This is pretty silly. I think they should lean into the silliness even more. Pretty silly is the worst kind of silly. Give them names from D&D or something.
A level 7 gnome warlock with a ring of true sight and the wand of absolute freezing => Russia has hacked payroll and is encrypting your savings.
A level 4 half-orc paladin wielding the singing sword of ix => Iran has created a new chat bot that is data mining the entire world.
Then it will be very silly, a much better kind of silly.
Outside of silly, your proposition also allows one to encode more information into the name. Race could be geographical origin, class can be whether it's state-sponsored or independent, level the "level of danger", and gear the methods used. You can even add an actual name to easily refer to them. But the issue is that in both of your examples the coded descriptions aren't really shorter than the real descriptions. I guess this is the issue: they want names that are a bit descriptive but not a full description, and you gave a full description.
Still, I agree that half silly is the worst (at least to me), it sounds like "corporate-allowed fun" which ruins the point.
At this moment, there are basically three types of comments here.
- No mention of USA?
- This seems like needless redirection.
- Why tho?
Perhaps I’m hopelessly naive but I wonder if they all answer each other.
For business related reasons, Microsoft can’t call out threats of US origin. But obviously the researchers on the ground still care about those attacks very much.
One solution is to create an opaque reference scheme where Typhoon actually means China and Sandstorm actually means Iran.
Then you can sprinkle in new terms that aren’t explicitly defined anywhere. Something can be called Sunshine and, even though it’s not documented anywhere, everyone seems to know what it means.
I would love to be a fly on the wall in Microsoft APT research whenever a particular actor they're looking at shows signs of being US origin. "Whoops, nothing there, Pentagon contracts are safe once more - say, I'm pretty sure the name for that container is actually an obscure reference to an Iranian ice cream brand. Glad we figured out their nationality!".
I'd like to think they write the agency a pleasant letter each time. "Well hey, awkward, but we caught you again. Next time make sure not to name your files after US baseball teams :)"
Does "Snowden leaks" mean anything to you? We know the US wiretapped its allies' heads of state's mobile phones and manipulated Cisco routers en masse. We also know the US infiltrated satellite telcos in Germany and set up an encryption vendor in Switzerland alongside German intelligence, who pulled out after finding out the US was also happily selling the compromised devices to its own European allies. We can also be pretty certain the US was involved in Israeli cyber attacks on Iran.
Equation Group, who operate alongside the creators of Stuxnet and Flame. If you've got the time you should look into the leaks from the Shadow Brokers. There were many cool tools and the messages from TSB were fun to read.
This is exactly the kind of theatrics I expect from the "security" industry. Couldn't just call Russia "Russia", that would be too simple and understandable. Have to make up cool and scary sounding code words and logos like we're in Hollywood's version of the CIA, doing secret missions.
"Nation-state actor" is another hilarious one. For some strange reason everybody in the computer security industry decided to misuse the term (https://www.e-education.psu.edu/geog128/node/534) because... it sounds cool or scary or something. Why? Certainly doesn't signal anything positive about their understanding of geopolitics. If they'd just communicate like normal people then they would be taken more seriously. It all just reeks of snake oil salesman behavior, where words are not used to communicate and create mutual understanding, but to confuse and conjure the appearance of authority and grandiosity.
Wired has their own take on it (https://www.wired.com/story/hacker-naming-schemes-spandex-te...) where they actually interview the team that made this change. The overall scheme was driven by wanting more searchable names (I guess even threat intel needs SEO) but as for how they choose them... it feels like a fun way to personalize. FTA: `“There’s some origin story to each one,” Lambert says, “or it could just be a name out of a hat.”`
Also closes with this banger of a paragraph: "Until then, well, just watch out for Periwinkle Tempest. Last year, Periwinkle Tempest launched crippling ransomware attacks across the entire nation of Costa Rica, leading the country's government to declare a national emergency. Periwinkle Tempest are some of the most dangerous hackers in the world. Periwinkle Tempest. Seriously."
It is even worse when your sites are on the other end of these absurd accusations. "Verified threat incident", because public user data was aggregated? Hope you enjoy a long, accusatory email exchange with a sub-literate employee in their overseas (a Gulf state) based office.
Best you can do is learn to laugh at these people. Don't do it too contemptuously though, they might send your site's data along to their own aggregators. That would cost you an entire domain name.
Basically, Microsoft Threat Intelligence (formerly RiskIQ) crawls the web, sends automated abuse complaints and backs them up with people who cannot even speak English, much less understand the context of their task. For independent publishers, the sword of Damocles is dangling. They can easily have your entire domain flagged and nuked from search. See also: "Google Safe Browsing".
I'm not a fan of using names to convey additional information.
For example, when new information comes to light that attributes the attack to someone different, instead of updating metadata you either have the name remain wrongly attributing it or you change the name and cause a load of confusion.
So instead of saying "we have a self-propagating worm threat from Russia", now you have a load of codenames that, after reading, you need to go to the table to figure out what <<we have a hailstorm with rain conditions on a sunny day>> means.
This seems to be about actors, not tools. If you have two actors from Russia, the first one can be cat blizzard and the other dog blizzard. The only thing encoded in the name is the group/subgroup.
I am disappointed that they've decided not to follow the ideas pursued e.g. under MITRE ATT&CK®. Though, things went awry quite early on with respect to labeling malware.
Surprised to see South Korea and Vietnam in there. Is there a particular cyber-history with Microsoft? (I know the History with Vietnam, I'm asking for specifics.)
I know it's fashionable to hate on Microsoft's customs because of Bill Gates, but I just came here to point out that this is becoming S.O.P. for major infosec vendors. They're all coining names like this. I think it's important to standardize these points of reference when talking about threat actors, who can be quite mysterious to those who don't have the tools or insider knowledge to distinguish them properly.
My highly subjective opinion is that CrowdStrike's naming convention is the best and every other security company should use that for public material but use whatever naming convention they want in private.
I've been in situations where I would find attribution to an actor for something I am looking into but I had no idea $randomvendor was talking about the same actor $anothervendor had quite a bit of concerning write ups on until much later on.
Their convention is pretty common sense. An animal(or mythological creature) associated with an origin/actor and a different adjective to describe the threat.
This is pretty old-school military jargon and is simple enough that the public could get a general idea.
Not sure I agree with the use of spiders or jackals though. Spiders don't quite make sense for financial motivation/greed (unless the reference is purely "web" related). Jackals aren't well known outside of myth to be tricksters. Perhaps these animals make more sense from an ignorant American perspective:
With how Blizzard has been acting in recent years, I got caught there for a good 20 seconds wondering if the company is considered a threat actor, with "Russia" being the nickname...
Aside for actual military security, is there really any good reason for this taxonomy? Doesn't this defeat the purpose of "codenames" if they are public?
This specific theme sounds like it will increase the amount of cumulative errors given how closely related some of these names are.
So it's a blizzard-tempest when it's financially motivated from Russia? That's entertaining. I've said it before... I find the habit of using everyday words for products in this industry really confusing and hurtful to communication.