Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Microsoft uses a naming taxonomy for threat actors aligned with the theme of weather. We intend to bring better clarity to customers and other security researchers with this taxonomy. We offer a more organized, articulate, and easy way to reference threat actors so that organizations can better prioritize and protect themselves. We also aim to aid security researchers, who are already confronted with an overwhelming amount of threat intelligence data.
Microsoft categorizes threat actors into five key groups:
Nation-state actors: cyber operators acting on behalf of or directed by a nation/state-aligned program, irrespective of whether for espionage, financial gain, or retribution. Microsoft observed that most nation state actors continue to focus operations and attacks on government agencies, intergovernmental organizations, nongovernmental organizations, and think tanks for traditional espionage or surveillance objectives.
Financially motivated actors: cyber campaigns/groups directed by a criminal organization/person with motivations of financial gain and aren't associated with high confidence to a known non-nation state or commercial entity. This category includes ransomware operators, business email compromise, phishing, and other groups with purely financial or extortion motivations.
Private sector offensive actors (PSOAs): cyber activity led by commercial actors that are known/legitimate legal entities, that create and sell cyberweapons to customers who then select targets and operate the cyberweapons. These tools were observed targeting and surveiling dissidents, human rights defenders, journalists, civil society advocates, and other private citizens, threatening many global human rights efforts.
Influence operations: information campaigns communicated online or offline in a manipulative fashion to shift perceptions, behaviors, or decisions by target audiences to further a group or a nation's interests and objectives.
Groups in development: a temporary designation given to an unknown, emerging, or developing threat activity. This designation allows Microsoft to track a group as a discrete set of information until we can reach high confidence about the origin or identity of the actor behind the operation. Once criteria are met, a group in development is converted to a named actor or merged into existing names.
In this taxonomy, a weather event or family name represents one of the above categories. For nation-state actors, we assigned a family name to a country/region of origin tied to attribution. For example, Typhoon indicates origin or attribution to China. For other actors, the family name represents a motivation. For example, Tempest indicates financially motivated actors.
Threat actors within the same weather family are given an adjective to distinguish actor groups with distinct tactics, techniques, and procedures (TTPs), infrastructure, objectives, or other identified patterns. For groups in development, we use a temporary designation of Storm and a four-digit number where there's a newly discovered, unknown, emerging, or developing cluster of threat activity.
The following table shows how the family names map to the threat actors that we track.
| Threat actor category | Type | Family name |
|---|---|---|
| Nation-state | China Iran Lebanon North Korea Russia South Korea Türkiye Vietnam |
Typhoon Sandstorm Rain Sleet Blizzard Hail Dust Cyclone |
| Nation-state | China Germany India Iran North Korea Lebanon Pakistan Palestinian Authority Russia Singapore South Korea Spain Syria Türkiye Ukraine United States Vietnam |
Typhoon Gale Monsoon Sandstorm Sleet Rain Whirlwind Lightning Blizzard Squall Hail Derecho Haze Dust Frost Tornado Cyclone |
| Financially motivated | Financially motivated | Tempest |
| Private sector offensive actors | PSOAs | Tsunami |
| Influence operations | Influence operations | Flood |
| Groups in development | Groups in development | Storm |
The following table lists publicly disclosed threat actor names with their origin or threat actor category, previous names, and corresponding names used by other security vendors where available. This page will be updated as more info on other vendors' names become available.
