20 May 2025 – In a bid to reduce the fog of war in modern cyber defense, Microsoft and CrowdStrike have launched a shared threat actor glossary to standardize how cybercriminal groups are identified across security platforms. This pioneering collaboration addresses a critical issue: inconsistent threat actor naming that slows down incident response and complicates cybersecurity operations. With global threat volumes escalating, this alignment comes at a crucial time.
For years, threat actor naming inconsistencies have plagued defenders. A group identified as “Midnight Blizzard” by Microsoft might appear as “APT29,” “Cozy Bear,” or “UNC2452” in other vendors’ reports. These naming mismatches complicate attribution, delay investigations, and undermine trust among cybersecurity teams.
As highlighted in the NIST SP 800-150 Revision 1 guidance on threat sharing, standardized communication of threat intelligence is key to improving collaboration and defense efficacy. Microsoft and CrowdStrike’s glossary directly aligns with this guidance.
The New Glossary Explained
Announced on 20 May 2025, the glossary is a cross-reference table of known threat actors, mapping the names used by Microsoft and CrowdStrike to track identical or overlapping groups. It serves as a translation layer, allowing security teams to:
- Improve confidence in threat actor identification
- Correlate incident reports and telemetry faster
- Align cross-platform security awareness
- Minimize response time in the face of active attacks
Crucially, the glossary is not intended to replace existing naming conventions or enforce a global standard, but rather to bridge the gaps between security vendors.
Global Collaboration: Who’s Involved?
The effort is spearheaded by Microsoft Threat Intelligence and CrowdStrike Falcon Intelligence, two of the most prominent players in cybersecurity news. Their threat intel teams process billions of signals per day—with Microsoft alone analyzing over 84 trillion security signals daily across its platforms.
As per the official blog post, other major players are preparing to join:
- Google/Mandiant
- Palo Alto Networks (Unit 42)
This sets the stage for a vendor-agnostic coalition that may one day include government agencies, CERTs, and non-profits.
“The lack of standardized naming has been a persistent challenge. This glossary brings much-needed clarity and should be part of any organization’s threat intel toolkit.”
— Adam Meyers, Head of Intelligence at CrowdStrike (via CrowdStrike press release, 20 May 2025)
Regional Impact: What It Means for MEA
Middle East and Africa: Playing Catch-Up
In regions like the Middle East and Africa (MEA), where incident response capabilities vary widely and multilingual environments increase complexity, this move could significantly streamline threat intelligence operations. Many regional SOCs and CERTs rely on feeds from multiple international vendors—often with conflicting naming conventions.
Countries like the UAE, Saudi Arabia, South Africa, and Kenya are developing robust national cyber strategies. The glossary provides an opportunity to align regional cyber defense initiatives with global best practices, especially in regulated sectors such as:
- Telecom (regulated by CITC, NTRA)
- Banking (compliance with SAMA, CBK, FSCA)
- Energy & Oil (targeted by APT33 and other Iran-linked actors)
“Consistency in adversary naming across vendors will help African CSIRTs correlate reports and reduce the risk of response delays caused by confusion in attribution.”
— Lungile Masondo, Threat Intelligence Lead, CERT-SA (commented in regional briefing on 21 May 2025)
Global Context: A Timely, Needed Move
The timing is not accidental. 2024 saw a record-breaking number of state-aligned cyber incidents, with actors like APT28, Charming Kitten, and Scattered Spider launching brazen attacks against critical infrastructure.
By aligning their taxonomies, Microsoft and CrowdStrike aim to enhance the speed and accuracy of correlation across platforms, giving SOC analysts and threat hunters a clearer path to action.
This move echoes efforts like the MITRE ATT&CK framework, which provides a standardized catalog of adversary tactics, techniques, and procedures (TTPs). The glossary complements this by addressing the naming and attribution layer—effectively covering the “who” behind the “how.”
Technical Snapshot: TTPs and Reference Mapping
MITRE ATT&CK Mapping & Notable Actors
The glossary includes well-known threat actors tracked across both vendors, such as:
| CrowdStrike Name | Microsoft Name | Known Aliases | MITRE Group |
|---|---|---|---|
| COZY BEAR | Midnight Blizzard | APT29, UNC2452 | G0016 |
| FANCY BEAR | Forest Blizzard | APT28, STRONTIUM | G0007 |
| CHARMING KITTEN | Peach Sandstorm | APT35, Phosphorus | G0060 |
| WIZARD SPIDER | Sangria Tempest | UNC1878, DEV-0193 | G0102 |
Key TTP Examples:
- Spear phishing via compromised cloud email accounts
- Credential theft via token replay and session hijacking
- Lateral movement using stolen credentials in hybrid environments
Tip: Always correlate actor behavior with ATT&CK techniques (e.g., T1566.001 – Phishing: Spearphishing Attachment) and validate against endpoint logs.
Actionable Takeaways for Security Teams
- Integrate the glossary into SIEM, TIP, and threat intelligence platforms.
- Train SOC analysts to reference alternate actor names when triaging.
- Normalize naming conventions across internal and vendor-supplied reports.
- Enhance incident playbooks with mappings from the joint glossary.
- Use ATT&CK mapping for behavioral analysis in conjunction with the glossary.
- Subscribe to updates from Microsoft and CrowdStrike on new mappings.
- Cross-check threat feeds using the glossary during attribution analysis.
- Join public intel-sharing communities aligned with these taxonomies.
- Review past alerts where name mismatches may have impacted prioritization.
- Lobby for adoption of the glossary within regional cyber frameworks and compliance requirements.
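To make the "translation layer" described above concrete, and to show what the takeaways about integrating the glossary into a SIEM and normalizing vendor names look like in practice, here is an added Python example. It is not code from Microsoft, CrowdStrike, or the article; the glossary rows are copied as the article's table gives them (not an official export), and the alerts, host names, and feed labels are constructed sample data. It builds a case- and punctuation-insensitive alias index, refuses a glossary in which one alias points at two different actors, and then groups alerts from different feeds by the MITRE group ID so that "COZY BEAR", "Midnight Blizzard", and "apt29" land in the same bucket.

```python
"""Normalize vendor-specific threat actor names through a cross-reference glossary."""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class ActorEntry:
    crowdstrike: str
    microsoft: str
    aliases: tuple
    mitre_group: str


# Sample glossary rows, copied as the article's table lists them (constructed sample, not an official export).
GLOSSARY = (
    ActorEntry("COZY BEAR", "Midnight Blizzard", ("APT29", "UNC2452"), "G0016"),
    ActorEntry("FANCY BEAR", "Forest Blizzard", ("APT28", "STRONTIUM"), "G0007"),
    ActorEntry("CHARMING KITTEN", "Peach Sandstorm", ("APT35", "Phosphorus"), "G0060"),
    ActorEntry("WIZARD SPIDER", "Sangria Tempest", ("UNC1878", "DEV-0193"), "G0102"),
)


def _key(name: str) -> str:
    # Lower-case and drop punctuation/whitespace so "Cozy Bear", "COZY BEAR" and "cozy_bear" collapse together.
    return re.sub(r"[^a-z0-9]", "", name.lower())


def build_index(glossary=GLOSSARY) -> dict:
    """Map every vendor name, alias and MITRE group ID to its glossary entry.

    A glossary in which the same alias appears under two actors would silently
    mis-attribute alerts, so that is treated as a data error rather than tolerated.
    """
    index = {}
    for entry in glossary:
        for name in (entry.crowdstrike, entry.microsoft, entry.mitre_group, *entry.aliases):
            k = _key(name)
            if k in index and index[k] is not entry:
                raise ValueError(f"alias {name!r} maps to two glossary entries")
            index[k] = entry
    return index


INDEX = build_index()


def canonical(name: str):
    """Return the glossary entry for any known vendor name or alias, or None if unmapped."""
    return INDEX.get(_key(name))


def same_actor(a: str, b: str) -> bool:
    """True only when both names resolve to the same glossary entry."""
    ea, eb = canonical(a), canonical(b)
    return ea is not None and ea is eb


# Constructed alerts as they might arrive from an EDR, a cloud mail platform and a TIP feed.
SAMPLE_ALERTS = [
    {"id": "a1", "source": "edr", "actor": "COZY BEAR", "host": "fin-ws-07"},
    {"id": "a2", "source": "m365", "actor": "Midnight Blizzard", "host": "fin-ws-07"},
    {"id": "a3", "source": "tip", "actor": "apt29", "host": "hr-ws-02"},
    {"id": "a4", "source": "edr", "actor": "FANCY BEAR", "host": "dmz-vpn-01"},
    {"id": "a5", "source": "tip", "actor": "UnknownGroup-7", "host": "dmz-vpn-01"},
]


def correlate(alerts):
    """Group alert IDs by canonical actor (MITRE group ID); names the glossary does not know go under 'UNMAPPED'."""
    groups = {}
    for alert in alerts:
        entry = canonical(alert["actor"])
        key = entry.mitre_group if entry else "UNMAPPED"
        groups.setdefault(key, []).append(alert["id"])
    return groups


if __name__ == "__main__":
    for gid, ids in correlate(SAMPLE_ALERTS).items():
        print(gid, ids)
```

The `UNMAPPED` bucket is deliberate: a name the glossary does not cover should surface for analyst review rather than be guessed at, and the size of that bucket over time is a useful measure of how much of a feed the glossary actually normalizes.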
Conclusion
The Microsoft-CrowdStrike threat actor glossary represents a landmark in cyber threat intelligence evolution. By improving clarity and alignment across vendors, it empowers security teams worldwide—including in emerging regions like MEA—to act faster and more confidently in the face of advanced threats. While not a universal standard, this effort lays the groundwork for a broader, community-driven solution to one of cybersecurity’s longest-standing friction points.
As cyberattacks grow in scale and sophistication, initiatives like this will be vital in helping defenders stay one step ahead.
Sources
- Microsoft Security Blog – Microsoft and CrowdStrike Align Threat Actor Naming (20 May 2025)
- CrowdStrike Official Blog – Unified Adversary Identification (20 May 2025)
- NIST SP 800-150 Revision 1 – Guide to Cyber Threat Information Sharing
- MITRE ATT&CK Group Listings
- CyberCory Threat Trends
- CyberCory Best Practices for Threat Intelligence Teams
- CyberCory Security Alerts on APT Activity
- SaintyNet Security Services
- SAMA Cybersecurity Compliance Guidelines
- CERT-SA Public Briefing – Threat Intelligence Consistency (21 May 2025)