SECURITYWEEK NETWORK:

ICS:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cyberwarfare

Microsoft Will Name Threat Actors After Weather Events

Microsoft plans to use weather-themed naming of APT actors as part of a move to simplify the way threat actors are documented.

Microsoft is ditching the chemical elements in favor of weather-themed naming of APTs and other threat actors.

In a move designed to simplify the way APTs are publicly documented, Redmond said it would change the way advanced threat actors are named and will use weather events like Typhoon, Blizzard and Sleet to add better context to public APT disclosures.

Microsoft previously used an all-caps naming scheme linked to chemical elements like ACTINIUM and IRIDIUM to describe nation-state and other advanced malware tracking activity but now the company says the complexity, scale, and volume of threats demands a new naming taxonomy.

“With the new taxonomy, we intend to bring better context to customers and security researchers that are already confronted with an overwhelming amount of threat intelligence data,” said John Lambert, Corporate Vice President, Microsoft Threat Intelligence.

He said the new naming scheme will provide “a more organized, memorable, and easy way to reference adversary groups so that organizations can better prioritize threats and protect themselves.”

The new scheme will separate actors into categories — nation-state, financially motivated, private sector cyber-mercenaries, influence operations or groups in development — and pinpoint specific countries linked to malware operations.

“Simply put, security professionals will instantly have an idea of the type of threat actor they are up against, just by reading the name,” Lambert said.

This is how Microsoft plans to publicly track and identify nation-state malware activity:

Advertisement. Scroll to continue reading.
ChinaTyphoon
IranSandstorm
LebanonRain
North KoreaSleet
RussiaBlizzard
South KoreaHail
TurkeyDust
VietnamCyclone

The company said financially motivated actors will be called Tempest while PSOA (private sector offensive actors) will be described as Tsunami. 

Microsoft will name actors linked to influence operations as Flood and groups in development as Storm.

“We believe this new approach makes it even easier to identify and remember Microsoft’s threat actors,” the company said. To help threat intelligence and incident responders manage the transition, Microsoft published guidance that maps the older chemical element naming scheme to the new taxonomy.

Related: Microsoft Announces Disruption of Russian Espionage APT

Related: Microsoft Catches Austrian Company Exploiting Windows, Adobe Zero-Days

Related: Microsoft Spots Multiple Nation-State APTs Exploiting Log4j Flaw

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

More from

Latest News

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Webinar: Rethinking Endpoint Hardening for Today’s Attack Landscape
On Demand

Learn how the LOtL threat landscape has evolved, why traditional endpoint hardening methods fall short, and how adaptive, user-aware approaches can reduce risk.

Watch Now

Virtual Event: Cloud & Data Security Summit
July 16, 2025

Join the summit to explore critical threats to public cloud infrastructure, APIs, and identity systems through discussions, case studies, and insights into emerging technologies like AI and LLMs.

Register

People on the Move

Cloud security startup Upwind has appointed Rinki Sethi as Chief Security Officer.

SAP security firm SecurityBridge announced the appointment of Roman Schubiger as the company’s new CRO.

Cybersecurity training and simulations provider SimSpace has appointed Peter Lee as Chief Executive Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.