Hacker Group Names Are Now Absurdly Out of Control

What if a hacker group regarded as half of a nation’s intelligence company seems to be a hacker-for-hire contractor? Or cybercriminals quickly conscripted to work on behalf of a authorities? “Assessments change over time,” Lee says. “Like, ‘We told you it was Dirty Mustard and now it’s Swirling Tempest,’ and you’re like, what the fuck?” (Lee’s personal agency, Dragos, admittedly provides hacker teams mineral names which can be typically confusingly much like Microsoft’s previous system. But not less than Dragos has by no means known as anybody Gingham Typhoon.)

When I reached out to Microsoft about its new naming scheme, the pinnacle of its Threat Intelligence Center, John Lambert, defined the rationale behind the change: Microsoft’s new names are extra distinct, memorable, and searchable. In distinction to Lee’s level about selecting impartial names, the Microsoft workforce wished to offer clients extra context about hackers within the names, Lambert says, instantly figuring out their nationality and motive. (Instances that aren’t but absolutely attributed to a recognized group are given a short lived classifier, he notes.)

Microsoft’s workforce was additionally simply working out of components—there are, in any case, solely 118 of them. “We liked weather because it’s a pervasive force, it’s disruptive, and there’s a kindred spirit because the study of weather over time involves improvement in sensors, data, and analysis,” says Lambert. “That’s cybersecurity defenders’ world, too.” As for the adjectives previous these meteorological phrases—typically the true supply of the names’ inadvertent comedy—they’re chosen by analysts from a protracted record of phrases. Sometimes they’ve a semantic or phonetic connection to the hacker group, and typically they’re random. “There’s some origin story to each one,” Lambert says, “or it could just be a name out of a hat.”

There’s a sure, cussed logic behind the cybersecurity business’s ever-growing sprawl of hacker group handles. When a risk intelligence agency finds proof of a brand new workforce of community intruders, they cannot be certain they’re seeing the identical group that one other firm has already noticed and labeled, even when they do see acquainted malware, victims, and command-and-control infrastructure between the 2 teams. If your competitor is not sharing every little thing they see, it is higher to make no assumptions and observe the brand new hackers beneath your individual title. So Sandworm turns into Telebots, and Voodoo Bear, and Hades, and Iron Viking, and Electrum, and—sigh—Seashell Blizzard, as each firm’s analysts get a unique glimpse of the group’s anatomy.

But, sprawl apart, did these names should be fairly so on-their-face ridiculous? To a point, it could be sensible to offer names to hacker gangs that rob them of their malevolent glamour. Members of the Russian ransomware group EvilCorp, as an illustration, usually are not more likely to be proud of Microsoft’s rebranding them as Manatee Tempest. On the opposite hand, is it actually applicable to label a bunch of Iranian hackers that seeks to penetrate essential components of US civilian infrastructure Mint Sandstorm, as in the event that they’re an unique taste of air freshener? (The older title given to them by Crowdstrike, Charming Kitten, is definitely not any higher.) Did the Israeli hacker-for-hire mercenaries generally known as Candiru, who’ve bought their companies to governments focusing on journalists and human rights activists, actually must be renamed Caramel Tsunami, a model befitting a Dunkin’ beverage, and one which’s already taken by a pressure of hashish?