Microsoft has announced a significant change in the way it classifies and names cyber threat actors, with the introduction of a weather-themed taxonomy. The new system aims to provide better context, organization, and memorability to help security professionals and customers understand and prioritize the ever-increasing complexity and volume of cyber threats they face.
John Lambert, Distinguished Engineer and Corporate Vice President of Microsoft Threat Intelligence, explained that the new naming taxonomy reflects the company’s commitment to helping customers understand cyber threats, regardless of which naming taxonomy they are familiar with. Microsoft will include other threat actor names within their security products to reflect overlaps and help customers make well-informed decisions.
Under the new taxonomy, threat actor groups will be named after weather events. A weather event, or “family name,” represents either a nation-state actor attribution or a motivation. For example, “Typhoon” indicates an origin or attribution to China, while “Tempest” indicates financially motivated actors. The table below shows the actor categories, types, and family names under the new naming convention:
| Actor category | Type | Family Name |
|---|---|---|
| Nation state | China | Typhoon |
| Iran | Sandstorm | |
| Lebanon | Rain | |
| North Korea | Sleet | |
| Russia | Blizzard | |
| South Korea | Hail | |
| Turkey | Dust | |
| Vietnam | Cyclone | |
| Financially motivated | Financially motivated | Tempest |
| Private sector offensive actors | PSOAs | Tsunami |
| Influence operations | Influence operations | Flood |
| Groups in development | Groups in development | Storm |
Threat actors within the same weather family receive an adjective to distinguish groups with distinct tactics, techniques, procedures (TTPs), infrastructure, objectives, or other identified patterns.
For newly discovered, unknown, or emerging clusters of threat activity, Microsoft uses a temporary designation of “Storm” and a four-digit number. Once analysis reaches high confidence about the origin or identity of the actor, a Storm is converted to a named actor.
The new taxonomy, along with the accompanying icon system, will make it easier to identify and remember Microsoft’s threat actors. It will replace the previous naming approach, which used elements, trees, volcanoes, and DEVs.
The change in taxonomy will roll out over the next few weeks across public-facing content and in-product experiences, with prioritized in-product updates expected to be completed by September 2023. A reference guide at https://aka.ms/threatactors has been created to ease the transition from old names to new names.
Microsoft’s new threat actor naming taxonomy demonstrates the company’s dedication to simplifying and strengthening cybersecurity, making it more accessible and actionable for security professionals and customers alike.
