{"id":127276,"date":"2023-04-18T08:00:00","date_gmt":"2023-04-18T15:00:00","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?p=127276"},"modified":"2024-07-03T08:09:06","modified_gmt":"2024-07-03T15:09:06","slug":"microsoft-shifts-to-a-new-threat-actor-naming-taxonomy","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/04\/18\/microsoft-shifts-to-a-new-threat-actor-naming-taxonomy\/","title":{"rendered":"Microsoft shifts to a new threat actor naming taxonomy"},"content":{"rendered":"\n

May 2023 update<\/strong> \u2013 The actor that Microsoft tracks as Volt Typhoon targets US critical infrastructure with living-off-the-land techniques<\/a>.<\/p>\n\n\n\n

April 19, 2023 update<\/strong> \u2013 We have published a JSON file mapping old threat actor names with their new names in the updated taxonomy, summarized here: https:\/\/aka.ms\/threatactors<\/strong><\/a>. We also added hunting queries that Microsoft customers can use while transitioning to the new taxonomy. See the Resources<\/a> section.<\/p>\n\n\n\n


Today, Microsoft is excited to announce that we are shifting to a new threat actor naming taxonomy<\/a> aligned to the theme of weather. The complexity, scale, and volume of threats is increasing, driving the need to reimagine not only how Microsoft talks about threats but also how we enable customers to understand those threats quickly and with clarity. With the new taxonomy, we intend to bring better context to customers and security researchers that are already confronted with an overwhelming amount of threat intelligence data. It will offer a more organized, memorable, and easy way to reference adversary groups so that organizations can better prioritize threats and protect themselves. Simply put, security professionals will instantly have an idea of the type of threat actor they are up against, just by reading the name.<\/p>\n\n\n\n

Figure 1: Eight threat actor groups that Microsoft tracks represented in the new naming taxonomy<\/figcaption><\/figure>\n\n\n\n

The Microsoft Threat Intelligence community has spent over a decade discovering, tracking, and identifying targeted malicious activity and sharing that critical intelligence with customers. Our threat research has grown to track more than 300 unique threat actors, including 160 nation-state actors, 50 ransomware groups, and hundreds of others. A global multi-disciplinary assembly of threat intelligence analysts, pen testers, and data scientists work together alongside experts in geopolitics and disinformation to take a whole-of-adversary approach. This helps Microsoft Threat Intelligence teams fully understand the what<\/em> of an attack, make assessments on the why<\/em>, then forecast and implement protections for where<\/em> an attacker might go next. Our vision is that this new naming model helps our customers and the industry move to a more proactive approach to defense.<\/p>\n\n\n\n

We realize that other vendors in the industry also have unique naming taxonomies representing their distinct view of threats based on their intelligence. However, there are often overlaps or close alignments with tracked actors, and keeping track of these names can be challenging for defenders. Microsoft Threat Intelligence is committed to helping customers understand threats, no matter which naming taxonomy they are familiar with. Therefore, we will strive to also include other threat actor names within our security products to reflect these analytic overlaps and help customers make well-informed decisions.<\/p>\n\n\n\n

The Microsoft threat actor taxonomy explained<\/h2>\n\n\n\n

In our new taxonomy, threat actor groups will be named after weather events. A weather event or \u201cfamily name\u201d represents either a nation-state actor attribution (e.g., Typhoon indicates origin or attribution to China) or a motivation (e.g., Tempest indicates financially motivated actors). The table below shows the threat actor groups Microsoft tracks and their assigned weather events in the new naming convention.<\/p>\n\n\n\n


<figure><table><tbody><tr><td><strong>Actor category<\/strong><\/td><td><strong>Type<\/strong><\/td><td><strong>Family Name<\/strong><\/td><\/tr>
<tr><td rowspan=\"8\"><strong>Nation state<\/strong><\/td><td>China<\/td><td>Typhoon<\/td><\/tr>
<tr><td>Iran<\/td><td>Sandstorm<\/td><\/tr>
<tr><td>Lebanon<\/td><td>Rain<\/td><\/tr>
<tr><td>North Korea<\/td><td>Sleet<\/td><\/tr>
<tr><td>Russia<\/td><td>Blizzard<\/td><\/tr>
<tr><td>South Korea<\/td><td>Hail<\/td><\/tr>
<tr><td>Turkey<\/td><td>Dust<\/td><\/tr>
<tr><td>Vietnam<\/td><td>Cyclone<\/td><\/tr>
<tr><td><strong>Financially motivated<\/strong><\/td><td>Financially motivated<\/td><td>Tempest<\/td><\/tr>
<tr><td><strong>Private sector offensive actors<\/strong><\/td><td>PSOAs<\/td><td>Tsunami<\/td><\/tr>
<tr><td><strong>Influence operations<\/strong><\/td><td>Influence operations<\/td><td>Flood<\/td><\/tr>
<tr><td><strong>Groups in development<\/strong><\/td><td>Groups in development<\/td><td>Storm<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

