This post is the second in a blog series describing adversaries and their motivations. In part two of the series, we’ll explore the following top-level actor motivations: Cyber Espionage, Cyber Crime, and Cyber Hacktivism.
Adversary Operational Maturity, Targeting, and Key Roles
Before we start, there are some additional concepts that add context to exploring malicious actor motivations:
- Operational Maturity: A gauge of the effectiveness and efficiency of a malicious actor
- Targeting: How an attacker goes about selecting targets
- Key Roles: The expertise required to conduct an attack operation, from inception to meeting objectives
Not all malicious actors pose equal threats. Factors that influence operational maturity of an attacker include:
- Expertise: Ability to successfully conduct operations
- Tradecraft: How well an attacker evades detection and attribution throughout the lifecycle of an attack
- Resources: Level of commitment and persistence in launching attack campaigns
Additionally, advanced malicious actors across all motivations have successfully adopted tried-and-true techniques, generalized into repeatable and scalable operations. This facilitates broader targeting with minimized adversarial overhead.
Attacks executed by malicious actors can be broken out into two categories:
- Indiscriminate: The actor seeks to maximize gains through quantity (i.e., attacking as many entities as possible, leveraging rules of probability to fulfill objectives). Examples include general distribution spam e-mail attacks, drive-by downloads, and exploitation enabled by widely available vulnerability scanners.
- Targeted: The actor seeks to maximize gains through quality (i.e., selecting targets most likely to yield desired results to fulfill objectives). Examples include spear phishing, watering hole attacks/strategic web compromises (SWCs), and direct exploitation by advanced actors.
Most motivations lean further into one of these camps than the other; however, in the course of operations, any actor may leverage both methods to meet their objectives.
Successful adversary operations typically rely on one or more key roles that are shared across all top-level motivations:
- Sponsors: Ensure adequate resources (e.g., funds, head count, training) are available to support adversarial operations.
- Brokers: Facilitate interaction between buyers and sellers for products (e.g., software, information) and services (e.g., development, exploitation).
- Malware developers: Develop, buy, and/or sell malware and their corresponding delivery mechanisms.
- Exploit developers: Develop, buy, and/or sell exploitation techniques against vulnerable target platforms.
- Controllers: Coordinate different operational campaigns to achieve adversarial objectives.
- Attack operators: Execute attack campaigns specified by Controllers, to include arranging for infrastructure and directly conducting attacks and exploitation.
- Back office support: Perform pre and post exploitation processing (e.g., research, aggregation, analysis, and staging) towards culmination of success criteria for campaign objectives.
In some scenarios, requisite roles are embodied in a single individual, but for more mature and advanced operations there are often a number of people specializing in distinct roles.
These are just things to keep in mind as we begin exploring each malicious actor motivation in greater depth.
Cyber Espionage includes patient, persistent, and often creative Computer Network Exploitation (CNE) for strategic economic, political, and/or military advantage.
Actors operating under this motivation are the digital equivalents of the oft-romanticized spies sent to physically infiltrate and conduct collection operations within countries and organizations of interest. The Cyber Espionage motivation can be broken out into two categories:
- Nation-state: Nation-state cyber espionage encompasses CNE activities sponsored by the government and/or military of a country to fulfill intelligence collection requirements as prioritized by that nation-state.
- Corporate: Corporate cyber espionage focuses on unfair competitive advantage within an industry.
The concept of an Advanced Persistent Threat (APT) describes an attacker aligned with the Cyber Espionage motivation, and historically was synonymous with nation-state actors. The term APT encodes who is behind an attack and why, versus the what, when, or how. Given the fuzziness of establishing high-level actor motivations due to shared Tactics, Techniques, and Procedures (TTPs) and tools, the modern APT can be defined as any actor engaged in longer term espionage-oriented CNE against one or more focal targets.
Collected information can benefit entities conducting espionage operations in various ways, including:
- Unfair competitive insight: Adversaries conducting CNE against nation-states and corporations can benefit from detailed views into the strengths and weaknesses of existing capabilities and offerings, as well as visibility into the strategic roadmap for future efforts. For nation-state sponsored activity, gleaned information complements other intelligence gathering methods, including traditional physical infiltration by human spies and monitoring of additional communications mediums. Unlike the legal practice of business competitive intelligence gathering, corporate espionage enables unfair competitive advantages for market positioning through illegal means.
- Boosts to innovation: As a secondary benefit of unfair competitive insight, theft of intellectual capital (i.e., products, services, expertise) can benefit the receiving entity by considerably reducing Research and Development (R&D) costs and allowing for innovative leapfrogging through derivative adaptations or extensions. This information can be used to replicate strengths, exploit weaknesses, and develop counter-strategies for competitive roadmaps.
- Leverage in negotiations: Access to protected insider information can influence political and organizational negotiations. Examples of this include exploiting the delicate play in terms and concessions regarding military activity based on gleaned knowledge, gaming financial markets using captured non-public information, or determining the ideal bid for organizational acquisitions or work contracts through prior knowledge of competing bids or key bid evaluation factors.
