
Microsoft is giving hackers weather-themed names like storm, typhoon, and blizzard



Crimson Sandstorm isn’t a fancy new Surface color — it’s Iranian state-aligned hackers.


Microsoft’s new weather-themed naming for attackers.
Image: Microsoft

Microsoft has started naming hackers after the weather in a new naming taxonomy update. Hackers will now be named after events like storms, typhoons, and blizzards, as part of eight groups that Microsoft is using to track cyber attacks. That means the Lapsus$ hacking group that has targeted companies like Nvidia, Samsung, and Microsoft will now be referred to as Strawberry Tempest (no, it’s not a $15 cocktail).

The new taxonomy will include five key groups: nation-state actors, financially motivated actors, private sector offensive actors (PSOAs), influence operations, and groups still in development. If a cybersecurity threat is new or from an unknown source, Microsoft will assign it a temporary “Storm” designation and a four-digit number. This replaces the “DEV” moniker Microsoft previously used.

Nation-state hackers will be named after a specific family of weather events, designed to indicate where the groups are being directed from. This includes:

  • China - Typhoon
  • Iran - Sandstorm
  • Lebanon - Rain
  • North Korea - Sleet
  • Russia - Blizzard
  • South Korea - Hail
  • Turkey - Dust
  • Vietnam - Cyclone

Cozy Bear, the Russian state hackers that breached the systems of the Republican National Committee and the Democratic National Committee, is now known as Midnight Blizzard instead of the NOBELIUM name that Microsoft used to describe the group when it disclosed an attack last year.

Financially motivated hacking groups will be named tempest, with PSOAs as tsunami and influence operations named after floods. “The naming approach we have used previously (Elements, Trees, Volcanoes, and DEVs) has been retired,” explains John Lambert, Microsoft’s CVP of threat intelligence. “We have reassigned all existing threat actors to the new taxonomy, and going forward will be using the new threat actor names.”

Microsoft tracks 160 nation-state hacking groups, 50 ransomware groups, 300 unique threat actors, and hundreds of other hackers, alongside a larger community of cybersecurity professionals who use other names for hacking groups.

“We realize that other vendors in the industry also have unique naming taxonomies representing their distinct view of threats based on their intelligence,” says Lambert. “Therefore, we will strive to also include other threat actor names within our security products to reflect these analytic overlaps and help customers make well-informed decisions.”

You can find a list of some of the hacking groups that Microsoft tracks and their new names here, including ones like Crimson Sandstorm or Denim Tsunami that sure sound like Microsoft’s latest Surface laptop colors.