Microsoft, CrowdStrike Lead Effort to Map Threat Actor Names

Microsoft and CrowdStrike announced on Monday that they are spearheading an industry initiative to map threat actor names. Their objective is to simplify the process for the cybersecurity community to align intelligence effectively.

There are many threat groups, and each is commonly known by several names assigned by the researchers and cybersecurity firms tracking its activity.

For instance, the China-linked group often referred to as APT41 is also tracked as Bronze Atlas, Earth Baku, Wicked Panda and Winnti, among others. The Russia-linked APT28 has at least a dozen other names, including Fancy Bear, Forest Blizzard, Sednit, Sofacy, and Tsar Team.

Microsoft has been using a weather-themed naming taxonomy (e.g., Blizzard for Russia, Typhoon for China). CrowdStrike has been using an animal-themed naming convention (e.g., Panda for China, Bear for Russia, and Spider for cybercriminals). Google Cloud’s Mandiant is known for using the APT[number] and UNC[number] format.

At this point, getting the entire cybersecurity industry to use a single name for each threat group is not practical and may not be possible, CrowdStrike noted, but it’s important to bring clarity to threat attribution across vendors.

As part of the new initiative, Microsoft has assigned names to threat actors, and these names are being mapped to other names assigned to the same actors by CrowdStrike and other vendors.
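The kind of cross-vendor alias mapping described here, as an added Python example that is not part of the article or of any vendor's own tooling: each vendor's alias lists are merged into clusters with a union-find, and the themed suffix conventions (Blizzard/Typhoon, Bear/Panda/Spider) are used to flag a cluster whose names imply conflicting attributions. The alias strings are those named in the article; which vendor lists which alias is a constructed assumption.

```python
# Constructed sample: the alias strings are those named in the article; which
# vendor lists which alias is an illustrative assumption, not vendor data.
VENDOR_ALIASES = {
    "Mandiant": {"APT41": ["Wicked Panda", "Winnti"], "APT28": ["Fancy Bear"]},
    "Microsoft": {"Forest Blizzard": ["APT28", "Sofacy"]},
    "CrowdStrike": {"Wicked Panda": ["Bronze Atlas", "Earth Baku"],
                    "Fancy Bear": ["Sednit", "Tsar Team"]},
}
# Themed suffixes that encode a vendor's attribution (as described in the article).
SUFFIX_HINT = {"Blizzard": "Russia", "Typhoon": "China",                    # Microsoft
               "Bear": "Russia", "Panda": "China", "Spider": "cybercrime"}  # CrowdStrike

def attribution_hint(name):
    """Country/motive implied by a themed vendor name, or None (e.g. 'APT28')."""
    return SUFFIX_HINT.get(name.split()[-1])

class AliasMap:
    """Union-find over aliases: every alias a vendor lists is merged into one cluster."""
    def __init__(self):
        self.parent = {}

    def find(self, name):
        self.parent.setdefault(name, name)
        while self.parent[name] != name:
            self.parent[name] = self.parent[self.parent[name]]  # path halving
            name = self.parent[name]
        return name

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)

    def cluster(self, name):
        """Every known name tracked as the same actor as `name`, across vendors."""
        root = self.find(name)
        return {n for n in self.parent if self.find(n) == root}

def build_alias_map(vendor_aliases):
    amap = AliasMap()
    for names in vendor_aliases.values():
        for primary, aliases in names.items():
            for alias in aliases:
                amap.union(primary, alias)
    return amap

def attribution_conflicts(amap):
    """Clusters whose themed names imply different attributions, i.e. a mapping error."""
    roots = {amap.find(n) for n in amap.parent}
    return [c for c in (amap.cluster(r) for r in roots)
            if len({attribution_hint(n) for n in c} - {None}) > 1]
```

Names with no themed suffix (APT28, Sednit, Winnti) contribute no hint, so only clusters that mix, say, a Blizzard name with a Panda name are reported.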

“The alliance will help the industry better correlate threat actor aliases without imposing a single naming standard. It will grow in the future to include other organizations that also practice the art of attribution,” CrowdStrike explained.

Microsoft stated that the initiative aims to enhance confidence in identifying threat groups, streamline correlation processes, and speed up defender actions.

“This effort is not about creating a single naming standard,” Microsoft said. “Rather, it’s meant to help our customers and the broader security community align intelligence more easily, respond faster, and stay ahead of threat actors.”

Google (Mandiant) and Palo Alto Networks will also contribute to the project.