
CrowdStrike & Microsoft unify naming for cyber threat actors
CrowdStrike and Microsoft have jointly introduced a new initiative aimed at standardising the way cyber threat actors are identified across the cybersecurity sector.
The collaboration has resulted in a shared mapping system, aligning threat actor aliases between the two companies and promoting clarity in cyber threat attribution. Both companies state that this initiative is designed to accelerate threat response and reduce confusion caused by the inconsistent nicknames used for hacker groups among different security vendors.
The cybersecurity industry has historically relied on disparate naming systems, each informed by distinct intelligence sources and analytical approaches. While these systems provide valuable context on adversaries, they can complicate cross-reference and response due to conflicting terminology. This increased complexity has prompted the need for a unified approach to threat actor attribution.
CrowdStrike and Microsoft's joint mapping project serves as a form of 'Rosetta Stone' for cyber threat intelligence, linking adversary identifiers across their respective ecosystems without imposing a single nomenclature. By connecting aliases—such as CrowdStrike's COZY BEAR and Microsoft's Midnight Blizzard, or VANGUARD PANDA and Volt Typhoon—the mapping facilitates quicker and better-coordinated responses to sophisticated adversaries.
According to CrowdStrike, the partners have already reconciled over 80 threat group aliases. The alignment expands to groups linked to major nation-state actors. For example, the companies have confirmed that Microsoft's Volt Typhoon and CrowdStrike's VANGUARD PANDA refer to the same China-nexus actor, while Secret Blizzard and VENOMOUS BEAR designate a Russia-linked group.
Adam Meyers, Head of Counter Adversary Operations at CrowdStrike, commented on the significance of the collaboration. "This is a watershed moment for cybersecurity. Adversaries hide behind both technology and the confusion created by inconsistent naming. As defenders, it's our job to stay ahead and to give security teams clarity on who is targeting them and how to respond. This has been CrowdStrike's mission from day one," Meyers said. "CrowdStrike is the leader in adversary intelligence, and Microsoft brings one of the most valuable data sources on adversary behavior. Together, we're combining strengths to deliver clarity, speed, and confidence to defenders everywhere."
The initial phase of the collaboration involves specialist teams from both companies working together to harmonise adversary naming conventions. The effort has already demonstrated practical value by validating the identities of specific threat actors across the two ecosystems. The companies will seek to expand this initiative, inviting additional contributors to create and maintain a broader threat actor mapping resource accessible to the global cybersecurity community.
Vasu Jakkal, Corporate Vice President for Microsoft Security, emphasised the broader implications for the security sector. "Cybersecurity is a defining challenge of our time, especially in today's AI-driven era," Jakkal said. "Microsoft and CrowdStrike are in ideal positions to help our customers, and the wider defender community accelerate the benefits of actionable threat intelligence. Security is a team sport and when defenders can share and react to information faster it makes a difference in how we protect the world."
The companies note that their collaboration builds on an established history of threat intelligence activity and contributes towards a shared mission: prioritising customer outcomes and sector-wide defence, rather than market competition. The mapping initiative will continue to develop as more partners join to keep the threat actor taxonomy up to date and useful for the defender community.
Related Articles

RNZ News
2 days ago
Leaked files reveal China is using AI to erase history of Tiananmen Square massacre
By Bang Xiao, ABC
Hundreds of pages of classified documents leaked to the ABC have offered an unprecedented glimpse into China's infamous censorship regime. It has grown faster, smarter and increasingly invisible, quietly erasing the memory of the 1989 Tiananmen Square massacre from public view. Thirty-six years on, Beijing still has not disclosed the official death toll of the bloody crackdown on a pro-democracy gathering on June 4, when more than 1 million protesters were in the square. Historians estimate that the People's Liberation Army (PLA) killed anywhere from 200 to several thousand people that day. More than 230 pages of censorship instructions prepared by Chinese social media platforms were shared by industry insiders with the ABC. They were intended to be circulated among multi-channel networks or MCNs - companies that manage the accounts of content creators across multiple social and video platforms like Douyin, the Chinese version of TikTok. The files reveal deep anxiety among Chinese authorities about the spread of any reference to the most violently suppressed pro-democracy movement in the country's history. The documents instruct MCNs to remove any content that depicts state violence and include compilations of text, images and video content for reference. The reference material includes graphic scenes of the People's Liberation Army opening fire on civilians, while others say students attacked the soldiers. The ABC understands that the material is being used by frontline content censors to train artificial intelligence tools to moderate vast amounts of content, under the direction of the Cyberspace Administration of China - the country's top internet regulator. China's vast censorship regime relies on hundreds of thousands of human moderators to keep social media platforms compliant. There is also a structured process for censoring posts.
