Microsoft, Crowdstrike to create unified "Rosetta Stone" of threat actors and their wacky names


A new unified threat mapping system, spearheaded by Microsoft and Crowdstrike, aims to simplify naming conventions currently used to classify nation-state threat actors and other financially driven cybercriminal groups industrywide.

Fancy Bear, Volt Typhoon, Midnight Blizzard, Lazarus Group, and Charming Kitten.

While these monikers all may sound like they're part of a really cool kids' game, unfortunately, they are the official names coined by security researchers to identify some of the top nation-state threat groups in existence today.


In fact, there are so many random (and ridiculous-sounding) names for the exact same threat group that Cybernews even wrote a joke article on the subject as an April Fools' prank. (You can read it here.)

The two powerhouse tech companies announced the new taxonomy initiative on Monday, along with the other contributors to the project, Google’s Mandiant and Palo Alto Networks' Unit 42 threat intelligence divisions.

These groups are also known as advanced persistent threats, or APTs. Microsoft points out that the multiple names come about because more than one security intelligence organization engages in APT research, and each one assigns its own name to the activity it tracks.

The joint threat actor mapping will include a full list of common actors tracked and mapped by the two companies, as well as corresponding aliases gathered from their own taxonomy and eventually, from across the industry, the companies said.

Microsoft Security’s Corporate Vice President Vasu Jakkal – penning a blog about the news – believes aligning how the industry categorizes cyber threats will “improve understanding, coordination, and overall security posture.”

“By clarifying who is being referenced in threat reports, SOC analysts, incident responders, and CISOs can more quickly assess risk, prioritize response, and communicate with clarity across internal teams and external partners," Crowdstrike said in its own announcement.


Citing the National Institute of Standards and Technology’s (NIST) guidance on threat sharing, Jakkal also says the move will give “organizations the ability to connect insights faster and make decisions with greater confidence.”

What's in a name?

Some of the biggest offenders sponsoring these nation-state threats, coinciding with those mentioned above, include Russia (Fancy Bear), China (Volt Typhoon), North Korea (Lazarus Group), and Iran (Charming Kitten).

Also mentioned above is Midnight Blizzard, a known threat linked to Russia’s GRU, the not-so-secret elite military intelligence unit of hackers who take orders from the Kremlin.

Illustrating the industry-wide frustration, the Kremlin-backed espionage group is also interchangeably identified as Cozy Bear, APT29, The Dukes, Grizzly Steppe, UNC2452, and Nobelium, depending on which security company is referencing them.

[Image: Microsoft threat actor naming convention] Microsoft currently uses a naming taxonomy for threat actors aligned with the theme of weather. Image by Microsoft.

The US Cybersecurity and Infrastructure Security Agency (CISA) states that the malicious cyber activity carried out by these groups involves prolonged infiltration of network systems, often targeting other governments and critical infrastructure to gather and steal sensitive data, as well as to disrupt or completely destroy the systems once inside.

Last month, a blog by Check Point identified Putin's Cozy Bear (and its multiple aliases) as the prime suspect in a new campaign targeting European politicians with fake wine-tasting and other social events.

And another of China’s state-sponsored APTs, the notorious Salt Typhoon, is suspected of attacks on the US Treasury and the US telecommunications sector, including hacking Verizon in an attempt to access the email accounts of Trump and Harris staffers during the 2024 presidential election.


According to a profile on the group by Varonis, "Salt Typhoon is known by many names depending on which security vendor is being referenced – Ghost Emperor by Kaspersky, FamousSparrow by ESET, Earth Estrie by Trend Micro, and UNC2286 by Mandiant," and well, you get the picture.

[Image: Crowdstrike list of adversaries deconflicted with Microsoft] Crowdstrike offers a sample of the 80 adversaries the two companies have "deconflicted" to date. Images by Crowdstrike.

"Rosetta Stone" of threat actors

Although CISA states there “is no ultimate arbiter of APT naming conventions,” Jakkal says the new threat mapping guide is not about creating a single naming standard.

“This reference guide serves as a starting point, a way to translate across naming systems so defenders can work faster and more efficiently, especially in environments where insights from multiple vendors are in play,” Jakkal explained.
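To make the "translate across naming systems" idea concrete, here is a small alias resolver, added as an example for this article and not code from Microsoft, Crowdstrike or any other contributor. It merges vendor alias lists with a union-find structure so that any spelling of any alias resolves to one cluster, and it checks a list of "these are different actors" assertions afterwards, so a feed entry that would silently collapse two distinct clusters is flagged for analyst review instead of being accepted. The alias sets are the ones the article quotes; the provenance tags, the distinctness assertion, and the deliberately wrong "constructed-feed" record are constructed for the example.

```python
"""Added example: a small "Rosetta Stone" alias resolver with deconfliction.

Alias lists from several sources are merged with union-find. After merging,
a list of "not the same actor" assertions is checked; any assertion that
was violated by the merge is returned so an analyst can review the record
that caused it, rather than letting the clusters collapse silently.
"""
import re
from collections import defaultdict

# Alias sets as quoted in the article. The first element is a free-text
# provenance tag (constructed for this example), not a vendor attribution.
ARTICLE_RECORDS = [
    ("article: Cozy Bear aliases",
     ["Cozy Bear", "APT29", "The Dukes", "Grizzly Steppe",
      "UNC2452", "Nobelium", "Midnight Blizzard"]),
    ("article: Salt Typhoon aliases",
     ["Salt Typhoon", "Ghost Emperor", "FamousSparrow",
      "Earth Estrie", "UNC2286"]),
]

# Assertion that two names must NOT resolve to the same actor (constructed;
# the article presents these as two separate groups).
DISTINCT = [("Midnight Blizzard", "Salt Typhoon")]

# A constructed, deliberately wrong record from a hypothetical feed: listing
# an Earth Estrie alias beside Nobelium would merge the two clusters above.
BAD_RECORD = ("constructed-feed (hypothetical)", ["Nobelium", "Earth Estrie"])


def normalize(name: str) -> str:
    """Key that ignores case, spacing and punctuation: 'COZY BEAR' == 'CozyBear'."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


class AliasRegistry:
    def __init__(self):
        self._parent = {}                  # union-find parent pointers
        self._display = {}                 # key -> first spelling seen
        self._sources = defaultdict(set)   # key -> provenance tags

    def _touch(self, name):
        key = normalize(name)
        if key not in self._parent:
            self._parent[key] = key
            self._display[key] = name
        return key

    def _find(self, key):
        root = key
        while self._parent[root] != root:
            root = self._parent[root]
        while self._parent[key] != root:   # path compression
            nxt = self._parent[key]
            self._parent[key] = root
            key = nxt
        return root

    def add(self, source, names):
        """Record one alias list and union every name in it."""
        keys = [self._touch(n) for n in names]
        for k in keys:
            self._sources[k].add(source)
        for k in keys[1:]:
            ra, rb = self._find(keys[0]), self._find(k)
            if ra != rb:
                self._parent[rb] = ra

    def same_actor(self, a, b):
        ka, kb = normalize(a), normalize(b)
        if ka not in self._parent or kb not in self._parent:
            return False
        return self._find(ka) == self._find(kb)

    def aliases_of(self, name):
        """Every known spelling in the same cluster as `name`, sorted."""
        key = normalize(name)
        if key not in self._parent:
            return []
        root = self._find(key)
        return sorted(self._display[k] for k in list(self._parent)
                      if self._find(k) == root)

    def sources_of(self, name):
        return sorted(self._sources.get(normalize(name), ()))

    def conflicts(self, distinct_pairs):
        """Distinctness assertions that the merged data violates."""
        return [(a, b) for a, b in distinct_pairs if self.same_actor(a, b)]


def build_registry(records, distinct=DISTINCT):
    """Merge all records; return (registry, violated distinctness assertions)."""
    reg = AliasRegistry()
    for source, names in records:
        reg.add(source, names)
    return reg, reg.conflicts(distinct)


if __name__ == "__main__":
    reg, bad = build_registry(ARTICLE_RECORDS)
    print("APT29 resolves to:", reg.aliases_of("apt29"), "conflicts:", bad)
    _, bad = build_registry(ARTICLE_RECORDS + [BAD_RECORD])
    print("with the constructed bad feed, conflicts:", bad)
```

The distinctness list is the part that does the "deconfliction" work: merging alone can only ever grow clusters, so without it an erroneous alias in one feed would quietly turn two actors into one and every downstream lookup would inherit the error.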

Using their present taxonomy methods, Microsoft and Crowdstrike will continue to use five key groups to divide and categorize threat actors:

  • Nation-state actors
  • Financially motivated actors
  • Private sector offensive actors (PSOAs)
  • Influence operations
  • Groups in development

Crowdstrike, in its post about the collaborative union “to harmonize cyber threat attribution," said adversary attribution has grown more urgent as security attacks increase and impact the business world and national security.

Calling the new guide a "Rosetta Stone," the cybersecurity company says that multiple naming systems have emerged over the past decade, creating “fragmentation, confusion, and complexity.”

“While a single universal naming standard is not practical and may not be possible, defenders shouldn’t have to spend countless cycles trying to delineate if COZY BEAR is the same as APT29, or UNC2452, or Midnight Blizzard," it said.


Crowdstrike says that while the initiative will start with just the four contributors, it expects in the future to work with more organizations, using analyst-driven collaboration and organizational governance to keep the mapping available to the broader security community.

Ready to work, the two companies have already “deconflicted more than 80 threat actors” representing the "most active and sophisticated adversaries" known worldwide, they said.