{"id":640587,"date":"2023-04-23T09:56:08","date_gmt":"2023-04-23T14:56:08","guid":{"rendered":"https:\/\/news.sellorbuyhomefast.com\/index.php\/2023\/04\/23\/hacker-group-names-are-now-absurdly-out-of-control\/"},"modified":"2023-04-23T09:56:08","modified_gmt":"2023-04-23T14:56:08","slug":"hacker-group-names-are-now-absurdly-out-of-control","status":"publish","type":"post","link":"https:\/\/newsycanuse.com\/index.php\/2023\/04\/23\/hacker-group-names-are-now-absurdly-out-of-control\/","title":{"rendered":"Hacker Group Names Are Now Absurdly Out of Control"},"content":{"rendered":"<div data-testid=\"ArticlePageChunks\">\n<div data-journey-hook=\"client-content\" data-testid=\"BodyWrapper\">\n<p><span>Hackers\u2014particularly state-sponsored ones<\/span> focused on espionage and cyberwar, and organized cybercriminals exploiting networks worldwide for profit\u2014are not pets. They wreck businesses, sow chaos, disrupt critical infrastructure, support some of the world&#8217;s most harmful militaries and dictatorships, and help those governments spy on and oppress innocent people worldwide.<\/p>\n<p>So why, when I write about these organized hacker groups as a cybersecurity reporter, do I find myself referring to them with cute pet names like Fancy Bear, Refined Kitten, and Sea Turtle?<\/p>\n<p>Why, when I interview different cybersecurity firms about a particular unit of Russian military intelligence hackers, do I have to internally translate that this company refers to Fancy Bear as Pawn Storm, while this one calls them Iron Twilight? 
Why, when I wrote a <a href=\"https:\/\/www.wired.com\/story\/3cx-supply-chain-attack-times-two\/\">news piece earlier this week<\/a> about a North Korea\u2013linked hacking team that has spied on their South Korean neighbors, stolen millions in cryptocurrency to fund the totalitarian regime of Kim Jong-un, and corrupted the software distributed by multiple companies to spread malicious code worldwide, did I find myself referring to them as &#8220;the hacker group known as Kimsuky, Emerald Sleet, or Velvet Chollima&#8221;? It is all, frankly, a little embarrassing\u2014and to the average reader, lends reporting about cyber conflict about as much gravity as the play-by-play of a Pok\u00e9mon card game.<\/p>\n<p>A few days ago, Microsoft&#8217;s cybersecurity division announced it was <a data-offer-url=\"https:\/\/learn.microsoft.com\/en-us\/microsoft-365\/security\/intelligence\/microsoft-threat-actor-naming?view=o365-worldwide\" href=\"https:\/\/learn.microsoft.com\/en-us\/microsoft-365\/security\/intelligence\/microsoft-threat-actor-naming?view=o365-worldwide\" rel=\"nofollow noopener\" target=\"_blank\">changing the entire taxonomy of names<\/a> it uses for the hundreds of hacker groups that it tracks. 
Instead of its previous system, which gave those organizations the names of elements\u2014a fairly neutral, scientific-sounding system as these things go\u2014it will now give hacker groups two-word names, including in their description a weather-based term indicating what country the hackers are believed to work on behalf of, as well as whether they&#8217;re state-sponsored or criminal.<\/p>\n<p>That means Phosphorous, an Iranian group that Microsoft <a data-offer-url=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/04\/18\/nation-state-threat-actor-mint-sandstorm-refines-tradecraft-to-attack-high-value-targets\/\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/04\/18\/nation-state-threat-actor-mint-sandstorm-refines-tradecraft-to-attack-high-value-targets\/\" rel=\"nofollow noopener\" target=\"_blank\">reported this week has been targeting US critical infrastructure<\/a> like seaports, energy companies, and transit systems, now has the less-than-fearsome name Mint Sandstorm. Iridium, Russia&#8217;s most aggressive and dangerous <a href=\"https:\/\/www.wired.com\/story\/sandworm-kremlin-most-dangerous-hackers\/\">cyberwar-focused military hacker unit more commonly known as Sandworm<\/a>\u2014responsible for <a href=\"https:\/\/www.wired.com\/story\/russian-hackers-attack-ukraine\/\">multiple blackouts in Ukraine<\/a> and the <a href=\"https:\/\/www.wired.com\/story\/notpetya-cyberattack-ukraine-russia-code-crashed-the-world\/\">most destructive malware in history<\/a>\u2014now has the whimsical title of Seashell Blizzard. 