Every post is first scanned by AI systems - known as a machine review - which are particularly sensitive to any references to the Tiananmen anniversary. When the ABC asked the Chinese-made AI chatbot DeepSeek to tell us about the massacre, it answered: "That topic is beyond my current scope. Let's talk about something else." One of the documents, a 2022 training manual for censors working for Douyin directly referenced the world-famous Tank Man image, labelling it a "subversive picture". The document also said that any visual metaphor resembling the sequence of one man facing four tanks - even "one banana and four apples in a line" - could be instantly flagged by an algorithm designed to pick up references to the massacre, especially during the first week of June. And when an uploaded video gains traction or matches sensitive patterns, it enters a "traffic pool" and may be escalated through four levels of human checks. Lennon Chang, a cyber risk expert from Deakin University, told the ABC that AI had made the censorship of visual and symbolic references far more feasible in real-time. "Even if you replace the tank man image with bananas and apples, the algorithm has learned the pattern," Chang said. "They use computer vision, natural language processing and real-time filtering. It doesn't change the nature of censorship, but it makes it more powerful." The guidelines also prohibit seemingly innocuous symbols such as candles and flowers that could be interpreted as commemorative. Chang explains that this shift toward algorithmic filtering has deepened the risk of historical amnesia. "If censorship keeps going and is increasingly powered by AI, our future generations might not be able to know what happened," he said. "The data they see will already be filtered and sanitised. It creates a fake world - a fake history."
The leaked documents also shed light on the lives of censors, who work under close oversight from the Cyberspace Administration. All censors are required to pass multiple exams to ensure they are vigilant and can respond swiftly to remove potentially risky content - a crucial safeguard to prevent platforms from being suspended or shut down by authorities. Everything visible online needs to be checked: videos, images, captions, live streams, comments and text. Algorithms are trained to detect visual cues, while human censors are on alert for coded language, disguised symbols and unusual emoji combinations that may signal dissent. Documents also show censors must meet strict productivity targets - some are expected to review hundreds of posts per hour. Their behaviour, accuracy and speed are tracked by internal monitoring software. Mistakes can result in formal warnings or termination. One former and three current workers at ByteDance, the owner of TikTok and Douyin, also spoke to the ABC about their jobs. The employees requested anonymity as they feared repercussions. They said their colleagues suffered from burnout, depression and anxiety due to constant exposure to disturbing, violent or politically sensitive content. One said working as a censor was like "reliving the darkest pages of history every day, while being watched by software that records every keystroke". They are normally paid a modest salary - often less than $1,500 a month - though the psychological toll is severe. Even though TikTok and Douyin are both owned by ByteDance, they operate as separate platforms. TikTok serves a global audience and is governed by international laws and moderation standards, while Douyin is available only in mainland China and operates under domestic regulations, subject to heavy censorship and direct government oversight. In some cases, platforms in China allow low-risk content to remain online - but under a shadow ban.
This means the content is visible to the user who posted it and a limited pool of users. The ABC has reached out to ByteDance for comment. For decades, the first week of June has coincided with routine "system maintenance" - often a euphemism for intensified censorship around the Tiananmen anniversary. Social media platforms like Weibo and WeChat also enforce heavy censorship, especially after a politically sensitive event. A 2022 manual for censors working on the Weibo platform said the Tiananmen massacre was a "sensitive incident" that must "never be shown". It grouped it with a wider ban on content critical of the Chinese Communist Party (CCP) or the party chief, President Xi Jinping. Liu Lipeng, a former content moderator for Weibo, says the lead-up to the anniversary is widely known in the industry as a "censorship season", where all staff are on duty and no mistakes are tolerated. "It's the most important event in the whole censorship system. Nothing is as significant," he told the ABC. "Censors must flag any objects arranged in parallel like the tanks, before there was AI. "If a censor can't understand something, they'll send it to a group chat for team discussions." Another document outlines that there is no permanent rule book for censors, as instructions from the government can change daily, with new keywords and forbidden terms added to content filters at any time. Censors are trained to err on the side of caution. One internal memo summarised the approach bluntly: Chang warns that the implications of AI censorship extend beyond China. "If misleading data continues to flow outward, it could influence the AI models the rest of the world relies on," he said. "We need to think hard about how to maintain databases that are neutral, uncensored and accurate - because if the data is fake, the future will be fake too." Despite China's increasing use of AI to automate censorship, Liu believes Chinese people's intelligence will continue to outsmart the technology. 
