Microsoft has shifted to a new naming taxonomy for threat actors aligned with the theme of weather. With the new taxonomy, we intend to bring better clarity to customers and other security researchers already confronted with an overwhelming amount of threat intelligence data, and to offer a more organized, articulate, and easy way to reference threat actors so that organizations can better prioritize and protect themselves.
Microsoft categorizes threat actors into five key groups:
Nation-state actors: cyber operators acting on behalf of or directed by a nation/state-aligned program, irrespective of whether for espionage, financial gain, or retribution. Microsoft has observed that most nation-state actors continue to focus operations and attacks on government agencies, intergovernmental organizations, non-governmental organizations, and think tanks for traditional espionage or surveillance objectives.
Financially motivated actors: cyber campaigns/groups directed by a criminal organization/person with motivations of financial gain that have not been associated with high confidence to a known non-nation-state or commercial entity. This category includes ransomware operators, business email compromise, phishing, and other groups with purely financial or extortion motivations.
Private sector offensive actors (PSOAs): cyber activity led by commercial actors that are known/legitimate legal entities, that create and sell cyberweapons to customers who then select targets and operate the cyberweapons. These tools threaten many global human rights efforts, as they have been observed targeting and surveilling dissidents, human rights defenders, journalists, civil society advocates, and other private citizens.
Influence operations: information campaigns communicated online or offline in a manipulative fashion to shift perceptions, behaviors, or decisions by target audiences to further a group's or a nation's interests and objectives.
Groups in development: a temporary designation given to an unknown, emerging, or developing threat activity that allows Microsoft to track it as a discrete set of information until we can reach high confidence about the origin or identity of the actor behind the operation. Once criteria are met, a group in development is converted to a named actor or merged into existing names.
In our new taxonomy, a weather event or family name represents one of the above categories. In the case of nation-state actors, we have assigned a family name to a country of origin tied to attribution; for example, Typhoon indicates origin or attribution to China. For other actors, the family name represents a motivation. For instance, Tempest indicates financially motivated actors. Threat actors within the same weather family are given an adjective to distinguish actor groups with distinct tactics, techniques, and procedures (TTPs), infrastructure, objectives, or other identified patterns. For groups in development, where there is a newly discovered, unknown, emerging, or developing cluster of threat activity, we use a temporary designation of Storm and a four-digit number, allowing us to track it as a unique set of information until we can reach high confidence about the origin or identity of the actor behind the operation.
The table below shows how the new family names map to a sampling of the threat actors that we track.
Actor category | Type | Family name
---|---|---
Nation-state | China | Typhoon
Nation-state | Iran | Sandstorm
Nation-state | Lebanon | Rain
Nation-state | North Korea | Sleet
Nation-state | Russia | Blizzard
Nation-state | South Korea | Hail
Nation-state | Turkey | Dust
Nation-state | Vietnam | Cyclone
Financially motivated | Financially motivated | Tempest
Private sector offensive actors | PSOAs | Tsunami
Influence operations | Influence operations | Flood
Groups in development | Groups in development | Storm
Use the following reference table to understand how our previously publicly disclosed old threat actor names translate to our new taxonomy.
Previous name | New name | Origin/Threat | Other names
---|---|---|---
ACTINIUM | Aqua Blizzard | Russia | UNC530, Primitive Bear, Gamaredon |
AMERICIUM | Pink Sandstorm | Iran | Agrius, Deadwood, BlackShadow, SharpBoys |
BARIUM | Brass Typhoon | China | APT41 |
BISMUTH | Canvas Cyclone | Vietnam | APT32, OceanLotus |
BOHRIUM | Smoke Sandstorm | Iran | |
BROMINE | Ghost Blizzard | Russia | Energetic Bear, Crouching Yeti |
CERIUM | Ruby Sleet | North Korea | |
CHIMBORAZO | Spandex Tempest | Financially motivated | TA505 |
CHROMIUM | Charcoal Typhoon | China | ControlX |
COPERNICIUM | Sapphire Sleet | North Korea | Genie Spider, BlueNoroff |
CURIUM | Crimson Sandstorm | Iran | TA456, Tortoise Shell |
DUBNIUM | Zigzag Hail | South Korea | Dark Hotel, Tapaoux |
ELBRUS | Sangria Tempest | Financially motivated | Carbon Spider, FIN7 |
EUROPIUM | Hazel Sandstorm | Iran | Cobalt Gypsy, APT34, OilRig |
GADOLINIUM | Gingham Typhoon | China | APT40, Leviathan, TEMP.Periscope, Kryptonite Panda |
GALLIUM | Granite Typhoon | China | |
HAFNIUM | Silk Typhoon | China | |
HOLMIUM | Peach Sandstorm | Iran | APT33, Refined Kitten |
IRIDIUM | Seashell Blizzard | Russia | Sandworm |
KNOTWEED | Denim Tsunami | Private sector offensive actor | DSIRF |
KRYPTON | Secret Blizzard | Russia | Venomous Bear, Turla, Snake |
LAWRENCIUM | Pearl Sleet | North Korea | |
MANGANESE | Mulberry Typhoon | China | APT5, Keyhole Panda, TABCTENG |
MERCURY | Mango Sandstorm | Iran | MuddyWater, SeedWorm, Static Kitten, TEMP.Zagros |
NEPTUNIUM | Cotton Sandstorm | Iran | Vice Leaker |
NICKEL | Nylon Typhoon | China | ke3chang, APT15, Vixen Panda |
NOBELIUM | Midnight Blizzard | Russia | APT29, Cozy Bear |
OSMIUM | Opal Sleet | North Korea | Konni |
PARINACOTA | Wine Tempest | Financially motivated | Wadhrama |
PHOSPHORUS | Mint Sandstorm | Iran | APT35, Charming Kitten |
PLUTONIUM | Onyx Sleet | North Korea | Silent Chollima, Andariel, DarkSeoul |
POLONIUM | Plaid Rain | Lebanon | |
RADIUM | Raspberry Typhoon | China | APT30, LotusBlossom |
RUBIDIUM | Lemon Sandstorm | Iran | Fox Kitten, UNC757, PioneerKitten |
SEABORGIUM | Star Blizzard | Russia | Callisto, Reuse Team |
SILICON | Marbled Dust | Turkey | Sea Turtle |
SOURGUM | Caramel Tsunami | Private sector offensive actor | Candiru |
SPURR | Tomato Tempest | Financially motivated | Vatet |
STRONTIUM | Forest Blizzard | Russia | APT28, Fancy Bear |
TAAL | Camouflage Tempest | Financially motivated | FIN6, Skeleton Spider |
THALLIUM | Emerald Sleet | North Korea | Kimsuky, Velvet Chollima |
ZINC | Diamond Sleet | North Korea | Labyrinth Chollima, Lazarus |
ZIRCONIUM | Violet Typhoon | China | APT31 |
Previous name | New name | Origin/Threat | Other names
---|---|---|---
DEV-0146 | Pumpkin Sandstorm | Iran | ZeroCleare |
DEV-0193 | Periwinkle Tempest | Financially motivated | Wizard Spider, UNC2053 |
DEV-0196 | Carmine Tsunami | Private sector offensive actor | QuaDream |
DEV-0198 (NEPTUNIUM) | Cotton Sandstorm | Iran | Vice Leaker |
DEV-0206 | Mustard Tempest | Financially motivated | Purple Vallhund |
DEV-0215 (LAWRENCIUM) | Pearl Sleet | North Korea | |
DEV-0227 (AMERICIUM) | Pink Sandstorm | Iran | Agrius, Deadwood, BlackShadow, SharpBoys |
DEV-0228 | Cuboid Sandstorm | Iran | |
DEV-0234 | Lilac Typhoon | China | |
DEV-0237 | Pistachio Tempest | Financially motivated | FIN12 |
DEV-0243 | Manatee Tempest | Financially motivated | EvilCorp, UNC2165, Indrik Spider |
DEV-0257 | Storm-0257 | Group in development | UNC1151
DEV-0322 | Circle Typhoon | China | |
DEV-0336 | Night Tsunami | Private sector offensive actor | NSO Group |
DEV-0343 | Gray Sandstorm | Iran | |
DEV-0401 | Cinnamon Tempest | Financially motivated | Emperor Dragonfly, Bronze Starlight |
DEV-0500 | Marigold Sandstorm | Iran | Moses Staff |
DEV-0504 | Velvet Tempest | Financially motivated | |
DEV-0530 | Storm-0530 | North Korea | H0lyGh0st |
DEV-0537 | Strawberry Tempest | Financially motivated | LAPSUS$ |
DEV-0586 | Cadet Blizzard | Russia | |
DEV-0605 | Wisteria Tsunami | Private sector offensive actor | CyberRoot |
DEV-0665 | Sunglow Blizzard | Russia | |
DEV-0796 | Phlox Tempest | Financially motivated | ClickPirate, Chrome Loader, Choziosi loader |
DEV-0832 | Vanilla Tempest | Financially motivated | |
DEV-0950 | Lace Tempest | Financially motivated | FIN11, TA505 |
Read our announcement about the new taxonomy for more information: https://aka.ms/threatactorsblog
Putting intelligence into the hands of security professionals
Intel profiles in Microsoft Defender Threat Intelligence bring critical threat actor insights directly into defenders' hands so that they can get the context they need as they prepare for and respond to threats.
Additionally, to further operationalize the threat intelligence you get from Microsoft, the Microsoft Defender Threat Intelligence Intel Profiles API provides the most up-to-date threat actor infrastructure visibility in the industry today, enabling threat intelligence and security operations (SecOps) teams to streamline their advanced threat hunting and analysis workflows. Learn more about this API in the documentation: Use the threat intelligence APIs in Microsoft Graph (preview).
Resources
Use the following query on Microsoft 365 Defender and other Microsoft security products supporting the Kusto Query Language (KQL) to get information about a threat actor using the old name, new name, or industry name:
```kusto
// Load the public old-name/new-name mapping straight from the MSTIC GitHub feed.
let TANames = externaldata(PreviousName: string, NewName: string, Origin: string, OtherNames: dynamic)[@"https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json"] with(format="multijson", ingestionMapping='[{"Column":"PreviousName","Properties":{"Path":"$.Previous name"}},{"Column":"NewName","Properties":{"Path":"$.New name"}},{"Column":"Origin","Properties":{"Path":"$.Origin/Threat"}},{"Column":"OtherNames","Properties":{"Path":"$.Other names"}}]');
// Look an actor up by its new name, its previous name, or any industry alias.
// =~ is a case-insensitive comparison; 'has' is a term match on the alias array.
let GetThreatActorAlias = (Name: string) {
    TANames
    | where Name =~ NewName or Name =~ PreviousName or OtherNames has Name
};
GetThreatActorAlias("ZINC")
```
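The same lookup, reimplemented in Python as an added example (not code from this page or from Microsoft), so the mapping JSON can be queried offline and each resolved name split into its family, qualifier and category as described in the taxonomy section above. The sample records are constructed from the tables on this page in the field layout the KQL ingestion mapping declares; `parse_name` and `resolve_alias` are names chosen here, and the comparison of `Other names` is a whole-string, case-insensitive match rather than KQL's term-based `has`.

```python
import json
import re

# Family name -> (actor category, origin) exactly as listed in the taxonomy table above.
FAMILY_INFO = {
    "Typhoon": ("Nation-state", "China"), "Sandstorm": ("Nation-state", "Iran"),
    "Rain": ("Nation-state", "Lebanon"), "Sleet": ("Nation-state", "North Korea"),
    "Blizzard": ("Nation-state", "Russia"), "Hail": ("Nation-state", "South Korea"),
    "Dust": ("Nation-state", "Turkey"), "Cyclone": ("Nation-state", "Vietnam"),
    "Tempest": ("Financially motivated", None),
    "Tsunami": ("Private sector offensive actor", None),
    "Flood": ("Influence operations", None),
    "Storm": ("Group in development", None),
}

# Constructed sample in the same field layout as MicrosoftMapping.json
# ("Previous name", "New name", "Origin/Threat", "Other names"); rows copied from the tables above.
SAMPLE_MAPPING = json.dumps([
    {"Previous name": "ZINC", "New name": "Diamond Sleet", "Origin/Threat": "North Korea",
     "Other names": ["Labyrinth Chollima", "Lazarus"]},
    {"Previous name": "DEV-0257", "New name": "Storm-0257", "Origin/Threat": "Group in development",
     "Other names": ["UNC1151"]},
    {"Previous name": "STRONTIUM", "New name": "Forest Blizzard", "Origin/Threat": "Russia",
     "Other names": ["APT28", "Fancy Bear"]},
])


def parse_name(new_name: str) -> dict:
    """Split a taxonomy name into family, qualifier and category.
    Storm-NNNN is the temporary designation; every other name is '<Adjective> <Family>'."""
    m = re.fullmatch(r"Storm-(\d{4})", new_name)
    if m:
        return {"family": "Storm", "qualifier": m.group(1),
                "category": FAMILY_INFO["Storm"][0], "origin": None}
    adjective, _, family = new_name.rpartition(" ")
    if not adjective or family not in FAMILY_INFO:
        raise ValueError(f"not a Microsoft taxonomy name: {new_name!r}")
    category, origin = FAMILY_INFO[family]
    return {"family": family, "qualifier": adjective, "category": category, "origin": origin}


def resolve_alias(mapping_json: str, name: str) -> list:
    """Mirror of GetThreatActorAlias: case-insensitive match on the new name, the
    previous name, or any alias in 'Other names'; each hit carries its parsed name."""
    needle = name.casefold()
    hits = []
    for rec in json.loads(mapping_json):
        aliases = [rec["New name"], rec["Previous name"], *rec.get("Other names", [])]
        if any(alias.casefold() == needle for alias in aliases):
            hits.append({**rec, "parsed": parse_name(rec["New name"])})
    return hits
```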
The following files containing the comprehensive mapping of old threat actor names to their new names are also available:
- JSON format
- downloadable Excel
Copyright for syndicated content belongs to the linked source: Hacker News – https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide