
A History of How We Name Hackers

Why is one hacker group called both FANCY BEAR & APT28? Different security companies use different names, which creates confusion. Here's a quick history of how we got into this mess and how the industry is finally starting to fix it.

Ever heard of a hacking group called APT28? What about FANCY BEAR? Or Strontium? Or Blizzard-28?

Here’s the thing: they’re all the same group.

It’s confusing, right? This is a massive challenge in cybersecurity. How we name our adversaries isn't just for show; it shapes how we track them, collaborate, and defend ourselves. But the history of how we got here is a bit of a wild ride, moving from simple technical notes to a creative, and sometimes chaotic, system of branded names.

I think we should go ahead and unpack how this all came to be.

The Problem of Tracking the Unseen

In the early days, we didn't track the hackers. We tracked their tools.

A threat was identified by its digital fingerprints: a malicious file's hash, an IP address, or a domain name used to control the attack. But there's a problem with that. Hackers can change their tools in minutes. They can switch servers, recompile their malware to get a new hash, and register new domains.

The tools are temporary, but the human group behind them is persistent. Security researchers needed a way to connect different attacks to the same group over months or even years. They needed a name. A simple handle for a complex, evolving human threat. It’s much easier to say, "FANCY BEAR is active again," than to list off a dozen new, unrelated technical indicators.

The Pioneers - Mandiant and the "APT"

The game changed in 2013. A company called Mandiant (now part of Google) published a groundbreaking report on a group called APT1.

"APT" stands for Advanced Persistent Threat, and the number was just a way to count the distinct groups they were tracking. It was a simple, neutral system. APT1 was the first one they documented in such massive public detail.

This report was a big deal. For the first time, a private security company publicly and methodically linked a hacking campaign directly to a foreign military unit: China's People's Liberation Army Unit 61398. It set the stage for a new era where private companies became the world's primary trackers and namers of state-sponsored hackers.

The Rise of Branded Taxonomies

After Mandiant set the precedent, other major security companies developed their own naming systems. This is where things got creative and complicated.

Two systems became especially well-known.

1. CrowdStrike's Adversary Universe:

CrowdStrike went for a more memorable approach. Their names combine a descriptive word with an animal representing the group's suspected country of origin. It gives you a hint about the actor right from the name.

  • BEAR = Russia (e.g., FANCY BEAR, COZY BEAR)
  • PANDA = China (e.g., WICKED PANDA)
  • KITTEN = Iran (e.g., REFINED KITTEN)
  • SPIDER = Financially motivated criminal groups (no nation-state).

You can explore their whole list to get a quick sense of the threat landscape.

2. Microsoft's Weather System:

Microsoft also has a long history of tracking groups, initially using names of chemical elements (like Strontium for the Russian group we keep mentioning). In 2023, they updated their system to be themed around weather events to provide more clarity and consistency.

  • Typhoon = China
  • Blizzard = Russia
  • Sleet = North Korea
  • Tempest = Financially motivated groups.

Living in the Tower of Babel

So now we have several excellent, well-researched, but utterly different naming systems. This created a cybersecurity "Tower of Babel."

An analyst at one company might be writing a report about Blizzard-28, while another at a different company tracks FANCY BEAR. A government agency might be using the original APT28 designation. They're all talking about the same threat but using different languages.

This slows collaboration and makes it incredibly difficult for defenders on the front lines to consolidate intelligence. The industry created this problem for itself.

Frameworks like MITRE ATT&CK® have become popular for working around this. ATT&CK doesn't focus on the group's name. It focuses on behavior: the group's Tactics, Techniques, and Procedures (TTPs). This allows defenders to say, "I see someone using TTPs X, Y, and Z," which is a behavior profile that matches the group known by many names.

A New Detente - An Alliance to Map the Threats

For years, it seemed like this confusion was here to stay. However, in an exciting development in June 2025, some of the most prominent players decided to build bridges.

Microsoft, CrowdStrike, and other security firms announced a collaboration to harmonize their threat actor naming.

They aren't getting rid of FANCY BEAR or Blizzard. Instead, they are working to map their internal naming systems to each other. Think of it as creating a Rosetta Stone for threat intelligence. The goal isn't one naming convention, but a way to translate between them easily. This allows each company to maintain its system while making it dramatically easier for everyone else to understand who they're talking about.
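Here is what such a translation layer looks like in practice, as an added example that is not part of the original post or of any vendor's published mapping. Vendors publish pairwise equivalences (Mandiant to CrowdStrike, CrowdStrike to Microsoft), so the resolver uses union-find to make them transitive and then merges indicator rows that arrive under different labels. The alias pairs and indicator rows are constructed sample data built from the names this post mentions.

```python
from collections import defaultdict
# Constructed "Rosetta Stone" entries using the names this post mentions (not an
# official vendor mapping): each pair says two vendor labels are the same group.
ALIAS_PAIRS = [
    ("APT28", "FANCY BEAR"),        # Mandiant <-> CrowdStrike
    ("FANCY BEAR", "Blizzard-28"),  # CrowdStrike <-> Microsoft weather name
    ("Strontium", "Blizzard-28"),   # Microsoft element name <-> weather name
    ("APT29", "COZY BEAR"),         # Mandiant <-> CrowdStrike
]

def normalize(name):
    """Case- and whitespace-insensitive key: 'Fancy  Bear' -> 'FANCY BEAR'."""
    return " ".join(name.strip().upper().split())

class AliasResolver:
    """Union-find over alias pairs, so A<->B plus B<->C implies A<->C."""
    def __init__(self, pairs=()):
        self._parent = {}
        for a, b in pairs:
            self.link(a, b)

    def _find(self, key):
        self._parent.setdefault(key, key)   # unknown names form their own cluster
        while self._parent[key] != key:     # walk to the root, halving the path
            self._parent[key] = self._parent[self._parent[key]]
            key = self._parent[key]
        return key

    def link(self, a, b):
        ra, rb = self._find(normalize(a)), self._find(normalize(b))
        if ra != rb:
            self._parent[rb] = ra

    def aliases(self, name):
        root = self._find(normalize(name))
        return sorted(k for k in self._parent if self._find(k) == root)

    def canonical(self, name):
        """Deterministic cluster label: the alphabetically first alias."""
        return self.aliases(name)[0]

def consolidate(resolver, reports):
    """Merge (vendor label, indicator) rows from different vendors by actor."""
    merged = defaultdict(set)
    for label, indicator in reports:
        merged[resolver.canonical(label)].add(indicator)
    return dict(merged)

# Constructed sample rows, as if pulled from three vendors' reports.
SAMPLE_REPORTS = [("Fancy Bear", "198.51.100.7"), ("APT28", "c2.example.net"),
                  ("Strontium", "198.51.100.7"), ("Cozy Bear", "203.0.113.9"),
                  ("Unknown Panda", "192.0.2.5")]
```

With the four pairs above, `AliasResolver(ALIAS_PAIRS).aliases("Strontium")` returns all four labels for the group, and `consolidate` folds the three differently labelled APT28 rows into one entry while leaving an unmapped name as its own cluster.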

This is a game-changer for defenders.

Conclusion

The history of naming cyber adversaries is a story of evolution. It went from simple technical markers to a structured system (APT), then exploded into a creative but fractured universe of competing brands (Bears, Pandas, Typhoons).

The lack of a standard was a significant hurdle for a long time. However, the recent move toward collaboration shows the industry is maturing. We may never have one name for every adversary, but with a way to translate between them, we're finally starting to speak the same language. And in security, clear communication is everything.
