Hacking group names are now absurdly out of control


What if a group of hackers thought to be part of a nation’s intelligence agency turns out to be a hacker-for-hire contractor? Or cybercriminals temporarily recruited to work on behalf of a government? “Assessments change over time,” says Lee. “Like, ‘We told you it was Dirty Mustard and now it’s Swirling Tempest,’ and you’re like, what the hell?” (Lee’s own firm, Dragos, certainly gives hacker groups mineral names that are often confusingly similar to Microsoft’s old system. But at least Dragos has never called anyone Gingham Typhoon.)

When I contacted Microsoft about its new naming scheme, the head of its Threat Intelligence Center, John Lambert, explained the reasoning behind the change: Microsoft's new names are more distinct, easier to remember, and easier to search for. In contrast to Lee's point about choosing neutral names, the Microsoft team deliberately set out to give clients more context about the hackers in the names themselves, Lambert says, immediately signaling their nationality and motive. (Groups that have not yet been fully attributed get a temporary name instead, he notes.)

The Microsoft team was also running low on chemical elements; after all, there are only 118 of them. "We liked weather because it's a pervasive, disruptive force, and there's a kindred spirit because studying climate over time means improving sensors, data, and analytics," says Lambert. "That is also the world of cybersecurity defenders." As for the adjectives that precede those weather terms, often the real source of the names' inadvertent comedy, analysts choose them from a long list of words. Sometimes they have a semantic or phonetic connection to the hacking group, and sometimes they are random. "Each one has an origin story," Lambert says, "or it could just be a name out of a hat."

There is a certain stubborn logic behind the ever-expanding collection of hacker group identifiers in the cybersecurity industry. When a threat intelligence company finds evidence of a new team of network intruders, it can't be sure it is looking at the same group that another company has already detected and tagged, even if it sees overlaps in malware, victims, and command-and-control infrastructure between the two groups. If your competitor doesn't share everything it sees, it's safer not to make assumptions and to track the new hackers under a name of your own. So Sandworm becomes Telebots, Voodoo Bear, Hades, Iron Viking, Electrum and… sigh… Seashell Blizzard, as analysts at each company get a different view of the group's anatomy.

But aside from the expansion, did these names have to be so ridiculous? To some extent, it may be wise to give hacker gangs names that strip them of their malevolent glamour. Members of the Russian EvilCorp ransomware group, for example, probably aren't happy about Microsoft's rebranding of them as Manatee Tempest. On the other hand, is it really appropriate to label a group of Iranian hackers looking to break into crucial elements of US civilian infrastructure Mint Sandstorm, as if they were some exotic flavor of air freshener? (The old name CrowdStrike gave them, Charming Kitten, is certainly no better.) Do the mercenary Israeli hackers known as Candiru, who have sold governments their services to attack journalists and human rights activists, really need to be rebranded as Caramel Tsunami, a name befitting a Dunkin' drink, and one already taken by a cannabis strain?
