CrowdStrike & Microsoft unify naming for cyber threat actors

CrowdStrike and Microsoft have jointly introduced a new initiative aimed at standardising the way cyber threat actors are identified across the cybersecurity sector.

The collaboration has resulted in a shared mapping system, aligning threat actor aliases between the two companies and promoting clarity in cyber threat attribution. Both companies state that this initiative is designed to accelerate threat response and reduce confusion caused by the inconsistent nicknames used for hacker groups among different security vendors.

The cybersecurity industry has historically relied on disparate naming systems, each informed by distinct intelligence sources and analytical approaches. While these systems provide valuable context on adversaries, they can complicate cross-reference and response due to conflicting terminology. This increased complexity has prompted the need for a unified approach to threat actor attribution.

CrowdStrike and Microsoft's joint mapping project serves as a form of 'Rosetta Stone' for cyber threat intelligence, linking adversary identifiers across their respective ecosystems without imposing a single nomenclature. By connecting aliases—such as CrowdStrike's COZY BEAR and Microsoft's Midnight Blizzard, or VANGUARD PANDA and Volt Typhoon—the mapping facilitates quicker and better-coordinated responses to sophisticated adversaries.

According to CrowdStrike, the partners have already reconciled over 80 threat group aliases. The alignment expands to groups linked to major nation-state actors. For example, the companies have confirmed that Microsoft's Volt Typhoon and CrowdStrike's VANGUARD PANDA refer to the same China-nexus actor, while Secret Blizzard and VENOMOUS BEAR designate a Russia-linked group.

Adam Meyers, Head of Counter Adversary Operations at CrowdStrike, commented on the significance of the collaboration. "This is a watershed moment for cybersecurity. Adversaries hide behind both technology and the confusion created by inconsistent naming. As defenders, it's our job to stay ahead and to give security teams clarity on who is targeting them and how to respond. This has been CrowdStrike's mission from day one," Meyers said. "CrowdStrike is the leader in adversary intelligence, and Microsoft brings one of the most valuable data sources on adversary behavior. Together, we're combining strengths to deliver clarity, speed, and confidence to defenders everywhere."

The initial phase of the collaboration involves specialist teams from both companies working together to harmonise adversary naming conventions. The effort has already demonstrated practical value by validating the identities of specific threat actors across the two ecosystems. The companies will seek to expand this initiative, inviting additional contributors to create and maintain a broader threat actor mapping resource accessible to the global cybersecurity community.

Vasu Jakkal, Corporate Vice President for Microsoft Security, emphasised the broader implications for the security sector. "Cybersecurity is a defining challenge of our time, especially in today's AI-driven era," Jakkal said. "Microsoft and CrowdStrike are in ideal positions to help our customers, and the wider defender community accelerate the benefits of actionable threat intelligence. Security is a team sport and when defenders can share and react to information faster it makes a difference in how we protect the world."

The companies note that their collaboration builds on an established history of threat intelligence activity and contributes towards a shared mission: prioritising customer outcomes and sector-wide defence, rather than market competition. The mapping initiative will continue to develop as more partners join to keep the threat actor taxonomy up to date and useful for the defender community.