BlueVoyant Adopts a New Naming Convention to Bring Clarity to Cyber Threat Analysis

September 25, 2025 | 5 min read

Curt Buchanan

Principal Security Research, Threat Fusion Cell


The lack of a universal standard for naming threat actors often creates confusion in the cybersecurity community. The same threat actor can be identified by multiple aliases depending on the vendor or team tracking it. For example, a Russian government-sponsored cyber threat group is referred to alternatively as “APT29”, “Cozy Bear”, “Midnight Blizzard” and “Nobelium”. This proliferation of aliases can make it difficult to correlate threat data and track adversary activity over time.  

To address this challenge, BlueVoyant’s Threat Fusion Cell (TFC) developed the Pirate Threat Naming Framework, a proprietary system that aims to cut through this complexity by providing a stable and descriptive naming methodology. The framework provides a significant advantage in threat analysis, moving beyond arbitrary labels to a system rooted in context and intelligence. Each internal name generated by BlueVoyant’s TFC offers valuable insights into the nature and origin of the threat actor, streamlining internal discussions and delivering context-rich analysis.

Introducing the Pirate Naming Convention 

The Pirate Threat Naming Framework is built on a two-part structure:  

  1. Behavioral Adjective: Describes the actor’s tactics, techniques, and procedures (TTPs).
  2. Origin-Based or Role-Based Pirate Noun: Indicates the actor’s suspected geographic origin or operational role.

Together, this structure enables analysts to immediately grasp the nature of a threat actor while linking it to its BlueVoyant-specific analysis context.

The nouns used in the naming convention are not arbitrary; they are carefully selected for their metaphorical or historical connection to the regions or roles associated with the threat actors.  

Below are some examples of how nouns are mapped based on actor types and origins. 

Nation-State Affiliated Actors 

For groups believed to be operating on behalf of a nation-state, the noun is typically a type of ship, a historical maritime term, or a culturally significant figure associated with that region: 

  • Akula (Russia): Акула, meaning 'shark', is a regionally unique noun for Russian state-sponsored cyber actors within the Pirate naming convention. In Russian maritime and military history, “Akula” is well-known as the name of advanced Russian submarine classes, specifically the Akula-class (Project 971 Shchuka-B), famed for their stealth, speed, and offensive capabilities.
    • Example: Bold Akula (APT28/Fancy Bear)
  • Dhow (Iran): As a traditional sailing vessel of the region, the dhow provides a direct and unambiguous geographical link to actors with a suspected Iranian nexus.
    • Example: Serpent Dhow (APT35/Charming Kitten)
  • Corsair (North Korea): Historically, corsairs were often state-sanctioned privateers or pirates operating with political backing. This aligns perfectly with the typical operational model of North Korean state-sponsored threat groups.
    • Example: Fleeting Corsair (APT37/Ricochet Chollima)
  • Reis (Türkiye): "Reis" is a Turkish and Arabic title that historically denoted a captain or leader of a ship. This choice directly ties into Türkiye’s rich maritime history and its historical position of command in naval activities.
    • Example: Audacious Reis (Marbled Dust/Sea Turtle)
  • Sefinah (Israel): "Sefinah" is a Hebrew word for ship with deep historical and biblical roots. Crucially, post-biblical texts specifically mention "sefinot shel piraton"—pirate ships—creating a direct and fitting linguistic link to the pirate theme and the actor's suspected origin.
    • Example: Invasive Sefinah (Candiru/SOURGUM)
  • Qasimi (United Arab Emirates): This noun is derived from the Al Qasimi, the primary actors involved in the 18th and 19th-century maritime raiding that led the British to designate the area as the "Pirate Coast." This provides a strong historical anchor for actors with a UAE nexus.
    • Example: Shadow Qasimi (FruityArmor/Stealth Falcon)
  • Daryai (Pakistan): "Daryā'ī" is the Urdu word for "mariner" or "seafarer," providing a direct linguistic link to the national language of Pakistan.
    • Example: Venomous Daryai (APT36/Transparent Tribe)
  • Lanteen (India): This noun is named after the lanteen sail, a type of triangular sail common on vessels in the waters around the Indian subcontinent.
    • Example: Swift Lanteen (Sidewinder/Razor Tiger)
  • Crane (Vietnam): The crane is a revered bird in many East Asian cultures, symbolizing longevity, grace, and vigilance. These attributes metaphorically align with the persistent and patient characteristics often observed in threat actors from this region.
    • Example: Shadow Crane (DarkHotel/DUBNIUM)
  • Junk (China): This term refers to the iconic regional ship type, which was often used by historical pirates in the area. Its selection immediately anchors the suspected nexus of the threat actor to China.
    • Example: Imperial Junk (APT27/Emissary Panda)

eCrime and Financially Motivated Actors 

For non-state actors driven by financial gain, the noun reflects their criminal role: 

  • Brigantine (Ransomware/Extortion): A brigantine was a two-masted sailing ship, known for being well-suited for chasing down valuable merchant ships, engaging in combat, and transporting large amounts of stolen goods. This historical function is a powerful metaphor for modern ransomware and extortion groups that hunt high-value targets and abscond with their "booty" (data and money).
  • Marauder (General eCrime): This is a broader term used to denote actors engaged in other forms of financially motivated cybercrime, such as those involving banking trojans, payment card theft, or business email compromise (BEC). The name itself implies plundering and raiding for profit. 

Other Actor Types 

When threat actors do not fit neatly into nation-state or eCrime categories, such as transnational or unknown groups, the general term “Rover” is used. This signifies a wanderer or pirate without a fixed base, reflecting the ambiguity of their affiliation.

  • Example: Silent Rover 

The Pirate Threat Naming Framework Advantage: Clarity and Consistency 

The Pirate Threat Naming Framework offers several distinct advantages: 

  • Clarity and Consistency: TFC analysts have a single, consistent name for each actor, which eliminates the confusion caused by multiple vendor aliases. This allows for more effective tracking and analysis.
  • Descriptive Context: The names provide instant context about an actor's likely origin, motivation, and operational style, allowing analysts to make faster, more informed assessments.
  • Flexibility: The system allows the TFC to create new, meaningful names for emerging threats based on TFC’s collection and analysis without waiting for external vendors to name them.
  • Collaboration: While pirate names are used for internal analysis, they are mapped to the various vendor-assigned names in the TFC's threat intelligence platform. This ensures that TFC analysis can be easily correlated with external reporting. 

This system enhances the TFC’s ability to quickly identify, analyze, and respond to active threats, giving BlueVoyant and its clients a strategic edge. 
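As an added illustration (not BlueVoyant's code or its threat intelligence platform), the Python below decodes a two-part pirate name into its suspected nexus and groups constructed vendor reports under one internal name. The noun table and alias pairs come from the examples in this article; the category labels, function names, and report records are assumptions made for the example.

```python
import re
from collections import defaultdict

# Pirate noun -> (category label, suspected origin or role), as listed in the article.
NOUNS = {
    "akula": ("nation-state", "Russia"), "dhow": ("nation-state", "Iran"),
    "corsair": ("nation-state", "North Korea"), "reis": ("nation-state", "Türkiye"),
    "sefinah": ("nation-state", "Israel"), "qasimi": ("nation-state", "United Arab Emirates"),
    "daryai": ("nation-state", "Pakistan"), "lanteen": ("nation-state", "India"),
    "crane": ("nation-state", "Vietnam"), "junk": ("nation-state", "China"),
    "brigantine": ("ecrime", "Ransomware/Extortion"),
    "marauder": ("ecrime", "General eCrime"),
    "rover": ("other", "Transnational or unknown"),
}
# Internal name -> vendor aliases, limited to pairs the article gives as examples.
ALIASES = {
    "Bold Akula": ["APT28", "Fancy Bear"],
    "Serpent Dhow": ["APT35", "Charming Kitten"],
    "Fleeting Corsair": ["APT37", "Ricochet Chollima"],
    "Imperial Junk": ["APT27", "Emissary Panda"],
}

def _key(name):
    """Fold case, spaces and punctuation so 'fancy-bear' matches 'Fancy Bear'."""
    return re.sub(r"[^a-z0-9]", "", name.lower())

INDEX = {_key(a): pirate for pirate, al in ALIASES.items() for a in [pirate, *al]}

def decode(pirate_name):
    """Split 'Adjective Noun' and look up what the noun says about the actor."""
    parts = pirate_name.split()
    if len(parts) != 2 or parts[1].lower() not in NOUNS:
        raise ValueError(f"not a two-part pirate name: {pirate_name!r}")
    category, nexus = NOUNS[parts[1].lower()]
    return {"adjective": parts[0], "noun": parts[1], "category": category, "nexus": nexus}

def correlate(reports):
    """Group (source, actor_name) records by internal name; never guess a mapping."""
    grouped, unmapped = defaultdict(list), []
    for source, actor in reports:
        pirate = INDEX.get(_key(actor))
        if pirate:
            grouped[pirate].append(source)
        else:
            unmapped.append((source, actor))
    return dict(grouped), unmapped

# Constructed sample records. "Cozy Bear" has no pirate name in the article, so it stays unmapped.
REPORTS = [("vendor-a", "APT28"), ("vendor-b", "fancy-bear"),
           ("vendor-c", "Charming Kitten"), ("vendor-d", "Cozy Bear")]
```
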

BlueVoyant’s Pirate Threat Naming Framework is a practical and effective system that enhances the clarity, speed, and accuracy of threat analysis. In an industry where naming inconsistencies are the norm, the TFC’s proprietary framework offers a structured approach to tracking adversaries, ensuring clients are better protected against the evolving threat landscape.  
