Microsoft has introduced a new naming scheme for international security threats. Although the Redmond company has concocted pretty icons in addition to well-sounding names, there is silence about certain attacker groups.
Alkali metal becomes forest storm
Microsoft’s security team has developed a new namespace to designate cybercriminal groups. Where previously there was a proliferation of chemical elements, trees and volcanoes, the security experts are now using weather phenomena combined with unique additional designations. The Redmond company distinguishes between pro-government actors from different countries, but also attackers from the private sector and purely financially motivated cyber gangsters.
As soon as a new type of malware or a major cyber attack emerges, the security community goes in search of who is responsible. Since attackers rarely appear in public – the professional appearance including LockBit logo branding is quite unusual – the origin of a threat is often unclear. The names for “threat actors”, i.e. groups or individual perpetrators, are often assigned by the discoverer, based on code snippets or other characteristics of the attack. In many cases, security specialists simply choose the abbreviation “APT” (Advanced Persistent Threat), followed by a sequential number, in order to be able to tell their opponents apart. But more flowery names are also common – the North Korean cybergang “Lazarus” has the name “APT38” and the pseudonym “Hidden Cobra” in addition to its biblical name.
In the new naming scheme, for example, the Russian group “Fancy Bear”, which was previously called “Strontium” at Microsoft, is renamed “Forest Blizzard”; the North Koreans from Lazarus (previously called “Zinc”) are now called “Diamond Sleet”. The software manufacturer’s designers have also come up with something for the eyes: there is a suitable icon for every weather phenomenon, which enables assignment to an attacker group at a glance. To make it easier for users and security experts to get used to it, there is a translation table for the most well-known cyber gangs.
With this naming scheme, Microsoft is making a direct connection between attacker groups and their nationality for the first time. Other providers of security solutions, such as CrowdStrike, take a similar approach, pointing to the often political and military dimensions of cyber attacks.
The elephant in the room
However, the Redmonders have several blind spots. State-directed attackers from “friendly” states such as the US, Israel, and the UK are not given identifiers. It has long been known that threat actors from these states carry out targeted attack campaigns and do not shy away from attacks on friendly nations.
Uniform nomenclature for security threats is not a new concept – in 2005 US-CERT had already played a leading role in the CME project, which was intended to provide a better overview when naming malware.