Published on 06/03/2025 at 03:05

By Nicolas Thomas

(with Reuters) As cybersecurity companies give hackers increasingly bizarre nicknames, the initiative to create a common glossary for naming threats seems welcome.

On Monday, several cybersecurity giants, including Microsoft, CrowdStrike, Palo Alto Networks, and Google (Alphabet), announced their intention to create a public glossary of state-sponsored and criminal hacking groups to clarify the jungle of often fanciful nicknames assigned to them.

The goal is to make it easier to identify hostile groups and improve coordination among defenders against digital threats. "We believe this will accelerate our collective response and defense capabilities," said Vasu Jakkal, vice president of Microsoft Security.

For years, cybersecurity companies have used coded aliases to refer to hacker groups, as they cannot formally attribute them to specific states or entities. While some names are technical and austere, such as "APT1" (Advanced Persistent Threat 1) or "TA453," others are more evocative, even esoteric: "Equation Group," "Earth Lamia," or "Cozy Bear," a name popularized by CrowdStrike to refer to Russian actors.

Microsoft recently abandoned its chemical-based designations (such as "Rubidium") in favor of names inspired by the weather: "Lemon Sandstorm," "Sangria Tempest," and "Forest Blizzard."

But this proliferation of names ended up causing confusion. In 2016, an official US report listed no fewer than 48 different nicknames associated with Russian groups, such as "Sofacy," "Pawn Storm," "CHOPSTICK," "Tsar Team," and "OnionDuke," sometimes referring to the same actors or malware.

Palo Alto Networks CTO Michael Sikorski sees this as a "real paradigm shift," pointing out that the disparity in names complicated the work of analysts. Adam Meyers of CrowdStrike says the project has already paid off by allowing his teams to link Microsoft's "Salt Typhoon" to their own "Operator Panda."

But not everyone is convinced. Juan Andres Guerrero-Saade, director of cybersecurity research at SentinelOne, considers the initiative to be mainly cosmetic as long as companies refuse to fully share their information: "It's marketing smoke and mirrors sprinkled on economic realities."

The initiators of the glossary hope to rally other industry partners and the US government. The initiative aims to standardize the designation of groups to improve clarity and operational efficiency in a world where every minute counts in the face of sophisticated attacks.

Ultimately, this glossary could become a central tool in global cyber threat mapping, provided that the ecosystem agrees to look beyond its commercial interests to build a shared collective memory.
