Cyber Cops Have a Problem: Cutesy Hacker Code Names
BY ANGUS LOTEN
Security experts divide over monikers like Lucky Mouse; ‘We’re not naming Care Bears’
When Dutch intelligence services blamed a massive data breach at the Netherlands national police corps on a cabal of Russian-backed hackers, they identified their attacker as Laundry Bear.
Chalk up another indignity for Ira Winkler.
“I hate these cutesy names,” said the chief information security officer at cybersecurity firm CYE Security and a former intelligence analyst at the National Security Agency. “We’re not playing a kid’s game here. We’re not naming Care Bears.”
Because of a quirk of the cybersecurity industry, the world’s most dangerous hackers are getting increasingly cartoonish code names. Laundry Bear joined a team of supervillains that also included Vengeful Kitten, Lucky Mouse and Chatty Spider.
While some security chiefs have come to embrace the taxonomy—saying dorky names are easier to remember than random numbers and letters—others have had enough.
They say the practice minimizes and even undermines their work. Try convincing a group of corporate bigwigs of the real-world dangers posed by Charming Kitten or Vixen Panda.
“If the actor’s name is Gingersnap, most board members aren’t going to find that group terribly nefarious,” said Ferhat Dikbiyik, chief research and intelligence officer at Black Kite, a Boston-based cybersecurity firm.
Cuddly monikers have proliferated because competing security services identify and name cybercriminals independently, so many attackers end up with multiple public identities. The cluttered landscape has created incentives for firms to come up with ever more attention-grabbing monikers, at least some of which are meant to double as a form of marketing, industry experts say.
In an online post last week, two former leaders of government cybersecurity agencies in the U.S. and U.K. called on the industry to stop “naming these groups in ways that mystify, glamorize or sanitize their nefarious activities.”
Adam Meyers, senior vice president of counter adversary operations at CrowdStrike, said memorable attack names play a crucial role in delineating different cybercriminals’ techniques and strategies. Focusing too much on their silliness misses the point, he said. Meyers takes credit for coining “Fancy Bear” for a Russian-linked cyberattack after a morning run listening to Iggy Azalea’s song “Fancy.” He said he initially pitched “Iggy Bear” and thought better of it.
“Names matter,” said Vasu Jakkal, corporate vice president of Microsoft Security. “They help defenders decode the threat landscape and act fast,” Jakkal said, adding that Microsoft’s threat actor taxonomy is shaped by 84 trillion daily signals.
Microsoft and CrowdStrike, two of the industry’s biggest threat detectors, earlier this month released a cross-referencing guide linking different industry names for the same hackers. According to the guide, Crimson Sandstorm, a hacking group Microsoft links to Iran, is also known as Curium, Imperial Kitten, Tortoise Shell, Houseblend, and TA456.
Likewise, the China-linked Heart Typhoon group also does business as Helium, Aurora Panda, APT-17, Hidden Lynx, Red Typhoon, Koas, Sports-Fans, DeputyDog and Tailgater.
“I would never mention those names with executives or in a board meeting,” said Rinki Sethi, who has held top cyber roles at Twitter, Walmart, eBay and payments company BILL, among others. “I would talk about what it is or what it does instead,” she said.
Heath Renfrow, chief information security officer and co-founder at Fenix24, a cyber disaster recovery service, said he’s seen firsthand how fanciful hacker names have derailed efforts to communicate the gravity of a threat to executives or corporate boards during a crisis.
During a “high-severity” ransomware attack last year, Renfrow said, he briefed directors on an attacker known as Velvet Ant. A board member laughed and asked if the company was being attacked by a fragrance or an insect, he said: “We had to spend extra time refocusing the conversation.”
The stakes are high. Data breaches and ransomware attacks—in which hackers demand huge sums to return or unlock a company’s data—can cost millions of dollars, cause irreparable damage to a brand and trigger class action lawsuits. Worse, nation-state attackers can cause life-threatening disruptions to hospitals, transportation hubs, ports and other systems.
“Names like Vengeful Kitten or Laundry Bear don’t reflect the reality of fighting organized, sophisticated adversaries who are causing significant financial loss, disruption and even psychological harm to victims,” said Luigi Lenguito, chief executive at cybersecurity firm BforeAI. Lenguito said he would “strongly prefer” more sober, technical or professional designations like Storm-0216 or Dev-0322.
Trey Ford, chief information security officer at Bugcrowd, a San Francisco-based cybersecurity firm, said action-figure names put “miscreants and well-funded adversaries on a pedestal.”
Some say it doesn’t help that CrowdStrike sells adversary figurines on its website—including a sinister-looking figure named Scattered Spider, a hacking group that has wreaked havoc on the Las Vegas Strip. (CrowdStrike says proceeds from the figurines are donated to charity.) At a private industry party last year, Microsoft served cocktails named after threat actors, including a Sangria Tempest and a Mint Sandstorm, according to attendees.
But not all security chiefs are ready to abandon whimsical hacker names.
“I’m in favor of the fun names,” said angel investor Timothy Youngblood, a former chief information security officer at Dell, Kimberly Clark, McDonald’s and T-Mobile. Once an attack pattern is recognized and linked to a colorfully named threat actor, responders know how the attacker operates, said Youngblood, currently CISO-in-residence at Astrix Security: “The quirky names do help people remember who they are dealing with,” he said.
Chad Cragle, chief information security officer at cyber platform Deepwatch, agrees, saying goofy names are memorable and can actually help deal with an attack. “If a name like ‘Strawberry Tempest’ sticks in the minds of my team and instantly brings up known tactics, techniques and procedures, or past incidents, that’s a win,” Cragle said. “Sometimes the absurdity makes it more effective.”

