Ransomware, Threat Intelligence

Microsoft, CrowdStrike look to harmonize threat actor terminology

Editor's Note: Originally published June 2, this story was updated June 3 for clarification.

Microsoft and CrowdStrike are working to clear up any confusion when it comes to labeling threat actors.

The two cybersecurity giants said they want to develop a harmonized system for cybersecurity operations that can easily be used to identify and track threat actors.

"The cybersecurity industry has developed multiple naming systems for threat actors, each grounded in unique vantage points, intelligence sources, and analytic rigor. These taxonomies provide critical adversary context to help organizations understand the threats they face, who is targeting them, and why. But as the adversary landscape grows, so does the complexity of cross-vendor attribution," CrowdStrike said.

"Through this deeper collaboration, CrowdStrike and Microsoft have developed a shared mapping system — a ‘Rosetta Stone’ for cyber threat intelligence — that links adversary identifiers across vendor ecosystems without mandating a single naming standard."

The companies said the effort was designed to eliminate the complexity and confusion that comes with naming and tracking threat actors. Often, various security vendors and authorities will use different classifications or names for the same threat actor, which can make it hard for administrators and network defenders to identify a specific threat and install the needed patch or remediation. In turn, malware outbreaks will spread when they could have been easily contained had all parties involved been on the same page as to what the threat was and who was behind it.

“One major cause of delayed response is understanding threat actor attribution, which is often slowed by inaccurate or incomplete data as well as inconsistencies in naming across platforms,” Microsoft said in announcing the initiative.

“This, in turn, can reduce confidence, complicate analysis, and delay response.”

In rolling out the initiative, Microsoft acknowledged that naming threats has become something of a mess, to say the least.

“At Microsoft, we’ve published our own threat actor naming taxonomy to help researchers and defenders identify, share, and act on our threat intelligence, which is informed by the 84 trillion threat signals that we process daily,” Microsoft said.

“But the same actor that Microsoft refers to as Midnight Blizzard might be referred to as Cozy Bear, APT29, or UNC2452 by another vendor.”

For Microsoft's part, each nation of origin has its own family name, appended to a group's name, that designates where the threat actor is based and what it aims to do. For example, a threat group based out of China will be designated a name followed by “Typhoon,” while an operation backed by Ukraine will be called “Frost.”

Privately backed threat actors will be called “Tsunami” by Microsoft, while financially motivated attacks will be designated “Tempest.” Public influence attacks will be given the name “Flood.”

Microsoft's designation for an American action is “Tornado,” which seems appropriate because a U.S. cybersecurity operation being publicly identified happens about as often as cows fly.

In addition to CrowdStrike, Microsoft said that Google/Mandiant and Palo Alto Networks Unit 42 have signed on to the effort.

Microsoft is not alone in calling for better understanding when it comes to identifying threat actors and hacking campaigns.

Former CISA director Jen Easterly recently identified naming conventions as one of the pain points for organizations looking to secure their networks.

“We give them these names that imply power and charisma, like Fancy Bear and Volt Typhoon and Midnight Blizzard and Scattered Spider and the Lazarus Group, and we have no shortage of victims. Unfortunately, we name them, we shame them, we blame them, we stab the wounded, we fire the intern,” Easterly said.

“I think it's high time we stop glorifying the villains and vilifying the victims and start championing the visionaries.”

Shaun Nichols

A career IT news journalist, Shaun has spent 17 years covering the industry with a specialty in the cybersecurity field.
