EXECUTIVE SUMMARY:

Last week, Microsoft’s cyber security division announced that it is changing its taxonomy for naming hacking groups. Previously, Microsoft assigned cyber criminal organizations the names of chemical elements, as listed in the periodic table. In the new system, Microsoft will assign hacker groups two-word names, including a weather-based descriptor.

The new names

The idea is for security professionals to be able to instantly have a sense of the type of threat actor that they’re up against by simply reading the name. The new names provide a certain level of context about the hacking groups.

In addition, the new names are more distinct, memorable and searchable than those of the past, says John Lambert, Head of Microsoft’s Threat Intelligence Center. Also, Microsoft’s team says that they were running out of chemical elements, as there are only 118 of them.

Microsoft’s Threat Intelligence community tracks more than 300 unique threat actors, including 160 nation-state actors, 50 ransomware groups, and hundreds of others.

Taxonomy technique

Microsoft intends to name hacking groups after weather events, each of which will correspond to the hacking group’s typical motive. For example, to indicate financially motivated groups, the name ‘Tempest’ will be assigned. Private sector offensive actors will be labeled with the name ‘Tsunami’. Influence operations will be tagged with ‘Flood.’

A threat from a new or unknown source will be given the temporary designation ‘Storm’ followed by a four-digit number.

As for nation-state threat actors, Microsoft has correlated certain nations with specific weather phenomena. The attributions are currently as follows: China (Typhoon), Iran (Sandstorm), Lebanon (Rain), North Korea (Sleet), Russia (Blizzard), South Korea (Hail), Turkey (Dust) and Vietnam (Cyclone).
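The naming scheme above doubles as a machine-readable format: the family word carries the attribution, the first word distinguishes groups within a family, and ‘Storm’ plus a number marks an unattributed actor. The parser below is an added example, not Microsoft’s code; it encodes only the families the article lists and assumes the temporary form is written “Storm-” followed by four digits.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Families the article attributes to nation states, keyed by family word.
NATION_FAMILIES = {
    "typhoon": "China", "sandstorm": "Iran", "rain": "Lebanon",
    "sleet": "North Korea", "blizzard": "Russia", "hail": "South Korea",
    "dust": "Turkey", "cyclone": "Vietnam",
}
# Families the article ties to a motive rather than a country.
MOTIVE_FAMILIES = {
    "tempest": "financially motivated",
    "tsunami": "private sector offensive actor",
    "flood": "influence operation",
}

# Assumed spelling of the temporary designation: "Storm-" plus four digits.
_TEMP_RE = re.compile(r"^storm-(\d{4})$", re.IGNORECASE)
# Full names are two alphabetic words: modifier then weather family.
_FULL_RE = re.compile(r"^([A-Za-z]+)\s+([A-Za-z]+)$")


@dataclass(frozen=True)
class ActorName:
    raw: str
    kind: str                    # "nation-state", "motive" or "temporary"
    family: str                  # e.g. "Sandstorm", or "Storm" when temporary
    modifier: str                # e.g. "Mint", or the four-digit number
    attribution: Optional[str]   # country, motive, or None if unattributed


def parse_actor_name(name: str) -> ActorName:
    """Split a Microsoft-style actor name into its parts; raise on unknown shapes."""
    text = name.strip()
    m = _TEMP_RE.match(text)
    if m:
        return ActorName(text, "temporary", "Storm", m.group(1), None)
    m = _FULL_RE.match(text)
    if not m:
        raise ValueError(f"not a two-word or Storm-NNNN actor name: {name!r}")
    modifier, family = m.group(1).capitalize(), m.group(2).capitalize()
    key = family.lower()
    if key in NATION_FAMILIES:
        return ActorName(text, "nation-state", family, modifier, NATION_FAMILIES[key])
    if key in MOTIVE_FAMILIES:
        return ActorName(text, "motive", family, modifier, MOTIVE_FAMILIES[key])
    raise ValueError(f"unknown weather family {family!r} in {name!r}")


def is_valid_actor_name(name: str) -> bool:
    """True if the name parses under the families listed above."""
    try:
        parse_actor_name(name)
        return True
    except ValueError:
        return False
```

Note that the parsed attribution reflects only what the name asserts; as the article points out, the name carries no confidence level, so a CTI pipeline should store that separately.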

Examples in the wild

“To meet the requirements of a full name, we aim to gain knowledge of the actor’s infrastructure, tooling, victimology and motivation. We expand and update the definitions supporting our actor names based on our own telemetry, industry reporting and a combination thereof,” says Microsoft.

In real terms, as a result of the taxonomy change, Phosphorus, the Iranian group that has recently targeted critical infrastructure in the US, now has the innocuous-sounding name Mint Sandstorm. Similarly, Iridium (a.k.a. Sandworm), Russia’s most aggressive and dangerous cyber aggressor, will now be called Seashell Blizzard.

System controversy

Some argue that the new naming system isn’t productive for actual cyber security analysts, as the system relies on educated guesses about hackers’ origins. It provides no indication of the analysts’ degree of confidence in their own assessments.

Hacker loyalties and motives can shift over time. What happens if a hacker group believed to be part of one type of operation is actually involved with another nation in a different set of activities? Will we move from Pumpkin Blizzard to Pumpkin Typhoon? Another critique of the new naming system is that it potentially trivializes the severity of cyber attacks.

More information

Microsoft says that because other vendors in the industry also have unique naming taxonomies, the company will strive to include other threat actor names within security products to reflect analytic overlaps and to enable customers to make well-informed decisions.
