Confused at all the threat group names? You’re not alone. CrowdStrike and Microsoft want to change that
A host of big tech players want to overhaul disparate threat group naming practices


‘Cozy Bear’, Nobelium, ‘Midnight Blizzard’: we’ve all heard various names used to identify cyber threat groups, and these three in particular refer to the same group.
It’s all rather confusing at times, prompting cybersecurity professionals and laymen alike to ponder who exactly they’re dealing with or reading about.
You mean to tell me this group is the same one that hit a separate company months ago, just with a different name?
The reason lies in how these groups are tracked. Each is given an identifier by whichever company detects and tracks its activity. Given the number of big tech companies and threat intelligence firms keeping tabs on the cybersecurity landscape, there’s not exactly been a sense of unity or alignment, at least until now.
Microsoft and CrowdStrike have announced a first-of-its-kind collaboration to build a shared mapping system for naming cyber threat actors. CrowdStrike believes the move will “bring clarity and coordination” in how threat actors are both identified, and crucially, tackled by cybersecurity professionals.
“By reducing ambiguity in how adversaries are labeled, this mapping enables defenders to make faster, more confident decisions, correlate threat intelligence across sources, and better disrupt threat actor activity before it causes harm,” CrowdStrike said in a statement confirming the move.
Essentially, by making it easier to join the dots with these naming conventions, cybersecurity defenders across the industry can make a concerted, unified effort to tackle ongoing threats.
Adam Meyers, SVP, Counter Adversary Operations, CrowdStrike, describes the move as a “watershed moment” for the cybersecurity industry, and one that’s been a long time coming.
“Adversaries hide behind both technology and the confusion created by inconsistent naming,” he said. “As defenders, it’s our job to stay ahead and to give security teams clarity on who is targeting them and how to respond.”
Meyers said that combining CrowdStrike’s deep expertise in threat intelligence with Microsoft’s “valuable data sources on adversary behavior” will ultimately prove beneficial to the broader industry.
“Together, we’re combining strengths to deliver clarity, speed, and confidence to defenders everywhere,” he added.
How will the naming convention changes work?
To begin with, CrowdStrike said the collaboration has started with a “shared analyst-led effort to harmonize adversary naming” between the two companies’ threat research teams.
This deeper level of information sharing has delivered results so far, according to CrowdStrike, with the companies having already “deconflicted” more than 80 adversaries.
These include threat groups such as Microsoft’s ‘Volt Typhoon’ and CrowdStrike’s ‘Vanguard Panda’ - both of which are names used to refer to Chinese state-sponsored threat actors.
Volt Typhoon has wreaked havoc on US critical infrastructure in recent years, with analysis in March detailing how it was able to remain undetected in the US national electric grid for nearly a year.
Similarly, ‘Secret Blizzard’ and ‘Venomous Bear’, two separate names used to identify a Russian threat group, have been deconflicted.
Analysis from Tanium shows Secret Blizzard has links to ‘Center 16’ of the FSB and specializes in global corporate espionage.
Big tech partners chime in
Microsoft and CrowdStrike aren’t the only organizations leading the charge on this change to adversary naming practices. Google has also agreed to contribute to the scheme alongside its Mandiant threat intelligence group.
Similarly, Palo Alto Networks’ Unit 42 has committed to the naming convention approach.
Ilia Kolochenko, CEO of ImmuniWeb, welcomed the move as a proactive step toward creating a more aligned cyber defense ecosystem.
However, he questioned whether complete alignment can be achieved. The industry has “long lasting” issues with regard to unified defense efforts, he said.
“The creation of a unified naming framework for cyber threat actors is certainly a laudable idea, however, whether all other vendors will follow it remains largely uncertain,” he told ITPro.
“The cybersecurity industry knows many similar and long-lasting issues with unification, for example, vulnerability scoring frameworks remain a largely heterogeneous patchwork across different vendors and platforms,” Kolochenko added.
“Having said this, the existing diversity is not necessarily bad: it provides more ground for critical thinking and flexibility in sophisticated and ofttimes subjective questions of attack attribution or risk scoring.”

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.
He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.
For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.