Threat actors within the same weather family are given an adjective to distinguish actor groups that have distinct TTPs, infrastructure, objectives, or other identified patterns. The examples below show how the naming system works for Russia and Iran.<\/p>\n\n\n\n

Figure 2: Russian and Iranian nation state actor groups that Microsoft tracks<\/figcaption><\/figure>\n\n\n\n

Note: Our latest blog about the Iranian threat actor Mint Sandstorm (previously PHOSPHORUS) reflects the new naming taxonomy: Nation-state threat actor Mint Sandstorm refines tradecraft to attack high-value targets<\/a>. <\/p>\n\n\n\n

Where there is a newly discovered, unknown, or emerging cluster of threat activity, we use a temporary designation of Storm (previously DEV) and a four-digit number, allowing us to track it as a unique set of information until we can reach high confidence about the origin or identity of the actor behind the operation. Once our analysis has developed to meet high confidence criteria, a Storm is converted to a named actor.<\/p>\n\n\n\n

Figure 3: Threat actor groups in development that Microsoft tracks<\/figcaption><\/figure>\n\n\n\n

We believe this new approach, along with the new icon system shown in some of the examples above, makes it even easier to identify and remember Microsoft\u2019s threat actors. Each icon uniquely represents a family name, and where it makes sense will accompany the threat actor names as a visual aid. This new naming approach does not in any way change who the threat actors are that we are tracking, or our current analysis behind the names.<\/p>\n\n\n\n

The naming approach we have used previously (Elements, Trees, Volcanoes, and DEVs) has been retired. We have reassigned all existing threat actors to the new taxonomy, and going forward will be using the new threat actor names. Over the next few weeks, you will start seeing changes across public-facing content and in-product experiences. We expect to complete prioritized in-product updates by September 2023. There will be some surfaces that will not be updated. To ease the transition from old names to new names, we developed a reference guide at https:\/\/aka.ms\/threatactors<\/a>. Make sure to bookmark it for future reference.<\/p>\n\n\n\n

Microsoft\u2019s approach to threat actor tracking<\/h2>\n\n\n\n

The way Microsoft Threat Intelligence approaches identifying and naming threat actors is outlined below in Figure 4. As is sometimes the case, when a new threat surfaces, we don\u2019t know all the details. We might know about a subset of victims and the malware they were infected with, and\/or the command-and-control infrastructure, but we sometimes don\u2019t immediately know the full scope of the actor\u2019s capability or victimology. Microsoft maintains an internal process for tracking these \u2018in-development\u2019 activity clusters (now Storm-###) for reference across our hunting teams. In-development names (e.g., Storm-0257) apply to all actor types (nation-state, financially motivated, PSOA, etc.).<\/p>\n\n\n\n

Figure 4: Threat actor naming lifecycle.
*Full attribution means known capabilities, techniques, infrastructure, scope, and intent of the activity<\/figcaption><\/figure>\n\n\n\n

Storm names may persist indefinitely, but we strive to progress our understanding of all clusters of threat activity to either merge them with existing fully named actors (thereby expanding the definition), or merge multiple in-development clusters together to define a new fully named actor.<\/p>\n\n\n\n

To meet the requirements of a full name, we aim to gain knowledge of the actor\u2019s infrastructure, tooling, victimology, and motivation. We expand and update the definitions supporting our actor names based on our own telemetry, industry reporting, and a combination thereof.<\/p>\n\n\n\n

The new centralized home of Microsoft threat actor intelligence<\/h2>\n\n\n\n

As a security industry leader, Microsoft has unique capabilities to track threats, and the expectation to provide timely, consistent analysis will only increase. In a growing industry of complexity, confusion, and an overwhelming amount of data, we see an opportunity to provide customers with hyper-relevant threat intelligence, enabling them to implement even more proactive defenses.<\/p>\n\n\n\n

We know defenders benefit from context and actionable insight \u2013 they need to understand what threat actor is behind an attack and how they can take steps to mitigate the issue. This is where Intel Profiles<\/a> in Microsoft Defender Threat Intelligence<\/a> can bring crucial information and context about threats. Integrated into Microsoft 365 Defender, Intel Profiles are updated daily and put the wealth of information tracked by the Microsoft Threat Intelligence community about threat actors and their tools and techniques directly into the hands of security operations professionals so that they can investigate, analyze, and hunt for threats.<\/p>\n\n\n\n

We\u2019re excited to share this new threat actor update with you, our defenders, and help bring clarity and relevance to the threat intelligence you are getting from Microsoft.<\/p>\n\n\n\n

Resources<\/h2>\n\n\n\n

To ease the transition to the new naming taxonomy, use this reference guide to look up the old and new names of Microsoft threat actors: https:\/\/aka.ms\/threatactors<\/a>.<\/p>\n\n\n\n

