Highlights

  • New joint system maps cyber threat actor aliases across platforms for consistent attribution.
  • Over 80 adversary aliases deconflicted, including Chinese and Russian state-sponsored actors.
  • Collaboration aims to reduce decision-making delays for cybersecurity defenders worldwide.

In an initiative aimed at streamlining threat intelligence, CrowdStrike (NASDAQ: CRWD) and Microsoft have announced a collaboration to align how cyber threat actors are identified and tracked. The effort addresses long-standing industry issues with disparate naming conventions across security vendors, which have made cross-platform adversary attribution complex and time-consuming.

The cybersecurity field has historically used a variety of naming systems to label threat actors, often derived from differing intelligence sources, methodologies, and perspectives. This inconsistency has created operational inefficiencies for defenders trying to correlate intelligence across platforms.

To address this, CrowdStrike and Microsoft are introducing a shared mapping framework—referred to as a “Rosetta Stone” for cyber threat intelligence—that links threat actor identifiers used by each company without enforcing a unified taxonomy. This approach allows security professionals to connect disparate names like “COZY BEAR” (commonly used by U.S. intelligence) and “Midnight Blizzard” (Microsoft’s designation), improving coordination and situational awareness during active threats.

According to the companies, the collaborative effort has already harmonized naming for over 80 adversary groups. These include significant validations, such as identifying Microsoft’s “Volt Typhoon” and CrowdStrike’s “VANGUARD PANDA” as aliases for the same Chinese state-sponsored group, and confirming “Secret Blizzard” and “VENOMOUS BEAR” are names for the same Russian-affiliated actor.

This unified attribution is expected to improve response times and help cybersecurity teams act on intelligence faster. Analysts across both organizations will continue to expand the mapping, with plans to include additional security partners in the future to maintain a more comprehensive and community-driven threat actor resource.

While the partnership does not eliminate differences in vendor-specific analysis or naming practices, it marks a significant step toward interoperability in threat intelligence and response coordination across the cybersecurity sector.