Microsoft Security Nomenclature Switches to Bad Weather Naming Scheme

Microsoft announced this week that it has scrapped its security threat nomenclature for a new weather-themed one.

The new approach has a kind of hierarchy and includes weather icons to quickly identify the overall threat family that's involved. The new scheme includes:

  • Threat-actor categories, namely "nation states," "financially motivated" (criminals), "private sector offensive actors" (legal corporations that sell spyware or malware), "influence operations" (propagandists) and "groups in development" (new or unknown actors)
  • Threat-actor types (such as the names of nations involved in cyberattacks or espionage), and
  • Threat-actor family names.

It's the threat-actor family name that gets the new bad weather-associated naming scheme, along with bad weather icons. Microsoft now tags China as "Typhoon," Iran as "Sandstorm" and Russia as "Blizzard," for instance.

Microsoft also will affix an adjective before the family name to designate some particular group in a threat-actor family. These adjectives seem to be either food names or color names. The scheme is already in effect for Iran with this Microsoft April 18 post on "Mint Sandstorm," a nation-state threat group that Microsoft used to call "Phosphorus."

Microsoft described Mint Sandstorm as becoming more adept at exploiting published proof-of-concept vulnerabilities to target "private and public sectors." Microsoft explained that "Mint Sandstorm is a composite name used to describe several subgroups of activity with ties to the same organizational structure," principally Iran's military intelligence.

The stepped-up activity of Mint Sandstorm was said to be a reaction to cyberattacks on Iranian seaports and transport sectors that the Iranian government blamed on Israel and the United States. Oddly, Microsoft's new weather-themed threat-actor nomenclature did not show names for Israel and the United States. Multiple other countries that may engage in cyberattacks also weren't included in Microsoft's new naming scheme.

In any case, Microsoft's older naming scheme for threat actors has already been replaced. "The naming approach we have used previously (Elements, Trees, Volcanoes, and DEVs) has been retired," the announcement indicated.

Microsoft provides a table for befuddled security researchers trying to learn the new threat group names, compared with Microsoft's older scheme, in this document. The new name combinations can become somewhat interesting, such as "Spandex Tempest" for an older "Chimborazo" appellation and "Violet Typhoon" for "Zirconium" (China).

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