| Threat actor name | Origin/Threat actor category | Other names |
|---|---|---|
| Amethyst Rain | Lebanon | VolcanicTimber, Volatile Cedar |
| Antique Typhoon | China | Storm-0558 |
| Aqua Blizzard | Russia | ACTINIUM, PRIMITIVE BEAR, Gamaredon, Armageddon, UNC530, shuckworm, SectorC08 |
| Berry Sandstorm | Iran | Storm-0852 |
| Blue Tsunami | Israel, Private sector offensive actor | |
| Brass Typhoon | China | BARIUM, WICKED PANDA, APT41 |
| Brocade Typhoon | China | BORON, GOTHIC PANDA, UPS, APT3, OLDCARP, TG-0110, Red Sylvan, CYBRAN |
| Burgundy Sandstorm | Iran | REMIX KITTEN, Cadelle, Chafer |
| Cadet Blizzard | Russia | DEV-0586, EMBER BEAR |
| Canary Typhoon | China | CIRCUIT PANDA, APT24, Palmerworm, BlackTech |
| Canvas Cyclone | Vietnam | BISMUTH, OCEAN BUFFALO, OceanLotus, APT32 |
| Caramel Tsunami | Israel, Private sector offensive actor | DEV-0236 |
| Carmine Tsunami | Private sector offensive actor | |
| Charcoal Typhoon | China | CHROMIUM, AQUATIC PANDA, ControlX, RedHotel, BRONZE UNIVERSITY |
| Checkered Typhoon | China | CHLORINE, DEEP PANDA, ATG50, APT19, TG-3551, Red Gargoyle |
| Cinnamon Tempest | China, Financially motivated | DEV-0401, HighGround |
| Circle Typhoon | China | DEV-0322, EMISSARY PANDA, APT6, APT27 |
| Citrine Sleet | North Korea | Storm-0139, Storm-1222, LABYRINTH CHOLLIMA |
| Cotton Sandstorm | Iran | NEPTUNIUM, HAYWIRE KITTEN, Vice Leaker |
| CovertNetwork-1658 | Covert network | ORB07 |
| Crescent Typhoon | China | CESIUM |
| Crimson Sandstorm | Iran | CURIUM, IMPERIAL KITTEN, Tortoise Shell, HOUSEBLEND, TA456 |
| Cuboid Sandstorm | Iran | DEV-0228, IMPERIAL KITTEN |
| Denim Tsunami | Austria, Private sector offensive actor | DEV-0291 |
| Diamond Sleet | North Korea | ZINC, LABYRINTH CHOLLIMA, Black Artemis, Lazarus |
| Emerald Sleet | North Korea | THALLIUM, VELVET CHOLLIMA, RGB-D5, Black Banshee, Kimsuky, Greendinosa |
| Fallow Squall | Singapore | PLATINUM, PARASITE, RUBYVINE, GINGERSNAP |
| Flax Typhoon | China | Storm-0919, ETHEREAL PANDA |
| Forest Blizzard | Russia | STRONTIUM, FANCY BEAR, Sednit, ATG2, Sofacy, Blue Athena, Z-Lom Team, Operation Pawn Storm, Tsar Team, CrisisFour, HELLFIRE, APT28 |
| Ghost Blizzard | Russia | BROMINE, BERSERK BEAR, TG-4192, Koala Team, Blue Kraken, Crouching Yeti, Dragonfly |
| Gingham Typhoon | China | GADOLINIUM, KRYPTONITE PANDA, TEMP.Periscope, Leviathan, JJDoor, APT40, Feverdream |
| Granite Typhoon | China | GALLIUM, PHANTOM PANDA |
| Gray Sandstorm | Iran | DEV-0343 |
| Hazel Sandstorm | Iran | EUROPIUM, HELIX KITTEN, COLBALT GYPSY, Crambus, OilRig, APT34 |
| Heart Typhoon | China | HELIUM, AURORA PANDA, APT17, Hidden Lynx, ATG3, Red Typhon, KAOS, TG-8153, SportsFans, DeputyDog, Tailgater |
| Hexagon Typhoon | China | HYDROGEN, NUMBERED PANDA, Calc Team, Red Anubis, APT12, DNS-Calc, HORDE |
| Houndstooth Typhoon | China | HASSIUM, DRAGNET PANDA, isoon, deepclif |
| Jade Sleet | North Korea | Storm-0954, LABYRINTH CHOLLIMA |
| Lace Tempest | Financially motivated | DEV-0950 |
| Lemon Sandstorm | Iran | RUBIDIUM, PIONEER KITTEN |
| Leopard Typhoon | China | LEAD, WICKED PANDA, TG-2633, TG-3279, Mana, KAOS, Red Diablo, Winnti Group |
| Lilac Typhoon | China | DEV-0234 |
| Linen Typhoon | China | IODINE, EMISSARY PANDA, Red Phoenix, Hippo, Lucky Mouse, BOWSER, APT27, Wekby2, UNC215, TG-3390 |
| Luna Tempest | Financially motivated | |
| Magenta Dust | Türkiye | PROMETHIUM, StrongPity, SmallPity |
| Manatee Tempest | Russia | DEV-0243, INDRIK SPIDER |
| Mango Sandstorm | Iran | MERCURY, STATIC KITTEN, SeedWorm, TEMP.Zagros, MuddyWater |
| Marbled Dust | Türkiye | SILICON, COSMIC WOLF, Sea Turtle, UNC1326 |
| Marigold Sandstorm | Iran | DEV-500, VENGEFUL KITTEN |
| Midnight Blizzard | Russia | NOBELIUM, COZY BEAR, UNC2452, APT29 |
