Microsoft is ditching the chemical elements in favor of weather-themed naming of APTs and other threat actors.
In a move designed to simplify the way APTs are publicly documented, Redmond said it would change the way advanced threat actors are named and will use weather events like Typhoon, Blizzard and Sleet to add better context to public APT disclosures.
Microsoft previously used an all-caps naming scheme linked to chemical elements like ACTINIUM and IRIDIUM to describe nation-state and other advanced malware tracking activity but now the company says the complexity, scale, and volume of threats demands a new naming taxonomy.
“With the new taxonomy, we intend to bring better context to customers and security researchers that are already confronted with an overwhelming amount of threat intelligence data,” said John Lambert, Corporate Vice President, Microsoft Threat Intelligence.
He said the new naming scheme will provide “a more organized, memorable, and easy way to reference adversary groups so that organizations can better prioritize threats and protect themselves.”
The new scheme will separate actors into categories — nation-state, financially motivated, private sector cyber-mercenaries, influence operations or groups in development — and pinpoint specific countries linked to malware operations.
“Simply put, security professionals will instantly have an idea of the type of threat actor they are up against, just by reading the name,” Lambert said.
This is how Microsoft plans to publicly track and identify nation-state malware activity:
China Typhoon Iran Sandstorm Lebanon Rain North Korea Sleet Russia Blizzard South Korea Hail Turkey Dust Vietnam Cyclone
The company said financially motivated actors will be called Tempest while PSOA (private sector offensive actors) will be described as Tsunami.
Microsoft will name actors linked to influence operations as Flood and groups in development as Storm.
“We believe this new approach makes it even easier to identify and remember Microsoft’s threat actors,” the company said. To help threat intelligence and incident responders manage the transition, Microsoft published guidance that maps the older chemical element naming scheme to the new taxonomy.
Related: Microsoft Announces Disruption of Russian Espionage APT
Related: Microsoft Catches Austrian Company Exploiting Windows, Adobe Zero-Days
Related: Microsoft Spots Multiple Nation-State APTs Exploiting Log4j Flaw

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
More from Ryan Naraine
- Microsoft Catches Chinese .Gov Hackers Targeting US Critical Infrastructure
- Researchers Spot APTs Targeting Small Business MSPs
- Mikrotik Belatedly Patches RouterOS Flaw Exploited at Pwn2Own
- Red Hat Pushes New Tools to Secure Software Supply Chain
- Investors Make $6M Bet on Manifest for SBOM Management Technology
- Entro Raises $6M to Tackle Secrets Sprawl
- IBM Snaps up DSPM Startup Polar Security
- Huntress Closes $60M Series C for MDR Expansion
Latest News
- Russia Blames US Intelligence for iOS Zero-Click Attacks
- Toyota Discloses New Data Breach Involving Vehicle, Customer Information
- Cisco Acquiring Armorblox for Predictive and Generative AI Technology
- Moxa Patches MXsecurity Vulnerabilities That Could Be Exploited in OT Attacks
- Amazon Settles Ring Customer Spying Complaint
- Organizations Warned of Salesforce ‘Ghost Sites’ Exposing Sensitive Information
- Adobe Inviting Researchers to Private Bug Bounty Program
- Critical Vulnerabilities Found in Faronics Education Software
