Microsoft and CrowdStrike will lead a cooperative effort to map out the overlapping web of hacker groups that their researchers have disclosed and named, the companies said on Monday.
For years, the companies’ different naming conventions for various criminal and state-linked threat groups have created unnecessary confusion and delays in the sharing of threat intelligence.
Microsoft and CrowdStrike released an initial version of their threat actor matrix on Monday, listing the groups they track and each one’s corresponding aliases from other researchers.
Palo Alto Networks and Google’s Mandiant unit are joining the collaborative effort on streamlining threat group taxonomy.
Vasu Jakkal, corporate vice president of Microsoft Security, said that even delays of a few seconds can make a difference in whether an attack is thwarted or successful.
“One major cause of delayed response is understanding threat actor attribution, which is often slowed by inaccurate or incomplete data as well as inconsistencies in naming across platforms,” Jakkal said in a blog post.
Microsoft and CrowdStrike have collaborated on more than 80 adversaries so far, according to Adam Meyers, senior vice president for counter adversary operations at CrowdStrike.
“Aligning on naming conventions isn’t just a nice-to-have but a game-changer for defenders trying to act fast,” Michael Sikorski, CTO and head of threat intelligence at Palo Alto Networks’ Unit 42, told Cybersecurity Dive. “A shared baseline for threat actor names means faster attribution, improved cyberattack response, and fewer blind spots.”
Microsoft, for example, tracks the criminal threat group known widely as Scattered Spider as Octo Tempest, while Palo Alto Networks tracks it as Muddled Libra.
Microsoft and CrowdStrike are also working on a plan to create a small, focused group of contributors who will help define a process of updating and maintaining attribution mappings, Meyers said in a blog post.
Meyers said there will be no change in how the companies name and identify threat actors, as each company will retain its own methods, telemetry and naming system.
Naming conventions in the cybersecurity space have long been a source of controversy, not only because different firms track the same groups slightly differently but also because of how companies sometimes mythologize the capabilities of threat actors.
Jen Easterly, former director of the Cybersecurity and Infrastructure Security Agency, criticized some of the naming conventions during a 2024 speech at Black Hat, saying companies have almost made it seem like hacker groups have immortal superpowers.