Profiling modern hackers: Hacktivists, criminals, and cyber spies
by Corey Nachreiner - Director of Security Strategy at WatchGuard - Thursday, 30 May 2013.
These criminal attackers participate in a rich underground economy, where they buy, sell and trade attack toolkits, zero-day exploit code, botnet services, and much more. They also buy and sell the private information and intellectual property they steal from victims. Lately, they’re focusing on web exploit kits, such as Blackhole, Phoenix, and Nuclear Pack, which they use to automate and simplify drive-by download attacks.

Their targets vary from small businesses and consumers, whom they attack opportunistically, to large enterprises and industry verticals, whom they target with specific goals in mind. In a recent attack on the banking and credit card industry, a very organized group of cyber criminals was able to steal 45 million dollars globally from ATMs, in a highly synchronized fashion. The attack was made possible by an initial, targeted network breach against a few banks and a payment processor company.

3. Nation states (or state-sponsored attackers)

The newest, and most concerning, threat actors are the state-sponsored cyber attackers. These are government-funded and government-guided attackers, ordered to launch operations ranging from cyber espionage to intellectual property theft. These attackers have the biggest bankroll, and thus can afford to hire the best talent to create the most advanced, nefarious, and stealthy threats.

Nation state actors first appeared in the public eye during a few key cyber security incidents around 2010, including:

  • The Operation Aurora attack, where allegedly Chinese attackers gained access to Google and many other big companies, and supposedly stole intellectual property, as well as sensitive US government surveillance information.

  • The Stuxnet incident, where a nation state (likely the US) launched an extremely advanced, sneaky, and targeted piece of malware that not only hid on traditional computers for years, but also infected programmable logic controllers (PLCs) used in centrifuges. The attack was designed to damage Iran’s nuclear enrichment capabilities.

Unlike the other hacker groups’ tools, state-sponsored attackers create very customized and advanced attack code. Their attacks often incorporate previously undiscovered software vulnerabilities, called zero-days, for which no fix or patch exists. They often build the most advanced attack and evasion techniques into their attacks, using kernel-level rootkits, steganography, and encryption to make it very difficult for you to discover their malware. They have even been known to carry out multiple attacks to reach their ultimate target. For instance, they might attack a software company to steal a legitimate digital certificate, and then use that certificate to sign their malware, making it seem to come from a sanctioned provider. These advanced attacks are what gave rise to the new industry term, advanced persistent threat (APT).

While you’d expect nation state attackers to have very specific targets, such as government entities, critical infrastructure, and Fortune 500 enterprises, they still pose some threat to average organizations as well. For instance, sometimes these military attackers target smaller organizations as a stepping-stone for a bigger attack. Furthermore, now that these advanced attacks and malware samples have started to leak to the public, normal criminal hackers have begun to adopt the advanced techniques, upping the level of traditional malware as well.

Understanding the motives, capabilities, and tools of these three hacker profiles gives you a better idea of what types of targets, resources, and data each one is after. This knowledge should help you tailor your defenses to the types of attacker you think are most relevant to the business or organization you protect.

Now that you know a little about your enemy, you can focus on getting to know yourself, and match your defenses to your most likely enemy. Once you’ve done that, you will not be imperiled in a hundred cyber battles.
