Microsoft announced that it is switching from a taxonomy based on chemical elements to a new scheme based on weather themes.
“It will offer a more organized, memorable, and easy way to reference adversary groups so that organizations can better prioritize threats and protect themselves. Simply put, security professionals will instantly have an idea of the type of threat actor they are up against, just by reading the name,” the company explained in a blog post.
According to the new classification, threat groups will now be named after weather events such as storms, typhoons, and blizzards. For example, the Iran-based state-sponsored group Phosphorus (aka APT35 or Charming Kitten) will from now on be referred to as Mint Sandstorm, and the Russian group Nobelium (aka Cozy Bear) is now tracked as Midnight Blizzard.
Microsoft categorizes threat actors into five key groups: nation-state hackers, financially motivated groups (Tempest), private sector offensive actors (Tsunami), influence operations (Flood), and groups in development (Storm).
If a threat is new or its source is unknown, Microsoft will assign it a temporary “Storm” designation followed by a four-digit number, replacing the “DEV” moniker Microsoft previously used.
As for the nation-state threat groups, Microsoft says each has been assigned a family name corresponding to its attributed country of origin, as follows: China (Typhoon), Iran (Sandstorm), Lebanon (Rain), North Korea (Sleet), Russia (Blizzard), South Korea (Hail), Turkey (Dust), Vietnam (Cyclone).
Microsoft has also provided a reference guide to ease the transition to the new naming taxonomy, and a JSON file containing the most up-to-date and comprehensive mapping of old threat actor names to their new names.
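For a SOC or threat-intel team that has to reconcile older reports with the new scheme, the practical task is twofold: translate legacy names through Microsoft's mapping file, and read the category and origin out of the new name's family word (the `Storm-####` form being the one case that is not a two-word name). The following Python is an added example written for this page, not Microsoft's code or its reference guide. The JSON layout (`{"old name": "new name"}`), the sample entries, and the `DEV-####` shape of the old temporary names are assumptions; the family-to-category table is taken from the article above.

```python
import json
import re

# Family names per category, as described in the article.
NATION_STATE_FAMILIES = {
    "Typhoon": "China",
    "Sandstorm": "Iran",
    "Rain": "Lebanon",
    "Sleet": "North Korea",
    "Blizzard": "Russia",
    "Hail": "South Korea",
    "Dust": "Turkey",
    "Cyclone": "Vietnam",
}
OTHER_FAMILIES = {
    "Tempest": "financially motivated",
    "Tsunami": "private sector offensive actor",
    "Flood": "influence operation",
}
# Temporary designation: the word "Storm", a hyphen and exactly four digits.
STORM_RE = re.compile(r"^Storm-(\d{4})$")

# Constructed sample in an assumed {"old name": "new name"} layout.
# Microsoft's real JSON file is not reproduced on the page, so its schema is a guess.
SAMPLE_MAPPING_JSON = json.dumps({
    "Phosphorus": "Mint Sandstorm",
    "Nobelium": "Midnight Blizzard",
    "DEV-0001": "Storm-0001",   # hypothetical old/new pair for an in-development group
})


def load_mapping(raw_json):
    """Parse the mapping file into a case-insensitive old-name -> new-name dict."""
    data = json.loads(raw_json)
    return {old.casefold(): new for old, new in data.items()}


def classify(name):
    """Derive category and origin from a new-scheme name.

    Raises ValueError for names that do not follow the scheme, so callers
    cannot silently accept a legacy or misspelled name as classified.
    """
    if STORM_RE.match(name):
        return {"name": name, "category": "in development", "family": "Storm",
                "origin": None, "temporary": True}
    parts = name.split()
    if len(parts) != 2:
        raise ValueError(f"not a two-word taxonomy name: {name!r}")
    _adjective, family = parts
    if family in NATION_STATE_FAMILIES:
        return {"name": name, "category": "nation-state", "family": family,
                "origin": NATION_STATE_FAMILIES[family], "temporary": False}
    if family in OTHER_FAMILIES:
        return {"name": name, "category": OTHER_FAMILIES[family], "family": family,
                "origin": None, "temporary": False}
    raise ValueError(f"unknown family name {family!r} in {name!r}")


def resolve(name, mapping):
    """Return the new-scheme name for either a legacy name or an already-new name."""
    new_name = mapping.get(name.casefold())
    if new_name is not None:
        return new_name
    # Not a legacy name: accept it only if it already parses under the new scheme.
    classify(name)
    return name


def normalize(name, mapping):
    """Convenience wrapper: legacy or new name in, classified new-scheme record out."""
    return classify(resolve(name, mapping))


if __name__ == "__main__":
    mapping = load_mapping(SAMPLE_MAPPING_JSON)
    for raw in ("Phosphorus", "nobelium", "DEV-0001", "Forest Blizzard"):
        print(raw, "->", normalize(raw, mapping))
```

Because `resolve` refuses anything that is neither in the mapping nor a well-formed new name, a stale alias that was dropped from the mapping surfaces as an error in the enrichment pipeline rather than as a quietly mislabelled record.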