Barium, a team of Chinese hackers that&#8217;s <a href=\"https:\/\/www.wired.com\/story\/barium-supply-chain-hackers\/\">carried out more software-supply-chain attacks than perhaps any group worldwide<\/a>, is now Brass Typhoon\u2014a phrase that, I confess, I have a hard time separating from flatulence.<\/p>\n<p>Many of the new names sounded so absurd that I actually double-checked Microsoft hadn&#8217;t published the new labeling system on April 1. Periwinkle Tempest. Pumpkin Sandstorm. Spandex Tempest. Gingham Typhoon. \u201cThese names are just really silly,\u201d says Rob Lee, the founder and CEO of industrial-control-system cybersecurity firm Dragos. \u201cI mean, talk about not being taken seriously as a profession.\u201d<\/p>\n<p>Goofiness aside, the new system is counterproductive for actual cybersecurity analysis, Lee argues. Given that Microsoft&#8217;s threat intelligence is some of the best in the world, analysts and customers across the industry will have to actually revise their databases\u2014and even some of their products\u2014to match Microsoft&#8217;s new naming scheme, he says. And the revised system now locks in educated guesses about the national loyalties of hackers with no indication of the analysts&#8217; degree of confidence in those assessments, Lee adds.<\/p>\n<\/div>\n<div data-journey-hook=\"client-content\" data-testid=\"BodyWrapper\">\n<p>What if a hacker group thought to be part of a nation\u2019s intelligence agency turns out to be a hacker-for-hire contractor? Or cybercriminals temporarily conscripted to work on behalf of a government? \u201cAssessments change over time,\u201d Lee says. \u201cLike, \u2018We told you it was Dirty Mustard and now it\u2019s Swirling Tempest,\u2019 and you\u2019re like, what the fuck?\u201d (Lee\u2019s own firm, Dragos, admittedly gives hacker groups mineral names that are often confusingly similar to Microsoft\u2019s old system. 
But at least Dragos has never called anyone Gingham Typhoon.)<\/p>\n<p>When I reached out to Microsoft about its new naming scheme, the head of its Threat Intelligence Center, John Lambert, explained the rationale behind the change: Microsoft&#8217;s new names are more distinct, memorable, and searchable. In contrast to Lee&#8217;s point about choosing neutral names, the Microsoft team <em>wanted<\/em> to give customers more context about hackers in the names, Lambert says, immediately identifying their nationality and motive. (Instances that are not yet fully attributed to a known group are given a temporary classifier, he notes.)<\/p>\n<p>Microsoft&#8217;s team was also just running out of elements\u2014there are, after all, only 118 of them. \u201cWe liked weather because it&#8217;s a pervasive force, it&#8217;s disruptive, and there&#8217;s a kindred spirit because the study of weather over time involves improvement in sensors, data, and analysis,\u201d says Lambert. \u201cThat&#8217;s cybersecurity defenders&#8217; world, too.\u201d As for the adjectives preceding those meteorological terms\u2014often the real source of the names&#8217; inadvertent comedy\u2014they&#8217;re chosen by analysts from a long list of words. Sometimes they have a semantic or phonetic connection to the hacker group, and sometimes they&#8217;re random. \u201cThere\u2019s some origin story to each one,\u201d Lambert says, \u201cor it could just be a name out of a hat.\u201d<\/p>\n<p>There&#8217;s a certain, stubborn logic behind the cybersecurity industry&#8217;s ever-growing sprawl of hacker group handles. When a threat intelligence firm finds evidence of a new team of network intruders, they can&#8217;t be sure they&#8217;re seeing the same group that another company has already spotted and labeled, even if they do see familiar malware, victims, and command-and-control infrastructure between the two groups. 
If your competitor isn&#8217;t sharing everything they see, it&#8217;s better to make no assumptions and track the new hackers under your own name. So Sandworm becomes Telebots, and Voodoo Bear, and Hades, and Iron Viking, and Electrum, and\u2014<em>sigh<\/em>\u2014Seashell Blizzard, as every company&#8217;s analysts get a different glimpse of the group&#8217;s anatomy.<\/p>\n<p>But, sprawl aside, did these names have to be quite so on-their-face ridiculous? To some degree, it may be wise to give names to hacker gangs that rob them of their malevolent glamour. Members of the Russian ransomware group EvilCorp, for instance, are not likely to be happy with Microsoft&#8217;s rebranding them as Manatee Tempest. On the other hand, is it really appropriate to label a group of Iranian hackers that seeks to penetrate crucial elements of US civilian infrastructure Mint Sandstorm, as if they&#8217;re an exotic flavor of air freshener? (The older name given to them by Crowdstrike, Charming Kitten, is certainly not any better.) 
