Threat actor cluster

Definition

A named collection of observed activity linked by shared infrastructure, malware, and TTPs, without necessarily having confirmed the real-world identity of the operators. Cluster names (such as APT28 or Lazarus Group) are analytical constructs used by threat intelligence firms; different firms may use different names for what may be the same underlying group.

Related terms

Attribution
The process of identifying the threat actor responsible for a cyberattack. Attribution is a confidence-weighted analytical conclusion, not a binary fact. It...
Confidence level
An explicit label attached to an attribution assessment indicating how strongly the available evidence supports the conclusion. Standard tiers are low, medium,...
False flag
A deliberate deception in which an attacker plants indicators designed to make the intrusion appear to originate from a different actor. Common...
Technical vs. legal attribution
Technical attribution identifies the infrastructure and tooling used in an attack and may link it to a known cluster or actor profile....
TTPs (Tactics, Techniques, and Procedures)
The behavioural fingerprint of a threat actor: the broad goals and approaches they pursue (tactics), the specific methods they use to achieve...

Explained in

  • Attribution in Cyber Investigations
