Keeping track of people determined to wreak havoc through computer hacks and cyber crime isn’t easy, but Microsoft officials say naming the groups is a small but important step in stopping them.
Microsoft explained its naming system for nation-state-affiliated threat entities during The National's exclusive tour of the company's cyber crime centre in Redmond, Washington.

Mint Sandstorm, Storm-2035, Sefid Flood, Salt Typhoon, Cotton Sandstorm and Taizi Flood are just a few of the many names given to groups operating out of Iran, China, Russia and North Korea, which Microsoft told The National are home to some of the most active actors in the nation-state cyber crime space.
“We used to track everything as an element from the periodic table − like barium, strontium and phosphorus,” said Steven Masada, assistant general counsel of Microsoft's digital crimes unit, which leads the company's efforts to combat cyber crime around the world.
Mr Masada, who also served as assistant US attorney for the western district of Washington state, said that due to the sheer number of hacker and cyber crime groups around the world, Microsoft ran out of elements from the periodic table.

“So, we switched to the storm system, which despite some naysayers, has really caught on,” he added.
“Sleet is North Korea, Typhoon is China, Sandstorm is Iran and Blizzard is Russia,” Mr Masada continued, saying that once Microsoft researches the cyber criminals from various countries and their differing techniques, it adds more detail to the name, such as Mint Sandstorm, the name given to a nation-state cyber crime actor originating out of Iran.

For groups that aren't necessarily nation-state affiliated, Mr Masada said that other names are given.
“We use the word 'tempest' for financially motivated groups … there's one called Vanilla Tempest, which is an incredibly active ransomware group.”
He added that any group with the word “flood” included in the name is likely a disinformation or influence operation group.
Mr Masada said around the world there has been a significant increase in nation-state actor cyber crime activity. The 2024 US presidential election, coupled with the Israel-Gaza war, saw an uptick in cyber crime efforts based out of Iran.

“One example is Mint Sandstorm, it's an Iranian actor that we've taken action against … Mint Sandstorm targeted Donald Trump's campaign leading up to the most recent US election and hacked some senior advisers,” said Mr Masada.
In addition to sharing information with the hack victims and the US government, Mr Masada said Microsoft's digital crimes unit provided a criminal referral to the US Department of Justice, which later indicted three Iranians accused of the nefarious cyber activity.
The three men were allegedly employed by Iran’s Islamic Revolutionary Guard Corps, and their activities included a range of targets − including government officials, members of the media and non-governmental organisations, according to the Justice Department.
Iran denied any involvement in Mint Sandstorm, yet the name, which originated from Microsoft, largely caught on.
“We do this purely to make it easy for professionals in the [cyber security] field to understand it all,” said Andrew Conway, vice president of security marketing at Microsoft.
“We associated a certain type of weather with a particular threat actor and then we made up modifiers for the types of weather,” he explained. One Russian group was given the name Midnight Blizzard.
“We don't do this to glorify or try to make things cool, it's done for information design … we were expanding the number of threat actors that we tracked and we needed a hierarchy in which to refer to them,” said Mr Conway.
Microsoft has gone from tracking approximately 300 nefarious cyber crime groups to more than 1,500, he said.
Mr Conway said that although this naming convention seems to be catching on outside of Microsoft to some extent, not all companies, governments and organisations use the same naming system.
“There's no global standard for it,” he said.
Meanwhile, according to Microsoft, by 2028, estimates show that approximately $13 trillion could be lost to cyber crime tactics.
To blunt such cyber attacks, Microsoft's cyber crime centre seeks to utilise security response experts from across the company to help protect, detect and respond to threats around the world.
It also uses AI to quicken the process of identifying potential threats or vulnerabilities as they come in.
Inside the cyber crime facility, there are specific offices occasionally used by the FBI, Secret Service and Department of Homeland Security to expedite investigations and collaboration efforts, depending on the cyber crime threats.
“We're increasingly seeing the blurring of lines where nation-state threat actors are becoming more sophisticated,” Mr Masada said.
“Microsoft, effectively, is a security company at this point in time,” he added, noting that besides ample technical and cyber security experts, the company also uses lawyers, investigators, data analysts and business professionals to blunt and prevent cyber crime.
According to the company, its digital crimes unit has disrupted 30 malware families, nation-state threat actors and distributors of malicious tools through civil actions resulting in the “rescue of more than 500 million victim devices”.