Microsoft is changing tack in how it names threat actors, adopting a taxonomy inspired by weather.
Gone are the days of Microsoft naming threat actors after elements, trees, volcanoes and DEV numbers, John Lambert, distinguished engineer and corporate VP at Microsoft Threat Intelligence, said Tuesday in a blog post.
Threat intelligence firms, Microsoft included, put their mark on the threat actors they track by assigning unique names to the adversaries. This practice has produced a tangle of naming conventions that inadvertently obscures the fact that different researchers are tracking and sharing insights on the same group.
Microsoft’s new threat actor naming taxonomy doesn’t reduce the number of names that threat researchers at large apply to the same threat actors; instead, it organizes the threat actor groups Microsoft tracks into weather-themed categories.
“With the new taxonomy, we intend to bring better context to customers and security researchers that are already confronted with an overwhelming amount of threat intelligence data,” Lambert said in the blog post.
“Simply put, security professionals will instantly have an idea of the type of threat actor they are up against, just by reading the name,” Lambert said.
Under the new taxonomy, each weather event represents either a nation-state attribution or a motivation.
Nation-state actors originating in or attributed to China are now assigned the family name Typhoon, while financially motivated threat actors fall under the family name Tempest.
Microsoft's threat actor naming conventions take inspiration from extreme weather

| Affiliation | Family name |
|---|---|
| China | Typhoon |
| Iran | Sandstorm |
| Lebanon | Rain |
| North Korea | Sleet |
| Russia | Blizzard |
| South Korea | Hail |
| Turkey | Dust |
| Vietnam | Cyclone |
| Financially motivated | Tempest |
| Private sector offensive actors | Tsunami |
| Influence operations | Flood |
| Groups in development | Storm |

SOURCE: Microsoft
The naming system distinguishes threat actor groups within the same weather family by attaching an adjective to the weather event. Groups that share a family name but have distinct tactics, techniques and procedures, infrastructure or other patterns identified by Microsoft receive different adjectives.
Microsoft is now tracking some nation-state actors linked to Russia (Blizzard), for example, as Midnight Blizzard, Forest Blizzard and Aqua Blizzard. Nation-state actors linked to Iran include Mint Sandstorm, Gray Sandstorm and Hazel Sandstorm.
Microsoft will temporarily designate newly discovered, unknown or emerging clusters of threat activity as Storm followed by a four-digit number. DEV-1101, for example, is now Storm-1101. A Storm is converted to a named actor once Microsoft reaches high confidence about the origin or identity of the actor.
Microsoft Defender Threat Intelligence will update threat actor profiles daily, including the actors' tools and techniques and the steps organizations can take to mitigate the threat.
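As an added illustration of the scheme (not code from Microsoft or from the article), the small Python parser below decodes a taxonomy name into its family, adjective and affiliation using the table above, and treats Storm-#### designations as provisional, not-yet-attributed clusters. The class, function and constant names are my own, and the only actor names used are those quoted on this page.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Family names as listed in the table above; "Storm" is handled separately because
# it carries a four-digit cluster number instead of a distinguishing adjective.
FAMILY_TO_AFFILIATION = {
    "Typhoon": "China", "Sandstorm": "Iran", "Rain": "Lebanon",
    "Sleet": "North Korea", "Blizzard": "Russia", "Hail": "South Korea",
    "Dust": "Turkey", "Cyclone": "Vietnam",
    "Tempest": "Financially motivated",
    "Tsunami": "Private sector offensive actors",
    "Flood": "Influence operations",
}
NATION_STATES = {"China", "Iran", "Lebanon", "North Korea", "Russia",
                 "South Korea", "Turkey", "Vietnam"}

@dataclass(frozen=True)
class ActorName:
    family: str                 # weather family, e.g. "Blizzard", or "Storm"
    adjective: Optional[str]    # distinguishing adjective; None for Storm clusters
    cluster_id: Optional[str]   # four-digit number; only set for Storm clusters
    affiliation: str            # country, motivation, or "Groups in development"
    provisional: bool           # True until Microsoft converts the Storm to a named actor

    @property
    def nation_state(self) -> bool:
        return self.affiliation in NATION_STATES

_NAMED = re.compile(r"^([A-Za-z]+)\s+([A-Za-z]+)$")
_STORM = re.compile(r"^Storm-(\d{4})$", re.IGNORECASE)

def parse_actor_name(name: str) -> ActorName:
    """Decode a weather-taxonomy actor name; raises ValueError for anything else."""
    text = " ".join(name.split())          # normalise surrounding/internal whitespace
    storm = _STORM.match(text)
    if storm:
        return ActorName("Storm", None, storm.group(1), "Groups in development", True)
    named = _NAMED.match(text)
    if not named:
        raise ValueError(f"not a weather-taxonomy actor name: {name!r}")
    adjective, family = named.group(1).capitalize(), named.group(2).capitalize()
    if family not in FAMILY_TO_AFFILIATION:
        raise ValueError(f"unknown weather family {family!r} in {name!r}")
    return ActorName(family, adjective, None, FAMILY_TO_AFFILIATION[family], False)

if __name__ == "__main__":
    for n in ("Midnight Blizzard", "Mint Sandstorm", "Storm-1101"):
        print(n, "->", parse_actor_name(n))
```

Older DEV-#### designations are rejected rather than silently mapped, so a feed that still carries them surfaces as an error to fix instead of a mislabelled record.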
“Microsoft has unique capabilities to track threats and the expectation to provide timely, consistent analysis will only increase,” Lambert said. “In a growing industry of complexity, confusion and an overwhelming amount of data, we see an opportunity to provide customers with hyper relevant threat intelligence enabling them to implement even more proactive defenses.”