Microsoft and Crowdstrike team up to bring clarity to threat actor naming

To deal with cyberattacks effectively, it is important to describe and categorize cyberthreats as precisely as possible. That is why Microsoft and CrowdStrike have decided to join forces and come up with a way to harmonize the naming of threat actors.
So many hacking groups, so many names. At times, it can be quite confusing, especially when cybersecurity firms use a variety of names while they’re talking about the same cyber threat.
For example, Microsoft calls one Russia-linked hacking group Forest Blizzard, while CrowdStrike has named the same group Fancy Bear. To make things even more confusing, the group is also referred to as BlueDelta, Unit 26165, APT28, and a variety of other identifiers.
Another example: Microsoft talks about Midnight Blizzard, while other vendors speak of Cozy Bear, APT29, or UNC2452. And they’re all talking about the same threat actor.
These naming inconsistencies across vendors are not only unnecessarily complicated; they are also one of the causes of delayed response when a security incident occurs, because analysts first have to work out whether two reports describe the same adversary.
That is why Microsoft and CrowdStrike have decided to team up to create alignment across their individual threat actor taxonomies. “By mapping where our knowledge of these actors aligns, we will provide security professionals with the ability to connect insights faster and make decisions with greater confidence,” Microsoft says in a blog post.
Both companies have come up with a collaborative reference guide to threat actor mapping. Threat actors are categorized into five key groups: nation-state actors, financially motivated actors, private sector offensive actors, influence operations, and groups in development.
In this taxonomy, a weather event or family name identifies one of the above categories (and, for nation-state actors, the country they operate from). For example, state-sponsored actors from China are referred to as Typhoon. If nation-state hackers operate from North Korea, they are called Sleet. If these hackers are financially motivated at the same time, they are called Sleet Tempest.
CrowdStrike is calling this reference guide a ‘Rosetta Stone’. Although such mappings have been attempted unsuccessfully in the past, the cybersecurity firm promises this collaboration is different. “Through mutual effort and analyst-led deconfliction, we will combine resources to maintain a mapping for the community, and make it available to all those who engage these adversaries on the cyber battlefield,” the company says.
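To show what a ‘Rosetta Stone’ of this kind does for a SOC in practice, here is an added Python example (not code from the article, Microsoft or CrowdStrike). It builds a small alias index from the names quoted above, parses Microsoft's two-word naming convention to recover the category a family name signals, and merges vendor reports that use different names for the same actor. The alias table covers only the two actors the article names; the family-name meanings for Typhoon (China) and Sleet (North Korea) are taken from the article, while Blizzard (Russia) and Tempest (financially motivated) come from Microsoft's published convention rather than this page. The report lines, vendor labels and actor ids are constructed for the example.

```python
import re
from collections import defaultdict

# Microsoft family names and what each signals: (category, country of origin).
# Typhoon and Sleet are from the article; Blizzard and Tempest are from
# Microsoft's published naming convention, added here as an assumption.
FAMILY_NAMES = {
    "typhoon": ("nation-state", "China"),
    "sleet": ("nation-state", "North Korea"),
    "blizzard": ("nation-state", "Russia"),
    "tempest": ("financially motivated", None),
}

# Constructed alias table for the two actors the article mentions.
# The canonical ids are placeholders, not identifiers from either vendor.
ALIAS_TABLE = {
    "actor-1": {"Forest Blizzard", "Fancy Bear", "APT28", "BlueDelta", "Unit 26165"},
    "actor-2": {"Midnight Blizzard", "Cozy Bear", "APT29", "UNC2452"},
}


def normalize(name: str) -> str:
    """Canonicalize spelling variants: case, repeated whitespace, 'APT 28' vs 'APT28'."""
    n = re.sub(r"\s+", " ", name.strip()).lower()
    n = re.sub(r"^(apt|unc)\s+(\d+)$", r"\1\2", n)
    return n


# Reverse index: normalized alias -> canonical actor id.
_ALIAS_INDEX = {
    normalize(alias): actor_id
    for actor_id, aliases in ALIAS_TABLE.items()
    for alias in aliases
}


def resolve(name: str):
    """Return the canonical actor id for any known vendor name, else None."""
    return _ALIAS_INDEX.get(normalize(name))


def classify_microsoft_name(name: str):
    """Parse a two-word Microsoft name such as 'Forest Blizzard' into
    (category, origin) using the family-name suffix; None if not recognized."""
    parts = normalize(name).split(" ")
    if len(parts) != 2:
        return None
    return FAMILY_NAMES.get(parts[1])


def merge_reports(reports):
    """Group (vendor, actor_name, detail) tuples by canonical actor.

    Names that are not in the alias table are kept under an 'unmapped:' key
    so that nothing is silently dropped during deconfliction."""
    merged = defaultdict(list)
    for vendor, actor, detail in reports:
        key = resolve(actor) or f"unmapped:{normalize(actor)}"
        merged[key].append((vendor, detail))
    return dict(merged)


# Constructed sample reports: five vendors, several names, one unknown group.
SAMPLE_REPORTS = [
    ("vendor-A", "Forest Blizzard", "credential phishing campaign"),
    ("vendor-B", "Fancy Bear", "credential phishing campaign"),
    ("vendor-C", "APT 28", "router compromise"),
    ("vendor-A", "Midnight Blizzard", "OAuth application abuse"),
    ("vendor-D", "UNC2452", "OAuth application abuse"),
    ("vendor-E", "Some Unknown Crew", "web shell"),
]

if __name__ == "__main__":
    for actor_id, entries in merge_reports(SAMPLE_REPORTS).items():
        print(actor_id, len(entries), "report(s)")
        for vendor, detail in entries:
            print("   ", vendor, "-", detail)
    print(classify_microsoft_name("Forest Blizzard"))
```

Running the script collapses the six sample reports into three buckets: three reports for the first actor, two for the second, and one left explicitly unmapped. The explicit `unmapped:` key is the important design choice: a mapping that quietly drops names it does not know would recreate the very blind spot the harmonization effort is meant to remove.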
“Security is a shared responsibility, requiring community-wide efforts to improve defensive measures. We are excited to be teaming up with CrowdStrike and we look forward to others joining us on this journey,” Microsoft concludes its blog post.