Microsoft Threat Intelligence has announced a new principle for naming groups of cybercriminals, using a classification system based on weather phenomena. The aim of the new taxonomy system is to simplify the work of cybersecurity professionals and eliminate confusion surrounding hundreds of hacker associations. The classification system will enable cybersecurity analysts to immediately understand which country a group is from and the type of malicious activity it carries out.
The new taxonomy system uses an adjective to distinguish between threat actor groups that have different techniques and methods, infrastructure, goals, or other identified patterns. For instance, threat actors within the same weather family are each given an adjective. This system will make threat actors easier to identify and remember.
Microsoft has stated that it will include the other names that cybersecurity companies use for the same groups, to reflect overlaps in analysis and help customers make reasonable decisions. The company also clarified that it would no longer use previous classification methods, and all well-known attacker groups have been renamed.
Furthermore, the company stated that its specialists always seek to learn as much as possible about the infrastructure of the group in question, its tools, victimology, and motivation. The company quickly expands and updates information about attackers based on its own telemetry as well as on reports by other vendors in the industry.
The table below illustrates Microsoft’s new principle of taxonomy for naming groups of cybercriminals.
| Weather Phenomenon | Adversary Type |
| --- | --- |
| Hurricane | Adversary is a nation-state actor |
| Tropical Storm | Adversary is a hackers-for-hire group |
| Thunderstorm | Adversary is a financially motivated criminal group |
| Sleet | Adversary is a hacktivist group |
| Hailstorm | Adversary is a cyber-espionage group |
Dev clusters of malicious activity will now be designated with the temporary title of Storm, followed by a four-digit number. Once researchers have collected more information, the Storm designation will be converted into a specific name according to the new classification. Microsoft’s cybersecurity professionals believe that this taxonomic approach, coupled with a new badging system, will help customers make informed decisions about threats.
To eliminate confusion, Microsoft has created a separate table that lists both the old and new names of well-known attack groups. The table is available on the company’s website.