
Microsoft and CrowdStrike announced a joint initiative to create a unified reference system for tracking nation-state hacking groups across different cybersecurity platforms. The partnership aims to reduce confusion caused by competing naming conventions while preserving each company’s proprietary threat intelligence methodologies [1].
Standardization Without Uniformity
The new system will map aliases between Microsoft’s weather-themed names (e.g., “Lemon Sandstorm”) and CrowdStrike’s animal-based nomenclature (e.g., “Fancy Bear”) without forcing either company to abandon its existing framework. This approach addresses a long-standing pain point for security teams, who must reconcile different vendor labels for the same threat actors [2].
For example, the Russian group known as APT29 appears as “Cozy Bear” in CrowdStrike reports and “Nobelium” in Microsoft advisories. The Iranian group “Phosphorus” has at least eight aliases including “Magic Hound” and “TA453” across various platforms. The new reference system will automatically link these names in security alerts and reports [3].
Industry Challenges and Criticism
The cybersecurity industry has struggled with inconsistent naming conventions for years. Palo Alto and Google have also participated in standardization efforts, but commercial competition has hindered progress. SentinelOne publicly dismissed the initiative as “branding-marketing-fairy dust,” reflecting skepticism about vendors collaborating effectively [4].
Technical challenges include overlapping attributions where multiple vendors assign different names to the same activity clusters. The MITRE ATT&CK database has attempted to map these aliases, but the process remains manual and incomplete. The Microsoft-CrowdStrike partnership represents the first automated cross-platform solution [5].
Operational Impact on Security Teams
For security operations centers, the naming confusion creates tangible risks. A 2024 survey found that 68% of analysts wasted significant time reconciling threat reports due to naming inconsistencies. The new reference system will integrate with SIEM platforms to automatically normalize group names in alerts and dashboards [6].
The table below shows how the system maps aliases for three high-profile groups:
Common Attribution | Microsoft Name | CrowdStrike Name | Other Aliases |
---|---|---|---|
Russian Foreign Intelligence | Forest Blizzard | Fancy Bear | APT29, Cozy Bear, Nobelium |
Chinese PLA Unit 61419 | Volt Typhoon | Vixen Panda | APT41, Bronze Atlas |
Iranian Revolutionary Guard | Mint Sandstorm | Charming Kitten | Phosphorus, TA453, Magic Hound |
Implementation and Future Developments
The reference system will debut in June 2025 as a public glossary updated quarterly. Both companies will maintain their internal naming conventions while publishing cross-reference tables through their threat intelligence APIs. Future versions may incorporate naming schemes from additional vendors [7].
Security teams should prepare for the change by:
- Updating SIEM correlation rules to recognize all mapped aliases
- Reviewing historical reports to identify groups affected by naming changes
- Training analysts on the new reference materials
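The alias normalization that the SIEM integration and the first preparation step describe can be sketched as follows. This is an added example, not code from Microsoft, CrowdStrike or any SIEM product; the alias groups are limited to the names this article cites in its prose, and the alert field names (`actor`, `actor_canonical`, `actor_status`) and canonical labels are assumptions made for illustration.

```python
import re

# Constructed cross-reference built only from aliases this article names;
# the canonical keys are local labels chosen for this example, not a standard.
ALIAS_GROUPS = {"APT29": ["Cozy Bear", "Nobelium"],
                "Phosphorus": ["Magic Hound", "TA453"]}

def _key(name):
    """Fold case, spaces, hyphens and underscores so 'cozy-bear' == 'Cozy Bear'."""
    return re.sub(r"[\s_\-]+", "", name).casefold()

def build_index(groups):
    """Return (alias key -> canonical name, set of contested alias keys)."""
    index, ambiguous = {}, set()
    for canonical, aliases in groups.items():
        for name in [canonical, *aliases]:
            k = _key(name)
            if k in index and index[k] != canonical:
                ambiguous.add(k)  # same label claimed by two groups
            index.setdefault(k, canonical)
    for k in ambiguous:
        del index[k]  # never auto-resolve a contested alias
    return index, ambiguous

def normalize_alert(alert, index, ambiguous):
    """Add canonical actor and mapping status; the vendor's own label is kept."""
    k = _key(alert.get("actor", ""))
    status = "ambiguous" if k in ambiguous else "mapped" if k in index else "unmapped"
    return {**alert, "actor_canonical": index.get(k), "actor_status": status}

def correlate(alerts, index, ambiguous):
    """Group alert ids by canonical actor so cross-vendor alerts line up."""
    buckets = {}
    for a in (normalize_alert(x, index, ambiguous) for x in alerts):
        if a["actor_status"] == "mapped":
            buckets.setdefault(a["actor_canonical"], []).append(a["id"])
    return buckets

# Constructed sample alerts from three hypothetical feeds.
SAMPLE_ALERTS = [
    {"id": 1, "source": "vendor-a", "actor": "NOBELIUM"},
    {"id": 2, "source": "vendor-b", "actor": "cozy-bear"},
    {"id": 3, "source": "vendor-c", "actor": "TA453"},
    {"id": 4, "source": "vendor-c", "actor": "Unknown Cluster 7"},
]
```

Alerts with status `unmapped` or `ambiguous` are the ones to route to an analyst, since a quarterly glossary will lag behind newly named clusters and overlapping attributions.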
The initiative comes as CrowdStrike faces scrutiny following a 2024 global outage caused by a faulty update to its Falcon platform. Some analysts question whether naming standardization distracts from more pressing security challenges [8].
Conclusion
The Microsoft-CrowdStrike partnership represents a pragmatic compromise in the long-running debate over threat actor naming conventions. While not eliminating proprietary naming systems, the automated alias mapping should reduce confusion for defenders tracking advanced persistent threats across multiple intelligence sources. The success of the initiative will depend on widespread adoption and continued maintenance as threat groups evolve their tactics.
References
1. “Forest Blizzard vs Fancy Bear: Cyber companies hope to untangle weird hacker names,” Reuters, 2025. [Online]. Available: https://www.reuters.com/sustainability/boards-policy-regulation/forest-blizzard-vs-fancy-bear-cyber-companies-hope-untangle-weird-hacker-2025-06-02
2. “Threat actor names proliferate, adding confusion,” Dark Reading, 2025. [Online]. Available: https://www.darkreading.com/threat-intelligence/threat-actor-names-proliferate-adding-confusion
3. “Understanding threat actor naming conventions,” Infosecurity Europe, 2025. [Online]. Available: https://www.infosecurityeurope.com/en-gb/blog/threat-vectors/understanding-threat-actor-naming-conventions.html
4. “Forest Blizzard vs Fancy Bear,” AOL News, 2025. [Online]. Available: https://www.aol.com/news/forest-blizzard-vs-fancy-bear-162127208.html
5. “What is CrowdStrike and how is it linked to Microsoft outage,” Times of India, 2024. [Online]. Available: https://timesofindia.indiatimes.com/world/us/what-is-crowdstrike-and-how-is-it-linked-to-microsoft-outage/articleshow/111862845.cms
6. “What is CrowdStrike? Global Microsoft outage explained,” CBS News, 2024. [Online]. Available: https://www.cbsnews.com/news/what-is-crowdstrike-global-microsoft-outage
7. “Anonymous Sudan hacktivist group DDoS indictment,” CrowdStrike Blog, 2024. [Online]. Available: https://www.crowdstrike.com/en-us/blog/anonymous-sudan-hacktivist-group-ddos-indictment
8. “Salt Typhoon believed to be behind Commvault data breach,” GovInfoSecurity, 2025. [Online]. Available: https://www.govinfosecurity.com/salt-typhoon-believed-to-be-behind-commvault-data-breach-a-28496