The cyberthreat name game: Good or bad?

By Taylor Armerding. Published in Nerd For Tech, Mar 22, 2021 (8 min read).


What’s in a name?

As we all know, that iconic Shakespearean question applies to way more than an Elizabethan-era family feud intruding on adolescent romance.

It has, for generations, applied to everything from diseases to galaxies, insects, musical groups, teams, commercial products, and more. Sometimes things are named for a famous person (Lou Gehrig), a place (Lyme), a classic myth (Andromeda), the founder of an enterprise (Ford), an historic gold rush (49ers) or perhaps the major industry in a company town (Packers, Brewers).

But it also applies now — at least in some cases — to the weapons and vulnerabilities in the online war between malicious hackers and those trying to defeat them.

While thousands of software vulnerabilities or design flaws in digital products are identified through the Common Vulnerabilities and Exposures (CVE) numbering system, as in CVE-2020-26154, some of them also get names.

And no surprise, those that do get much more fame, or notoriety, as a result.

The Heartbleed vulnerability (also identified as CVE-2014-0160, but who the heck remembers that?) is a bug in the OpenSSL cryptography library used to secure millions of servers and protect the confidentiality of email, e-commerce, online banking and other properties, in many cases for multi-billion-dollar companies.

The vulnerability, publicly disclosed in April 2014 (the flawed code had shipped in OpenSSL in 2012), let an attacker send a malformed TLS heartbeat request and read up to 64 KB of the server's memory per request, because the code never checked that the payload length the sender claimed matched the number of bytes that actually arrived. That memory could hold whatever the process had recently touched: private keys, session cookies, passwords. Goodbye confidentiality. It bled private and personal data, causing a predictable global panic.
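Here is what that missing check looks like in practice, as an added illustration that is not code from this article or from OpenSSL: a small C model of a heartbeat handler with and without the length check, run against a constructed request that claims a 120-byte payload while actually sending four bytes. The record layout follows RFC 6520; the "connection memory", the secret placed behind the record, and all function names are constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not OpenSSL code: a model of a TLS heartbeat handler
 * (RFC 6520 layout: type(1) | payload_length(2, big-endian) | payload | padding >= 16)
 * with and without the bounds check that CVE-2014-0160 was missing. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HDR      3     /* type byte + 2-byte payload length */
#define HB_PADDING  16    /* minimum padding the protocol requires */

/* Constructed "connection memory": the inbound record occupies the first
 * RECORD_LEN bytes, and data that must never leave the server (a stand-in for
 * keys, cookies and passwords) sits right behind it, as it might on the heap. */
#define RECORD_LEN 64
static const char SECRET[] = "session=4f3a9c1e; PRIVATE KEY MATERIAL";  /* constructed */
static unsigned char conn_mem[RECORD_LEN + sizeof(SECRET) + 64];

/* Shared response builder: echoes `payload` bytes from rec+HB_HDR, then pads. */
static int hb_respond(const unsigned char *rec, uint16_t payload,
                      unsigned char *out, size_t out_cap)
{
    size_t need = HB_HDR + payload + HB_PADDING;
    if (need > out_cap) return -1;                 /* the output side is always checked */
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + HB_HDR, rec + HB_HDR, payload);   /* copies whatever lies after the header */
    memset(out + HB_HDR + payload, 0, HB_PADDING);
    return (int)need;
}

/* Vulnerable: trusts the sender's payload length and never asks how many
 * bytes actually arrived, so the memcpy above reads past the real payload. */
static int hb_vulnerable(const unsigned char *rec, size_t rec_len,
                         unsigned char *out, size_t out_cap)
{
    (void)rec_len;                                 /* the bug: never consulted */
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    return hb_respond(rec, payload, out, out_cap);
}

/* Fixed: header + claimed payload + minimum padding must fit inside the bytes
 * that were actually received, which is the check OpenSSL 1.0.1g added. */
static int hb_fixed(const unsigned char *rec, size_t rec_len,
                    unsigned char *out, size_t out_cap)
{
    if (rec_len < (size_t)(HB_HDR + HB_PADDING)) return -1;  /* cannot hold a header */
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)HB_HDR + payload + HB_PADDING > rec_len) return -1;  /* the missing check */
    return hb_respond(rec, payload, out, out_cap);
}

/* Build a request carrying a 4-byte payload that claims to be `claimed` bytes
 * long. Returns the number of bytes that really arrived on the wire (23). */
static size_t build_record(unsigned char *rec, uint16_t claimed)
{
    memset(rec, 0, RECORD_LEN);
    rec[0] = HB_REQUEST;
    rec[1] = (unsigned char)(claimed >> 8);
    rec[2] = (unsigned char)(claimed & 0xff);
    memcpy(rec + HB_HDR, "ping", 4);
    return HB_HDR + 4 + HB_PADDING;
}

/* Does the response contain the secret stored behind the record? */
static int leaks_secret(const unsigned char *resp, int resp_len)
{
    size_t n = strlen(SECRET);
    if (resp_len < 0) return 0;
    for (size_t i = 0; i + n <= (size_t)resp_len; i++)
        if (memcmp(resp + i, SECRET, n) == 0) return 1;
    return 0;
}

/* Malicious request through both handlers: 1 if only the vulnerable one leaks. */
int heartbleed_demo(void)
{
    unsigned char resp[256];
    memcpy(conn_mem + RECORD_LEN, SECRET, sizeof(SECRET));
    size_t arrived = build_record(conn_mem, 120);  /* claims 120 bytes, sends 4 */
    int vlen = hb_vulnerable(conn_mem, arrived, resp, sizeof resp);
    int leaked = leaks_secret(resp, vlen);
    int flen = hb_fixed(conn_mem, arrived, resp, sizeof resp);
    printf("vulnerable handler: %d-byte response, leaks secret: %s\n", vlen, leaked ? "yes" : "no");
    printf("fixed handler:      %s\n", flen < 0 ? "request rejected" : "responded");
    return leaked && flen < 0;
}

/* Honest request through the fixed handler: 1 if it is accepted and echoed intact. */
int heartbeat_legit_ok(void)
{
    unsigned char resp[64];
    size_t arrived = build_record(conn_mem, 4);    /* claims 4 bytes, sends 4 */
    int flen = hb_fixed(conn_mem, arrived, resp, sizeof resp);
    return flen == 23 && memcmp(resp + HB_HDR, "ping", 4) == 0;
}

int main(void) { return heartbleed_demo() && heartbeat_legit_ok() ? 0 : 1; }
```

The vulnerable handler answers with 139 bytes, 38 of which are the secret that happened to sit behind the record; the fixed handler refuses the same request outright, while a well-formed request still gets its four bytes echoed back. The detection-side check is the mirror image of the fix: a heartbeat whose declared payload length exceeds the TLS record it arrived in is malformed by definition, which is what the network signatures written for Heartbleed keyed on.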

But it was also a marketing juggernaut. It may be the most famous software bug ever because it got an iconic, bleeding heart logo, courtesy of Codenomicon, which also bought the domain Heartbleed.com. There were T-shirts. There were hats. There were toenails painted with the Heartbleed logo — I saw the picture. Heartbleed wasn’t a crime, but it enabled crime and probably, for a while at least, became almost as famous as Bonnie and Clyde.

Lots of branding

But Heartbleed has lots of “brand” competitors. There are hundreds of others.

A Cyberint blog post in 2017 said that after the “success” of Heartbleed, “vulnerabilities are branded with succinct names that try to explain how they work.”

Well, sometimes. There were Spectre and Meltdown, two families of flaws in the way modern CPUs speculatively execute instructions before they know whether those instructions should run. They took the cybersecurity world by storm in January 2018 after they were disclosed by Google’s Project Zero together with several academic research teams.

And the names were somewhat connected to what they did or how they worked. Spectre takes its name from speculative execution, the root cause, and from the expectation that it would “haunt” the digital world for years: the flaw lives in the silicon, so operating-system and microcode mitigations can only work around it, often at a performance cost, until redesigned chips ship, which takes years. Meltdown got its name because it “melts” the boundary between user programs and the operating system kernel that the hardware is supposed to enforce.

But the connections between the name and how an attack works are sometimes more than a bit tenuous. As Leigh Metcalf, writing in Carnegie Mellon Insights in October 2020 put it, “not every named vulnerability is a severe vulnerability despite what some researchers want you to think. Sensational names are often the tool of the discoverers to create more visibility for their work.”

Some of the more famous, in no particular order of importance or severity:

  • Ryuk: Named after a character in the Japanese manga and anime series Death Note. Ryuk is a bored Shinigami (death bringer) who drops a Death Note, a notebook that allows the user to kill anyone simply by knowing their name and face. The name was applied in 2018 to “one of the nastiest ransomware families ever to plague systems worldwide,” according to Malwarebytes.
  • SamSam: Another ransomware family, discovered in 2016 and, according to the U.K. security firm Sophos, named after the filename of the earliest sample found.
  • Petya: A ransomware family that first appeared in 2016, created by the group operating under the name Janus Cybercrime Solutions. The word is a Bulgarian feminine given name of Slavic origin. It is also a Russian diminutive derived from the masculine given name Pyotr. A 2017 variant that reused Petya’s code was in effect a data wiper disguised as ransomware: its damage could not be reversed even by paying. It became known as NotPetya, and Janus reportedly went to some lengths to deny having created it, even declaring it would attempt to crack it.
  • Stuxnet: This notorious computer worm was used to destroy a significant percentage of the centrifuges in the Iranian nuclear program. It was originally named Rootkit.TmpHider by VirusBlokAda, but Symantec later referred to it as W32.Temphid, and finally changed it again to W32.Stuxnet, derived from a combination of two artifacts in the malware code — .stub and mrxnet.sys. Obviously marketing was not high on the priority list here.
  • Sandworm: The name given in 2014 to the Russian espionage group behind a campaign that year, borrowed from the references to Frank Herbert’s 1965 sci-fi novel “Dune” found in the attackers’ code. The book features worm-like creatures hundreds of meters long.
  • POODLE: No, it’s not a dog that doesn’t shed. It’s an acronym, and the information technology industry LOVES acronyms. It stands for Padding Oracle On Downgraded Legacy Encryption. It was named by the Google security researchers who discovered it in 2014 and warned that an attacker on the network path could force a connection down to the obsolete SSL 3.0 (Secure Sockets Layer — another acronym!) and then, by exploiting how that version handled encryption padding, decrypt pieces of the session such as authentication cookies.

The list goes on — and on. Among some of the more prominent are TeslaCrypt, CryptoLocker, PC Cyborg, Code Red, Slammer, Zeus, MyDoom, ILOVEYOU, Supernova, Silver Sparrow, Dirty Cow, Badlock, and more recently PYSA, and LockerGoga.

Some are cryptic, some amusing, some too technical, some border on boring, but probably all would qualify for the decades-long refrain from humorist Dave Barry who, when confronted with a weird term or expression would declare “… which would be an excellent name for a rock band.”

But of course they aren’t a band, or a joke. Each identifies a vulnerability or an attack that has been exploited or used to commit crimes against innocent people and organizations. Collectively, they have caused, by some estimates, trillions of dollars in damage globally and, when attacks have been aimed at organizations like hospitals, jeopardized the lives and health of people.

So is giving them names, some of which sound like — and are — comic book characters, a good thing?

It depends. As has been demonstrated, it’s an effective way to raise awareness — a name is much easier to remember than a lengthy number.

Or, as Stephen Ward, then senior director of marketing at iSIGHT Partners, told ZDNet in 2014, “Without naming these (cyber attack) teams, it would be impossible for a network defender to keep track of them all.”

But at least in some cases, it can create some confusion. What’s up with a name like NotPetya? Couldn’t everything that isn’t Petya qualify as NotPetya?

Also, earlier this month, Threatpost reported that researchers at Microsoft and FireEye had identified “three new pieces of malware that the companies said are being used in late-stage activity by the (SolarWinds) threat actor (previously called Solarigate by Microsoft and now renamed Nobelium; and called UNC2452 by FireEye). The malware families include a backdoor that’s called GoldMax by Microsoft and called Sunshuttle by FireEye.”

Dueling names? How helpful is that?

According to Ben Read, director of analysis at Mandiant Threat Intelligence (Mandiant is part of FireEye), it’s not about a duel. “Each company comes up with their own names because they know the analytic reasoning and data that went into drawing the lines around a family of malware or a group,” he said.

“Each company can only speak to its own data, so each one gives its own name as there often is not perfect overlap between two different companies’ data and analysis.”

Too many distractions

Still, Paul Roberts, publisher and editor-in-chief of The Security Ledger, worried in a post last fall on Digital Guardian that names of vulnerabilities, malware and attacks could create confusion and “draw attention away from the real problem (or problems) and to the thing that has the name.”

He cited “the latest internet contagion, which everyone has referred to as ‘WannaCry,’ a friendly variation on WanaCryptor, the name of a piece of down market ransomware that was strapped to the rocket ship known as EternalBlue, a highly effective exploit of a vulnerability in Microsoft’s implementation of Server Message Block (SMB), a key networking component of Windows that allows attackers to execute arbitrary code on a target computer.”

“What difference does it make what we call the attack? A lot of difference, actually,” he wrote, contending that both WannaCry and WanaCryptor were lousy attacks poorly implemented, but diverted attention from the “highly versatile and astoundingly effective” EternalBlue, which was among a trove of National Security Agency hacking tools that a group calling itself the Shadow Brokers began leaking in 2016 and published in April 2017. The SMBv1 flaw EternalBlue exploits (CVE-2017-0144) had already been patched by Microsoft in bulletin MS17-010 in March 2017, two months before WannaCry spread; every machine it hit was one that had not applied the fix.

Giving a less severe problem that much exposure, he contended, diverts attention from “the endemic problems, like the difficulty that most companies have keeping their software up to date or blocking external access to sensitive services like SMB [server message block].”

Tim Mackey, principal security strategist within the Synopsys Cybersecurity Research Center, doesn’t think naming malware, vulnerabilities or attacks has much constructive use at all.

“Can we please not have marketing names for cyberthreats?” he said. “We don’t need Dirty Cow mugs, WannaCry t-shirts, or Silver Sparrow hoodies — cute as they might be. If your team is going to put their cybersecurity attention into something because it’s Instagram famous, then you really need to be looking at your security processes.”

Publicity about a threat usually comes after it’s already done major damage anyway, he added. “If your team prioritized their triage efforts or response to a cyber security event being in the news, then your team isn’t keeping up,” he said. “Any vulnerability making the evening news has already claimed a bunch of victims, and a sexier name than CVE-2017-5482 won’t change that overly much.”

But Mackey acknowledges that malware families and threat actors, the groups labeled advanced persistent threats, don’t have a standardized naming system the way vulnerabilities have CVE.

“So for them we unfortunately have vendor-specific naming conventions,” he said. “This does tend to lend itself to the vendor creating a sexy name for a high-impact threat their teams discover. Think of it like cybersecurity marketing — a high-impact, sexy brand name for a threat makes for good PR, even if it is ultimately rather silly.”

Sammy Migues, principal scientist with the Synopsys Software Integrity Group, isn’t impressed with the cyberthreat name game either, but said the important thing is that the industry is “being more careful about not giving notoriety to the attackers whenever possible. So we never call anything ‘Bob’s Attack’ because it’s obvious that’s what the attacker wanted us to call it, because they may have already set up websites or other attacks based on that.”

And what about when one threat has more than one name? Migues said “the court of public opinion” could decide which one prevails.

But for good or ill, the name game overall is here to stay. “I don’t think it’ll stop anytime soon,” he said.

You could even call it an advancing persistent threat.

I’m a security advocate at the Synopsys Software Integrity Group. I write mainly about software security, data security and privacy.