In addition to the reference guide, we have also published a JSON file that contains the most up-to-date and comprehensive mapping of old threat actor names with their new names: https:\/\/github.com\/microsoft\/mstic\/blob\/master\/PublicFeeds\/ThreatActorNaming\/MicrosoftMapping.json<\/a><\/p>\n\n\n\n

Microsoft customers can use the following queries to transition to the new taxonomy.<\/p>\n\n\n\n

Name lookup<\/strong><\/p>\n\n\n\n

Use this query on Microsoft Sentinel, Microsoft 365 Defender, Azure Data Explorer, and other products that support Kusto Query Language (KQL) to get information about a threat actor using the old name, new name, or industry name:<\/p>\n\n\n\n

let TANames = externaldata(PreviousName: string, NewName: string, Origin: string, OtherNames: dynamic)[@\"https:\/\/raw.githubusercontent.com\/microsoft\/mstic\/master\/PublicFeeds\/ThreatActorNaming\/MicrosoftMapping.json\"] with(format=\"multijson\", ingestionMapping='[{\"Column\":\"PreviousName\",\"Properties\":{\"Path\":\"$.Previous name\"}},{\"Column\":\"NewName\",\"Properties\":{\"Path\":\"$.New name\"}},{\"Column\":\"Origin\",\"Properties\":{\"Path\":\"$.Origin\/Threat\"}},{\"Column\":\"OtherNames\",\"Properties\":{\"Path\":\"$.Other names\"}}]');\nlet GetThreatActorAlias = (Name: string) {\nTANames\n| where Name =~ NewName or Name =~ PreviousName or OtherNames has Name\n};\nGetThreatActorAlias(\"ZINC\")\n<\/pre>\n\n\n\n
Figure 5: Sample name lookup query for ZINC<\/figcaption><\/figure>\n\n\n\n

TI indicator rename<\/strong><\/p>\n\n\n\n

Use this query on Microsoft Sentinel to look up TI indicators that have been tagged with threat actor name to get the new name.<\/p>\n\n\n\n

let TANames = externaldata(PreviousName: string, NewName: string, Origin: string, OtherNames: dynamic)[@\"https:\/\/raw.githubusercontent.com\/microsoft\/mstic\/master\/PublicFeeds\/ThreatActorNaming\/MicrosoftMapping.json\"] with(format=\"multijson\", ingestionMapping='[{\"Column\":\"PreviousName\",\"Properties\":{\"Path\":\"$.Previous name\"}},{\"Column\":\"NewName\",\"Properties\":{\"Path\":\"$.New name\"}},{\"Column\":\"Origin\",\"Properties\":{\"Path\":\"$.Origin\/Threat\"}},{\"Column\":\"OtherNames\",\"Properties\":{\"Path\":\"$.Other names\"}}]');\nlet TIIndicatorNewTAName = (T:(Tags: string)) {\nTANames\n| join kind=inner T on $left.PreviousName == $right.Tags\n};\nTIIndicatorNewTAName((ThreatIntelligenceIndicator\n| mv-expand todynamic(Tags) | extend Tags = tostring(Tags)))\n| extend Indicator = case(NetworkSourceIP != \"\", NetworkSourceIP, \nNetworkIP != \"\", NetworkIP, \nDomainName != \"\", DomainName, \nFileHashValue != \"\", FileHashValue, \nUrl != \"\", Url,\n\"\")\n| project IndicatorId, Type, Indicator, ConfidenceScore, ExpirationDateTime, PreviousName, NewName, Origin, OtherNames\n<\/pre>\n\n\n\n
Figure 6: Sample TI indicator query on Microsoft Sentinel<\/figcaption><\/figure>\n\n\n\n

Further reading<\/h2>\n\n\n\n

Our latest blog about the Iranian threat actor Mint Sandstorm (previously PHOSPHORUS) reflects the new naming taxonomy: Nation-state threat actor Mint Sandstorm refines tradecraft to attack high-value targets<\/a>.<\/p>\n\n\n\n

For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https:\/\/aka.ms\/threatintelblog<\/a>.<\/p>\n\n\n\n

For additional insights into the threat landscape, visit the Microsoft Security Insider<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"

Microsoft is excited to announce that we are shifting to a new threat actor naming taxonomy aligned to the theme of weather. The complexity, scale, and volume of threats is increasing, driving the need to reimagine not only how Microsoft talks about threats but also how we enable customers to understand those threats quickly and with clarity.<\/p>\n","protected":false},"author":68,"featured_media":127295,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","yoast_head_json":{"title":"Microsoft shifts to a new threat actor naming taxonomy | Microsoft Security Blog","author":"John Lambert","article_published_time":"2023-04-18T15:00:00+00:00","article_modified_time":"2024-07-03T15:09:06+00:00"}}