When it comes to battling online attackers, if you can’t name them, you can’t shame them. In the digital world, hackers don’t just lurk in the shadows—they get branded, catalogued, and sometimes even rebranded thanks to an impressive parade of code names. How did a single vendor end up minting 2,800 new labels for unattributed threat clusters in just one year? Buckle up for a wild ride through the jungle of hacker aliases and the tangled logic behind them.
Why All the Names? The Art and Science of Cyber Aliases
- For around 20 years, coining catchy names for attacker groups has been a pillar of cybersecurity culture.
- Labeling isn’t only about showmanship. It’s about making sense of chaos and distinguishing targeted, organized APT (Advanced Persistent Threat) groups from the everyday automated attacks polluting the internet.
- As Cédric Pernet of Trend Micro explains, even in the early days, researchers began giving these groups operation-style names, sometimes lifted from a single string found in the malware itself (see the infamous 2010 “Aurora” operation, christened after a directory name embedded in the malware used in a high-profile attack on Google).
But the need to name goes even further back. Take 1999’s Moonlight Maze, an early cyberespionage campaign targeting the U.S. government. While the naming game isn’t new, the last decade has seen an explosion, with cybersecurity firms establishing formal naming conventions for everything from groups to malware tools.
The Endless Naming Convention Buffet
- Security divisions at Microsoft opt for chemical elements (Nobelium, Zirconium).
- CrowdStrike likes animal themes with adjectives (Fancy Bear, Wicked Panda).
- Trend Micro leans into an element prefix plus a mythological creature (Earth Berberoka).
- Mandiant? More reserved: APT followed by a number for state-backed espionage actors, FIN for financially motivated crooks, and a wild bunch of “UNC” (Uncategorized) labels for activity clusters not yet tied to a known group—2,800 new ones in 2021 alone!
Mandiant’s method may sound clinical, but it’s all about rules: espionage gets the “APT” badge, financially minded criminals wear “FIN.” Anything else? Bung it under UNC until it’s proven otherwise. Sometimes a UNC cluster is later merged into an established group once the evidence supports it; sometimes it remains a mysterious, unclassified outlier. Either way, the decision is made collectively in the organization, not on a whim.
Too Many Names, Not Enough Clarity: Confusion in the Cyber Wild West
If your head is spinning with all these labels, you’re not alone. Clients and researchers struggle to keep up. Take APT28. Mandiant calls them APT28, CrowdStrike brands them Fancy Bear, Kaspersky likes Sofacy. All describe the same group, just with a different flair.
Some vigilant souls on the internet attempt to maintain Excel sheets mapping every name to each group, a demanding but necessary task. Many cybersecurity firms and CERTs now provide reference tables of these naming equivalences on their platforms to help everyone catch their breath.
You might wonder, can’t the industry just standardize like it did with CVEs for vulnerabilities? No dice. As William Turner of Equinix and Curated Intelligence explains, each company’s data and analysis standards differ, making unified naming for threat actors unworkable. The “six blind men and an elephant” fable fits perfectly: we each see a bit, draw our own conclusions, and end up with a menagerie of names for the very same digital beast.
- Reusing another company’s name can imply that its research is the authoritative one, causing awkward academic politics and sometimes outright disputes over who defines what.
As Florian Roth points out, these naming tangles aren’t just technical but political and personal, too. Add a splash of corporate marketing, and things really get interesting: CrowdStrike’s Adversary Universe literally gives graphic-novel style villain makeovers to these groups. The line between technical clarity and glitzy branding can get fuzzy fast.
Hackers Market Themselves, Too: The Ransomware-as-a-Service Era
If you thought naming was just a job for threat researchers, surprise! Since the rise of Ransomware-as-a-Service (RaaS), cybercriminals now market themselves, picking names with recruitment and negotiation in mind. A name helps ransom haggling and draws in affiliates to hack for the brand. Maze, Ryuk—these ring bells, right?
But here’s the twist: what exactly do Maze, Conti, or REvil refer to? Sometimes the name means the malware, sometimes the supporting criminal community, sometimes a bit of both. Mandiant, for example, rejects the idea that “Conti” is a group—it’s the encryption malware, possibly tied to one or more attacker groups. As David Grout notes, clarity is often sacrificed for simplicity, especially in headlines.
Public understanding often stops at whatever is easiest to repeat. You’ll read that a company was hit by LockBit, attributing the attack to a “group,” when in reality, as Turner notes, it is affiliates who carry out the intrusions, not necessarily the developers or the operators of the leak site.
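The equivalence tables mentioned above, and the actor-versus-malware ambiguity around names like Conti, are the kind of thing a threat-intel team ends up encoding in a small resolver rather than a spreadsheet. What follows is an added example (not from the article, nor from any vendor’s tooling) that merges several vendors’ “these names are the same actor” rows into canonical clusters, refuses to treat a malware family as an actor, and reports where one vendor keeps apart what another merges. Only the APT28 / Fancy Bear / Sofacy row is taken from the article; the “Example …” names and “VendorB”/“VendorC” are constructed placeholders.

```python
"""Added example: merge per-vendor threat-actor alias tables into canonical
clusters and report where vendors disagree. Constructed input; only the
APT28 / Fancy Bear / Sofacy row comes from the article. The "Example ..."
names and "VendorB"/"VendorC" are placeholders, not real groups or firms."""
from collections import defaultdict

# Each vendor publishes rows of names it treats as one and the same actor.
VENDOR_ROWS = {
    # Real equivalence cited in the article (Mandiant / CrowdStrike / Kaspersky names).
    "ReferenceTable": [{"APT28", "Fancy Bear", "Sofacy"}],
    # Constructed: VendorB keeps two placeholder actors apart ...
    "VendorB": [{"Example Lynx"}, {"Example Fox"}],
    # ... while VendorC merges them and lists a malware family as if it were an actor.
    "VendorC": [{"Example Lynx", "Example Fox", "Conti"}],
}

# Names we refuse to resolve as actors because (per the article's account of
# Mandiant's position) they denote malware, not a group.
TOOL_NAMES = {"Conti"}


class AliasResolver:
    """Union-find over alias strings. A cluster's canonical name is its
    lexicographically smallest member, so results are deterministic."""

    def __init__(self):
        self.parent = {}

    def find(self, name):
        self.parent.setdefault(name, name)
        root = name
        while self.parent[root] != root:
            root = self.parent[root]
        while self.parent[name] != root:  # path compression
            nxt = self.parent[name]
            self.parent[name] = root
            name = nxt
        return root

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra == rb:
            return
        if rb < ra:
            ra, rb = rb, ra
        self.parent[rb] = ra


def build_clusters(vendor_rows, tool_names):
    """Returns (clusters, conflicts, rejected).
    clusters:  {canonical_name: sorted list of aliases}
    conflicts: (vendor, canonical, row_a, row_b) where the vendor keeps two
               rows apart that the merged view folds into one cluster
    rejected:  (vendor, name) pairs dropped because the name is a tool."""
    r = AliasResolver()
    rejected = []
    for vendor, rows in vendor_rows.items():
        for row in rows:
            rejected += [(vendor, n) for n in sorted(row) if n in tool_names]
            names = sorted(n for n in row if n not in tool_names)
            for n in names:
                r.union(names[0], n)

    clusters = defaultdict(list)
    for n in list(r.parent):
        clusters[r.find(n)].append(n)
    clusters = {k: sorted(v) for k, v in clusters.items()}

    conflicts = []
    for vendor, rows in vendor_rows.items():
        seen = {}  # canonical -> first row of this vendor landing there
        for row in rows:
            names = sorted(n for n in row if n not in tool_names)
            if not names:
                continue
            root = r.find(names[0])
            if root in seen:
                conflicts.append((vendor, root, seen[root], names))
            else:
                seen[root] = names
    return clusters, conflicts, rejected


def canonical(clusters, name):
    """Reverse lookup: which canonical cluster does an alias belong to?"""
    for key, members in clusters.items():
        if name in members:
            return key
    return None


if __name__ == "__main__":
    clusters, conflicts, rejected = build_clusters(VENDOR_ROWS, TOOL_NAMES)
    for key, members in clusters.items():
        print(f"{key}: {members}")
    for vendor, root, a, b in conflicts:
        print(f"DISAGREEMENT: {vendor} keeps {a} and {b} apart; others merge them as {root}")
    for vendor, name in rejected:
        print(f"REJECTED: {vendor} lists malware '{name}' as an actor")
```

Running it prints the two merged clusters, flags VendorB as the dissenting voice on the placeholder pair, and reports that VendorC’s row tried to smuggle a malware family in as a group. The point of the design is the conflict list: a resolver that silently merges everything reproduces exactly the “headline simplicity” the article complains about, whereas surfacing the disagreement keeps the blind men’s differing views visible.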
This muddy mix led ANSSI, the French cyber agency, in 2021 to publish a report defining a distinct group, Lockean, after tracking one set of operators across multiple RaaS brands—a rare push for precise labeling beyond catchy ransomware marketing.
The Final Takeaway? Naming cyber adversaries is not an exact science. But good luck running a threat intel operation—or even reading the news—without it. Expect those infamous spreadsheets listing hacker pseudonyms to keep swelling for years to come. So next time someone drops “Charming Kitten” or “Fancy Bear” in conversation, know you’re dealing with a universe where names are cheap, but understanding who’s who is the neverending quest.