Why Do Threat Intel Companies Track Threat Actors by Different Names?
T.Report content team
The T.Report content team has several years of experience in Threat Intelligence
Threat intelligence firms play a crucial role in identifying and tracking cyber threat actors, but if you’ve ever compared reports from different vendors, you’ve probably noticed that the same actors often go by different names. Why does this happen? The reality is that no single intelligence firm has the full picture—each one sees a piece of the puzzle based on their data sources and analysis techniques.
The Fragmented View of Threat Actors
Different Vendors, Different Data
Threat intelligence firms collect data from various sources, such as:
- Private network telemetry
- Open-source intelligence (OSINT)
- Government partnerships
- Incident response cases
Each company builds its own intelligence from a mix of these sources, so each sees the same actors from a different angle. One firm may focus on financially motivated groups, while another specializes in nation-state threats. A vendor can only name the clusters of activity visible in its own telemetry, so the clusters themselves do not always line up: what one vendor tracks as a single group, another may split into two, or fold into a larger one. Since the data inputs differ, the analysis and the naming conventions differ too.
Lack of a Centralized Naming Authority
Unlike vulnerabilities (which are cataloged using CVEs), there is no single organization standardizing the names of threat actors. As a result, companies create their own naming conventions based on their research methodology. Some examples include:
- Mandiant (Google Cloud) numbers groups by motivation: APT for state-sponsored groups (APT28, APT41), FIN for financially motivated groups (FIN7), and UNC for "uncategorized" activity clusters that have not yet been merged into a named group.
- Microsoft Threat Intelligence uses weather-themed family names that encode the country or motivation (for example "Forest Blizzard" for a Russian state actor), plus temporary "Storm-####" designations such as "Storm-0558" for clusters still under development.
- CrowdStrike names actors with an animal that denotes country or motivation, such as "Fancy Bear" (Bear = Russia) or "Wizard Spider" (Spider = criminal).
This variation can create confusion: APT28, Fancy Bear and Forest Blizzard (previously STRONTIUM) are three vendors' names for the same Russian actor. But it also reflects the differences in each firm's perspective, and a vendor renaming its taxonomy, as Microsoft did in 2023, adds yet another alias to track.
How the Diamond Model Helps Bring Clarity
The Diamond Model of Intrusion Analysis
To organize threat intelligence more effectively, many firms use the Diamond Model, which describes every intrusion event as four connected vertices:
- Adversary – Who is conducting the attack (e.g., a state-sponsored group or cybercriminal gang)?
- Capability – What tools, malware, or techniques are being used?
- Infrastructure – Where is the attack coming from (e.g., command-and-control servers, phishing domains)?
- Victim – Who is being targeted (e.g., government agencies, financial institutions)?
By using this model, threat intelligence teams can compare their findings and recognize patterns across different naming conventions. For example:
- If multiple reports describe attacks using the same malware, techniques, and infrastructure, it suggests they're tracking the same actor, even if the names differ. Not all overlap is equal: shared command-and-control infrastructure is rarely a coincidence, while shared commodity tooling (Cobalt Strike, Mimikatz) or a shared target sector is common across unrelated groups and is weak evidence on its own.
- Security teams can correlate intelligence from different vendors to get a more complete picture of the threat landscape.
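The correlation described above, reduced to a runnable check. This is an added example, not code from the article, a vendor or a project. It scores pairs of vendor reports on the capability, infrastructure and victim vertices of the Diamond Model (adversary is what we are trying to infer), discounts commodity tooling, and merges cross-vendor names whose weighted overlap clears a threshold. The four reports, their vendor and actor names, malware family names and indicators are constructed placeholders (example.net/example.org domains, RFC 5737 documentation addresses); the ATT&CK technique IDs are real, used as the shared vocabulary for techniques. The weights and threshold are assumptions to tune against your own data.

```python
"""Correlate vendor threat reports across naming conventions.

Added example for this article, not code from any vendor or project. The
reports below are constructed; names and indicators are placeholders.
"""
from dataclasses import dataclass
from itertools import combinations

# Tooling used by many unrelated groups carries little attribution signal,
# so it is ignored when scoring capability overlap (assumed list).
COMMODITY_TOOLS = {"Cobalt Strike", "Mimikatz"}

# Assumed weights per Diamond Model vertex: shared infrastructure is rarely
# a coincidence, shared techniques are common, shared sectors are weakest.
WEIGHTS = {"capability": 0.35, "infrastructure": 0.50, "victim": 0.15}


@dataclass(frozen=True)
class Report:
    vendor: str
    actor: str
    malware: frozenset
    techniques: frozenset      # ATT&CK technique IDs
    infrastructure: frozenset  # C2 domains / IPs
    victims: frozenset         # targeted sectors

    @property
    def label(self) -> str:
        return f"{self.vendor}:{self.actor}"


def jaccard(a: frozenset, b: frozenset) -> float:
    """Set overlap in [0, 1]; two empty sets share nothing observable."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def diamond_overlap(r1: Report, r2: Report) -> dict:
    """Overlap per scored vertex; commodity tools are dropped first."""
    cap1 = (r1.malware - COMMODITY_TOOLS) | r1.techniques
    cap2 = (r2.malware - COMMODITY_TOOLS) | r2.techniques
    return {
        "capability": jaccard(cap1, cap2),
        "infrastructure": jaccard(r1.infrastructure, r2.infrastructure),
        "victim": jaccard(r1.victims, r2.victims),
    }


def similarity(r1: Report, r2: Report) -> float:
    """Weighted sum of the per-vertex overlaps, in [0, 1]."""
    overlap = diamond_overlap(r1, r2)
    return sum(WEIGHTS[k] * overlap[k] for k in WEIGHTS)


def cluster_aliases(reports, threshold: float = 0.4):
    """Union-find over cross-vendor pairs above the threshold. Two names
    from the same vendor are never merged: those are clusters the vendor
    deliberately keeps apart, and only its own analysts can collapse them."""
    parent = {r.label: r.label for r in reports}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for r1, r2 in combinations(reports, 2):
        if r1.vendor != r2.vendor and similarity(r1, r2) >= threshold:
            parent[find(r1.label)] = find(r2.label)

    clusters = {}
    for r in reports:
        clusters.setdefault(find(r.label), set()).add(r.label)
    return sorted(clusters.values(), key=lambda s: sorted(s))


# Constructed sample reports: four vendors, four names, two real clusters.
REPORTS = [
    Report("Alpha", "ALPHA-GROUP-1",
           frozenset({"LoaderOne", "BackdoorTwo"}),
           frozenset({"T1566.001", "T1059.001", "T1071.001", "T1003.001"}),
           frozenset({"c2.example.net", "203.0.113.7"}),
           frozenset({"government"})),
    Report("Bravo", "BRAVO-UNIT-7",
           frozenset({"LoaderOne", "Cobalt Strike"}),
           frozenset({"T1566.001", "T1071.001", "T1003.001"}),
           frozenset({"c2.example.net", "198.51.100.4"}),
           frozenset({"government", "defense"})),
    Report("Charlie", "CHARLIE-CREW-9",
           frozenset({"Cobalt Strike", "LockerThree"}),
           frozenset({"T1486", "T1059.001", "T1003.001"}),
           frozenset({"payload.example.org"}),
           frozenset({"healthcare"})),
    Report("Delta", "DELTA-CLUSTER-5",
           frozenset({"LockerThree"}),
           frozenset({"T1486", "T1059.001"}),
           frozenset({"payload.example.org", "203.0.113.200"}),
           frozenset({"healthcare", "education"})),
]

if __name__ == "__main__":
    for r1, r2 in combinations(REPORTS, 2):
        print(f"{r1.label:22} {r2.label:22} {similarity(r1, r2):.3f}")
    for group in cluster_aliases(REPORTS):
        print("probable aliases:", sorted(group))
```

Run as a script it prints every cross-report score and two alias groups: Alpha and Bravo are describing one actor (shared loader, techniques and a C2 domain), Charlie and Delta another; the two Cobalt Strike users are not linked, because the commodity tool is discounted and they share no infrastructure. A real pipeline would feed the scored pairs to an analyst rather than merge automatically, since a threshold like this can never distinguish shared infrastructure from shared bulletproof hosting.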
The Importance of Cross-Vendor Intelligence Sharing
Despite differences in naming conventions, organizations benefit from correlating intelligence across multiple sources. Open frameworks and Threat Intelligence Platforms (TIPs) help standardize how threats are described: MITRE ATT&CK gives every technique a stable ID, and each ATT&CK group entry lists the "associated groups" aliases other vendors use for it, while TIP data sets such as the MISP threat-actor galaxy record synonyms per actor. Both make it easier to map different actor names to the same entity, though such alias lists lag behind vendor reporting and should be checked against the underlying overlap rather than trusted blindly.
Conclusion
Threat intelligence vendors track threat actors differently because each company has unique data sources, focuses, and methodologies. However, frameworks like the Diamond Model and MITRE ATT&CK help bring structure to this fragmented view, enabling organizations to map disparate threat reports to a unified intelligence picture.
For security teams, the key takeaway is to not rely on a single vendor’s naming but to cross-reference reports, use structured analysis models, and integrate intelligence from multiple sources to get the full picture.