Microsoft Adopts Weather-Themed Threat Actor Naming Taxonomy

Microsoft logo

Microsoft is adopting a new weather-themed taxonomy to describe threat actors across the world. Some nation-state actors such as Russia, North Korea, China, and Iran will be designated with a specific weather event in the new threat actor naming taxonomy, and the company will do the same for more specific threat actor groups. 

Microsoft currently tracks over 300 threat actors across the globe, and soon, the company’s threat research group will use terms such as “Midnight Blizzard” or “Hazel Sandstorm” to describe threat actors. And no, this really isn’t a late April Fool’s joke. 

“With the new taxonomy, we intend to bring better context to customers and security researchers that are already confronted with an overwhelming amount of threat intelligence data,” explained John Lambert, Distinguished Engineer and CVP, Microsoft Threat Intelligence. “It will offer a more organized, memorable, and easy way to reference adversary groups so that organizations can better prioritize threats and protect themselves. 

How Microsoft’s new threat actor naming taxonomy works

Microsoft acknowledged that other security vendors use their own taxonomies to describe threat actors, and the company is committed to making its new system easy to understand for customers already familiar with other taxonomies. “We will strive to also include other threat actor names within our security products to reflect these analytic overlaps and help customers make well-informed decisions,” Lambert said.

You can see below the different threat actor groups that Microsoft tracks with the type of weather event assigned to them. 

Actor categoryTypeFamily Name
Nation stateChinaTyphoon
North KoreaSleet
South KoreaHail
Financially motivatedFinancially motivatedTempest
Private sector offensive actorsPSOAsTsunami
Influence operationsInfluence operationsFlood
Groups in developmentGroups in developmentStorm
Microsoft’s new weather-themed threat actor naming taxonomy (source:

To distinguish actor groups within the same weather family, Microsoft will be using adjectives. As an example, the Iranian threat actor PHOSPORUS is named “Mint Sandstorm” in the new taxonomy. For threat actor groups in development, however, Microsoft will use a weather event followed by a four-digit number instead of an adjective. 

Microsoft's threat actor naming taxonomy
Microsoft will use adjectives to distinguish threat actors within the same family (image credit: Microsoft)

“The naming approach we have used previously (Elements, Trees, Volcanoes, and DEVs) has been retired. We have reassigned all existing threat actors to the new taxonomy, and going forward will be using the new threat actor names, Lambert explained.

Microsoft’s new threat actor naming taxonomy will start appearing in public-facing content and Microsoft services over the coming weeks. The company expects the rollout of the new taxonomy to be complete by September 2023, though it also said that there will be “some surfaces that will not be updated.”