Microsoft Will Name Threat Actors After Weather Events

Microsoft plans to use weather-themed naming of APT actors as part of a move to simplify the way threat actors are documented.

Microsoft is ditching the chemical elements in favor of weather-themed naming of APTs and other threat actors.

In a move designed to simplify the way APTs are publicly documented, Redmond said it would change the way advanced threat actors are named and will use weather events like Typhoon, Blizzard and Sleet to add better context to public APT disclosures.

Microsoft previously used an all-caps naming scheme based on chemical elements, such as ACTINIUM and IRIDIUM, to describe the nation-state and other advanced threat activity it tracks, but the company now says the complexity, scale and volume of threats demand a new naming taxonomy.

“With the new taxonomy, we intend to bring better context to customers and security researchers that are already confronted with an overwhelming amount of threat intelligence data,” said John Lambert, Corporate Vice President, Microsoft Threat Intelligence.

He said the new naming scheme will provide “a more organized, memorable, and easy way to reference adversary groups so that organizations can better prioritize threats and protect themselves.”

The new scheme will separate actors into categories — nation-state, financially motivated, private sector cyber-mercenaries, influence operations or groups in development — and pinpoint specific countries linked to malware operations.

“Simply put, security professionals will instantly have an idea of the type of threat actor they are up against, just by reading the name,” Lambert said.


This is how Microsoft plans to publicly track and identify nation-state malware activity:

Country: Family name
North Korea: Sleet
South Korea: Hail

The company said financially motivated actors will be called Tempest, while PSOAs (private sector offensive actors) will be described as Tsunami.

Microsoft will name actors linked to influence operations as Flood and groups in development as Storm.

“We believe this new approach makes it even easier to identify and remember Microsoft’s threat actors,” the company said. To help threat intelligence teams and incident responders manage the transition, Microsoft published guidance that maps the older chemical element naming scheme to the new taxonomy.

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
