What if a hacker group that was supposed to be part of a country's intelligence agency turns out to be hackers for hire? Or cybercriminals temporarily recruited to work on the government's behalf? "Valuations change over time," says Lee. "Like, 'We told you it was Dirty Mustard, now it's Swirling Tempest,' and you're left asking, what's up?" (Admittedly, Lee's own company, Dragos, has given hacker groups mineral-based names that often sound confusingly similar to Microsoft's old element-based scheme. But at least Dragos never called anyone a Gingham Typhoon.)
When Microsoft announced the new naming scheme, John Lambert, head of its Threat Intelligence Center, explained the reasoning behind the change: Microsoft's new names are more distinctive, memorable and searchable. In contrast to Lee's point about choosing neutral names, the Microsoft team wanted the names themselves to give customers more context about the hackers, so that, as Lambert put it, a name immediately identifies a group's nationality and purpose. (A provisional classifier is used for a known group whose attributes have not yet been fully established, he noted.)
The Microsoft team was also running out of elements; there are only 118 of them, after all. "They like weather because it's a pervasive force, it's disruptive, and there's a sense of kinship because climate research involves improvements in sensors, data and analysis over time," Lambert said. "That's the world of cybersecurity defenders." As for the adjectives that precede those meteorological terms, often the source of the names' unintentional comedy, they are chosen by analysts from a long list of words. Sometimes they are semantically or phonetically related to the hacker group, and sometimes they are random. "Each one has a story behind it, or it could be a name out of a hat," says Lambert.
There is a certain rigorous logic behind the cybersecurity industry's ever-growing pile of hacker group handles. When a threat intelligence firm finds evidence of a new group of network intruders, even if it sees overlaps in malware, victims and command-and-control infrastructure with a group that another company has already seen and flagged, it can't be sure the two are the same group. If your competitor isn't sharing everything they see, it's best not to make assumptions and to track the new hackers under your own name. So Sandworm becomes Telebots, and Voodoo Bear, and Hades, and Iron Viking, and Electrum, and, sigh, Seashell Blizzard, because each company's analysts have a different view of the group's anatomy.
But, all that aside, do these names really have to be so ridiculous on their face? There may be some wisdom in giving hacker groups names that rob them of some of their sinister mystique. Members of the Russian ransomware group EvilCorp, for example, will not be happy about Microsoft's Manatee Tempest rebranding. On the other hand, is it really fair to label a group of Iranian hackers who seek to penetrate US civilian infrastructure Mint Sandstorm, as if they were a special flavor of air freshener? (CrowdStrike's name for them, Charming Kitten, is certainly no better.) Do the Israeli hacking mercenaries known as Candiru, who sell their services to governments that target journalists and human rights activists, really need to be called Caramel Tsunami, a name that sounds like a Dunkin' beverage or a cannabis-infused candy?