While he worries future generations may struggle to access truthful information, he believes people will find new ways to express dissent - even under an airtight system. "After working as a censor for years, I found human creativity can still crush AI censors many times over," he said. The ABC contacted DeepSeek and Weibo for comment. - ABC


Techday NZ
3 days ago
Exclusive: Yubico's Ronnie Manning discusses the importance of 'the human touch'
Artificial intelligence may be taking centre stage when it comes to digital innovation - but when it comes to cybersecurity, Ronnie Manning says the strongest defence remains "reassuringly human." "From a security standpoint, it still holds that we have to be able to prove in this world of AI that we're still human," Manning, Chief Brand Advocate at Yubico, explained during a recent interview. Manning highlighted the increasing sophistication of phishing, deepfakes, and identity spoofing powered by AI - threats that traditional security measures like passwords and SMS codes can no longer withstand. "Basic authentication just isn't enough," he said. "Traditional passwords are reused, stolen, and easily guessed. One-time passcodes can be intercepted or socially engineered out of someone. But you can't trick a YubiKey." The YubiKey, a small USB or NFC-enabled device, provides what's called phishing-resistant authentication. Unlike password-based systems, it cannot be accessed or triggered remotely. The key must be physically tapped or inserted to function. "There's no extractable code that can be stolen or shared," Manning explained. "It 100% requires that human touch." As Chief Brand Advocate, Manning is focused on awareness and education around how physical keys are emerging as a first line of defence. The push comes at a time when AI is reshaping both cybercrime and cybersecurity alike. "Everything at RSA this year was about AI," he said, referring to the global security conference held in San Francisco. "But among all that innovation, the question remains: how do we prove we're real people accessing our own accounts?" Yubico's answer is a physical key that seamlessly integrates with enterprise and consumer services. Platforms like Microsoft, Google, Okta, and countless others have adopted native support for security keys. "It's like a house key," Manning said. "You have to physically have it to get in." 
Two-factor authentication with a physical key is already seeing adoption beyond the tech sector. Cathay Pacific, the Hong Kong-based airline, introduced passkey login for its loyalty programme in May this year, bringing passwordless access to its customers. Meanwhile, Air New Zealand has supported physical security keys for over a year - and explicitly lists YubiKey as a recommended device for securing accounts. "Security keys are devices or features used to enhance the security of your online account," Air New Zealand's own guidance reads. "A physical security key, like YubiKey, is a small and portable hardware device that you can carry with you to verify your identity." The airline provides step-by-step instructions for linking a YubiKey to a frequent flyer account - including purchasing a key, enabling the security feature, and completing log-in via a physical tap. For Yubico, this kind of adoption is a major milestone. "You love to hear that," said Manning. The appeal is growing as AI-driven scams evolve rapidly. Whether it's cloned voices used in social engineering calls or websites mimicking familiar services with near-perfect accuracy, Manning said the pace of attack sophistication is outstripping traditional defences. "We're seeing deepfake video, phishing emails, fake reset pages - all of this can now be spun up instantly," he explained. "But if I don't use passwords or one-time codes, those attacks fall flat." Manning emphasised that YubiKey technology goes beyond just human interaction - it also verifies the authenticity of the services being accessed. "It actually checks if the login page is the correct origin before sending a credential," he said. "So even if an attacker builds a perfect replica of, say, a Google sign-in page, the key won't trigger unless the destination is verified." Crucially, the YubiKey ecosystem is expanding. 
Manning noted the steady rise in support for passkeys - cryptographic credentials designed to replace usernames and passwords altogether. Stored either on a YubiKey or securely in device-based password managers, passkeys remove the weakest link in digital authentication: the password itself. "We want to eliminate passwords. We want people to have the highest level of security delivered in an extremely easy experience," he said. "With a YubiKey, all I have to do is touch the device and I'm securely logged in." Enterprises are beginning to take note, with many deploying YubiKeys across their entire workforce. "The goal is to make every employee phishing resistant, which ultimately makes the enterprise phishing resistant," Manning said. And the strategy works just as well at home. Yubico encourages individuals to use YubiKeys for personal accounts and even secure their password managers with the device. "Good hygiene at the office can blend with good hygiene at home," Manning explained. Looking ahead, Yubico is focused on further expanding passkey support. "We're working with partners to get passkeys into as many apps and services as possible," Manning said. "Every week, new platforms are coming on board." But no matter how advanced the tools or how rapid the AI breakthroughs, Yubico's core philosophy remains rooted in the physical - and personal. "We want organisations to feel confident that the people accessing their systems are the right people," said Manning. "In a world of AI, the human touch still matters most."

