Microsoft goes meteorological in defining cybercrook groups
Now here's Bill with the weather
Do you know your APT28 from your Fancy Bear? Your Pawn Storm from your Swallowtail? Your IRON TWILIGHT from your SNAKEMACKEREL? If you said yes, GTFO because they are all allegedly the same thing.
And therein lies the problem with the cybersecurity industry's naming conventions – they're shit. Companies investigating the same threat group will come up with different, though equally stupid, names then it's a whole thing when researchers realize, "Ohhh, your guys are also my guys! Everything makes sense now!"
Microsoft does its share of "threat intelligence" too, don't you know, and reckons it can make all this confusion go away if only people adopt its brand spanking new methods.
And what does it propose? To name various groups after weather conditions.
You know that xkcd comic where the guy is complaining that there are 14 competing standards so we need one universal standard?
Yeah. There are now 15 competing standards.
"The complexity, scale, and volume of threats is increasing, driving the need to reimagine not only how Microsoft talks about threats but also how we enable customers to understand those threats quickly and with clarity," lamented the software biz in an announcement.
"With the new taxonomy, we intend to bring better context to customers and security researchers that are already confronted with an overwhelming amount of threat intelligence data. It will offer a more organized, memorable, and easy way to reference adversary groups so that organizations can better prioritize threats and protect themselves. Simply put, security professionals will instantly have an idea of the type of threat actor they are up against, just by reading the name."
That, at least, is the idea. So prepare to memorize that Blizzard means the threat group is believed to be from Russia! Sleet means North Korea! Typhoon means China! Sandstorm means Iran!
There are also weather warnings for severity, purpose, and modus operandi, like Storm for groups in development, Tempest if the group is financially motivated, Tsunami if primarily focused on the private sector, and Flood for "influence operations."
But Microsoft, we hear you cry, there are loads of threat groups from Russia and they all have different agendas and infrastructure and operating procedures! What do we do now?
Aha, let us complicate it for you further, says Microsoft.
When distinguishing one Russian threat group from another, they then become Midnight Blizzard, Forest Blizzard or perhaps even Aqua Blizzard. Clear who we're talking about? In Iran, we have Mint Sandstorm, Gray Sandstorm, and Hazel Sandstorm. For groups in development, we have temporary designations like Storm-0257 or Storm-0539.
- US citizens charged with pushing pro-Kremlin disinfo, election interference
- Russian snoops just love invading unpatched Cisco gear, America and UK warn
- Microsoft opens up Defender threat intel library with file hash, URL search
- US alleges China created troll army that tried to have dissidents booted from Zoom
Microsoft used the example of Mint Sandstorm, aka Phosphorus, aka Charming Kitten, aka Ajax Security, aka NewsBeef, aka TA453, aka APT35, aka APT42 – you know, the group aligned with Iran's Islamic Revolutionary Guard Corps that targets academics of interest to the state – to roll out its new taxonomy.
The Windows giant also took this moment to say the Mint Sandstorm cyber-crew last year moved from "reconnaissance to direct targeting of US critical infrastructure including seaports, energy companies, transit systems, and a major US utility and gas entity." This was possibly in retaliation to America and Israel disrupting Iran's computer systems.
To be fair to Redmond, Mint Sandstorm does neatly illustrate how chaotic tracking just one threat group has become, but whipping up yet another naming system will only truly help if everyone's on board. And what benefit of clarity does Storm-XXXX have over APTXX?
Microsoft justifies its stance thus:
We realize that other vendors in the industry also have unique naming taxonomies representing their distinct view of threats based on their intelligence. However, there are often overlaps or close alignments with tracked actors, and keeping track of these names can be challenging for defenders. Microsoft Threat Intelligence is committed to helping customers understand threats, no matter which naming taxonomy they are familiar with. Therefore, we will strive to also include other threat actor names within our security products to reflect these analytic overlaps and help customers make well-informed decisions.
Let us know what you think in the comments and if you have any clues about how it could be improved. For our part, we're disappointed that Sharknado and the Oncoming Storm (à la Doctor Who) are not currently included in the nomenclature. ®