| Mint Sandstorm | Iran | PHOSPHORUS, CHARMING KITTEN, Parastoo, Newscaster, APT35 |
| Moonstone Sleet | North Korea | Storm-1789, LABYRINTH CHOLLIMA |
| Mulberry Typhoon | China | MANGANESE, KEYHOLE PANDA, Backdoor-DPD, COVENANT, CYSERVICE, Bottle, Red Horus, Red Naga, Auriga, APT5, ATG48, TG-2754, tabcteng |
| Mustard Tempest | Financially motivated | DEV-0206, INDRIK SPIDER |
| Neva Flood | Russia, Influence operations | Storm-1516, CopyCop |
| Night Tsunami | Israel | DEV-0336 |
| Nylon Typhoon | China | NICKEL, VIXEN PANDA, Playful Dragon, RedRiver, ke3chang, APT15, Mirage |
| Octo Tempest | Financially motivated | SCATTERED SPIDER, 0ktapus |
| Onyx Sleet | North Korea | PLUTONIUM, SILENT CHOLLIMA, StoneFly, Tdrop2 campaign, DarkSeoul, Black Chollima, Andariel, APT45 |
| Opal Sleet | North Korea | OSMIUM, VELVET CHOLLIMA, Planedown, Konni, APT43 |
| Peach Sandstorm | Iran | HOLMIUM, REFINED KITTEN, APT33, Elfin |
| Pearl Sleet | North Korea | LAWRENCIUM |
| Periwinkle Tempest | Russia | DEV-0193, WIZARD SPIDER |
| Phlox Tempest | Israel, Financially motivated | DEV-0796 |
| Pink Sandstorm | Iran | AMERICIUM, SPECTRAL KITTEN, Agrius, Deadwood, BlackShadow, SharpBoys, FireAnt, Justice Blade |
| Pinstripe Lightning | NIOBIUM, RENEGADE JACKAL, Desert Falcons, Scimitar, Arid Viper | |
| Pistachio Tempest | Financially motivated | DEV-0237 |
| Plaid Rain | Lebanon | POLONIUM, INCENDIARY JACKAL |
| Pumpkin Sandstorm | Iran | DEV-0146 |
| Purple Typhoon | China | POTASSIUM, STONE PANDA, GOLEM, Evilgrab, AEON, LIVESAFE, ChChes, APT10, Haymaker, Webmonder, Foxtrot, Foxmail, MenuPass, Red Apollo |
| Raspberry Typhoon | China | RADIUM, LOTUS PANDA, LotusBlossom, APT30 |
| Red Sandstorm | Iran | Storm-0842, BANISHED KITTEN, Void Manticore |
| Ruby Sleet | North Korea | CERIUM, VELVET CHOLLIMA |
| Ruza Flood | Russia, Influence operations | |
| Salmon Typhoon | China | SODIUM, MAVERICK PANDA, APT4 |
| Salt Typhoon | China | OPERATOR PANDA, GhostEmperor, FamousSparrow |
| Sangria Tempest | Ukraine, Financially motivated | ELBRUS, CARBON SPIDER |
| Sapphire Sleet | North Korea | COPERNICIUM, STARDUST CHOLLIMA, Genie Spider, BlueNoroff, CageyChameleon, CryptoCore |
| Satin Typhoon | China | SCANDIUM, DYNAMITE PANDA, COMBINE, TG-0416, SILVERVIPER, Red Wraith, APT18, Elderwood Group, Wekby |
| Seashell Blizzard | Russia | IRIDIUM, VOODOO BEAR, BE2, UAC-0113, Blue Echidna, Sandworm, PHANTOM, BlackEnergy Lite, APT44 |
| Secret Blizzard | Russia | KRYPTON, VENOMOUS BEAR, Uroburos, Snake, Blue Python, Turla, WRAITH, ATG26 |
| Sefid Flood | Iran, Influence operations | |
| Shadow Typhoon | China | Storm-0062, DarkShadow, Oro0lxy |
| Silk Typhoon | China | HAFNIUM, MURKY PANDA, timmy |
| Smoke Sandstorm | Iran | IMPERIAL KITTEN, UNC1549 |
| Spandex Tempest | Financially motivated | MONTY SPIDER, TA505 |
| Star Blizzard | Russia | SEABORGIUM, COLDRIVER, Callisto Group, BlueCharlie, TA446 |
| Storm-0216 | Financially motivated | TUNNEL SPIDER, UNC2198 |
| Storm-0230 | Group in development | WIZARD SPIDER, Conti Team 1 |
| Storm-0247 | China | ToddyCat, Websiic |
| Storm-0252 | Group in development | CHATTY SPIDER |
| Storm-0288 | Group in development | FIN8 |
| Storm-0302 | Group in development | NARWHAL SPIDER, TA544 |
| Storm-0408 | Group in development | |
| Storm-0485 | Group in development | |
| Storm-0501 | Financially motivated | |
| Storm-0538 | Group in development | SKELETON SPIDER, FIN6 |
| Storm-0539 | Financially motivated | |
| Storm-0569 | Financially motivated | |
| Storm-0671 | Group in development | UNC2596, Tropicalscorpius |
| Storm-0940 | China | |
| Storm-0978 | Russia | RomCom, Underground Team |
| Storm-1101 | Group in development | |
