Microsoft has now announced this (via Deskmodder). With the new naming, the company wants to improve memorability to help security professionals and customers “understand and prioritize the ever-increasing complexity and scope of the cyber threats they face”, according to the announcement.
Under the new taxonomy, threat actor groups will be named after weather events. A weather event or “family name” represents either an affiliation with a national actor or a motivation.
For example, “Typhoon” indicates an origin or attribution to China, while “Tempest” indicates financially motivated actors. The table below shows the actor categories, types and family names according to the new naming convention:
For example:
- China: Typhoon
- Iran: Sandstorm
- Lebanon: Rain
- North Korea: Sleet
- Russia: Blizzard
- South Korea: Hail
- Türkiye: Dust
- Vietnam: Cyclone
Threat actors within the same weather family are given an adjective to distinguish groups with different tactics, techniques, procedures (TTPs), infrastructure, targets, or other identified patterns.
New system to simplify
For newly discovered, unknown, or emerging groups of threat activity, Microsoft uses the temporary designation “Storm” and a four-digit number. The new taxonomy and the associated icon system make it easier to identify and remember the threat actors Microsoft tracks. It replaces the previous naming approach that used elements, trees, volcanoes, and DEVs.
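For teams that tag alerts or reports with these labels, the convention can be parsed mechanically. The following is an added example, not code from Microsoft or the original article: it extracts actor labels from free text using only the family names listed above. The function name, the stopword list, the hyphen or space after "Storm", and all sample names are assumptions constructed for illustration.

```python
import re

# Family name -> attribution, limited to the families named in the article.
FAMILIES = {
    "Typhoon": "China", "Sandstorm": "Iran", "Rain": "Lebanon",
    "Sleet": "North Korea", "Blizzard": "Russia", "Hail": "South Korea",
    "Dust": "Türkiye", "Cyclone": "Vietnam",
    "Tempest": "financially motivated",
}

# Temporary designation: "Storm" plus exactly four digits. The separator
# (hyphen or space) is an assumption; the article only gives the two parts.
STORM_RE = re.compile(r"\bStorm[- ](\d{4})\b")
# Named group: one capitalised adjective followed by a known family name.
NAMED_RE = re.compile(r"\b([A-Z][a-z]+) (%s)\b" % "|".join(FAMILIES))
# Heuristic (assumption): words that precede a family name in ordinary prose.
STOPWORDS = {"The", "A", "This", "That", "Each", "Every"}


def extract_actors(text):
    """Return actor labels found in text, in order of appearance."""
    hits = []
    for m in STORM_RE.finditer(text):
        hits.append((m.start(), {
            "label": "Storm-" + m.group(1), "adjective": None,
            "family": "Storm", "attribution": "temporary designation",
        }))
    for m in NAMED_RE.finditer(text):
        adjective, family = m.groups()
        if adjective in STOPWORDS:
            continue  # "The Typhoon family" names a family, not a group
        hits.append((m.start(), {
            "label": adjective + " " + family, "adjective": adjective,
            "family": family, "attribution": FAMILIES[family],
        }))
    return [hit for _, hit in sorted(hits, key=lambda pair: pair[0])]


# Constructed sample text; the group names and the number are made up.
SAMPLE = ("Alert 1: activity consistent with Example Typhoon. "
          "Alert 2: Storm-1234 infrastructure reused by Sample Tempest. "
          "The Typhoon family is not itself a group; Storm-12345 is malformed.")

if __name__ == "__main__":
    for actor in extract_actors(SAMPLE):
        print(actor["label"], "->", actor["attribution"])
```

Because the family names are ordinary weather words, a phrase such as "Heavy Rain" in unrelated text will also match, so results are best treated as candidates to confirm against a vetted actor list.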
- Microsoft: new taxonomy for classifying and naming cyber threat actors
- Naming after weather events: typhoon for China, sandstorm for Iran, etc.
- Adjectives for groups within the same weather family
- Provisional designation “Storm” for new groups
- Icon system for easy identification and recall
- Replaces previous approach with elements, trees, volcanoes and DEVs
- Improved memorability for security professionals and customers