MSFT-CrowdStrike 'Rosetta Stone' for Naming APTs: Meh? - Dark Reading

Dark Reading | Archived Mar 17, 2026



Microsoft and CrowdStrike announced an effort to deconflict the overlapping names of threat groups and reduce confusion for companies, but we've been here before.

Robert Lemos, Contributing Writer
June 6, 2025
6 Min Read

When the BlackTech cyber-espionage group planted malware in a firm providing telecommunications services for the 2022 FIFA World Cup, the China-linked threat group was largely unknown. Soon, it had many names: Circuit Panda according to CrowdStrike, Palmerworm according to Symantec, and Shrouded Crossbow by Trend Micro.

The confusing array of names for a single group is behind CrowdStrike's and Microsoft's announcement to begin collaborating on harmonizing — or "deconflicting" — their naming conventions. On June 2, the companies published a list of equivalent names for more than 80 threat groups. Included in the list is Microsoft's name for BlackTech: Canary Typhoon.

By clarifying the adversaries behind certain actions in cyberspace, the information-sharing initiative aims to allow security teams and threat analysts to predict future activity and prioritize response, says Adam Meyers, senior vice president of counter-adversary operations for CrowdStrike.

"There's a whole set of factors that make [naming] complex, and there's really no way for us to unify the adversary naming and tracking across every company," he says. "But what this allows us to do is at least, say, if Microsoft publishes something, and CrowdStrike also has information on it, then we make it easier for our collective customers to immediately know what we're both talking about."
Yet whether the initiative can have much impact remains to be seen, as the effort is only the latest attempt to tame the chaos that reigns among the naming of malicious entities. Threat intelligence firm Secureworks, now part of Sophos, maintains its own "Rosetta Stone" of more than 160 groups tracked by the firm, along with the corresponding names used by other companies. Rafe Pilling, director of threat intelligence with Sophos' Counter Threat Unit, argues that the company's list goes further than the one created by Microsoft and CrowdStrike.

"We maintain a public Rosetta stone that attempts to align our names with those from other vendors, and we include a short profile for each," he says. "We refer to this as 'a Rosetta stone' rather than 'the Rosetta stone,' as we know we don't have all the information necessary to guarantee equivalency, and that is unlikely to change."

What's in a Name?

Threat actor names are a shorthand way for threat researchers and security teams to refer to threats. Most often, the names designate the actors' motivations, labeling them with a nation-state moniker — such as the Sleet (Microsoft) or Cholima (CrowdStrike) clusters that indicate the group's nation-state links (North Korea) — or a cybercriminal moniker, such as Tempest (Microsoft) or Spider (CrowdStrike).

Names also serve as a bucket for researchers to collect all the tactics, techniques, and procedures (TTPs) used by a group. Companies can use indicators of compromise to identify TTPs and, from there, identify the probable threat group. Proactive security teams will then use the threat group's known TTPs to look for further compromises in their environment or prepare for certain other actions, such as wiping data or stealing credentials, Pilling says.

For threat intelligence teams, identifying the group and assigning a name is a slow process, he says.
"As we see more things that look like they belong in the same cluster — or group or bucket — we expand our understanding of a group or campaign," Pilling says. "As this process is taking place, we learn more about the group's targeting, actions on objective and other details that can lead to an attribution assessment, linking the group to a state [or] cybercrime group."

Problems can crop up. During their deconflicting process, CrowdStrike found that what the company tracks as Gossamer Bear, for example, Microsoft tracks as two different groups, so they left that threat cluster off the list, CrowdStrike's Meyers says.

"That's really why I think that all of these companies can't use one naming system," he says. "You can't have NIST or MITRE come up with a standardization for adversary names ... because we all have different visibility, we have different telemetry, and different companies have different analytic rigor."

Microsoft also stresses that the initiative does not intend to replace any existing taxonomy of threat actors or naming conventions, and the company does not intend to change its own approach, a Microsoft spokesperson told Dark Reading.

"Imposing a single standard on the industry would be technologically challenging and may affect intelligence," the spokesperson said in an email response to questions from Dark Reading. "Mapping allows popular taxonomies to remain while simplifying their use for customers."

Deconfliction Over Competition
Other efforts to standardize threat names have not fared well in the past. In 2005, following the success of the Common Vulnerability Enumeration (CVE) program, the US Computer Emergency Readiness Team (US-CERT) and MITRE established the Common Malware Enumeration (CME) initiative to solve a problem in the world of viruses and worms similar to today's issues with naming threat groups. The Bagle worm that spread in November 2004, for example, became CME-245.

The effort did not last long. In 2007, the program minted what appears to be its last number — CME-711, another name for the Small downloader — before transitioning the project to the Malware Attribute Enumeration and Characterization (MAEC, pronounced "Mike") language, which had a different focus. Today, that project appears to be defunct as well. MITRE did not respond to a request for comment.

Aligning names is difficult, especially during the evolving analysis of a new group, or offshoot of a known group, Pilling says. Threat groups are discovered organically, behind closed doors, by companies that have their own naming schemes and intelligence process, and that leads to differing conclusions, he says.

"A degree of alignment can be achieved after the fact, once enough of the overlapping data points and definition are shared — sometimes publicly, sometimes privately," Pilling says. "Microsoft and CrowdStrike are [currently] performing this exercise retrospectively — it's unclear how it will work for emerging threats or maintaining future group alignment."

The group is unlikely to expand too far. While large providers of threat intelligence — Google's Mandiant, for example — may work with Microsoft and CrowdStrike on harmonization, sharing intelligence with a broad range of competitors, many who may not have much data to share, is not in the cards, CrowdStrike's Meyers says. Right now, the two companies are working on a governance structure so the collaboration can sustain sharing between a limited number of participants, he says.

"If we could do something collectively that doesn't hurt our ability to compete, but it does hurt the adversary's ability to operate, then we're going to do it," Meyers says. "This is a continuing process, a continuing evolution. I'm still working directly with Microsoft and ... making sure that we're able to keep deconflicting things."
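The article describes two things a vendor "Rosetta stone" has to do: resolve any vendor's name for a group to the one cluster it belongs to (so an analyst reading Symantec's "Palmerworm" can find CrowdStrike's and Microsoft's reporting on the same group), and refuse to merge names that do not line up one-to-one, which is why CrowdStrike left Gossamer Bear off the published list. The following is an added example, not code from Dark Reading, Microsoft, CrowdStrike or Sophos. The alias table is constructed from the names quoted in the article; the cluster ids are arbitrary local labels, and the two Microsoft names under Gossamer Bear are placeholders, since the article does not give them.

```python
"""Toy threat-group alias ('Rosetta stone') lookup with ambiguity detection.

Added example; not the published Microsoft/CrowdStrike list nor Sophos' table.
"""
from collections import Counter, defaultdict

# Constructed alias table: local cluster id -> {vendor: vendor's name}.
# The BlackTech names are the ones quoted in the article. The Microsoft names
# under the two Gossamer Bear clusters are placeholders (the article does not
# name them); the point is that one CrowdStrike name spans two clusters.
ALIASES = {
    "cluster-blacktech": {
        "public": "BlackTech",
        "CrowdStrike": "Circuit Panda",
        "Symantec": "Palmerworm",
        "Trend Micro": "Shrouded Crossbow",
        "Microsoft": "Canary Typhoon",
    },
    "cluster-gb-a": {
        "CrowdStrike": "Gossamer Bear",
        "Microsoft": "PLACEHOLDER-MSFT-GROUP-A",
    },
    "cluster-gb-b": {
        "CrowdStrike": "Gossamer Bear",
        "Microsoft": "PLACEHOLDER-MSFT-GROUP-B",
    },
}


class AmbiguousName(ValueError):
    """One vendor name covers more than one cluster; do not merge silently."""


def _key(vendor, name):
    # Case- and whitespace-insensitive lookup key.
    return (vendor.strip().lower(), name.strip().lower())


def build_index(aliases=ALIASES):
    """Invert the table: (vendor, name) -> list of cluster ids using that name."""
    index = defaultdict(list)
    for cluster, names in aliases.items():
        for vendor, name in names.items():
            index[_key(vendor, name)].append(cluster)
    return index


def resolve(vendor, name, index=None):
    """Return the single cluster id that `vendor` calls `name`.

    Raises KeyError for an unknown name and AmbiguousName when the name maps
    to several clusters, so a caller cannot accidentally pool intelligence
    from two distinct groups under one label.
    """
    if index is None:
        index = build_index()
    clusters = index.get(_key(vendor, name), [])
    if not clusters:
        raise KeyError(f"{vendor} name {name!r} is not in the alias table")
    if len(clusters) > 1:
        raise AmbiguousName(
            f"{vendor} name {name!r} maps to {len(clusters)} clusters: "
            f"{sorted(clusters)}"
        )
    return clusters[0]


def equivalents(vendor, name):
    """Every vendor's name for the cluster that `vendor` calls `name`."""
    return dict(ALIASES[resolve(vendor, name)])


def is_ambiguous(vendor, name):
    """True if the name would have to be left off a one-to-one mapping."""
    try:
        resolve(vendor, name)
    except AmbiguousName:
        return True
    return False


def ambiguous_names(aliases=ALIASES):
    """Sorted (vendor, name) pairs that span more than one cluster."""
    counts = Counter(
        (vendor, name)
        for names in aliases.values()
        for vendor, name in names.items()
    )
    return sorted(pair for pair, n in counts.items() if n > 1)


if __name__ == "__main__":
    print(equivalents("Symantec", "Palmerworm"))
    print("excluded from a one-to-one list:", ambiguous_names())
```

The lookup normalizes case and whitespace because vendor names are typed by hand in reports, and it distinguishes an unknown name (KeyError) from an ambiguous one (AmbiguousName): the first means the table is incomplete, the second is the Gossamer Bear situation, where the only safe published answer is to omit the entry rather than pick one side.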
About the Author

Robert Lemos, Contributing Writer. Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.