| Storm-1113 | Financially motivated | APOTHECARY SPIDER |
| Storm-1152 | Financially motivated | |
| Storm-1175 | China, Financially motivated | |
| Storm-1194 | Group in development | MONTI |
| Storm-1249 | Group in development | |
| Storm-1516 | Russia, Influence operations | |
| Storm-1567 | Financially motivated | PUNK SPIDER |
| Storm-1674 | Financially motivated | |
| Storm-1679 | Influence operations | |
| Storm-1811 | Financially motivated | CURLY SPIDER |
| Storm-1865 | Group in development | |
| Storm-1982 | China | SneakyCheff, UNK_SweetSpecter |
| Storm-2035 | Iran, Influence operations | |
| Storm-2077 | China | TAG-100 |
| Storm-2372 | Group in development | |
| Strawberry Tempest | Financially motivated | DEV-0537, SLIPPY SPIDER, LAPSUS$ |
| Sunglow Blizzard | DEV-0665 | |
| Swirl Typhoon | China | TELLURIUM, STALKER PANDA, Tick, Bronze Butler, REDBALDKNIGHT |
| Taffeta Typhoon | China | TECHNETIUM, TURBINE PANDA, TG-0055, Red Kobold, JerseyMikes, APT26, BEARCLAW |
| Taizi Flood | China, Influence operations | Dragonbridge, Spamouflage |
| Tumbleweed Typhoon | China | THORIUM, Karst |
| Twill Typhoon | China | TANTALUM, MUSTANG PANDA, BRONZE PRESIDENT, LuminousMoth |
| Vanilla Tempest | Financially motivated | DEV-0832, VICE SPIDER, Vice Society |
| Velvet Tempest | Financially motivated | DEV-0504, ALPHA SPIDER |
| Violet Typhoon | China | ZIRCONIUM, JUDGMENT PANDA, Chameleon, APT31, WebFans |
| Void Blizzard | Russia | Laundry Bear |
| Volga Flood | Russia, Influence operations | Storm-1841, Rybar |
| Volt Typhoon | China | VANGUARD PANDA, BRONZE SILHOUETTE |
| Wheat Tempest | Financially motivated | GOLD, Gatak |
| Wisteria Tsunami | India, Private sector offensive actor | DEV-0605, MintedSoil |
| Yulong Flood | China, Influence operations | Storm-1852 |
| Zigzag Hail | Korea | DUBNIUM, SHADOW CRANE, Nemim, TEMPLAR, TieOnJoe, Fallout Team, Purple Pygmy, Dark Hotel, Egobot, Tapaoux, PALADIN, APT-C-60 |
Read our announcement about this taxonomy for more information: https://aka.ms/threatactorsblog
Putting intelligence into the hands of security professionals
Intel profiles in Microsoft Defender Threat Intelligence bring crucial insights about threat actors. These insights enable security teams to get the context they need as they prepare for and respond to threats.
Additionally, the Microsoft Defender Threat Intelligence Intel Profiles API provides the most up-to-date threat actor infrastructure visibility in the industry today. Updated information is crucial in enabling threat intelligence and security operations (SecOps) teams to streamline their advanced threat hunting and analysis workflows. Learn more about this API in the documentation: Use the threat intelligence APIs in Microsoft Graph (preview).
Resources
Use the following query on Microsoft Defender XDR and other Microsoft security products supporting the Kusto query language (KQL) to get information about a threat actor using the old name, new name, or industry name:
let TANames = externaldata(PreviousName: string, NewName: string, Origin: string, OtherNames: dynamic)[@"https://raw.githubusercontent.com/microsoft/mstic/master/PublicFeeds/ThreatActorNaming/MicrosoftMapping.json"] with(format="multijson", ingestionMapping='[{"Column":"PreviousName","Properties":{"Path":"$.Previous name"}},{"Column":"NewName","Properties":{"Path":"$.New name"}},{"Column":"Origin","Properties":{"Path":"$.Origin/Threat"}},{"Column":"OtherNames","Properties":{"Path":"$.Other names"}}]');
let GetThreatActorAlias = (Name: string) {
TANames
| where Name =~ NewName or Name =~ PreviousName or OtherNames has Name
};
GetThreatActorAlias("ZINC")
The following files containing the comprehensive mapping of old threat actor names with their new names are also available: