
In the cybersecurity industry, each major player has long relied on its own nomenclature for threat groups that target corporations and government institutions. This practice has consistently posed challenges—analysts would often refer to the same adversary using entirely different names. As a result, investigations became protracted, and discussions among experts frequently resembled a game of broken telephone.
Against this backdrop, Microsoft and CrowdStrike have announced a joint initiative: the unification of their threat actor naming systems and the publication of a revised reference guide that maps each threat entity across multiple taxonomies. This approach does not collapse the threat intelligence landscape into a single naming scheme; instead, it enables professionals to swiftly identify commonalities and speak a shared language, even when referring to the same group under different aliases.
According to Microsoft’s Head of Security, the new database serves as a launchpad for rapid adversary identification and enhances the efficiency of threat investigations. In scenarios where an organization receives reports from multiple vendors, there is no longer a need for laborious manual reconciliation—the information is now consolidated into a coherent, unified directory.
Future collaborators in this project include Google/Mandiant and Palo Alto Networks’ Unit 42, both of which plan to contribute their data to accelerate the identification process. Microsoft hopes that other key players will join the initiative, ushering in a new era of transparency in cyber threat intelligence and expediting incident response.
The companies emphasized that the primary goal is not to impose a rigid standard but to provide professionals with a practical tool for rapid alignment and cross-referencing. Already, the initiative has helped resolve naming inconsistencies for over 80 active threat groups—among the most dangerous and technically advanced actors operating worldwide.
Looking ahead, the alliance promises continued development: the database will be regularly updated with new entries, and an automated telemetry-sharing mechanism between participants is envisioned. This evolution will streamline workflows and enhance the interoperability of threat reports across the ecosystem.
Microsoft and CrowdStrike firmly believe the industry requires collaborative effort and voluntary harmonization—not unilateral frameworks. The initiative remains open to new participants and is designed to eliminate the chaos of fragmented naming conventions, sparing defenders the confusion of deciphering who is truly behind an attack.