
Threat actor groups are known by a variety of colorful nicknames, with different security companies referring to the same threats under different taxonomies. In an effort to streamline the naming system, Microsoft, CrowdStrike, Palo Alto Networks, and Google will publish a shared glossary that maps different aliases used for the same threat actor groups.
However, as Reuters reported, threat intelligence is often tied to proprietary research and brand reputation, which makes information sharing a sensitive issue among cybersecurity firms. Because of that, some experts question whether this initiative will meaningfully shift how companies collaborate.
Midnight Blizzard or Cozy Bear?
Different cybersecurity companies have chosen their naming systems for different reasons. Microsoft assigns weather-themed terms to classify threat actors, signaling factors like country of origin, type of activity, or whether the threat is newly emerging.
The same Russia-based group Microsoft calls Midnight Blizzard is called Cozy Bear by CrowdStrike and has the more formal name APT29 at MITRE. Another threat actor group, based in Iran, is known variously as Mint Sandstorm, Phosphorus, Charming Kitten, and APT35.
To help bridge these naming conventions, Microsoft and CrowdStrike have begun mapping aliases for threat groups tracked by both companies.
“This effort is not about creating a single naming standard,” said Vasu Jakkal, corporate vice president of Microsoft Security, in a June 2 blog post. “Rather, it’s meant to help our customers and the broader security community align intelligence more easily, respond faster, and stay ahead of threat actors.”
Jakkal also described the glossary as a “starting point” to help organizations translate across multiple naming systems and coordinate security efforts more effectively.
While Microsoft and CrowdStrike will be the first two companies to contribute to the glossary, Google (together with Mandiant, the cybersecurity firm it owns) and Palo Alto Networks’ Unit 42 threat research team are expected to share input at an undisclosed future date.
This doesn’t mean security companies will share all of their information
Reuters noted that in one 2016 case, a single hacker network was associated with 48 different nicknames, underscoring how disjointed attribution has become. By offering a cross-referenced list of aliases, the glossary could help defenders link related threat actors more quickly and accurately.
Still, skepticism remains. SentinelOne Executive Director for Intelligence and Security Research Juan Andres Guerrero-Saade told Reuters the initiative sounded like just “branding-marketing-fairy dust” on top of business as usual, since cybersecurity companies tend to hoard information.