Understanding how different vendors classify and track threat actor groups is essential for analysts, red teamers, and defenders working with threat intelligence. However, it can get confusing the same group might have multiple names depending on who’s doing the tracking. This inconsistency often stems from the fact that threat actors reuse infrastructure, borrow TTPs, or intentionally try to mislead attribution efforts.

Why Naming Conventions Matter

• Multiple names, same threat: One APT group may be known by different names across vendors.
• Tool reuse & false flags: Shared malware and deliberate deception can obscure attribution.
• Clarity in reports: Consistent naming helps organizations track threats across multiple intelligence sources.

CrowdStrike’s Animal Taxonomy

CrowdStrike classifies adversaries using animal-themed names, based on either their geopolitical origin (for nation-states) or intent/motivation (for non-nation-state actors).

Mandiant/FireEye Naming System

Mandiant (now part of Google Cloud) uses a more structured and numerical naming convention, relying on prefixes that reflect actor type or investigation status.

APT + Number (Nation-State Actors)

The number is often linked to an internal geographic or actor code used during initial attribution.

FIN + Number (Financial Threat Actors)

“FIN” groups represent financially-motivated threat actors who conduct cybercrime operations such as ATM heists, point-of-sale breaches, or ransomware campaigns.