When Russian intelligence officers hacked the Democratic National Committee in 2016, they weren’t identified in headlines as Russian intelligence officers. They were called Fancy Bear. When hackers from the People’s Liberation Army were discovered burrowed deep inside U.S. critical infrastructure to launch disruptive attacks in the event of a crisis in Taiwan, they weren’t called Chinese military. They were called Volt Typhoon.

These names aren’t just confusing—they’re misleading. They obscure attribution, mystify the public, and often glamorize dangerous adversaries. That’s why we welcome the news that cybersecurity leaders Microsoft and CrowdStrike are teaming up to better align how they name and categorize cyber threat actors. Cooperation among vendors is an important and positive step. But to be clear: while this collaboration is a helpful start, it will ultimately fall short if it stops at cross-referencing proprietary names rather than fundamentally reforming the way we label and identify adversaries in cyberspace.

Microsoft and CrowdStrike describe their goal as “deconflicting adversary names” and creating a shared “Rosetta Stone” that maps their naming systems to one another. This is a meaningful gesture. As anyone in threat intelligence knows, working from misaligned taxonomies can delay response times and create confusion across Security Operations Centers, incident response teams, and executive leadership. Microsoft and CrowdStrike say they’ve already deconflicted more than 80 adversary groups—a noteworthy achievement. The companies also aim to provide a shared framework that supports frontline cyber defenders—enabling incident responders and Chief Information Security Officers to make faster determinations about attribution and how to respond. Speed is indeed a decisive advantage in patching vulnerabilities, containing the damage, and defending against future cyber attacks. And the planned roadmap for aligning taxonomies—starting with a small working group and a defined analytic process—suggests this private sector collaboration is being approached thoughtfully.

But here’s the problem: we still lack a shared, vendor-neutral, public taxonomy that enables global alignment and interoperability. And given Microsoft and CrowdStrike’s recent assertion that “a single universal naming standard is not practical and may not be possible,” it’s unlikely we’ll see one anytime soon. In the meantime, we’re still using names that sound more like comic book characters than what they really are: nation-state hackers and cybercriminals actively trying to disrupt hospitals, paralyze governments, and hold businesses hostage.

To be clear, threat actor naming isn’t a new problem. Every few years, the longstanding debate resurfaces—policymakers ask why vendors name threat actors differently and why we can’t directly call out those responsible. But while industry stakeholders previously have welcomed government help to align on threat reporting, including by proposing a “collaborative analytic process” modeled off the U.S. Intelligence Community’s National Intelligence Estimate System, such proposals have gained little traction. Instead, vendors point to the difficulty of attribution for cyber attacks, different levels of visibility across industry players, and how providers must adhere to divergent regulations concerning customer data protection or intellectual property considerations. On a global scale, these difficulties may be magnified across different legal and regulatory environments.

But let’s not pretend this is the best we can do. The oft-repeated claim that a single universal naming system is “not practical” or “not possible” simply isn’t credible. The international community has standardized complex naming systems in every domain from biology to medicine to defense. NATO has a universal designation system for aircraft and missiles. We have International Classification of Diseases codes to standardize language for recording and classifying health data. Foreign intelligence partners frequently develop common naming conventions for sharing information about security threats, including cyber actors. The Rosetta Stone unlocked ancient, lost languages. What we’re dealing with is a largely English-speaking, professional community working on the same problem set. What is really missing in cybersecurity is not feasibility—it’s collective will from both industry leaders and policymakers.

Part of the problem is that today’s naming conventions serve marketing purposes more than the cybersecurity mission. Giving an adversary a name like Wicked Panda or Salt Typhoon is a form of brand identity—it makes the group memorable and ties it to the firm that coined it. That’s good for marketing—but not necessarily for defenders, or the broader public trying to understand who the real bad actors are. Sometimes it’s incomplete or even misleading. Salt and Volt Typhoon—separated by two letters—sound like twins. But the former is a digital intelligence gathering campaign against the United States’ major telecommunications operators; the latter is a strategic military disruptive threat to hundreds if not thousands of American infrastructure operators. Responding to these threats requires radically different approaches.

To give another example, it turns out no one knows yet whether the cybercriminals behind the recent crisis in British retail really are Scattered Spider, whether they’re the same personnel who hacked Las Vegas casinos, or who they’re working with. “Scattered Spider and DragonForce unite to cash in on M&S hacking,” a recent headline from London’s Times newspaper, is, if you step back, an objectively ridiculous way to inform the public about how organized criminals have stopped one of the United Kingdom’s most iconic retailers from selling food and clothes to millions of customers for months.

It’s time we stopped naming these groups in ways that mystify, glamorize, or sanitize their nefarious activities. Fancy Bear isn’t a cartoon villain—it’s Russian military intelligence. Charming Kitten isn’t a meme-worthy hacker collective—it’s Iranian state-sponsored espionage. These actors don’t deserve clever names. Calling them dirtbags would frankly be more appropriate, or if creative branding is aimed at making them more memorable, we’d suggest names like Scrawny Nuisance, Weak Weasel, Feeble Ferret, or Doofus Dingo. But the truth is, we should aim for accuracy over branding. And when attribution is clear, we should say so: China, Russia, Iran, North Korea. Calling them by name isn’t inflammatory—it’s clarifying for the cybersecurity community and the public it seeks to defend.

The incentives to address this issue are weak, but smart policy design could change that. Most importantly, governments—which possess extensive visibility through intelligence, law enforcement, and national cyber defense capabilities—could promote standardization by cutting through bureaucracy and being much more agile in attributing attacks, working together and with relevant vendors to be “first to market” with confirmed attribution, using universal, non-glamorized naming taxonomies. Public-private threat-sharing programs could formally adopt and reward adherence to such standardized naming conventions. Regulators might incorporate naming clarity into emerging cybersecurity labeling schemes, such as those being developed for consumer Internet of Things (IoT) devices in the European Union and United States. Even modest steps—like encouraging alignment in public-sector contracts or through cyber insurance underwriting criteria—could begin to shift norms. The goal isn’t to penalize creativity; it’s to stop the branding of adversaries at the expense of clarity, coordination, and defense.

This matters not just for the security community, but for the broader society these actors are targeting. A ransomware group that takes down a hospital or school isn’t just a threat to IT infrastructure—it puts human lives and livelihoods at risk. And when we talk about them as if they were Bond villains or mythical creatures, we’re doing a disservice to the people they harm.

The Microsoft and CrowdStrike partnership is a welcome step toward greater clarity. But if we want real progress, we need to move beyond translation charts. The next step must be bolder: a single, transparent, standardized naming system that prioritizes accuracy over marketing, and clarity over cleverness. Let’s align on that—and finally build a threat actor naming system that serves defenders and protects the public.

FEATURED IMAGE: A visual depiction of prominent hacker naming conventions.