Microsoft goes meteorological in defining cybercrook groups

Do you know your APT28 from your Fancy Bear? Your Pawn Storm from your Swallowtail? Your IRON TWILIGHT from your SNAKEMACKEREL? If you said yes, GTFO because they are all allegedly the same thing.

And therein lies the problem with the cybersecurity industry's naming conventions – they're shit. Companies investigating the same threat group will come up with different, though equally stupid, names then it's a whole thing when researchers realize, "Ohhh, your guys are also my guys! Everything makes sense now!"

Microsoft does its share of "threat intelligence" too, don't you know, and reckons it can make all this confusion go away if only people adopt its brand spanking new methods.

And what does it propose? To name various groups after weather conditions.

You know that xkcd comic where the guy is complaining that there are 14 competing standards so we need one universal standard?

Yeah. There are now 15 competing standards.

"The complexity, scale, and volume of threats is increasing, driving the need to reimagine not only how Microsoft talks about threats but also how we enable customers to understand those threats quickly and with clarity," lamented the software biz in an announcement.

"With the new taxonomy, we intend to bring better context to customers and security researchers that are already confronted with an overwhelming amount of threat intelligence data. It will offer a more organized, memorable, and easy way to reference adversary groups so that organizations can better prioritize threats and protect themselves. Simply put, security professionals will instantly have an idea of the type of threat actor they are up against, just by reading the name."

That, at least, is the idea. So prepare to memorize that Blizzard means the threat group is believed to be from Russia! Sleet means North Korea! Typhoon means China! Sandstorm means Iran!

There are also weather warnings for severity, purpose, and modus operandi, like Storm for groups in development, Tempest if the group is financially motivated, Tsunami if primarily focused on the private sector, and Flood for "influence operations."

But Microsoft, we hear you cry, there are loads of threat groups from Russia and they all have different agendas and infrastructure and operating procedures! What do we do now?

Aha, let us complicate it for you further, says Microsoft.

When distinguishing one Russian threat group from another, they then become Midnight Blizzard, Forest Blizzard or perhaps even Aqua Blizzard. Clear who we're talking about? In Iran, we have Mint Sandstorm, Gray Sandstorm, and Hazel Sandstorm. For groups in development, we have temporary designations like Storm-0257 or Storm-0539.

• US citizens charged with pushing pro-Kremlin disinfo, election interference
• Russian snoops just love invading unpatched Cisco gear, America and UK warn
• Microsoft opens up Defender threat intel library with file hash, URL search
• US alleges China created troll army that tried to have dissidents booted from Zoom

Microsoft used the example of Mint Sandstorm, aka Phosphorus, aka Charming Kitten, aka Ajax Security, aka NewsBeef, aka TA453, aka APT35, aka APT42 – you know, the group aligned with Iran's Islamic Revolutionary Guard Corps that targets academics of interest to the state – to roll out its new taxonomy.

The Windows giant also took this moment to say the Mint Sandstorm cyber-crew last year moved from "reconnaissance to direct targeting of US critical infrastructure including seaports, energy companies, transit systems, and a major US utility and gas entity." This was possibly in retaliation to America and Israel disrupting Iran's computer systems.

To be fair to Redmond, Mint Sandstorm does neatly illustrate how chaotic tracking just one threat group has become, but whipping up yet another naming system will only truly help if everyone's on board. And what benefit of clarity does Storm-XXXX have over APTXX?

Microsoft justifies its stance thus:

So what you'll need to do is keep Microsoft's guide handy then cross-reference it with Mitre's equivalent or what have you, and maybe, just maybe, you'll have an idea of what you're up against.

Let us know what you think in the comments and if you have any clues about how it could be improved. For our part, we're disappointed that Sharknado and the Oncoming Storm (à la Doctor Who) are not currently included in the nomenclature. ®