Microsoft has shifted to a new naming taxonomy for threat actors aligned with the theme of weather. With the new taxonomy, we intend to bring better clarity to customers and other security researchers already confronted with an overwhelming amount of threat intelligence data and offer a more organized, articulate, and easy way to reference threat actors so that organizations can better prioritize and protect themselves.

Microsoft categorizes threat actors into five key groups:

Nation-state actors: cyber operators acting on behalf of or directed by a nation/state-aligned program, irrespective of whether for espionage, financial gain, or retribution. Microsoft has observed that most nation state actors continue to focus operations and attacks on government agencies, intergovernmental organizations, non-governmental organizations, and think tanks for traditional espionage or surveillance objectives.

Financially motivated actors: cyber campaigns/groups directed by a criminal organization/person with motivations of financial gain and haven’t been associated with high confidence to a known non-nation state or commercial entity. This category includes ransomware operators, business email compromise, phishing, and other groups with purely financial or extortion motivations.

Private sector offensive actors (PSOAs): cyber activity led by commercial actors that are known/legitimate legal entities, that create and sell cyberweapons to customers who then select targets and operate the cyberweapons. These tools threaten many global human rights efforts, as they have been observed targeting and surveilling dissidents, human rights defenders, journalists, civil society advocates, and other private citizens.

Influence operations: information campaigns communicated online or offline in a manipulative fashion to shift perceptions, behaviors, or decisions by target audiences to further a group or a nation’s interests and objectives.

Groups in development: a temporary designation given to an unknown, emerging, or developing threat activity that allows Microsoft to track it as a discrete set of information until we can reach high confidence about the origin or identity of the actor behind the operation. Once criteria are met, a group in development is converted to a named actor or merged into existing names.

In our new taxonomy, a weather event or family name represents one of the above categories. In the case of nation-state actors, we have assigned a family name to a country of origin tied to attribution, like Typhoon indicates origin or attribution to China. For other actors, the family name represents a motivation. For example, Tempest indicates financially motivated actors. Threat actors within the same weather family are given an adjective to distinguish actor groups with distinct tactics, techniques, and procedures (TTPs), infrastructure, objectives, or other identified patterns. For groups in development, where there is a newly discovered, unknown, emerging, or developing cluster of threat activity, we use a temporary designation of Storm and a four-digit number, allowing us to track it as a unique set of information until we can reach high confidence about the origin or identity of the actor behind the operation.

The table below shows how the new family names map to a sampling of the threat actors that we track.

Actor category	Type	Family name
Nation-state	China Iran Lebanon North Korea Russia South Korea Turkey Vietnam	Typhoon Sandstorm Rain Sleet Blizzard Hail Dust Cyclone
Financially motivated	Financially motivated	Tempest
Private sector offensive actors	PSOAs	Tsunami
Influence operations	Influence operations	Flood
Groups in development	Groups in development	Storm

Use the following reference table below to understand how our previously publicly disclosed old threat actor names translate to our new taxonomy.

Previous name	New name	Origin/Threat	Other names
ACTINIUM	Aqua Blizzard	Russia	UNC530, Primitive Bear, Gamaredon
AMERICIUM	Pink Sandstorm	Iran	Agrius, Deadwood, BlackShadow, SharpBoys
BARIUM	Brass Typhoon	China	APT41
BISMUTH	Canvas Cyclone	Vietnam	APT32, OceanLotus
BOHRIUM	Smoke Sandstorm	Iran
BROMINE	Ghost Blizzard	Russia	Energetic Bear, Crouching Yeti
CERIUM	Ruby Sleet	North Korea
CHIMBORAZO	Spandex Tempest	Financially motivated	TA505
CHROMIUM	Charcoal Typhoon	China	ControlX
COPERNICIUM	Sapphire Sleet	North Korea	Genie Spider, BlueNoroff
CURIUM	Crimson Sandstorm	Iran	TA456, Tortoise Shell
DUBNIUM	Zigzag Hail	South Korea	Dark Hotel, Tapaoux
ELBRUS	Sangria Tempest	Financially motivated	Carbon Spider, FIN7
EUROPIUM	Hazel Sandstorm	Iran	Cobalt Gypsy, APT34, OilRig
GADOLINIUM	Gingham Typhoon	China	APT40, Leviathan, TEMP.Periscope, Kryptonite Panda
GALLIUM	Granite Typhoon	China
HAFNIUM	Silk Typhoon	China
HOLMIUM	Peach Sandstorm	Iran	APT33, Refined Kitten
IRIDIUM	Seashell Blizzard	Russia	Sandworm
KNOTWEED	Denim Tsunami	Private sector offensive actor	DSIRF
KRYPTON	Secret Blizzard	Russia	Venomous Bear, Turla, Snake
LAWRENCIUM	Pearl Sleet	North Korea
MANGANESE	Mulberry Typhoon	China	APT5, Keyhole Panda, TABCTENG
MERCURY	Mango Sandstorm	Iran	MuddyWater, SeedWorm, Static Kitten, TEMP.Zagros
NEPTUNIUM	Cotton Sandstorm	Iran	Vice Leaker
NICKEL	Nylon Typhoon	China	ke3chang, APT15, Vixen Panda
NOBELIUM	Midnight Blizzard	Russia	APT29, Cozy Bear
OSMIUM	Opal Sleet	North Korea	Konni
PARINACOTA	Wine Tempest	Financially motivated	Wadhrama
PHOSPHORUS	Mint Sandstorm	Iran	APT35, Charming Kitten
PLUTONIUM	Onyx Sleet	North Korea	Silent Chollima, Andariel, DarkSeoul
POLONIUM	Plaid Rain	Lebanon
RADIUM	Raspberry Typhoon	China	APT30, LotusBlossom
RUBIDIUM	Lemon Sandstorm	Iran	Fox Kitten, UNC757, PioneerKitten
SEABORGIUM	Star Blizzard	Russia	Callisto, Reuse Team
SILICON	Marbled Dust	Turkey	Sea Turtle
SOURGUM	Caramel Tsunami	Private sector offensive actor	Candiru
SPURR	Tomato Tempest	Financially motivated	Vatet
STRONTIUM	Forest Blizzard	Russia	APT28, Fancy Bear
TAAL	Camouflage Tempest	Financially motivated	FIN6, Skeleton Spider
THALLIUM	Emerald Sleet	North Korea	Kimsuky, Velvet Chollima
ZINC	Diamond Sleet	North Korea	Labyrinth Chollima, Lazarus
ZIRCONIUM	Violet Typhoon	China	APT31

