Microsoft Gives Criminal Hackers New Names Like ‘Pistachio Tempest’
‘It gives a more personal feel and understanding to what is going on in the space,’ says one Microsoft partner.
Caramel Tsunami. Pumpkin Sandstorm. Pistachio Tempest.
No, these aren’t new Starbucks drinks. And they’re not ice cream flavors, either.
On Tuesday, Microsoft announced a new weather-themed naming taxonomy for cybersecurity threat actors, retiring its former naming approach of incorporating items such as elements, trees and volcanoes.
“The complexity, scale, and volume of threats is increasing, driving the need to reimagine not only how Microsoft talks about threats but also how we enable customers to understand those threats quickly and with clarity,” according to a blog post by the Redmond, Wash.-based vendor. “With the new taxonomy, we intend to bring better context to customers and security researchers that are already confronted with an overwhelming amount of threat intelligence data.”
Microsoft Changes Threat Naming System
CRN has reached out to Microsoft for comment.
Phil Walker, CEO of Manhattan Beach, Calif.-based Network Solutions Provider – a member of CRN’s 2023 Managed Service Provider 500 whose partners include Microsoft, Cisco and Sophos – told CRN in an interview that he likes the new naming system because it helps non-technical business operators understand threats.
Even if his customers think the names are funny, at least they will be more familiar with the important threats, he said.
“It gives a more personal feel and understanding to what is going on in the space,” Walker said.
Michael Goldstein, CEO of Fort Lauderdale, Fla.-based Microsoft partner and MSP500 member LAN Infotech, told CRN in an interview that naming systems like this could downplay the seriousness of these threat actors or even give the actors a positive spin.
“We need to call it what it is – they are criminals,” Goldstein said. “No sense in giving them a funny name or a superhero name.”
Microsoft’s New Naming System
The new naming system aims to give cybersecurity professionals a more organized and “memorable” way to reference hackers and adversary groups, with names communicating what the attack is, why the group is attacking and where the attacker might go next.
Under the new Microsoft naming system, Lapsus$, a hacker group that gained “limited access” to Microsoft in 2022, changes its Microsoft-designated name from “DEV-0537” to “Strawberry Tempest.”
Sandworm, a Russian state-sponsored threat actor that attacked Ukrainian organizations with ransomware last year, changes its Microsoft-designated name from “Iridium” to “Seashell Blizzard.” Sandworm is also known as Voodoo Bear, TeleBots and BlackEnergy.
Cozy Bear – a threat actor also known as APT29, associated with Russia’s foreign intelligence and suspected for perpetrating the 2020 SolarWinds attack – changes its Microsoft-designated name from “Nobelium” to “Midnight Blizzard.”
And “Strontium” – a Russia-affiliated threat actor also known as “Fancy Bear” and “APT28,” whose operations Microsoft successfully disrupted last year – is now called “Forest Blizzard” by the vendor.
To show geographical origin of a threat actor, Microsoft has developed the following “family names”:
* “Typhoon” for China
* “Sandstorm” for Iran
* “Rain” for Lebanon
* “Sleet” for North Korea
* “Blizzard” for Russia
* “Hail” for South Korea
* “Dust” for Turkey
* “Cyclone” for Vietnam
Microsoft has also rolled out the following family names to communicate motivations, targets and emerging threats:
* “Tempest” for phishers, extorters and other financially motivated actors who aren’t “associated with high confidence” with a commercial entity or non-nation-state
* “Tsunami” for private sector offensive actors (PSOAs) and commercial entities that create and sell cyberweapons
* “Flood” for influence operations and manipulative information campaigns
Microsoft will use “Storm” followed by a four-digit number as a temporary name for unknown, emerging threats and groups still in development. Once Microsoft is highly confident in the origin or identity of the actor behind the operation, the group becomes a named actor or, where appropriate, is merged with an existing one.
Examples include “Storm-0530,” which Microsoft previously called “DEV-0530” and which also went by the name “H0lyGh0st,” and “Storm-0257,” previously known to Microsoft as “DEV-0257” and also tracked as “UNC1151.”
CrowdStrike, Mandiant Differ On Naming
Microsoft’s blog post acknowledges that “other vendors in the industry also have unique naming taxonomies representing their distinct view of threats based on their intelligence.” Microsoft will keep those other threat actor names in security products “to reflect these analytic overlaps and help customers make well-informed decisions.”
Microsoft security rival CrowdStrike, for example, uses a two-part name based on criminals’ motivation and national origin. “Fancy Bear,” “Voodoo Bear” and similar names come from the CrowdStrike system, which calls Russia-originated actors “Bears.”
Under the CrowdStrike system, China-originated actors are “Pandas,” finance-motivated criminals are “Spiders” and groups focused on political disruption are “Jackals.”
CRN has reached out to Mandiant for comment.
CrowdStrike Chief Business Officer Daniel Bernard said in a statement to CRN that “characterizing adversaries by origin makes a lot of sense – that’s why we pioneered it years ago.”
In a blog post last year, CrowdStrike explained its “funny” naming system helps security teams “reduce noise by filtering an overload of security data to focus on specific tactics” and “orient their actions toward specific actors that target the organization, create their behaviors and tools, and begin to communicate across all teams with a common language including the adversary’s name, attack steps and point of view.”
Kevin Mandia, CEO of Mandiant, has been known to speak out about the importance of standardized naming and artifact collecting when investigating attacker activity.
“There’s no ‘fluffy snuggle duck’ up here, there’s no ‘fuzzy bear,’” he said in 2018. “I’ve always wondered, how do you go into a boardroom and say, ‘Sir, I’m sorry you were breached. You’re in the headlines. And you were hacked by ‘fluffy snuggle duck.’ Just doesn’t work. We’re just integers.”
And if you’re wondering about those Starbucks-drink-sounding Microsoft threat actor names mentioned earlier:
* “Caramel Tsunami” is the new name for PSOA Sourgum, also known as Candiru
* “Pumpkin Sandstorm” is the new name for Iran-affiliated “DEV-0146,” also known as “ZeroCleare”
* And “Pistachio Tempest” is the new name for financially motivated “DEV-0237,” also known as FIN12.