
Microsoft summons weather events to name threat actors - Cybersecurity Dive

Cybersecurity Dive Archived May 17, 2026 ✓ Full text saved

Under the new taxonomy, a blizzard or typhoon designation represents a nation-state actor, and financially motivated threat actors fall under the family name Tempest.

Published April 19, 2023
Matt Kapko, Senior Reporter

Microsoft is changing tack in how it names threat actors, adopting a taxonomy inspired by weather.

Gone are the days of Microsoft naming threat actors elements, trees, volcanoes and DEVs, John Lambert, distinguished engineer and corporate VP at Microsoft Threat Intelligence, said Tuesday in a blog post.

Threat intelligence firms, Microsoft included, put their mark on the threat actors they track by assigning unique names to the adversaries. This practice has resulted in a naming convention that inadvertently conceals when researchers are tracking and sharing insights on the same group.

Microsoft’s new threat actor naming taxonomy doesn’t reduce the number of names applied to the same threat actors by threat researchers at large, but rather organizes threat actor groups into weather-themed categories.

“With the new taxonomy, we intend to bring better context to customers and security researchers that are already confronted with an overwhelming amount of threat intelligence data,” Lambert said in the blog post.

“Simply put, security professionals will instantly have an idea of the type of threat actor they are up against, just by reading the name,” Lambert said.

Under the new taxonomy, weather events represent a nation-state actor attribution or a motivation. Nation-state actors originating or attributed to China are now assigned the family name Typhoon, while financially motivated threat actors fall under the family name Tempest.

Microsoft’s threat actor naming conventions take inspiration from extreme weather

Affiliation                        Family name
China                              Typhoon
Iran                               Sandstorm
Lebanon                            Rain
North Korea                        Sleet
Russia                             Blizzard
South Korea                        Hail
Turkey                             Dust
Vietnam                            Cyclone
Financially motivated              Tempest
Private sector offensive actors    Tsunami
Influence operations               Flood
Groups in development              Storm

SOURCE: Microsoft

The naming system distinguishes threat actor groups within the same weather family by assigning an adjective to the weather event. This includes threat actors with distinct tactics, techniques and procedures, infrastructure or other patterns identified by Microsoft.

Microsoft is now tracking some nation-state actors linked to Russia (Blizzard), for example, as Midnight Blizzard, Forest Blizzard and Aqua Blizzard. Nation-state actors linked to Iran include Mint Sandstorm, Gray Sandstorm and Hazel Sandstorm.

Microsoft will temporarily designate newly discovered, unknown or emerging clusters of threat activity as Storm and a four-digit number. DEV-1101, for example, is now Storm-1101. A Storm gets converted to a named actor once Microsoft reaches high confidence about the origin or identity of the actor.

Microsoft Defender Threat Intelligence will update the profiles of threat actors daily, including tools, techniques and steps organizations can take to mitigate the threat.

“Microsoft has unique capabilities to track threats and the expectation to provide timely, consistent analysis will only increase,” Lambert said. “In a growing industry of complexity, confusion and an overwhelming amount of data, we see an opportunity to provide customers with hyper relevant threat intelligence enabling them to implement even more proactive defenses.”