Did the Israeli hacker-for-hire mercenaries known as Candiru, who have sold their services to <a href=\"https:\/\/www.washingtonpost.com\/nation\/2021\/07\/15\/private-israeli-firm-has-helped-governments-hack-journalists-human-rights-advocates\/\">governments targeting journalists and human rights activists<\/a>, really need to be renamed Caramel Tsunami, a brand befitting a Dunkin\u2019 beverage, and one that&#8217;s already taken by a <a data-offer-url=\"https:\/\/www.allbud.com\/products\/krafted-strains-2\/flower\/6101407\/caramel-tsunami-tsunami-seeds-co\" href=\"https:\/\/www.allbud.com\/products\/krafted-strains-2\/flower\/6101407\/caramel-tsunami-tsunami-seeds-co\" rel=\"nofollow noopener\" target=\"_blank\">strain of cannabis<\/a>?<\/p>\n<\/div>\n<div data-journey-hook=\"client-content\" data-testid=\"BodyWrapper\">\n<p>Kevin Mandia, one of the original hacker hunters and the founder and CEO of the cybersecurity firm Mandiant, captured this problem in a <a href=\"https:\/\/www.c-span.org\/video\/?446332-2\/cybersecurity-intelligence-forum-part-1&#038;event=446332&#038;playEvent\">speech at the Cybersecurity Threat Intelligence Summit in 2018<\/a>. \u201cI\u2019ve always wondered, how do you get into a boardroom and say, \u2018Sir, I know you\u2019re breached. You\u2019re in the headlines. And you were hacked by Fluffy Snuggle Duck,\u2019\u201d Mandia said. \u201cIt just doesn\u2019t work.\u201d<\/p>\n<p>Mandia concedes today that in the five years since his Fluffy Snuggle Duck comment, he&#8217;s become more inured to the silly hacker group names. \u201cI don&#8217;t care what they&#8217;re called, I just want to make sure we have the catalog right. Do we have the fingerprints for them, do we have defenses for them?\u201d he says.<\/p>\n<p>In our interview, though, he still seemed to be genuinely tripped up by the labeling scheme of his competitor Crowdstrike, which names hackers after different animals based on their nationality. 
\u201cBear is Russia \u2026 or is it?\u201d Mandia pondered out loud. \u201cPanda is China. But that\u2019s a bear. I\u2019m confused already.\u201d<\/p>\n<p>Mandia and Lee both dream of a day when a government body\u2014say, the US National Institute of Standards and Technology\u2014comes up with a hacker group naming convention that can be adopted across the industry. But they both also say that companies would never stick to it. Marketing aside, the fog of war in cybersecurity research means analysts at different companies will never be sure they&#8217;re looking at the same entities\u2014unless they all agree to openly share every scrap of their closely guarded intelligence.<\/p>\n<p>Until then, well, just watch out for Periwinkle Tempest. Last year, Periwinkle Tempest launched <a href=\"https:\/\/www.wired.com\/story\/costa-rica-ransomware-conti\/\">crippling ransomware attacks across the entire nation of Costa Rica<\/a>, leading the country&#8217;s government to declare a national emergency. Periwinkle Tempest are <a href=\"https:\/\/www.wired.com\/story\/most-dangerous-people-on-the-internet-2022\/\">some of the most dangerous hackers in the world<\/a>. Periwinkle Tempest. Seriously.<\/p>\n<\/div>\n<\/div>\n<p><a href=\"https:\/\/www.wired.com\/story\/hacker-naming-schemes-spandex-tempest\/\" class=\"button purchase\" rel=\"nofollow noopener\" target=\"_blank\">Read More<\/a><br \/>\n Andy Greenberg<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hackers\u2014particularly state-sponsored ones focused on espionage and cyberwar, and organized cybercriminals exploiting networks worldwide for profit\u2014are not pets. 
They wreck businesses, sow chaos, disrupt critical infrastructure, support some of the world&#8217;s most harmful militaries and dictatorships, and help those governments spy on and oppress innocent people worldwide.So why, when I write about these organized hacker<\/p>\n","protected":false},"author":1,"featured_media":640588,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1222,1507,46],"tags":[],"class_list":{"0":"post-640587","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-group","8":"category-hacker","9":"category-technology"},"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts\/640587","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/comments?post=640587"}],"version-history":[{"count":0,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts\/640587\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/media\/640588"}],"wp:attachment":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/media?parent=640587"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/categories?post=640587"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/tags?post=640587"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}