Cyber attribution (also known as attack attribution) is the process of identifying who is responsible for a cyberattack or other cybercrime-related activity, such as hosting a dark web marketplace. It is often very difficult or impossible to determine the identity, or sometimes even the location, of the specific individuals involved, because the Internet offers many ways to anonymize one's activity.
For example, cybercriminals may route their activity through the Tor network, custom VPNs or proxy servers, or bulletproof hosting services, and can even hide their malware on the blockchain. They may leverage stolen infrastructure, operate within nations that refuse to cooperate with international authorities on cybercrime investigations, communicate on the dark web, or use other covert methods to conceal their true identities. Cybersecurity professionals nevertheless need to assign labels to unknown hackers in order to track their activity, determine their motives, and understand their affiliations and origin (e.g., nation-state backing).
At the Black Hat cybersecurity conference in August 2024, CISA Director Jen Easterly criticized the practice of assigning dramatic names to hacking groups, suggesting that the practice inadvertently glamorizes cyber crime. Others in the cybersecurity community agree. The sheer volume of threat actor names that security researchers encounter is staggering.
Is this simply an inevitable reflection of a situation that is out of control? In this article we will delve into how threat actors are named and some of the conventions used in the cybersecurity industry.
When a credible cybersecurity report warns that a particular threat actor is increasing their activity, cyber defenders have the opportunity to adjust their defences and verify their effectiveness through security testing. This may include reading research from multiple sources, developing a schematic of the threat actor's tactics, techniques, and procedures (TTPs), and conducting targeted Objective-based Penetration Testing campaigns, Red Team assessments, or Purple Team exercises to bolster detection capabilities.
A comprehensive defensive posture requires consolidating all available information about an active threat. However, knowing all the pseudonyms a threat actor is referenced by is often infeasible because there is no standardized naming convention for threat actors. Compare this with malware, where the Computer Antivirus Research Organization (CARO) naming scheme is still in use by Microsoft and Trend Micro, among others, or with software vulnerability tracking, which benefits from the standardized CVE identifier.
The lack of a standardized naming scheme for threat actors is problematic because we don't necessarily care what the attacker's nickname is; we care what type of attacks have been attributed to them. That knowledge allows defenders to target and test specific security controls, especially when a threat actor's activity is on the rise.
When a group of hackers is determined to operate as a cohesive unit (typically based on observed patterns of behavior, infrastructure, tools, techniques, and objectives) and is believed to be backed by a nation-state, it is often labeled as an Advanced Persistent Threat (APT) group.
The designation of a new APT number (such as APT43) is typically done by major cybersecurity firms or intelligence agencies. These entities conduct detailed investigations to uncover evidence that links a set of operations to a specific group, often assigning an APT number and possibly a nickname to make tracking and communication easier. Also, in some cases the first letter of the country of origin is appended to the APT prefix, such as "APT-C" to denote Chinese state-backed threat actors. APT-R refers to Russian threat actors, APT-I to Iranian threat actors, and APT-K to North Korean threat actors.
Cyber threat intelligence (CTI) vendors employ a variety of naming conventions to identify and categorize threat actors. These conventions serve different purposes, such as distinguishing groups based on their behavior, origin, or motivations, and often reflect the methodologies and policies of the vendor. However, they can sometimes lead to confusion, as the same threat actor may have multiple names across the CTI community.
Here are some vendor-specific conventions:
The MITRE ATT&CK Group repository uses the prefix G[XXX] (e.g., G1002) and also tracks some pseudonyms (nicknames) assigned to the group.
Mandiant uses UNC[XXXX] (e.g., UNC1878) to label clusters of unidentified threat activity. "UNC" stands for "Uncategorized", signifying that the group or activity is not yet fully attributed or categorized. Mandiant has also used TEMP.[X] (e.g., TEMP.Periscope) for groups with unclear motivations.
Recorded Future uses TAG-[XX] (e.g., TAG-53) for temporary attribution of threat clusters.
Microsoft previously used DEV-[XXXX] (e.g., DEV-0537) to track and identify emerging threat actors. Their new convention applies a weather-themed taxonomy to classify threat actors, and also assigns family names to denote their origin or motivation. For example, "Typhoon" refers to nation-state actors from China, while "Tempest" indicates financially motivated groups. Adjectives like "Velvet" or "Storm" further distinguish groups within the same family based on tactics, techniques, and procedures (TTPs).
Trend Micro labels groups as Void [X] (e.g., Void Manticore) when their motivations are unconfirmed or mixed.
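To make the consolidation problem concrete, here is an added example (not code from the article or from any of the vendors named) that recognizes identifiers by the conventions listed above and merges "also known as" lists from several reports into alias clusters; the pattern labels and the sample alias lists are constructed for illustration and are not real attribution.

```python
import re
from collections import defaultdict
# Identifier patterns taken from the vendor conventions described above;
# names are upper-cased before matching.
PATTERNS = [
    (r"G\d{4}", "MITRE ATT&CK group ID"),
    (r"UNC\d+", "Mandiant uncategorized cluster"),
    (r"TEMP\.\w+", "Mandiant unclear-motivation cluster"),
    (r"TAG-\d+", "Recorded Future temporary attribution"),
    (r"APT-[CRIK](-\d+)?", "APT with country-of-origin suffix"),
    (r"APT\d+", "numbered APT group"),
    (r"\w+ TYPHOON", "Microsoft family: China nation-state"),
    (r"\w+ TEMPEST", "Microsoft family: financially motivated"),
]

def classify(name):
    """Return the naming convention an identifier follows, or None."""
    n = name.strip().upper()
    for pattern, label in PATTERNS:
        if re.fullmatch(pattern, n):
            return label
    return None

def merge_aliases(reports):
    """Merge 'also known as' name sets from several reports into clusters.
    Names sharing any report end up together (union-find); case-insensitive."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for names in reports:
        names = [n.strip().lower() for n in names]
        root = find(names[0])
        for n in names[1:]:
            parent[find(n)] = root
    clusters = defaultdict(set)
    for n in parent:
        clusters[find(n)].add(n)
    return [sorted(c) for c in clusters.values()]

# Constructed sample alias lists for illustration, not real attribution.
SAMPLE_REPORTS = [
    {"G1002", "Example Panda"},
    {"Example Panda", "TAG-53"},
    {"UNC1878", "Example Tempest"},
    {"TEMP.Periscope"},
]
```

Feeding each new vendor report's alias list into `merge_aliases` lets a defender see at once which previously separate names collapse into a single cluster, which is the information needed to pick the right TTPs to test.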
Some CTI vendors link threat actors to specific nation-states using unique thematic conventions:
China: Panda (CrowdStrike), Taurus (Palo Alto Networks)
Russia: Bear (CrowdStrike), Ursa (Palo Alto Networks)
North Korea: Chollima (CrowdStrike), Pisces (Palo Alto Networks)
Iran: Kitten (CrowdStrike), Serpens (Palo Alto Networks), COBALT (SecureWorks)
Turkey: Wolf (CrowdStrike)
Pakistan: Leopard (CrowdStrike), Draco (Palo Alto Networks)
Threat actors are also named based on their goals and methods:
Espionage: Earth (Trend Micro)
Financial crime: FIN (Mandiant), Spider (CrowdStrike), GOLD (SecureWorks)
Destruction: Fire (Trend Micro)
Hacktivism: Wind (Trend Micro), Jackal (CrowdStrike)
Some vendors, like Palo Alto Networks, categorize groups by attack type, such as Orion for business email compromise or Scorpius for ransomware. Sometimes artifacts from the malware or ransom note discovered during a forensic investigation are used to name the associated threat actor or campaign.
For example, a unique phrase, filename, or cryptographic signature left behind by the malware could inspire the naming. Similarly, campaign names may derive from recurring patterns or identifiers observed across multiple incidents, such as email headers, domains, or tools used in the attacks.
Certain cybercriminal groups name themselves, leveraging branding for operational or intimidation purposes. Security vendors often adopt these self-coined names in their analysis, contributing to their widespread recognition.
Here are a few notable threat actors who named themselves, often as part of their branding strategy or to assert their presence in the cybercriminal ecosystem:
LAPSUS$: A hacking group known for high-profile extortion campaigns and data breaches.
Conti: A ransomware group known for its self-branded ransomware and public extortion site.
REvil (Ransomware Evil): A ransomware-as-a-service (RaaS) operation that named itself to reflect its malicious activities.
LockBit: A ransomware group that self-identifies through its malware and operations to promote its RaaS offerings.
Black Basta: A ransomware operation branding itself for recognition and marketing in the cybercriminal underworld.
Malpedia has perhaps the most extensive list of threat actors. The list includes many alternative names, is easily searchable, and includes the associated malware strains used by each group.
The APTMAP tool is an interesting resource providing a global visualization of threat actors.
CISA tracks APT threat actors by the government that supports them.
Google provides basic descriptions for APT 1-39 and a more comprehensive spreadsheet of threat actors.
Rapid7 has an extensive list of APT groups which includes alternative names.
SecureWorks tracks over 150 threat actors and active threats.
The sheer volume of threat actor names stems from the diverse naming conventions used by different CTI vendors, geopolitical influences, and the imperfect nature of threat attribution. Names can reflect a group's origin, motivations, tactics, or even artifacts left behind in attacks.
While this abundance can seem overwhelming, tools are available to help track the alternative names associated with a group. Armed with this knowledge, you can more quickly identify a threat actor's traits by understanding what's in a name.
© 2024 Packetlabs. All rights reserved.