What’s in a Name? Understanding Threat Actor Naming Conventions
On March 28, 2023, Google-owned firm Mandiant revealed that a new North Korean threat group, APT43, was conducting cyber espionage on behalf of the Kim Jong-un regime and funding its operations with stolen cryptocurrency.
While APT43’s link with the North Korean government was confirmed for the first time in the Mandiant report, the threat actor was already known by threat analysts under other names, such as Thallium, Kimsuky, Velvet Chollima, Black Banshee and STOLEN PENCIL.
This confusion comes down to each cyber threat intelligence (CTI) vendor operating its own attribution process for cyber-attacks – something we recently investigated on Infosecurity Magazine. Here are some keys to understanding the patterns threat analysts use and to untangling what the most common threat group names refer to.
The most prominent threat group name is the Advanced Persistent Threat (APT). It is used across the whole CTI community, including by US non-profit organization MITRE, which provides a standardized framework for tactics, techniques and procedures (TTPs). APT groups are clusters of sophisticated threat actors sponsored by, or acting on behalf of, a government.
With geopolitical rather than financial motivations, APT groups typically operate cyber espionage campaigns and destructive cyber-attacks.
Once a threat actor has been confirmed to be a coherent group of hackers backed by a nation-state, the threat analysts leading the attribution allocate it a new APT number – the latest being APT43.
The first APT group, APT1, was identified by Mandiant in a 2013 paper about China’s espionage group PLA Unit 61398.
“It marked the birth of commercial cyber threat intelligence,” Jamie Collier, an EMEA senior threat intelligence advisor at Mandiant, told Infosecurity.
Other ‘sober’ naming conventions exist, consisting of codenames and numbers only. For example, APT-C groups are Chinese cybersecurity vendor 360 Security Technology’s equivalent to APT groups. APT-C numbers are sometimes used by other vendors.
Others, like MITRE’s G[XXXX] (e.g. G1002) or SecureWorks’ legacy TG-[XXXX] (e.g. TG-3279), are mere identification numbers, and the names do not reveal anything about the threat actor.
“We use a sober, or even dull, naming convention because we don’t want to glamorise those groups,” Collier added.
Work In Progress Threat Clusters
Since cyber attribution is a long, laborious process during which things can quickly evolve on the threat side, several vendors use temporary codenames that allow them to publish their analyses of a given cluster of intrusion activity without fully disclosing who is behind the incidents.
Mandiant is one of these, using UNC[XXXX] (e.g. UNC1878) to identify clusters of threat activity, and TEMP.[X] (e.g. TEMP.Periscope) when it can trace it back to a coherent threat group but cannot yet claim its motivations with high confidence.
Recorded Future’s Insikt Group and Microsoft respectively use TAG-[XX] (e.g. TAG-53) and DEV-[XXXX] (e.g. DEV-0537) in a similar fashion.
Trend Micro uses Void [X] for threat groups whose motivations are unconfirmed or mixed.
Cyber attribution is not only a technical process, but also one deeply entangled in geopolitics. The CTI community is divided between vendors who refuse to link threat actors to specific nation-states and those who engage in a name-and-shame strategy.
In the former group, Trend Micro’s corporate policy, for example, is very clear: its threat analysts must never attribute a cyber-attack to a specific country.
“We believe that it’s not our mission to point the finger. Our mission is to defend against threats and not to interfere with politics,” Feike Hacquebord, a senior threat researcher at Trend Micro, told Infosecurity.
In the latter group, many vendors use their own naming conventions – in very creative ways – to refer to nation-sponsored hackers, along with APT groups.
Here’s a list of some of these:
- China: [X] Panda (CrowdStrike), [X] Taurus (Palo Alto Networks), BRONZE [X] (SecureWorks)
- Iran: [X] Kitten (CrowdStrike), [X] Serpens (Palo Alto Networks), COBALT [X] (SecureWorks)
- India: [X] Tiger (CrowdStrike), [X] Gemini (Palo Alto Networks), ZINC [X] (SecureWorks)
- North Korea: [X] Chollima (CrowdStrike), [X] Pisces (Palo Alto Networks)
- Pakistan: [X] Leopard (CrowdStrike), [X] Draco (Palo Alto Networks)
- Russia: [X] Bear (CrowdStrike), [X] Ursa (Palo Alto Networks), IRON [X] (SecureWorks)
- South Korea: [X] Crane (CrowdStrike)
- Turkey: [X] Wolf (CrowdStrike)
- Syria: [X] Hawk (CrowdStrike)
- Vietnam: [X] Buffalo (CrowdStrike)
Other vendors, or sometimes the same ones, use naming conventions to refer to the threat groups’ motivations.
Here’s a list of the most common ones:
- Espionage groups: Earth [X] (Trend Micro)
- Financially-motivated groups: Water [X] (Trend Micro), [X] Spider (CrowdStrike), [X] Libra (Palo Alto Networks), GOLD [X] (SecureWorks), FIN[XX] (Mandiant)
- Destruction seekers: Fire [X] (Trend Micro)
- Hacktivists: Wind [X] (Trend Micro), [X] Virgo (Palo Alto Networks), [X] Jackal (CrowdStrike)
Palo Alto Networks also uses names to refer to the type of attacks threat groups typically deploy, such as [X] Orion for groups prone to launching business email compromise attacks and [X] Scorpius for ransomware groups.
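As an added example (not code from the article or from any of the vendors named), the following Python decodes what the conventions listed above reveal about a name and flags an alias merge in which two vendors' names imply different countries. The APT43 alias list is the one the article gives; the helper names and the other sample names are constructed.

```python
"""Decode what a threat-actor name reveals under the vendor conventions listed above and
check that a set of supposed aliases agrees on origin. Added example, not from the article;
the helper names and the alias lists used for testing are constructed for illustration."""
import re

def _table(vendor, spec):
    """Build {word: (vendor, meaning)} from a compact 'Word=meaning;Word=meaning' string."""
    return {w: (vendor, m) for w, m in (item.split("=") for item in spec.split(";"))}

# Second word encodes the suspected country or the motivation (CrowdStrike, Palo Alto Networks).
SUFFIX = {**_table("CrowdStrike", "Panda=China;Kitten=Iran;Tiger=India;Chollima=North Korea;"
                   "Leopard=Pakistan;Bear=Russia;Crane=South Korea;Wolf=Turkey;Hawk=Syria;"
                   "Buffalo=Vietnam;Spider=financial;Jackal=hacktivist"),
          **_table("Palo Alto Networks", "Taurus=China;Serpens=Iran;Gemini=India;Pisces=North Korea;"
                   "Draco=Pakistan;Ursa=Russia;Libra=financial;Virgo=hacktivist;"
                   "Orion=BEC;Scorpius=ransomware")}
# First word encodes country or motivation (SecureWorks) or motivation only (Trend Micro).
PREFIX = {**_table("SecureWorks", "BRONZE=China;COBALT=Iran;ZINC=India;IRON=Russia;GOLD=financial"),
          **_table("Trend Micro", "Earth=espionage;Water=financial;Fire=destructive;"
                   "Wind=hacktivist;Void=unconfirmed/mixed")}
# Codename-plus-number schemes: the number itself reveals nothing about the actor.
NUMBERED = [(r"APT-C-\d+", "360 Security Technology", "state-sponsored"),
            (r"APT\d+", "Mandiant", "state-sponsored"), (r"FIN\d+", "Mandiant", "financial"),
            (r"UNC\d+", "Mandiant", "uncategorised cluster"),
            (r"TEMP\.\w+", "Mandiant", "group, motivation unconfirmed"),
            (r"TAG-\d+", "Recorded Future", "temporary cluster"),
            (r"DEV-\d+", "Microsoft", "temporary cluster"),
            (r"G\d{4}", "MITRE", "identifier only"), (r"TG-\d{4}", "SecureWorks (legacy)", "identifier only")]
COUNTRIES = {"China", "Iran", "India", "North Korea", "Pakistan", "Russia",
             "South Korea", "Turkey", "Syria", "Vietnam"}

def decode(name):
    """Return (vendor, what the name encodes), or None for self-claimed or opaque names."""
    for pattern, vendor, meaning in NUMBERED:
        if re.fullmatch(pattern, name):
            return vendor, meaning
    words = name.split()
    if len(words) == 2 and words[1] in SUFFIX:
        return SUFFIX[words[1]]
    if len(words) == 2 and words[0] in PREFIX:
        return PREFIX[words[0]]
    return None

def check_aliases(names):
    """Decode every alias; the merge is consistent when at most one country is implied."""
    decoded = {n: decode(n) for n in names}
    origins = {d[1] for d in decoded.values() if d and d[1] in COUNTRIES}
    return decoded, origins, len(origins) <= 1
```

Self-claimed names such as STOLEN PENCIL and opaque element or fish names decode to None, which is exactly why alias tracking across vendors is needed.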
Using Self-Claimed Names
Many vendors have also invented their own galaxy of names, which usually give away nothing about the threat groups’ origins or motivations, such as Microsoft’s and Dragos’ element-based names, Accenture iDefense’s fish names, or Broadcom’s Symantec naming convention, which refers to the vulnerabilities a group exploits.
Finally, for several big cybercriminal groups, naming themselves is a powerful tool in the branding strategy they adopt as part of their business model. Cybersecurity vendors often reuse these names when they first encounter an attack from such a group.
Also, bear in mind that some threat analysts tend to use a name coined by a competitor when the latter’s forensics work is already recognized in the community.