Microsoft Security is making a big change in how it labels threat actors. Today, the company revealed that from now on, these threats will be labeled based on weather terms.
In its blog post, the company's Threat Intelligence team explains the reason for this change:
With the new taxonomy, we intend to bring better context to customers and security researchers that are already confronted with an overwhelming amount of threat intelligence data. It will offer a more organized, memorable, and easy way to reference adversary groups so that organizations can better prioritize threats and protect themselves. Simply put, security professionals will instantly have an idea of the type of threat actor they are up against, just by reading the name.
A number of the new weather terms will identify the threat actors as coming from specific countries:
| China | Typhoon |
| Iran | Sandstorm |
| Lebanon | Rain |
| North Korea | Sleet |
| Russia | Blizzard |
| South Korea | Hail |
| Turkey | Dust |
| Vietnam | Cyclone |
Microsoft will also break down some more specific threats from certain nation states with additional sub-categories. For example, Russia has Blizzard as its main threat name, but it will also get Midnight Blizzard, Forest Blizzard, and Aqua Blizzard for more specific security issues.
The new weather terms will also extend to other threat actor issues:
| Financially motivated | Tempest |
| Private sector offensive actors | Tsunami |
| Influence operations | Flood |
| Groups in development |
Storm |
If a threat comes from an unknown source, or if one cannot be identified immediately, Microsoft will use the term Storm, followed by a four-digit number, as a preliminary label until it can be fully identified.
Microsoft also has established a new set of icons to go along with these new weather names for threat actors. It states:
We believe this new approach, along with the new icon system shown in some of the examples above, makes it even easier to identify and remember Microsoft’s threat actors. Each icon uniquely represents a family name, and where it makes sense will accompany the threat actor names as a visual aid. This new naming approach does not in any way change who the threat actors are that we are tracking, or our current analysis behind the names.
You can find out more about this new system on this Microsoft support page. All of Microsoft's in product pages that use security threat terminology will be updated with the new terms by September 2023.
16 Comments - Add comment