Microsoft's new naming convention for threat groups sounds like an order at a cocktail bar
Strawberry Tempest, Night Tsunami, Aqua Blizzard or Circle Typhoon sound like something that you would order in a cocktail bar or a fancy coffee joint. These delicious-sounding constructs are, however, not the latest in-drinks at Starbucks, but the new names that Microsoft is using to describe threats and threat groups.
Microsoft announced the change today on its Microsoft 365 website. There, the company reveals how it is going to name threat actors and classify threats going forward. It has "shifted to a new naming taxonomy for threat actors aligned with the theme of weather" to "bring better clarity to customers and other security researchers".
The following naming convention is now used by Microsoft to classify threats coming from specific regions or having specific targets:
- Russia -- Blizzard
- China -- Typhoon
- Iran -- Sandstorm
- North Korea -- Sleet
- Turkey -- Dust
- Vietnam -- Cyclone
- Lebanon -- Rain
- South Korea -- Hail
- Financially Motivated -- Tempest
- Private sector offensive actor -- Tsunami
- Influence operations -- Flood
- Groups in development -- Storm
Threat actors are categorized into five key groups. Nation-state actors act "on behalf of or directed by a nation/state-aligned program, irrespective of whether for espionage, financial gain, or retribution", Microsoft notes. These continue to target predominantly "government agencies, intergovernmental organizations, non-governmental organizations, and think tanks".
Microsoft's previous naming convention was rather chaotic, as it used chemical elements and codes, among other things, to name threat actors. Ruby Sleet from North Korea was known as Cerium, Iran's Peach Sandstorm as Holmium, and the China-based Lilac Tempest as DEV-0234.
The new naming convention is more orderly. The second word of the name links it to one of the five key groups that Microsoft identified for these types of threats.
Microsoft explains: "In our new taxonomy, a weather event or family name represents one of the above categories. In the case of nation-state actors, we have assigned a family name to a country of origin tied to attribution, like Typhoon indicates origin or attribution to China. For other actors, the family name represents a motivation."
Security experts are torn when it comes to the new names. Phil Walker, CEO of Network Solutions Provider, told CRN that it would help customers understand threats better, even though some might feel that the names sound funny. Michael Goldstein, CEO of LAN Infotech, suggested that the new system could "downplay the seriousness of these threat actors or even give the actors a positive spin".
Security researchers and interested users can find the full list of new and previous names on Microsoft's website.
Microsoft has not revealed how it is going to classify nation-state actors that originate from a region or country outside of the eight that it has assigned codenames to already.
Now You: what is your take on this decision?