What if a hacking group believed to be a nation’s intelligence agency turns out to be contract hackers? Or cybercriminals who are temporarily drafted to work for a government? “Ratings change over time,” says Lee. “Like ‘We told you it was Dirty Mustard and now it’s Swirling Tempest,’ and you say what the heck?” (Lee’s own company Dragos admittedly gives hacker groups mineral names that are often confusingly similar to Microsoft’s old system. But at least Dragos has never called anyone Gingham Typhoon.)
When I contacted Microsoft about the new naming scheme, the head of the Threat Intelligence Center, John Lambert, explained the reasons for the change: Microsoft’s new names are clearer, more memorable, and more searchable. Contrary to Lee’s argument for choosing neutral names, the Microsoft team sought to give customers more context about hackers in the names, Lambert says, immediately identifying their nationality and motive. (Instances not yet fully assigned to a known group are given a temporary classifier, he notes.)
Microsoft’s team was also running out of elements – after all, there are only 118 of them. “We liked weather because it’s a pervasive force, it’s disruptive, and there’s a kindred spirit because studying weather over time requires improving sensors, data, and analysis,” says Lambert. “It’s also the world of cybersecurity defenders.” As for the adjectives that precede these meteorological terms — often the actual source of the unintentional comedy of the names — they are chosen by analysts from a long list of words. Sometimes they have a semantic or phonetic connection to the hacking group, and sometimes they are random. “Everyone has an origin story,” says Lambert, “or it could just be a name out of a hat.”
There’s a certain persistent logic behind the ever-growing number of hacker group names in the cybersecurity industry. When a threat intelligence firm finds evidence of a new team of network intruders, it can’t be sure it is seeing the same group that another company has already discovered and tagged, even if it sees overlapping malware, victims, and command-and-control infrastructure between the two groups. If your competitor doesn’t share everything they see, it’s better not to guess and instead to track the new hackers under your own name. So Sandworm becomes Telebots and Voodoo Bear and Hades and Iron Viking and Electrum and –sigh– Seashell Blizzard, as each company’s analysts get a different view of the anatomy of the group.
But aside from the sprawl, did those names have to be so ridiculous? To a certain extent, it can make sense to give hacker gangs names that rob them of their malicious luster. For example, members of the Russian ransomware group EvilCorp are unlikely to be happy that Microsoft renamed it Manatee Tempest. On the other hand, is it really appropriate to label a group of Iranian hackers trying to penetrate crucial elements of US civilian infrastructure as Mint Sandstorm, as if they were an exotic air freshener? (The older name given to them by CrowdStrike, Charming Kitten, is certainly no better.) Did the Israeli mercenaries known as Candiru, who sold their services to governments to target journalists and human rights activists, really have to be rebranded as Caramel Tsunami, a name already shared by a Dunkin’ drink and a cannabis strain?