Microsoft and CrowdStrike Unite to Solve Threat Actor Naming Confusion
Industry Giants Unite to Create “Rosetta Stone” for Cybersecurity Intelligence – Microsoft and CrowdStrike Announce Threat Actor Naming Alignment Initiative
Microsoft calls it Midnight Blizzard; CrowdStrike calls it Cozy Bear; others say APT29. In June 2025 the two vendors started mapping their names together - so defenders stop losing time in translation.
When two analysts describe the same attacker with two different names, minutes get lost to translation - and in a breach, minutes matter.
Threat-actor names are not just trivia. Each vendor tracks attackers through its own lens and assigns its own codename, so the same group ends up with a pile of aliases. During a live incident, that means one team's "Midnight Blizzard" alert and another's "Cozy Bear" advisory can describe the exact same threat without anyone realizing it. Here is why the mess exists, what Microsoft and CrowdStrike are doing about it, and why it helps you even if you never read a threat report.
Why One Group Has So Many Names
Each vendor built its own naming system - by theme.
Microsoft names groups after weather; CrowdStrike names them after animals - so the same actor gets a different codename from each.
Microsoft groups attackers by suspected origin using weather: Blizzard for Russia, Typhoon for China, Sandstorm for Iran, Sleet for North Korea, and Tempest for financially motivated crime. CrowdStrike uses animals: Bear for Russia, Panda for China, Kitten for Iran, Chollima for North Korea, and Spider for e-crime. Both systems are logical on their own - they just do not line up, which is exactly the problem.
The Translation Guide
A shared map of which names point to the same actor.
Microsoft and CrowdStrike have already deconflicted more than 80 adversaries - here are a few well-known examples.
| Microsoft name | CrowdStrike name | Also known as | Who it is |
|---|---|---|---|
| Midnight Blizzard | Cozy Bear | APT29, Nobelium, The Dukes | Russia (SVR) |
| Volt Typhoon | Vanguard Panda | - | China (state-sponsored) |
| Secret Blizzard | Venomous Bear | Turla | Russia-nexus |
The goal is not to crown one naming system the winner. It is to let a defender reading a CrowdStrike report instantly know which Microsoft alerts describe the same group - and vice versa. Other vendors are being invited to contribute to and maintain the shared mapping.
Why It Matters for Defenders
Faster attribution means faster, more confident response.
Even if you never read a threat report, this makes your security tools and partners quicker and more accurate.
- Less time lost in translation. During an incident, teams stop arguing over whether two advisories describe the same attacker.
- Clearer intelligence. Alerts, threat feeds, and reports from different vendors can be connected instead of read in isolation.
- Faster response. Recognizing the actor sooner means applying the right defenses and detections sooner.
- Fewer blind spots. Mapping the names surfaces cases where one vendor knows something the other does not.
- A shared community resource. As more vendors join, the whole industry gets a common reference instead of a dozen private glossaries.
When you are under attack, the last thing you want is two teams describing the same enemy with two different names. Mapping those names together is a small change that makes every defender a little faster.
Threat Intelligence, Translated for You
CinchOps monitors threats and turns vendor intelligence into action for Houston-area businesses - so you get the protection without needing to decode the codenames - through our cybersecurity and managed IT services.
Explore CinchOps cybersecurity →How CinchOps Helps Secure Your Business
CinchOps is a Katy, Texas managed IT services provider serving businesses across the Houston metro, turning threat intelligence into practical defense.
- Threat monitoring. 24/7 watch for the tactics used by the actors these reports track.
- Detection and response. Fast identification and containment when a known threat pattern appears.
- Intelligence-driven defense. We apply vendor threat intelligence so you benefit without decoding it yourself.
- Layered protection. Identity, endpoint, email, and network defenses against nation-state and criminal actors alike.
- Plain-English reporting. Clear updates on what matters to your business, without the jargon.
Want threat intelligence that actually protects you? Contact CinchOps to strengthen your defenses.
Frequently Asked Questions
Why do hacking groups have so many different names?
Each security vendor tracks attackers independently and assigns its own codename. Microsoft uses weather themes (like Blizzard and Typhoon), CrowdStrike uses animals (like Bear and Panda), and others use labels like APT29. The same group ends up with many aliases.
What did Microsoft and CrowdStrike announce?
On June 2, 2025, they announced a collaboration to map their threat-actor names to each other. It is a translation guide - not a single universal standard - showing when two names refer to the same group. They have already deconflicted more than 80 adversaries.
Is there now one standard name for each hacking group?
No. The effort deliberately keeps each vendor's naming system. It just publishes a shared mapping so defenders can connect the names, and it invites other vendors to contribute.
Can you give an example of the mapping?
Microsoft's Midnight Blizzard is CrowdStrike's Cozy Bear, also known as APT29 and The Dukes - a Russian state-sponsored group. Microsoft's Volt Typhoon maps to CrowdStrike's Vanguard Panda, a Chinese state-sponsored actor.
Why should a small business care?
Because it makes the security tools and partners you rely on faster and more accurate. Connecting intelligence across vendors means quicker attribution and quicker response when a real threat targets you.