Microsoft and CrowdStrike launch project to unify names of hacker groups, citing concerns that the names used are too diverse and could slow down responses



When a cyberattack occurs, security companies and researchers usually refer to the attackers (threat actors) by a specific name when they report on the threat. However, the names used by different parties vary, and it is not uncommon for the same threat actor to go by three or four different names. Because this situation can delay responses, Microsoft and CrowdStrike have launched a project to reconcile the names and make them easier to understand.

Announcing a new strategic collaboration to bring clarity to threat actor naming | Microsoft Security Blog

https://www.microsoft.com/en-us/security/blog/2025/06/02/announcing-a-new-strategic-collaboration-to-bring-clarity-to-threat-actor-naming/



CrowdStrike and Microsoft Unite to Deconflict Cyber Threat Attribution

https://www.crowdstrike.com/en-us/blog/crowdstrike-and-microsoft-unite-to-deconflict-cyber-threat-attribution/

Threat actors often go by different names. For example, the Russian threat actor that Microsoft calls 'Midnight Blizzard' is also referred to by many aliases, such as 'UNC2452,' 'Cozy Bear,' and 'APT29.' When the names differ, the response to an actual attack may be delayed, and it may be harder to gather information such as who the attacker is and what countermeasures exist. To improve this situation, work is being done to consolidate the multiple names.

The naming scheme developed by Microsoft and CrowdStrike follows a weather theme and names threat actors based on the attacker's primary objective or the country in which they are based.

For example, nation-state associated threat actors will be given weather-related names for each country: Typhoon for China-related threat actors, Sandstorm for Iran, Blizzard for Russia, and so on.



Additionally, different adjectives are used depending on the tactics and techniques used by threat actors, and a combination of adjectives and meteorological phenomena is used to identify threat actors. In this naming scheme, threat actors with names such as UNC2452 and APT29 mentioned above are given the name Midnight Blizzard, while Chinese threat actors with names such as BARIUM and WICKED PANDA are referred to as Brass Typhoon.

Non-nation-state threat actors are also given weather-related names: Tempest for financially motivated threat actors, Tsunami for private-sector offensive actors, Flood for information manipulation groups, and Storm for developing or not-yet-attributed threat actors.

Under the rules, an Israeli private organization known as DEV-0236 will now be known as Caramel Tsunami, and financially motivated threat actors known as DEV-0401 and HighGround will now be known as Cinnamon Tempest.
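To show how the deconfliction described above works in practice, here is an added example (not code from Microsoft or CrowdStrike) that maps vendor aliases to the unified weather-themed names, explains the family suffix, and flags aliases that two canonical names both claim. The alias lists and family meanings are constructed from the names quoted in this article only.

```python
"""Deconflict threat-actor aliases against the weather-themed scheme.

Added example, not code from Microsoft or CrowdStrike. The tables are
constructed from the names quoted in the article and are not complete.
"""
import re
from collections import defaultdict

# Weather family -> what it signals, as described in the article.
FAMILY_MEANING = {
    "Typhoon": "nation-state: China",
    "Sandstorm": "nation-state: Iran",
    "Blizzard": "nation-state: Russia",
    "Tempest": "financially motivated",
    "Tsunami": "private-sector offensive actor",
    "Flood": "information manipulation",
    "Storm": "developing / not yet attributed cluster",
}

# Constructed alias lists keyed by the unified (Microsoft) name.
ALIASES = {
    "Midnight Blizzard": ["UNC2452", "Cozy Bear", "APT29"],
    "Brass Typhoon": ["BARIUM", "WICKED PANDA"],
    "Caramel Tsunami": ["DEV-0236"],
    "Cinnamon Tempest": ["DEV-0401", "HighGround"],
}

def normalize(alias: str) -> str:
    """Canonical key: case-insensitive, ignoring spaces, hyphens, underscores."""
    return re.sub(r"[\s_\-]+", "", alias).upper()

def build_index(alias_map):
    """Invert alias lists; also report aliases claimed by more than one actor."""
    index, conflicts = {}, defaultdict(set)
    for canonical, aliases in alias_map.items():
        for alias in aliases + [canonical]:
            key = normalize(alias)
            if key in index and index[key] != canonical:
                conflicts[key].update({index[key], canonical})
            index.setdefault(key, canonical)  # first claim wins; conflict logged
    return index, dict(conflicts)

def describe(name: str):
    """Split 'Adjective Family' and explain what the family suffix signals."""
    adjective, _, family = name.rpartition(" ")
    return adjective, family, FAMILY_MEANING.get(family, "unknown family")

def resolve(alias: str, index):
    """Map any vendor alias to (unified name, adjective, family, meaning)."""
    canonical = index.get(normalize(alias))
    return None if canonical is None else (canonical, *describe(canonical))
```

Feeding a second vendor's alias list into `build_index` surfaces exactly the collisions an analyst has to adjudicate before merging feeds.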

How Microsoft names threat actors - Unified security operations | Microsoft Learn

https://learn.microsoft.com/en-us/unified-secops-platform/microsoft-threat-actor-naming

These names are merely a dictionary to consolidate multiple names, and are not intended to encourage or enforce the use of any of the names.



Microsoft and CrowdStrike called the naming a 'Rosetta Stone,' saying, 'We will pool our resources to sustain it and provide it to all those fighting threat actors.'

Also contributing to the project are Google, Mandiant and Palo Alto Networks Unit 42. Microsoft and CrowdStrike are seeking additional contributors.

in Security, Posted by log1p_kr