Previous name	New name	Origin/Threat	Other names
DEV-0146	Pumpkin Sandstorm	Iran	ZeroCleare
DEV-0193	Periwinkle Tempest	Financially motivated	Wizard Spider, UNC2053
DEV-0196	Carmine Tsunami	Private sector offensive actor	QuaDream
DEV-0198 (NEPTUNIUM)	Cotton Sandstorm	Iran	Vice Leaker
DEV-0206	Mustard Tempest	Financially motivated	Purple Vallhund
DEV-0215 (LAWRENCIUM)	Pearl Sleet	North Korea
DEV-0227 (AMERICIUM)	Pink Sandstorm	Iran	Agrius, Deadwood, BlackShadow, SharpBoys
DEV-0228	Cuboid Sandstorm	Iran
DEV-0234	Lilac Typhoon	China
DEV-0237	Pistachio Tempest	Financially motivated	FIN12
DEV-0243	Manatee Tempest	Financially motivated	EvilCorp, UNC2165, Indrik Spider
DEV-0257	Storm-0257	Group in development	UNC1151
DEV-0322	Circle Typhoon	China
DEV-0336	Night Tsunami	Private sector offensive actor	NSO Group
DEV-0343	Gray Sandstorm	Iran
DEV-0401	Cinnamon Tempest	Financially motivated	Emperor Dragonfly, Bronze Starlight
DEV-0500	Marigold Sandstorm	Iran	Moses Staff
DEV-0504	Velvet Tempest	Financially motivated
DEV-0530	Storm-0530	North Korea	H0lyGh0st
DEV-0537	Strawberry Tempest	Financially motivated	LAPSUS$
DEV-0586	Cadet Blizzard	Russia
DEV-0605	Wisteria Tsunami	Private sector offensive actor	CyberRoot
DEV-0665	Sunglow Blizzard	Russia
DEV-0796	Phlox Tempest	Financially motivated	ClickPirate, Chrome Loader, Choziosi loader
DEV-0832	Vanilla Tempest	Financially motivated
DEV-0950	Lace Tempest	Financially motivated	FIN11, TA505

Read our announcement about the new taxonomy for more information: https://aka.ms/threatactorsblog

Putting intelligence into the hands of security professionals

Intel profiles in Microsoft Defender Threat Intelligence bring crucial threat actor insights directly into defenders’ hands so that they can get the context they need as they prepare for and respond to threats.

Additionally, to further operationalize the threat intelligence you get from Microsoft, the Microsoft Defender Threat Intelligence Intel Profiles API provides the most up-to-date threat actor infrastructure visibility in the industry today, enabling threat intelligence and security operations (SecOps) teams to streamline their advanced threat hunting and analysis workflows. Learn more about this API in the documentation: Use the threat intelligence APIs in Microsoft Graph (preview).

Resources

Use the following query on Microsoft 365 Defender and other Microsoft security products supporting the Kusto query language (KQL) to get information about a threat actor using the old name, new name, or industry name:

let TANames = externaldata(PreviousName: string, NewName: string, Origin: string, OtherNames: dynamic)[@"https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json"] with(format="multijson", ingestionMapping='[{"Column":"PreviousName","Properties":{"Path":"$.Previous name"}},{"Column":"NewName","Properties":{"Path":"$.New name"}},{"Column":"Origin","Properties":{"Path":"$.Origin/Threat"}},{"Column":"OtherNames","Properties":{"Path":"$.Other names"}}]'); 
let GetThreatActorAlias = (Name: string) { 
TANames 
| where Name =~ NewName or Name =~ PreviousName or OtherNames has Name 
}; 
GetThreatActorAlias("ZINC")

The following files containing the comprehensive mapping of old threat actor names with their new names are also available:

• JSON format
• downloadable Excel