I think these attackers just use wordlists for the most part. I had an SSH server log tens of thousands of attempts with the username ‘initech’ before I got fail2ban running and turned off password auth. Not sure there are many people out there actually naming user accounts after the company from Office Space.