Microsoft and CrowdStrike have announced that they are teaming up to align their individual threat actor taxonomies by publishing a new joint threat actor mapping.
“By mapping where our knowledge of these actors align, we will provide security professionals with the ability to connect insights faster and make decisions with greater confidence,” Vasu Jakkal, corporate vice president at Microsoft Security, said.
The initiative is seen as a way to untangle the menagerie of nicknames that private cybersecurity vendors assign to various hacking groups that are broadly categorized as a nation-state, financially motivated, influence operations, private sector offensive actors, and emerging clusters.
For example, the Russian state-sponsored threat actor tracked by Microsoft as Midnight Blizzard (formerly Nobelium) is also known as APT29, BlueBravo, Cloaked Ursa, Cozy Bear, Iron Hemlock, and The Dukes.
Likewise, Forest Blizzard (previously Strontium) goes by other monikers such as Blue Athena, BlueDelta, Fancy Bear, Fighting Ursa, FROZENLAKE, Iron Twilight, Pawn Storm, Sednit, Sofacy, and TA422. Microsoft shifted from using chemical elements-inspired names to a weather-themed threat actor nomenclature in April 2023.
In aligning these names across vendors, the idea is to make tracking overlapping threat actor activity a lot easier and avoid unwanted confusion when it comes to threat actor attribution that in turn, can reduce confidence, complicate analysis, and delay response.
While the unified threat mapping system is a two-party effort, Google and its Mandiant subsidiary as well as Palo Alto Networks Unit 42 are also expected to contribute to the effort. Other cybersecurity companies are likely to join the initiative in the future. That said, the collaboration does not aim to create a single naming standard.
CrowdStrike said the alignment has led to successfully deconflicting more than 80 adversaries, adding the alliance aims to better correlate threat actor aliases without sticking to a single naming scheme. It called the new glossary a “Rosetta Stone.”
“In addition, where telemetry complements one another, there’s an opportunity to extend attribution across more planes and vectors — building a richer, more accurate view of adversary campaigns that benefits the entire community,” CrowdStrike’s Adam Meyers said.
