What if a hacker group thought to be part of a nation’s intelligence agency turns out to be a hacker-for-hire contractor? Or cybercriminals temporarily conscripted to work on behalf of a government? “Assessments change over time,” Lee says. “Like, ‘We told you it was Dirty Mustard and now it’s Swirling Tempest,’ and you’re like, what the fuck?” (Lee’s own firm, Dragos, admittedly gives hacker groups mineral names that are often confusingly similar to Microsoft’s old system. But at least Dragos has never called anyone Gingham Typhoon.)
When I reached out to Microsoft about its new naming scheme, the head of its Threat Intelligence Center, John Lambert, explained the rationale behind the change: Microsoft’s new names are more distinct, memorable, and searchable. In contrast to Lee’s point about choosing neutral names, the Microsoft team wanted to give customers more context about hackers in the names, Lambert says, immediately identifying their nationality and motive. (Instances that are not yet fully attributed to a known group are given a temporary classifier, he notes.)
Microsoft’s team was also just running out of elements—there are, after all, only 118 of them. “We liked weather because it’s a pervasive force, it’s disruptive, and there’s a kindred spirit because the study of weather over time involves improvement in sensors, data, and analysis,” says Lambert. “That’s cybersecurity defenders’ world, too.” As for the adjectives preceding those meteorological terms—often the real source of the names’ inadvertent comedy—they’re chosen by analysts from a long list of words. Sometimes they have a semantic or phonetic connection to the hacker group, and sometimes they’re random. “There’s some origin story to each one,” Lambert says, “or it could just be a name out of a hat.”
There’s a certain, stubborn logic behind the cybersecurity industry’s ever-growing sprawl of hacker group handles. When a threat intelligence firm finds evidence of a new team of network intruders, it can’t be sure it’s seeing the same group that another company has already spotted and labeled, even if the two sightings overlap in malware, victims, and command-and-control infrastructure. If your competitor isn’t sharing everything they see, it’s safer to make no assumptions and track the new hackers under your own name. So Sandworm becomes Telebots, and Voodoo Bear, and Hades, and Iron Viking, and Electrum, and—sigh—Seashell Blizzard, as every company’s analysts get a different glimpse of the group’s anatomy.
But, sprawl aside, did these names have to be quite so on-their-face ridiculous? To some degree, it may be wise to give hacker gangs names that rob them of their malevolent glamour. Members of the Russian ransomware group EvilCorp, for instance, are not likely to be happy with Microsoft’s rebranding them as Manatee Tempest. On the other hand, is it really appropriate to label a group of Iranian hackers that seeks to penetrate crucial elements of US civilian infrastructure Mint Sandstorm, as if they’re an exotic flavor of air freshener? (The older name given to them by CrowdStrike, Charming Kitten, is certainly not any better.) Did the Israeli hacker-for-hire mercenaries known as Candiru, who have sold their services to governments targeting journalists and human rights activists, really need to be renamed Caramel Tsunami, a brand befitting a Dunkin’ beverage, and one that’s already taken by a strain of cannabis?