Microsoft and CrowdStrike have announced a strategic collaboration to demystify the complex web of threat actor names. This initiative, soon to be joined by Google/Mandiant and Palo Alto Networks Unit 42, will establish a public “Rosetta Stone” mapping the myriad aliases used by different security vendors for the same hacking groups. The goal is to enhance clarity for security professionals, enabling faster correlation of threat intelligence and a more rapid response to global cyber threats, rather than imposing a single naming standard.
This collaborative effort directly addresses the “nickname overload” that often complicates cyber defense. For example, a single Russian-linked group might be known as “Midnight Blizzard” by Microsoft, “Cozy Bear” by CrowdStrike, or “APT29” by other researchers. Such discrepancies can introduce critical delays when quick understanding is needed. The first version of this joint threat actor mapping is now available through a Microsoft announcement, detailing common actors and their respective aliases.
The initiative has already deconflicted over 80 adversary names through direct analyst collaboration, according to CrowdStrike. Microsoft Security’s Corporate Vice President, Vasu Jakkal, explained the effort is designed to “help our customers and the broader security community align intelligence more easily, respond faster, and stay ahead of threat actors.” Adam Meyers, CrowdStrike’s SVP of counter adversary operations, emphasized the project’s core mission, stating their organizations chose to “put the customer first, because good versus evil is the true fight.”
A Unified Front Against Digital Adversaries
The challenge of varying naming conventions has long been a hurdle in cybersecurity. Individual firms historically assigned their own codenames, partly due to the difficulties in definitive attribution. CrowdStrike, for instance, uses evocative names like “FANCY BEAR” (which Microsoft maps to “Forest Blizzard”), while Microsoft recently transitioned its own taxonomy to weather-themed names like “Lemon Sandstorm,” as detailed by Reuters. An extensive list of Microsoft’s current names and some older aliases can be found on the Microsoft Learn portal.
This new “Rosetta Stone” aims to provide a clearer, more cohesive understanding across the industry. Michael Sikorski, CTO for Palo Alto’s threat intelligence unit, told Reuters how “disparate naming conventions for the same threat actors create confusion at the exact moment defenders need clarity.” A working group, co-led by Microsoft and CrowdStrike, will oversee the maintenance of this mapping and engage other trusted partners.
The operational advantages are significant, potentially streamlining threat hunting and enabling a shared understanding across diverse security tools. However, the initiative’s success will hinge on sustained commitment and its practical utility for analysts, especially during high-pressure incidents.
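To make the correlation benefit concrete, here is an added example (not code from Microsoft, CrowdStrike or the published mapping itself) showing how a team might use such an alias table to fold alerts from different vendor feeds onto one actor. The alias table is a constructed excerpt limited to the names quoted in this article, the canonical keys `ACTOR-A`/`ACTOR-B`/`ACTOR-C` are placeholders because the article gives no canonical identifiers, and the alert records are constructed sample input.

```python
"""Alias resolution over a vendor threat-actor naming table.

Added illustration only. The table below is a constructed excerpt built
from names quoted in the article; the real joint mapping is larger, and
the canonical keys here are placeholders, not official identifiers.
"""
from collections import defaultdict

# Constructed excerpt: placeholder canonical key -> {source: vendor name}
ALIAS_TABLE = {
    "ACTOR-A": {
        "microsoft": "Midnight Blizzard",
        "crowdstrike": "Cozy Bear",
        "other": "APT29",
    },
    "ACTOR-B": {
        "microsoft": "Forest Blizzard",
        "crowdstrike": "FANCY BEAR",
    },
    "ACTOR-C": {
        "microsoft": "Lemon Sandstorm",
    },
}


def _normalize(name: str) -> str:
    """Vendors differ in case, spacing and punctuation ("FANCY BEAR",
    "Fancy Bear", "fancy-bear"); collapse those before lookup."""
    return " ".join(name.replace("-", " ").replace("_", " ").split()).casefold()


def build_index(table):
    """Invert the table into alias -> canonical key, refusing ambiguous
    aliases so a bad table entry fails loudly instead of mis-correlating."""
    index = {}
    for key, names in table.items():
        for _source, name in names.items():
            norm = _normalize(name)
            if norm in index and index[norm] != key:
                raise ValueError(f"alias {name!r} maps to both {index[norm]} and {key}")
            index[norm] = key
    return index


ALIAS_INDEX = build_index(ALIAS_TABLE)


def resolve(name: str):
    """Return the canonical key for a vendor name, or None if unmapped."""
    return ALIAS_INDEX.get(_normalize(name))


def aliases_for(key: str):
    """All vendor names recorded for a canonical key (for analyst display)."""
    return sorted(ALIAS_TABLE.get(key, {}).values())


def correlate(alerts):
    """Group alerts by canonical actor; unmapped names are kept separately
    so they are reviewed rather than silently dropped."""
    groups = defaultdict(list)
    unresolved = []
    for alert in alerts:
        key = resolve(alert["actor"])
        if key is None:
            unresolved.append(alert)
        else:
            groups[key].append(alert)
    return dict(groups), unresolved


# Constructed sample alerts from three different feeds
SAMPLE_ALERTS = [
    {"source": "microsoft", "actor": "Midnight Blizzard", "host": "mail-01"},
    {"source": "crowdstrike", "actor": "Cozy Bear", "host": "mail-01"},
    {"source": "report", "actor": "apt29", "host": "vpn-02"},
    {"source": "crowdstrike", "actor": "Fancy Bear", "host": "dc-01"},
    {"source": "report", "actor": "Unknown Group 7", "host": "dc-01"},
]

if __name__ == "__main__":
    groups, unresolved = correlate(SAMPLE_ALERTS)
    for key, items in groups.items():
        print(key, aliases_for(key), [(a["source"], a["actor"]) for a in items])
    print("unresolved:", [a["actor"] for a in unresolved])
```

The three alerts naming Midnight Blizzard, Cozy Bear and APT29 collapse onto one actor, which is exactly the correlation the mapping is meant to speed up; names absent from the table are surfaced for review instead of being silently discarded, and an alias that appears under two keys is rejected when the index is built.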
The participating companies are also active in strengthening their own security postures; Google is notably advancing its $32 billion acquisition of Wiz, and Palo Alto Networks acquired Protect AI to bolster its AI security capabilities. CrowdStrike itself underwent significant reviews following a major global IT outage in July 2024, an event that also involved collaboration with Microsoft for resolution.
Broader Implications for Cyber Defense
The creation of a shared threat actor naming reference is more than an academic exercise; it’s a practical step towards more effective collective defense. By easing the workload for security teams, organizations can better focus on understanding adversary TTPs (Tactics, Techniques, and Procedures) and fortifying their defenses.
Juan Andres Guerrero-Saade of SentinelOne voiced skepticism to Reuters, suggesting that if information hoarding persists, “this is branding-marketing-fairy dust sprinkled on top of business realities.” The stated intent of the collaboration, by contrast, is to foster greater openness. The ongoing maintenance and expansion of this “Rosetta Stone” will be key to its enduring value in the dynamic field of cybersecurity.