Lexicon

APT designation

The threat-intelligence industry's convention for assigning label-names to clustered intrusion activity attributed (or candidate-attributed) to a single state-sponsored or state-tolerated cyber actor — the alphabet-soup vocabulary that puts Fancy Bear, APT28, Sofacy, STRONTIUM, Forest Blizzard, and Pawn Storm all on the same underlying entity

An APT designation is the threat-intelligence industry's convention for assigning a label-name to clustered intrusion activity attributed (or candidate-attributed) to a single state-sponsored or state-tolerated cyber actor. The label is not the institutional reality. The underlying entity — when it can be identified — is typically a military or intelligence-service unit, a contractor working under one, or a multi-vendor cooperative arrangement under state direction. The label is the descriptive cover the threat-intel industry has placed over that institutional reality, using each vendor's chosen taxonomy. "APT" itself stands for advanced persistent threat, a term-of-art that originated in 2006 within the United States Air Force to describe sustained intrusion campaigns attributed to People's Republic of China collection programmes; the term entered general use after the Aurora intrusions of 2010 and Mandiant's concurrent M-Trends 2010 report (The Advanced Persistent Threat) together popularised it across the security industry. [1]

The principal vendor taxonomies in current use carry distinct conventions:

Mandiant (now Google Cloud) uses sequential numbering — APT1, APT10, APT28, APT29, APT41, and so on — assigned in the order Mandiant first characterised the activity cluster as a distinct entity. Mandiant's 2013 report on the People's Liberation Army's Unit 61398 (designated APT1) is the canonical example of the convention and the report that established the institutional-attribution methodology now standard across the threat-intel industry. [2]

CrowdStrike uses an animal taxonomy keyed to country of attribution — Bear for Russia (Fancy Bear, Cozy Bear, Voodoo Bear, Berserk Bear), Panda for China (Comment Panda, Stone Panda, Wicked Panda), Kitten for Iran (Charming Kitten, Helix Kitten, Static Kitten), Chollima for North Korea (Silent Chollima, Stardust Chollima), Buffalo for Vietnam, and Spider for financially-motivated non-state actors. The animal carries the country attribution; the modifier names the specific cluster. The convention was introduced by CrowdStrike co-founder Dmitri Alperovitch in the early 2010s and is the most widely-recognised threat-intel naming system in the journalistic and security literature. [3]

Microsoft (Threat Intelligence) completed a sweeping rename of its threat-actor taxonomy in April 2023, replacing the prior element-themed names (STRONTIUM, IRIDIUM, PHOSPHORUS, NOBELIUM, ZINC) with a weather-and-meteorological family. Russia-attributed actors became Blizzards (Forest Blizzard for APT28, Midnight Blizzard for APT29, Seashell Blizzard for Sandworm). China-attributed actors became Typhoons (Volt Typhoon, Salt Typhoon, Brass Typhoon). Iran became Sandstorms (Mint Sandstorm for APT35). North Korea became Sleets (Diamond Sleet, Citrine Sleet). Financially-motivated actors became Tempests. The rename roughly doubled the alias surface for every major state-sponsored actor overnight and added a layer of vocabulary that has not yet stabilised across the security and journalistic literature. [4]

Kaspersky Lab uses themed cluster names without a single overarching taxonomy — Equation Group (the cluster attributed to NSA's Tailored Access Operations), Lazarus Group (the umbrella under which most North Korean cyber activity has been historically aggregated), Turla (an SVR-attributed cluster with a long collection history). Trend Micro uses themed cluster names — Pawn Storm for APT28, Earth Lusca for APT41-adjacent activity. Recorded Future uses Sofacy for APT28. ESET uses Russia-themed names — Sednit for APT28. The proliferation reflects the absence of an industry-wide standards body for threat-actor naming. [5]

The mapping between vendor labels is mostly tight but not always cleanly one-to-one. Fancy Bear (CrowdStrike), APT28 (Mandiant), Sofacy (Recorded Future), Pawn Storm (Trend Micro), Sednit (ESET), STRONTIUM / Forest Blizzard (Microsoft) all refer to the same underlying entity — Russia's GRU Unit 26165, formally designated the 85th Main Special Service Centre of the General Staff Main Intelligence Directorate, a confirmation that rests on the October 2018 United States Department of Justice indictment of seven GRU officers and on the joint attribution by the Five Eyes intelligence partners between 2018 and 2020. [6] But other clusters are split or merged differently across vendors — Lazarus Group is treated by some vendors as an umbrella over what others split into APT37 (the Reaper / ScarCruft cluster), APT38 (the financial-crimes arm), and APT43 (the Kimsuky / Velvet Chollima cluster). The pre-2016 Cozy Bear label covered activity that has since been re-attributed between FSB Center 16 and SVR Center for Active Measures depending on the time-period and the assessing vendor. The labels are descriptive heuristics; the institutional reality is the underlying referent and is independently established (or contested) on a separate documentary base.

The institutional attribution of an APT-designated cluster typically rests on five evidence categories considered jointly: technical infrastructure overlap (command-and-control servers, certificate fingerprints, domain registration patterns); tooling overlap (custom malware families, specific exploit techniques); operational tradecraft overlap (target-selection patterns, working-hours analysis, language-pack residue in builds); contextual signals (timing relative to diplomatic or military events of interest to a specific state); and ultimately government-source disclosure (indictments, joint attribution statements, declassified intelligence assessments). The strongest attributions stand on all five; the weakest stand on technical overlap alone. The methodology was substantially developed at SRI International, FireEye/Mandiant, CrowdStrike, and the United States and United Kingdom government cyber agencies across the 2008–2018 period. [7]

How this reference handles APT designations

Plausible Denial's editorial convention treats the institutional unit as the canonical entry and the APT designations as aliases on it. The entry on Russia's GRU Unit 26165 carries an aka frontmatter list including Fancy Bear, APT28, Sofacy, Pawn Storm, Sednit, and Forest Blizzard — searches for any of those labels surface the same entry. The exception is Lazarus Group, which carries its own entry because the underlying institutional attribution within the North Korean Reconnaissance General Bureau is genuinely diffuse across multiple subordinate bureaus and the Lazarus label has become the canonical referent in the forensic and journalistic record in a way no single RGB unit has.
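The alias-on-a-canonical-entry convention described here, and the three cases the preceding section on vendor-label mapping identifies (clean one-to-one aliases, umbrella labels that other vendors split, and labels whose attribution is contested between units), are easiest to see as a small resolver. The following Python is an added illustration and is not this reference's own search tooling; the entity names and labels it loads are the ones stated in this entry, and the `AliasResolver` class, its `resolve` return shape and the `build_resolver` helper are constructed for the example.

```python
"""Alias resolver for APT designations.

Added example, not part of this reference's own tooling.  The canonical units,
their vendor labels, the Lazarus umbrella and the contested Cozy Bear case are
taken from the entry above; the class and its result format are constructed.
"""
from dataclasses import dataclass, field


def normalise(label: str) -> str:
    """Collapse case, spaces and punctuation so 'Pawn Storm', 'PawnStorm' and
    'PAWN STORM' all index the same key."""
    return "".join(ch for ch in label.lower() if ch.isalnum())


@dataclass
class Entity:
    canonical: str                                   # the institutional referent (the entry)
    aliases: list = field(default_factory=list)      # vendor labels attached to it
    umbrella_of: list = field(default_factory=list)  # narrower clusters some vendors split out


class AliasResolver:
    """Label -> canonical entity lookup that keeps the messy cases visible
    instead of silently picking one answer."""

    def __init__(self) -> None:
        self._entities: dict[str, Entity] = {}
        self._index: dict[str, list[str]] = {}   # normalised label -> canonical names

    def add(self, entity: Entity) -> None:
        self._entities[entity.canonical] = entity
        for label in [entity.canonical, *entity.aliases]:
            names = self._index.setdefault(normalise(label), [])
            if entity.canonical not in names:
                names.append(entity.canonical)

    def resolve(self, label: str) -> dict:
        key = normalise(label)
        if key not in self._index:
            return {"status": "unknown", "query": label}
        matches = self._index[key]
        if len(matches) > 1:
            # The same label is attached to more than one unit: report the
            # candidates rather than guessing (the Cozy Bear situation).
            return {"status": "contested", "query": label, "candidates": sorted(matches)}
        ent = self._entities[matches[0]]
        result = {"status": "resolved", "query": label,
                  "canonical": ent.canonical, "aliases": list(ent.aliases)}
        if ent.umbrella_of:
            result["umbrella_of"] = list(ent.umbrella_of)
        # A narrower cluster may also be aggregated under an umbrella label by
        # other vendors; surface that so the caller knows both labels are in use.
        parents = [e.canonical for e in self._entities.values()
                   if ent.canonical in e.umbrella_of]
        if parents:
            result["also_aggregated_under"] = parents
        return result


def build_resolver() -> AliasResolver:
    """Populate the resolver with the mappings stated in the entry above."""
    r = AliasResolver()
    # Clean one-to-one case: seven vendor labels, one GRU unit.
    r.add(Entity("GRU Unit 26165", ["Fancy Bear", "APT28", "Sofacy", "Pawn Storm",
                                    "Sednit", "STRONTIUM", "Forest Blizzard"]))
    # Umbrella case: Lazarus Group over clusters Mandiant numbers separately.
    r.add(Entity("Lazarus Group", umbrella_of=["APT37", "APT38", "APT43"]))
    r.add(Entity("APT37", ["Reaper", "ScarCruft"]))
    r.add(Entity("APT38"))
    r.add(Entity("APT43", ["Kimsuky", "Velvet Chollima"]))
    # Contested case: pre-2016 Cozy Bear activity re-attributed between two units.
    r.add(Entity("FSB Center 16", ["Cozy Bear"]))
    r.add(Entity("SVR Center for Active Measures", ["Cozy Bear", "APT29", "Midnight Blizzard"]))
    return r


if __name__ == "__main__":
    resolver = build_resolver()
    for query in ("strontium", "PawnStorm", "APT38", "Lazarus Group", "Cozy Bear", "Comment Crew"):
        print(query, "->", resolver.resolve(query))
```

The design point is that `resolve` never collapses an umbrella or a contested label into a single answer: a query for APT38 comes back resolved but annotated with the Lazarus umbrella, and a query for Cozy Bear comes back as contested with both candidate units, which is the same information a reader gets from the aka frontmatter and the entry text.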

See also

  • Cybint — cyber intelligence, the broader collection-discipline category
  • Sigint — the parent intelligence discipline most of the actors named under APT designations operate within
  • Cryptonym — the parallel codename convention within the Central Intelligence Agency for institutional internal use
  • False flag — the operational technique that complicates threat-attribution methodology
  • Tradecraft — the broader operational-craft category APT-style intrusion sets belong to

Sources & Further Reading

  1. Mandiant, APT1: Exposing One of China's Cyber Espionage Units (February 2013) — the report that established the institutional-attribution methodology now standard across the threat-intel industry. The "advanced persistent threat" term-of-art was in use in United States Air Force contexts from 2006 onward and entered general security-industry vocabulary through Mandiant's 2010 incident-response work.
  2. Mandiant, op. cit., 2013; FireEye and Mandiant (now Google Cloud) APT reports published through the FireEye / Mandiant / Google Cloud Threat Intelligence research stream.
  3. CrowdStrike, Adversary Universe — public taxonomy index; Dmitri Alperovitch, Operation Aurora incident-response context (2010); CrowdStrike Global Threat Report series (annual).
  4. Microsoft Threat Intelligence, How Microsoft names threat actors (April 2023, revised April 2024) — Microsoft's announcement of the weather-themed naming convention and the prior-name mapping table.
  5. Kaspersky, APT Groups and Operations index (industry-wide cross-reference maintained at ThaiCERT); Trend Micro Research; Recorded Future Insikt Group reporting; ESET Research blog.
  6. United States Department of Justice, U.S. Charges Russian GRU Officers (October 2018) — indictment naming seven GRU officers attached to Unit 26165 and Unit 74455; United Kingdom National Cyber Security Centre, joint attribution statements (2018, 2020); Five Eyes joint attribution of NotPetya (February 2018).
  7. Thomas Rid, Active Measures: The Secret History of Disinformation and Political Warfare (Farrar, Straus and Giroux, 2020); Andy Greenberg, Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers (Doubleday, 2019); Kim Zetter, Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon (Crown, 2014); United States National Counterintelligence and Security Center annual Foreign Threats reports.