Home Uncategorized Microsoft Introduces Weather-Themed Threat Actor Naming Taxonomy to Simplify and Strengthen Cybersecurity

Microsoft Introduces Weather-Themed Threat Actor Naming Taxonomy to Simplify and Strengthen Cybersecurity

The New System Aims to Help Security Professionals Better Understand and Prioritize Threats

Microsoft has announced a significant change in the way it classifies and names cyber threat actors, with the introduction of a weather-themed taxonomy. The new system aims to provide better context, organization, and memorability to help security professionals and customers understand and prioritize the ever-increasing complexity and volume of cyber threats they face.

John Lambert, Distinguished Engineer and Corporate Vice President of Microsoft Threat Intelligence, explained that the new naming taxonomy reflects the company’s commitment to helping customers understand cyber threats, regardless of which naming taxonomy they are familiar with. Microsoft will include other threat actor names within their security products to reflect overlaps and help customers make well-informed decisions.

Microsoft Security Experts

Under the new taxonomy, threat actor groups will be named after weather events. A weather event, or “family name,” represents either a nation-state actor attribution or a motivation. For example, “Typhoon” indicates an origin or attribution to China, while “Tempest” indicates financially motivated actors. The table below shows the actor categories, types, and family names under the new naming convention:

Actor category Type Family Name
Nation state China Typhoon
Iran Sandstorm
Lebanon Rain
North Korea Sleet
Russia Blizzard
South Korea Hail
Turkey Dust
Vietnam Cyclone
Financially motivated Financially motivated Tempest
Private sector offensive actors PSOAs Tsunami
Influence operations Influence operations Flood
Groups in development Groups in development Storm


Threat actors within the same weather family receive an adjective to distinguish groups with distinct tactics, techniques, procedures (TTPs), infrastructure, objectives, or other identified patterns.

For newly discovered, unknown, or emerging clusters of threat activity, Microsoft uses a temporary designation of “Storm” and a four-digit number. Once analysis reaches high confidence about the origin or identity of the actor, a Storm is converted to a named actor.

The new taxonomy, along with the accompanying icon system, will make it easier to identify and remember Microsoft’s threat actors. It will replace the previous naming approach, which used elements, trees, volcanoes, and DEVs.

The change in taxonomy will roll out over the next few weeks across public-facing content and in-product experiences, with prioritized in-product updates expected to be completed by September 2023. A reference guide at https://aka.ms/threatactors has been created to ease the transition from old names to new names.

Microsoft’s new threat actor naming taxonomy demonstrates the company’s dedication to simplifying and strengthening cybersecurity, making it more accessible and actionable for security professionals and customers alike.

Exit mobile version