Adversary group naming
(also cyber threat actor naming, threat actor naming)
Adversary group naming definition
In cybersecurity, adversary group naming is the practice of assigning specific names (or labels) to organized groups of cybercriminals or malicious hackers. By giving these groups names, cybersecurity professionals, researchers, and law enforcement agencies can more effectively share information and communicate about threats.
How adversary group naming works
Cybersecurity experts first use a combination of technical indicators, behavioral patterns, and other intelligence sources to attribute observed malicious activity to discrete adversary groups.
Once the experts are sure that a single adversary group is behind certain attacks, it is usually given a name following common naming conventions — for example, using alphanumeric codes, combining the names of famous malware or elements related to the attack, or using references (such as including “bear” in the name if the group has ties to Russia).
There can be disputes and controversies surrounding the naming of certain groups — different cybersecurity experts might give different names to the same threat actor based on their analysis and intelligence sources.
Examples of adversary group names
- SandWorm: A state-sponsored advanced persistent threat (APT) group believed to be associated with Russia and linked to the cyberattack against Ukraine’s power grid in 2015.
- DarkHotel: A sophisticated cyber espionage group that targets high-profile individuals (such as government officials and business executives) using hotel Wi-Fi networks.
- Cozy Bear: Another APT group believed to have ties with Russia. Their activities target government entities, defense contractors, and research organizations.
- Lazarus Group: A notorious state-sponsored cybercrime group associated with North Korea; it was behind the infamous WannaCry ransomware attack in 2017.