3CX Hackers Target Critical Infrastructure | Microsoft Hacker Taxonomy

3 minute read

April 2023

In this episode of GRXcerpts: 

  • 3CX hackers target critical infrastructure
  • A warning to critical infrastructure organizations in the UK 
  • The new hacker taxonomy announced by Microsoft

Watch now:

3CX Hackers Target Critical Infrastructure

The hacking group responsible for the supply chain attack targeting the software company 3CX has struck again. Several other organizations have been breached using the trojanized X_Trader application, at least two in the energy sector and two in financial services. According to Symantec, “The attackers behind these breaches clearly have a successful template for software supply chain attacks, and further similar attacks cannot be ruled out.” 

The North Korean hacking group Lazarus is believed to be behind the attacks and typically engages in espionage and financially-motivated attacks. The 3CX incident resulted from an employee downloading a trojanized installer of the X_TRADER software, which then deployed a multi-stage backdoor to execute shellcode, injecting a communication module into Chrome, Firefox, or Edge processes, then terminated itself. Once inside, attackers were able to steal corporate credentials from the employee’s device and used them to move laterally through 3CX’s network, eventually breaching both Windows and macOS build environments. In March, security researchers reported that the 3CX Desktop App had malware. Mandiant, who helped investigate the incident, also believes several organizations still don’t know they are compromised.

UK National Cyber Security Centre Alert

The UK National Cyber Security Centre (or NCSC) has issued an alert to critical national infrastructure organizations warning of an emerging threat from state-aligned groups. Organizations most likely to be targeted are those sympathetic to Russia’s invasion of Ukraine. 

The NCSC reports that a new class of Russian cyber adversaries appeared a year and a half ago, and their threats are ideologically motivated rather than financially driven. Additionally, these threat actors are not subject to formal state control, so their actions are less constrained and more unpredictable. The groups are expected to look for opportunities to disrupt operations and spread misinformation, and they prey on poorly protected systems. The NCSC recommends that larger organizations use the Cyber Assessment Framework to help identify areas for improvement.

Microsoft Hacker Naming Taxonomy

And in other news, Microsoft has announced a new naming taxonomy to track cyber attacks. Hackers will now be named after the weather instead of the old naming convention using trees, volcanos and elements. According to Microsoft, the new taxonomy will provide better context to customers and security researchers, offer a more organized and memorable way to reference adversary groups, and help organizations better prioritize threats and make well-informed decisions. 

The taxonomy will include five key groups, including nation-state actors, financially motivated actors, private sector offensive (or PSOA) actors, influence operations, and groups still in development. As an example, if a threat comes from an unknown source, Microsoft will give it the temporary name “storm” and a four-digit number. 

Nation-state hackers will receive names based on weather events where the groups are operating– Typhoon for China, Sandstorm for Iran, Sleet for North Korea, and Blizzard for Russia as examples.


Attack Origin Name
Russia Blizzard
China Typhoon
Iran Sandstorm
North Korea Sleet
Turkey Dust
Cyclone Vietnam
Lebanon Rain
South Korea Hail


Similarly, phishers and financially-driven hacking groups will be called “Tempest,” PSOAs will be called “Tsunamis,” and influence operations and manipulative information campaigns will be called “Floods.” 

Type of Attack Name
Financially Motivated Tempest
Private Sector / Offensive Attack Tsunami
Influence Operations / Manipulative information Flood
Unknown Source Storm

Microsoft says all existing threat actors have been reassigned to the new taxonomy. So Cozy Bear, also known as “APT29”, who is suspected of perpetrating the 2020 SolarWinds attack, is no longer called “Nobelium” but, under the new taxonomy, becomes “Midnight Blizzard.” 

The Russian-affiliated threat actor “Strontium,” which successfully disrupted Microsoft last year, is now called “Forest Blizzard.” And the hacker group “Laspsus$,” who attacked Microsoft, Nvidia, and Samsung, changes from “DEV-0537” to “Strawberry Tempest.” 

We can only imagine what boardroom conversations will be like now as you share you’ve been breached, and the perpetrator was Pumpkin Sandstorm.

All information is current as of April 24, 2023. Subscribe to receive future episodes as they are released.

Related Articles

About Us

ProcessUnity is a leading provider of cloud-based applications for risk and compliance management. The company’s software as a service (SaaS) platform gives organizations the control to assess, measure, and mitigate risk and to ensure the optimal performance of key business processes. ProcessUnity’s flagship solution, ProcessUnity Vendor Risk Management, protects companies and their brands by reducing risks from third-party vendors and suppliers. ProcessUnity helps customers effectively and efficiently assess and monitor both new and existing vendors – from initial due diligence and onboarding through termination. Headquartered outside of Boston, Massachusetts, ProcessUnity is used by the world’s leading financial service firms and commercial enterprises. For more information, visit www.processunity.com.