The former heads of the leading cybersecurity government agencies in the US and UK have called for an overhaul in threat actor naming conventions.

Cyber attribution and threat actor naming conventions have sparked long-lasting debates in cyber spheres, at least since Mandiant’s 2013 APT1 report, Exposing One of China’s Cyber Espionage Units, which attributed APT1 to China’s People’s Liberation Army (PLA) Unit 61398. APT1 would become a name that the whole cyber community could refer to.

From then on, each new threat actor has been tracked under many different names, some fairly prosaic: Mandiant, now part of Google Cloud, and US non-profit MITRE generally use a string of letters and numbers, while others prefer more inventive names.

In a June 12 column on the cyber news website Just Security, Ciaran Martin, the first director of the UK’s National Cyber Security Agency (NCSC), and Jen Easterly, the longest-serving director of the Cybersecurity and Infrastructure Security Agency (CISA), urged private and public sector cyber stakeholders to stop using “glamorized” names for cybercriminals and nation-state actors.

Instead, they called for a vendor-neutral, public taxonomy of threat actors that would enable global alignment and interoperability.

Current Threat Actor Taxonomy “Delays Response Times”

In the post, Martin and Easterly argued that the current approach to threat actor naming has detrimental effects, including:

Lacking practicality: There is a lack of a standardized taxonomy that would enable global alignment and interoperability, which can ultimately “delay response times and create confusion across Security Operations Centers (SOCs), incident response teams, and executive leadership”

Obscuring attribution: The current naming system obscures the true identity of threat actors, making it difficult to understand who is behind the attacks, and can be misleading, as similar-sounding names can refer to different types of threats (e.g. Salt Typhoon and Volt Typhoon)

Mystifying the public: The use of codenames like Fancy Bear and Volt Typhoon mystifies the public, making it harder for them to understand the real threat

Glamorizing adversaries: The current naming system often glamorizes threat actors, portraying them as cartoon villains or mythical creatures rather than malicious actors. The use of codenames can also downplay the severity of the threat and the harm caused by threat actors

Serving marketing purposes rather than accuracy: The current naming conventions serve marketing purposes more than the cybersecurity mission, making it a form of brand identity for the firm that coined it

“No one knows yet whether the cybercriminals behind the recent crisis in British retail really are Scattered Spider, whether they’re the same personnel who hacked Las Vegas casinos, or who they’re working with,” explained the authors.

They also argued that using names like ‘Scattered Spider’ in mainstream news headlines is "an objectively ridiculous way" to inform the public about how organized criminals have stopped one of the UK's most iconic retailers from operating some services for months.