RedSheep Security
Foundations — Lesson 9 of 10

Threat Actor Profiling Basics


Threat actor profiling is the systematic process of characterizing the individuals, groups, or organizations behind cyber threats. Rather than focusing solely on individual attacks or indicators, profiling builds a comprehensive picture of who the adversary is, what motivates them, how they operate, and what they are likely to do next. For CTI analysts, profiling is essential for prioritizing threats, informing defensive strategies, and providing context that transforms raw technical data into actionable intelligence.

Learning Objectives

  • Define threat actor profiling and explain its purpose in CTI
  • Understand the major vendor naming conventions for threat groups
  • Describe the key elements used to build a threat actor profile
  • Distinguish between attribution and activity tracking
  • Explain the challenges and limitations of attribution
  • Understand how analysts cluster activity into intrusion sets and threat groups

What Is Threat Actor Profiling?

Threat actor profiling goes beyond individual incident analysis to build a durable, evolving picture of an adversary. A profile aggregates information across multiple campaigns, timeframes, and sources to characterize the threat in a way that enables prediction and prioritization.

Threat actor profile: A structured characterization of a cyber threat entity that includes its motivation, capability, infrastructure, targeting patterns, and observed TTPs, maintained and updated over time as new intelligence becomes available.

Profiling answers questions that individual IOCs cannot: Why is this group targeting us? What are they likely to do next? How sophisticated are their capabilities? Are they likely to escalate? These strategic and operational questions are what make profiling indispensable for security leadership and defensive planning.

Naming Conventions

One of the most confusing aspects of threat actor tracking for newcomers is the proliferation of names. The same threat group may be known by a dozen different names across different vendors and government agencies. Understanding the major naming schemes helps analysts cross-reference reporting.

Mandiant/Google — APT and FIN Numbering

Mandiant (now part of Google Cloud) assigns numerical designations based on assessed motivation:

  • APT (Advanced Persistent Threat): State-sponsored groups engaged in espionage or destructive operations (e.g., APT28, APT29, APT41)
  • FIN (Financially motivated): Criminal groups focused on financial gain (e.g., FIN7, FIN11)
  • UNC (Uncategorized): Activity clusters not yet attributed to a defined group (e.g., UNC2452, which was later merged into APT29 reporting)

CrowdStrike — Animal Names by Country

CrowdStrike assigns animal-themed names based on assessed country of origin:

Animal     Country/Region
BEAR       Russia
PANDA      China
KITTEN     Iran
CHOLLIMA   North Korea
SPIDER     Criminal (non-state)
JACKAL     Hacktivist
BUFFALO    Vietnam
LEOPARD    Pakistan

Well-known examples include FANCY BEAR (Russia/APT28), COZY BEAR (Russia/APT29), WICKED PANDA (China/APT41), and WIZARD SPIDER (criminal group behind TrickBot and Conti ransomware).

Microsoft — Weather-Themed Names

In April 2023, Microsoft adopted a new naming taxonomy based on weather events, replacing their previous element-based system (which used names like HAFNIUM and NOBELIUM):

Weather Type   Country/Region
Blizzard       Russia
Typhoon        China
Sandstorm      Iran
Sleet          North Korea
Tempest        Criminal (financially motivated)
Storm          Developing/unattributed clusters

For example, NOBELIUM became Midnight Blizzard (Russia/APT29), HAFNIUM became Silk Typhoon (China), and DEV-0537 became Strawberry Tempest (criminal). The "Storm" prefix is used for activity clusters that have not yet been attributed to a known group.

Other Notable Naming Systems

  • ESET uses named groups (Sednit, Sandworm, Turla)
  • Kaspersky uses descriptive project names (Equation Group, Lazarus)
  • Government agencies often use classified designations that differ from vendor names; publicly they may reference vendor names for clarity

Cross-Reference Resources

Because the naming landscape is fragmented, cross-reference resources are essential:

  • MITRE ATT&CK Group pages list known aliases for each group
  • Malpedia (by Fraunhofer FKIE) maintains a comprehensive actor name cross-reference
  • ThaiCERT's Threat Group Cards provide visual cross-reference sheets
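The naming schemes above each encode an assessment (country of origin or motivation) in the name itself, which makes a quick consistency check possible when merging alias lists from several sources. The following Python helper is an added example, not part of this lesson or any vendor tool; it decodes the Mandiant, CrowdStrike and Microsoft conventions from the tables above and flags alias lists whose encoded assessments disagree. The class and function names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assessments encoded by each vendor scheme, taken from the lesson's tables.
CROWDSTRIKE_ANIMALS = {"BEAR": "Russia", "PANDA": "China", "KITTEN": "Iran",
                       "CHOLLIMA": "North Korea", "SPIDER": "Criminal", "JACKAL": "Hacktivist",
                       "BUFFALO": "Vietnam", "LEOPARD": "Pakistan"}
MICROSOFT_WEATHER = {"BLIZZARD": "Russia", "TYPHOON": "China", "SANDSTORM": "Iran",
                     "SLEET": "North Korea", "TEMPEST": "Criminal"}
MANDIANT_PREFIX = {"APT": "State-sponsored", "FIN": "Criminal", "UNC": None}

@dataclass(frozen=True)
class DecodedAlias:
    name: str
    vendor: str
    assessment: Optional[str]  # country/region, motivation, or None if unattributed

def decode_alias(name: str) -> Optional[DecodedAlias]:
    """Infer the vendor scheme and the assessment its naming convention encodes."""
    n = name.strip()
    m = re.fullmatch(r"(APT|FIN|UNC)\s?(\d+)", n, re.IGNORECASE)
    if m:
        return DecodedAlias(n, "Mandiant", MANDIANT_PREFIX[m.group(1).upper()])
    w = re.split(r"[\s-]+", n.upper())
    if len(w) == 2 and w[1] in CROWDSTRIKE_ANIMALS:
        return DecodedAlias(n, "CrowdStrike", CROWDSTRIKE_ANIMALS[w[1]])
    if len(w) == 2 and w[1] in MICROSOFT_WEATHER:
        return DecodedAlias(n, "Microsoft", MICROSOFT_WEATHER[w[1]])
    if len(w) == 2 and w[0] == "STORM" and w[1].isdigit():  # Storm-#### cluster
        return DecodedAlias(n, "Microsoft", None)
    return None  # ESET/Kaspersky-style names (Sednit, Lazarus) encode no assessment

def compatible(x: str, y: str) -> bool:
    """'State-sponsored' (APT) agrees with any country but not with criminal/hacktivist."""
    if x == y:
        return True
    non_state = {"Criminal", "Hacktivist"}
    if "State-sponsored" in (x, y):
        return (y if x == "State-sponsored" else x) not in non_state
    return False

def alias_conflicts(aliases: list[str]) -> list[tuple[str, str]]:
    """Pairs of aliases whose encoded assessments disagree: a sign that a
    cross-reference entry has mixed up two different groups."""
    decoded = [d for d in map(decode_alias, aliases) if d and d.assessment]
    return [(a.name, b.name) for i, a in enumerate(decoded) for b in decoded[i + 1:]
            if not compatible(a.assessment, b.assessment)]
```

A flagged pair is a prompt for analyst review, not a verdict; names that carry no assessment (Sednit, UNC or Storm clusters) never produce a conflict.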

Clustering Activity: Intrusion Sets vs. Threat Groups

Before a set of malicious activities can be attributed to a named threat group, analysts must first cluster related activity together. This is the difference between an intrusion set and a threat group.

Intrusion set: A cluster of adversary activity characterized by shared technical indicators, TTPs, infrastructure, and/or targeting that analysts assess to be conducted by a single organization, even if the organization's identity is unknown.

Threat group: A named entity (organization, unit, or individual) assessed to be responsible for one or more intrusion sets.

In practice, analysts first identify patterns that link separate incidents — shared malware families, overlapping infrastructure, consistent TTPs, or common targeting. This cluster becomes an intrusion set. If sufficient evidence accumulates to link the intrusion set to a specific entity (a government unit, a criminal organization), it may be designated as a threat group and given a name.

Sometimes intrusion sets merge (when analysts determine two clusters are actually the same group) or split (when closer analysis reveals what appeared to be one group is actually two). This fluidity is a natural part of intelligence analysis, and analysts should be comfortable with uncertainty in group boundaries.
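The clustering step, and the merge case just described, can be made concrete with a small union-find over incident observables. This Python block is an added example, not from the lesson; the incident records, malware names, domains and IP addresses are constructed (documentation ranges and the .example TLD), and the weighting rule and threshold are the example's own assumptions.

```python
from itertools import combinations

# Constructed incidents (not real cases). Each holds the observables an analyst
# extracted: malware families, C2 infrastructure, and ATT&CK technique IDs.
INCIDENTS = {
    "INC-1": {"malware": {"LoaderA"}, "infra": {"cdn-update.example"},
              "ttps": {"T1566.001", "T1059.001", "T1071.001"}},
    "INC-2": {"malware": {"LoaderA"}, "infra": {"198.51.100.7"},
              "ttps": {"T1566.001", "T1059.001", "T1547.001"}},
    "INC-3": {"malware": {"RatB"}, "infra": {"203.0.113.9"},
              "ttps": {"T1190", "T1105", "T1071.001"}},
    "INC-4": {"malware": {"RatB"}, "infra": {"203.0.113.9", "198.51.100.7"},
              "ttps": {"T1190", "T1105"}},
    "INC-5": {"malware": set(), "infra": {"vpn-portal.example"},
              "ttps": {"T1566.001", "T1059.001", "T1071.001"}},
}

def link_score(a: dict, b: dict) -> int:
    """Weighted overlap: shared malware or infrastructure counts double, because
    commodity techniques such as T1566.001 are used by many unrelated groups."""
    return (2 * len(a["malware"] & b["malware"])
            + 2 * len(a["infra"] & b["infra"])
            + len(a["ttps"] & b["ttps"]))

def cluster(incidents: dict, threshold: int = 4) -> set[frozenset]:
    """Group incidents into intrusion sets: union-find over every pair whose
    link_score reaches the threshold; transitive links merge clusters."""
    parent = {k: k for k in incidents}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    for x, y in combinations(incidents, 2):
        if link_score(incidents[x], incidents[y]) >= threshold:
            parent[find(x)] = find(y)
    sets = {}
    for k in incidents:
        sets.setdefault(find(k), set()).add(k)
    return {frozenset(s) for s in sets.values()}

def with_new_incident(incidents: dict, name: str, record: dict) -> set[frozenset]:
    """Re-cluster after a new incident arrives; a record linked to two existing
    intrusion sets causes them to merge, the case the lesson describes."""
    return cluster({**incidents, name: record})
```

With the threshold at 4, a single shared IP address (INC-2 and INC-4 both using 198.51.100.7) is not enough to link two incidents on its own, nor are three shared commodity techniques; INC-5 therefore stays a singleton until stronger evidence appears.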

Elements of a Threat Actor Profile

A comprehensive threat actor profile addresses several key dimensions:

Motivation

Understanding why a threat actor operates is essential for predicting their behavior and assessing risk to your organization.

Motivation Category      Examples
Espionage                State-sponsored intelligence collection (APT29, APT10)
Financial gain           Ransomware, banking trojans, business email compromise (FIN7, Wizard Spider)
Destruction/Disruption   Wipers, DDoS, sabotage (Sandworm/APT44)
Hacktivism               Ideologically motivated defacement, leaks, DDoS (Anonymous, KillNet)
Insider threat           Disgruntled employees, recruited insiders

Capability

Capability assessment evaluates the sophistication and resources available to the threat actor:

  • Do they develop zero-day exploits or rely on publicly available tools?
  • Do they use custom malware or commodity frameworks like Cobalt Strike?
  • Can they maintain long-term persistent access in well-defended environments?
  • Do they demonstrate the ability to adapt when detected?
  • What is their operational tempo — how quickly do they operate once inside a network?

Infrastructure

Infrastructure analysis examines how the threat actor builds and manages their operational resources:

  • Domain registration patterns (registrars, hosting providers, use of privacy services)
  • IP address ranges and autonomous systems (ASNs) they favor
  • Use of compromised infrastructure versus purpose-built infrastructure
  • C2 protocols and communication patterns
  • Use of bulletproof hosting, fast-flux DNS, or domain fronting

Targeting

Targeting analysis reveals the adversary's interests and objectives:

  • Which sectors do they target (government, defense, healthcare, finance, energy)?
  • Which geographies are affected?
  • Do they target specific technologies, platforms, or supply chains?
  • Is targeting broad (opportunistic) or narrow (strategic)?
  • Has targeting shifted over time, and if so, what might that indicate?

TTPs (Tactics, Techniques, and Procedures)

TTP analysis, typically mapped to MITRE ATT&CK, characterizes how the adversary operates:

  • Preferred initial access vectors (phishing, exploitation, supply chain)
  • Post-compromise tradecraft (living-off-the-land, custom tooling, lateral movement methods)
  • Persistence mechanisms
  • Data collection and exfiltration methods
  • Operational security practices (anti-forensics, log clearing, timestomping)

Tracking Actors Over Time

Threat actor profiles are not static documents — they are living analytic products that must be updated as new intelligence becomes available. Effective tracking involves:

  • Maintaining a running profile that incorporates new campaigns, infrastructure changes, and capability developments
  • Monitoring for TTP evolution as groups adopt new tools, techniques, or operational practices
  • Tracking infrastructure patterns using passive DNS, WHOIS history, and certificate transparency data
  • Correlating with vendor reporting to benefit from the broader community's visibility
  • Noting periods of inactivity, which may indicate operational pauses, retooling, or organizational changes within the threat group

Attribution vs. Tracking

A critical distinction that every CTI analyst must understand is the difference between tracking adversary activity and attributing it to a specific real-world entity.

Tracking: Clustering and monitoring related adversary activity based on technical and behavioral indicators — something every CTI team can and should do.

Attribution: Identifying the specific real-world entity (government agency, military unit, criminal organization, or individual) responsible for the activity — something that typically requires intelligence capabilities beyond what most private-sector organizations possess.

Why Attribution Is Hard

  • False flags: Sophisticated actors deliberately mimic other groups' TTPs, infrastructure patterns, or malware to mislead analysts
  • Shared tooling: Multiple groups may use the same malware, exploit kits, or infrastructure providers
  • Contractor ecosystems: Some governments use private contractors or shared offensive platforms, blurring group boundaries
  • Limited visibility: No single organization sees the full picture; attribution often requires intelligence from multiple sources including classified sources
  • Evolving tradecraft: Groups change their TTPs, infrastructure, and tooling over time, making historical comparisons less reliable

Practical Guidance

For most CTI teams, the priority should be tracking rather than attribution. You can effectively defend against a threat group by understanding and detecting their TTPs without knowing whether they operate out of a specific building in a specific city. Attribution is valuable for geopolitical context and strategic planning, but it is not required for effective defense.

When attribution is assessed, always express it with appropriate confidence language (see Lesson 10 on ICD 203 confidence levels) and clearly distinguish between what is observed (technical evidence) and what is assessed (analytic judgment).

Key Takeaways

  • Threat actor profiling builds a comprehensive, evolving characterization of adversaries across multiple dimensions
  • The major vendor naming conventions (Mandiant APT/FIN numbers, CrowdStrike animal names, Microsoft weather themes) each reflect assessed country of origin or motivation
  • Cross-reference resources like MITRE ATT&CK Groups and Malpedia are essential for navigating the naming landscape
  • Intrusion sets are clusters of related activity; threat groups are named entities assessed to be responsible for those clusters
  • A complete profile covers motivation, capability, infrastructure, targeting, and TTPs
  • Attribution (identifying the real-world entity) is distinct from tracking (monitoring activity clusters) and is significantly harder
  • Most CTI teams should prioritize tracking over attribution — you can defend effectively without knowing the adversary's real-world identity

Practical Exercise

Build a Threat Actor Profile:

Choose a well-documented threat group from MITRE ATT&CK (e.g., APT28, APT41, FIN7, Lazarus Group, or Sandworm).

  1. Visit the group's page on attack.mitre.org and review documented techniques and software
  2. Search for 2-3 public vendor reports about the group (Mandiant, CrowdStrike, Microsoft, Recorded Future, Talos, etc.)
  3. Build a structured profile with these sections:
    • Names/Aliases (list all known names with the vendor that uses each)
    • Assessed Origin (country/affiliation, with confidence level)
    • Motivation (espionage, financial, destructive, etc.)
    • Active Since (earliest known activity)
    • Targeting (sectors, geographies, specific organizations if public)
    • Notable Capabilities (custom malware, zero-days, supply chain compromise, etc.)
    • Key TTPs (map at least 5 to MITRE ATT&CK technique IDs)
    • Recent Activity (most recent publicly reported campaign)
  4. Identify one area where vendor reports disagree or where your profile has significant gaps

This exercise practices the core CTI skill of synthesizing multiple sources into a structured, useful analytic product.

Further Reading

  • MITRE ATT&CK Groups — documented threat group profiles with aliases, techniques, and software (https://attack.mitre.org/groups/)
  • Malpedia by Fraunhofer FKIE — comprehensive threat actor and malware knowledge base with cross-vendor name mapping (https://malpedia.caad.fkie.fraunhofer.de/)
  • APT Groups and Operations spreadsheet — community-maintained Google Sheet tracking threat group names across vendors (search for "APT Groups and Operations" by Florian Roth)
  • Intelligence-Driven Computer Network Defense by Eric M. Hutchins, Michael J. Cloppert, and Rohan M. Amin (Lockheed Martin, 2011) — the foundational paper introducing the intelligence-driven defense model that underpins modern threat actor tracking