Date: 2025-06-02

Four of the biggest names in tech and cybersecurity—Microsoft, CrowdStrike, Palo Alto Networks, and Google’s cybersecurity team—announced on Monday that they’re working together on a public glossary of cyber threat actors. The goal? To reduce the chaos around the many quirky and confusing nicknames used to label state-backed hackers and cybercriminal groups.

The glossary is expected to bring more consistency to the way experts, companies, and even governments talk about these groups. Microsoft and CrowdStrike said they’re hoping to get more companies and even the U.S. government involved in this new effort to build a clearer picture of who’s who in the shadowy world of digital espionage.

“We do believe this will accelerate our collective response and collective defense against these threat actors,” said Vasu Jakkal, corporate vice president at Microsoft Security.

Too many names, not enough clarity

In cybersecurity, it’s always been tricky to prove exactly who’s behind a cyberattack. That’s why researchers started giving hacker groups code names—some technical, others wildly creative—to help keep track of them. Over time, though, this practice has led to a mess of overlapping aliases that often point to the same group.

Some of the early names were pretty straightforward. For instance, Mandiant labeled one Chinese group as “APT1,” while Proofpoint tracked another under the name “TA453.” But over the years, the naming style got a lot more colorful. Trend Micro, for example, named a group “Earth Lamia,” and Kaspersky dubbed another “Equation Group.”

CrowdStrike took things a step further with imaginative nicknames like “Cozy Bear” for a Russian group and “Kryptonite Panda” for a Chinese one. Other companies started following the same trend, creating a kind of nickname explosion.

When creativity causes chaos

All those creative names might make for fun headlines, but they’ve also made things confusing—especially when different companies use different names for the same hackers.

A good example of that came in 2016. The U.S. government released a report about Russian interference in the presidential election and included 48 different nicknames for various hacking groups and malicious software. The list was a jumble of names like “Sofacy,” “Pawn Storm,” “CHOPSTICK,” “Tsar Team,” and “OnionDuke.” It wasn’t exactly easy for readers—or even cybersecurity pros—to keep track.

Even within the same companies, the names have changed over time. Secureworks (now part of Sophos) once referred to a Russian hacker group as “TG-4127” before switching to the name “Iron Twilight.” Microsoft used to stick to element-themed names like “Rubidium” but recently shifted to weather-themed ones like “Lemon Sandstorm” and “Sangria Tempest.”

Industry reactions: mixed opinions

Palo Alto Networks’ top threat intelligence executive, Michael Sikorski, is calling the initiative a breakthrough.

“Disparate naming conventions for the same threat actors create confusion at the exact moment defenders need clarity,” Sikorski said, adding that this new glossary could be a real “game-changer.”

But not everyone in the industry is convinced.

Juan-Andres Guerrero-Saade, a leading researcher at SentinelOne, sounded doubtful. He said cybersecurity companies are often too protective of the information they collect, and unless that changes, a public glossary won’t make much of a difference.

“Unless that changed, this is branding-marketing-fairy dust sprinkled on top of business realities,” he said.

A small win already

Despite the mixed reactions, some experts are already seeing results. Adam Meyers, CrowdStrike’s senior vice president of counter adversary operations, said the glossary effort has already helped his team figure out that a group Microsoft called “Salt Typhoon” was the same one CrowdStrike referred to as “Operator Panda.”

That kind of clarity is exactly what the new glossary hopes to bring to the entire cybersecurity world.