat actors are named.
Each security company has its own telemetry, data, standards, procedures and confidence levels, which is the main reason most CTI teams use their own naming scheme.
Here are some examples where the classification method is officially known:
CrowdStrike
Uses a nickname plus an animal, with each animal assigned to a specific country or category:
| Name | Nation-state or Category |
|---|---|
| BEAR | RUSSIA |
| BUFFALO | VIETNAM |
| CHOLLIMA | DPRK (NORTH KOREA) |
| CRANE | ROK (REPUBLIC OF KOREA) |
| JACKAL | HACKTIVIST |
| KITTEN | IRAN |
| LEOPARD | PAKISTAN |
| LYNX | GEORGIA |
| OCELOT | COLOMBIA |
| PANDA | PEOPLE’S REPUBLIC OF CHINA |
| SPIDER | ECRIME |
| TIGER | INDIA |
| WOLF | TURKEY |
Examples
Mandiant
Uses numbered APT, FIN and UNC groups. To identify a threat group, Mandiant first looks at tactics, techniques and procedures (TTPs), i.e. behavioral activity, in order to find patterns of behavior that form clusters.
The process is a dynamic one and runs in the following order:
| Order | Name | Description |
|---|---|---|
| 1 | Uncategorized Threat Group (UNC) | UNC determined initially using behavioral clusters |
| 2 | TEMP.[name] | A candidate name is selected once further evaluation is warranted |
| 3 | Advanced Persistent Threat (APT) or Financially Motivated Threat Group (FIN) | Once the motivation is established, the appropriate type is chosen and a formal name is assigned |
Examples
Recorded Future
Uses a color plus a word from the phonetic alphabet:
| Color | Nation-state or Category |
|---|---|
| RED | PEOPLE’S REPUBLIC OF CHINA |
| GREEN | IRAN |
| PURPLE | NORTH KOREA |
| BLUE | RUSSIA |
| GRAY | CYBERCRIME |
Examples
Microsoft
According to a recent taxonomy update, threat actor groups will be named after weather events. A weather event or “family name” represents either a nation-state attribution (e.g., Typhoon indicates origin in or attribution to China) or a motivation (e.g., Tempest indicates financially motivated actors).
| Name | Nation-state or Category |
|---|---|
| Typhoon | PEOPLE’S REPUBLIC OF CHINA |
| Sandstorm | Iran |
| Rain | Lebanon |
| Sleet | North Korea |
| Blizzard | Russia |
| Hail | South Korea |
| Dust | Turkey |
| Cyclone | Vietnam |
| Tempest | Financially motivated |
| Tsunami | PSOAs |
| Flood | Influence operations |
| Storm | Groups in development |
Examples
Secureworks
Uses a chemical element plus a nickname:
| Element | Nation-state or Category |
|---|---|
| BRONZE | PEOPLE’S REPUBLIC OF CHINA |
| ZINC | INDIA |
| COBALT | IRAN |
| NICKEL | NORTH KOREA |
| TUNGSTEN | SOUTH KOREA |
| COPPER | PAKISTAN |
| ALUMINUM | PALESTINE |
| IRON | RUSSIA |
| PLATINUM | UNITED STATES |
| TIN | VIETNAM |
| GOLD | CYBERCRIME |
Examples
IBM
Uses numbered ITG or Hive groups. ITG stands for IBM Threat Group and is used for both nation-state and cybercriminal actors: IBM tracks and names threat groups numerically, as ITG followed by an assigned number. For threat groups still in the research phase, IBM uses the designation Hive.
Examples
Proofpoint
Uses numbered TA groups, where TA simply stands for Threat Actor.
Examples
Symantec
Uses insect species as names.
Examples
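The practical problem all of these schemes create is reconciling a name from one vendor's report with the country or category it encodes. As an added example (not code from any of the vendors above), the classifier below recognizes a vendor's scheme from the shape of the name and returns the attribution from that vendor's table, using only the mappings transcribed from this page. The sample names at the bottom are constructed placeholders, not real tracked groups, and Symantec's insect names are not handled because the page does not list them.

```python
"""Infer the naming scheme and attribution encoded in a threat-actor name.

Added example. Lookup tables are transcribed from the vendor tables on the
page; sample names used for the demo are constructed placeholders.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# CrowdStrike: nickname + animal, animal encodes the country/category (suffix).
CROWDSTRIKE_ANIMALS: Dict[str, str] = {
    "BEAR": "Russia", "BUFFALO": "Vietnam", "CHOLLIMA": "DPRK (North Korea)",
    "CRANE": "ROK (Republic of Korea)", "JACKAL": "Hacktivist", "KITTEN": "Iran",
    "LEOPARD": "Pakistan", "LYNX": "Georgia", "OCELOT": "Colombia",
    "PANDA": "People's Republic of China", "SPIDER": "eCrime", "TIGER": "India",
    "WOLF": "Turkey",
}
# Recorded Future: color + phonetic-alphabet word (prefix).
RECORDED_FUTURE_COLORS: Dict[str, str] = {
    "RED": "People's Republic of China", "GREEN": "Iran", "PURPLE": "North Korea",
    "BLUE": "Russia", "GRAY": "Cybercrime",
}
# Microsoft: weather "family name" (suffix; Storm-<number> for groups in development).
MICROSOFT_WEATHER: Dict[str, str] = {
    "TYPHOON": "People's Republic of China", "SANDSTORM": "Iran", "RAIN": "Lebanon",
    "SLEET": "North Korea", "BLIZZARD": "Russia", "HAIL": "South Korea",
    "DUST": "Turkey", "CYCLONE": "Vietnam", "TEMPEST": "Financially motivated",
    "TSUNAMI": "PSOAs", "FLOOD": "Influence operations", "STORM": "Groups in development",
}
# Secureworks: chemical element + nickname (prefix).
SECUREWORKS_ELEMENTS: Dict[str, str] = {
    "BRONZE": "People's Republic of China", "ZINC": "India", "COBALT": "Iran",
    "NICKEL": "North Korea", "TUNGSTEN": "South Korea", "COPPER": "Pakistan",
    "ALUMINUM": "Palestine", "IRON": "Russia", "PLATINUM": "United States",
    "TIN": "Vietnam", "GOLD": "Cybercrime",
}
# Mandiant: the prefix encodes maturity/motivation rather than a country.
MANDIANT_TYPES: Dict[str, str] = {
    "UNC": "Uncategorized (behavioral cluster)",
    "TEMP": "Candidate name, evaluation pending",
    "APT": "Advanced Persistent Threat",
    "FIN": "Financially motivated",
}


@dataclass(frozen=True)
class Classification:
    vendor: str
    scheme: str                  # the token that carries the meaning (e.g. "BEAR", "APT")
    attribution: Optional[str]   # None when the scheme encodes no country/category


def classify(name: str) -> Optional[Classification]:
    """Return the vendor scheme and attribution for a name, or None if unrecognized."""
    n = name.strip()

    # Purely numbered schemes are checked first; they are unambiguous.
    m = re.fullmatch(r"(APT|FIN|UNC)\d+", n, re.IGNORECASE)
    if m:
        key = m.group(1).upper()
        return Classification("Mandiant", key, MANDIANT_TYPES[key])
    if re.fullmatch(r"TEMP\.\w+", n, re.IGNORECASE):
        return Classification("Mandiant", "TEMP", MANDIANT_TYPES["TEMP"])
    if re.fullmatch(r"TA\d+", n, re.IGNORECASE):
        return Classification("Proofpoint", "TA", None)  # TA encodes no attribution
    m = re.fullmatch(r"(ITG|Hive)\d+", n, re.IGNORECASE)
    if m:
        key = m.group(1).upper()
        return Classification("IBM", key, "Research phase" if key == "HIVE" else None)

    # Word-based schemes: split on whitespace or hyphen and inspect the ends.
    words = re.split(r"[\s\-]+", n)
    if len(words) >= 2:
        first, last = words[0].upper(), words[-1].upper()
        if last in CROWDSTRIKE_ANIMALS:
            return Classification("CrowdStrike", last, CROWDSTRIKE_ANIMALS[last])
        weather = "STORM" if first == "STORM" and last.isdigit() else last
        if weather in MICROSOFT_WEATHER:
            return Classification("Microsoft", weather, MICROSOFT_WEATHER[weather])
        if first in SECUREWORKS_ELEMENTS:
            return Classification("Secureworks", first, SECUREWORKS_ELEMENTS[first])

    # Recorded Future names are usually written CamelCase ("RedAlpha"); allow a space too.
    m = re.fullmatch(r"(Red|Green|Purple|Blue|Gray)\s?([A-Z][A-Za-z]+)", n)
    if m:
        color = m.group(1).upper()
        return Classification("Recorded Future", color, RECORDED_FUTURE_COLORS[color])
    return None


if __name__ == "__main__":
    # Constructed placeholder names, one per scheme; none is a real tracked group.
    for sample in ["SAMPLE BEAR", "APT99", "TEMP.Sample", "TA9999", "ITG99",
                   "Sample Blizzard", "Storm-9999", "BRONZE SAMPLE", "RedSample",
                   "Unknown Thing"]:
        print(f"{sample:16} -> {classify(sample)}")
```

Because the classifier only reads the shape of a name, it tells you what a vendor's label *claims* (Russia, eCrime, "groups in development"), not whether two vendors' clusters are actually the same actor; that merging step still needs the overlap analysis the rest of the page is about.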
Personally, I can only agree with researchers who simply believe that the practice of naming fictitious “groups” based on overlapping infrastructure, tools or TTPs is outdated, and that organisations should focus more on assessing the adequacy of their defences against the threat.