Microsoft's new naming convention for threat groups sound like an order at a cocktail bar

Martin Brinkmann
Apr 19, 2023

Strawberry Tempest, Night Tsunami, Aqua Blizzard or Circle Typhoon sound like something that you would order in a Cocktail bar, or a fancy coffee joint. These deliciously sounding constructs are, however, not the latest in-drinks at Starbuck, but the new names that Microsoft is using to describe threats and threat groups.

Microsoft announced the change today on its Microsoft 365 website. There, the company reveals how it is going to name threat actors  and classifying threats going forward. It has "shifted to a new naming taxonomy for threat actors aligned with the theme of weather" to "bring better clarity to customers and other security researchers".

The following naming convention is now used by Microsoft to classify threats coming from specific regions or having specific targets:

  • Russia -- Blizzard
  • China -- Typhoon
  • Iran -- Sandstorm
  • North Korea -- Sleet
  • Turkey -- Dust
  • Vietnam -- Cyclone
  • Lebanon -- Rain
  • South Korea -- Hail
  • Financially Motivated -- Tempest
  • Private sector offensive actor -- Tsunami
  • Influence operations -- Flood
  • Groups in development -- Storm

Threat actors are categorized into five key groups. Nation-state actors act "on behalf of or directed by a nation/state-aligned program, irrespective of whether for espionage, financial gain, or retribution" Microsoft notes. These continue to target "government agencies, intergovernmental organizations, non-governmental organizations, and think tanks" predominantly.

Microsoft's previous naming convention was rather chaotic, as it used elements or codes among other things to name threat actors. Ruby Sleet from North Korea was known as Cerium, Iran's Peach Sandstorm as Holmium, and the China-based Lilac Tempest as DEV-0234.

The new naming convention is more orderly. The second word of the name links it to one of the five key groups that Microsoft identified for these types of threats.

Microsoft explains: "In our new taxonomy, a weather event or family name represents one of the above categories. In the case of nation-state actors, we have assigned a family name to a country of origin tied to attribution, like Typhoon indicates origin or attribution to China. For other actors, the family name represents a motivation."

Security experts are torn when it comes to the new names. Phil Walker, CEO of Network Solutions Provider told CRN that it would help customers understand threats better, even though some might feel that the names sound funny. Michael Goldstein, CEO of LAN Infotech, suggested that the new system could "downplay the seriousness of these threat actors or even give the actors a positive spin".

Security researchers and interested users find the full list of new and previous names on Microsoft's website.

Microsoft has not revealed how it is going to classic nation-state actors that originate from a region or country outside of the eight that it has assigned codenames to already.

Now You: what is your take on this decision?

Microsoft's new naming convention for threat groups sound like an order at a cocktail bar
Article Name
Microsoft's new naming convention for threat groups sound like an order at a cocktail bar
Microsoft announced that it is changing the naming convention for threat groups and actors to weather themed descriptors.
Ghacks Technology News

Previous Post: «
Next Post: «


  1. Paul(us) said on April 20, 2023 at 1:23 pm

    This is the way the users totally get disorientated on the most confusing humankind can think of.
    Well done Microsoft. You have become more dangerous than your opponent seen for the user side.
    Why not call it easy peasy – Russinan, financial, etc?

  2. PiedPiper said on April 19, 2023 at 10:45 pm

    Nobody at Microsoft appears to be actively working on anything useful. They are merely fidgeting and pondering their next idiotic scheme. This will actually cause more confusion. Why make it harder? Call it what it really is. Microsoft is sometimes all I can think of as a modern parody.

  3. basingstoke said on April 19, 2023 at 4:17 pm

    Russia gets “Blizzard” that’s pretty cool I can live with that :)

  4. TelV said on April 19, 2023 at 11:38 am

    Sounds like Microsoft has an obsession with the weather.

  5. Fritz said on April 19, 2023 at 11:38 am

    Why on earth does Microsoft feel this is relevant for the general public? They can do internally whatever they want, but why would anyone care whether you call Russia Russia, Blizzard, or Cyclone??? Am I missing something here?

  6. John G. said on April 19, 2023 at 11:22 am

    The alcohol is running throught the tables and computer at Microsoft offices. Probably.

    1. Frankel said on April 19, 2023 at 11:36 am

      Figures, they also “forgot” a name for the american nation state hackers.

      1. Tachy said on April 20, 2023 at 5:03 am

        “Dark Sunshine”.

      2. John G. said on April 19, 2023 at 12:56 pm

        @Frankel +10, LOL

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.