- Progressive targeting: Operations may identify platforms, business units, and/or individuals against which subsequent, progressive attack campaigns can be launched. In some cases, progressive targeting may identify personnel for coercion, leading to insider threats within organizations.
Additional Context for this Motivation
While there are considerable overlaps in TTPs and tools, nation-state and corporate CNE espionage-oriented operations differ in terms of targeting, scale, and extent of benefit. Nation-state sponsored CNE entails global campaigns across multiple industries, with a number of longer-term impacts, which can easily extend out for several decades and be difficult to quantify in terms of damage. Most corporate sponsored CNE includes nearer-term objectives, where damage is usually easier to quantify for a singular, competitive industry or company.
Most APTs are well resourced (i.e., funding, head count), leverage established infrastructure (whether purchased or compromised/subverted), and can be categorized as moderate to high sophistication in terms of capabilities and tradecraft. The term APT is a bit of a misnomer, as most attackers under this motivation do not employ “advanced” capabilities. Instead, they often only apply sufficient resources as required to achieve their objectives. In most attacks, a combination of social engineering and clever delivery of simple malicious payloads continues to serve adversaries well. Zero day exploits and advanced attack tools are typically held in reserve to minimize their exposure and potential detection, and only brought into play for high value strategic or tactical targets.
Some examples of Cyber Espionage activity follow:
- Operation Lotus Blossom: A New Nation-State Cyberthreat?
- APT Group UPS Targets US Government with Hacking Team Flash Exploit
- Musical Chairs: Multi-Year Campaign Involving New Variant of Gh0st Malware
Cyber Crime is an extension of traditional criminal activity, focused on the theft of personal and account information and/or establishment of leverage over a target to achieve illicit monetary gains.
The Cyber Crime motivation includes a wide range of actor sub-types, each enabling some form of fraud and theft to be carried out. Media coverage of cybercrime activity often cultivates an image of incidents such as major data breaches being associated with traditional organized crime. While it is true that there are a number of highly organized and skilled international cybercriminal groups, the availability of open source tools and respective online tutorials has lowered the cost of entry for aspiring cybercriminals as well. Still, successfully converting stolen information into sought-after payouts and avoiding attribution (and jail time) require a number of scheme-related roles and refined tradecraft.
Actors operating under this motivation focus on direct or progressive monetary gains across various criminal scheme types:
- Digital robbery: Whether through a banking trojan or a data breach of financial or payment card account information, cybercrime actors seek this information to siphon and sometimes completely exhaust victim accounts. This attack scheme applies equally to businesses and individuals, with some advanced actors aiming for the larger payouts of attacking financial institutions directly.
- Exploitation of PII: Clearinghouses, processors, or even individuals managing personally identifiable information (PII) present ideal targets for cybercriminals. This information consists of established commodities typically used directly (i.e., identity theft) or sold in the criminal underground towards financial gain. Both alternatives can lead to progressive attacks leveraging key pieces of that information towards higher yield gains for one or more malicious actors.
- Extortion: This type of scheme encompasses holding data for ransom, either towards restoring it for its rightful owner (e.g., ransomware such as CryptoWall) or potentially threatening to expose sensitive information to the public or other unauthorized parties unless demands are met. This is another area where Cyber Crime mirrors Cyber Espionage benefits: depending on the sensitivity of stolen information, there also remains a probability of victim coercion towards progressive attacks in support of an adversary’s ultimate objectives.
Additional Context for this Motivation
Similar to the Cyber Espionage motivation, attacks executed by Cyber Crime actors tend towards not-so-advanced methods, relying on social engineering and simple malware. The bulk of indiscriminate cybercrime attacks relies on social engineering to either trick someone into sharing sensitive information or executing malicious code on their device. Advanced actors operating under the Cyber Crime motivation are similar to Cyber Espionage operators in terms of higher degrees of targeting, resources, and tradecraft. This is not a coincidence, as there is a significant overlap between espionage and criminal activities for a number of malicious actors, to include TTPs and tools employed.
Surprisingly, variants on financial and PII theft scams that play on the greed and/or sympathy of targets remain viable for cybercriminals to collect funds from “willing” victims. Whether it comes down to claiming a windfall inheritance from a distant relative, assisting someone with liberating major funds in a foreign bank account, or helping out a new virtual acquaintance made online with a financial bind, the probability of success for such schemes keeps them in circulation.
Some examples of Cyber Crime activity follow:
- 419 Evolution
- Dridex is Back and Targeting the UK
- CryptoWall 3, The Cyber Threat Alliance and the Future of Information Sharing
Cyber Hacktivism entails activist cyber attacks that seek to influence opinion and/or reputation for specific organizations, affiliations, or causes.
The broader concept of activism encompasses both legal and illegal activities. Actors operating under the Cyber Hacktivism motivation are activists using that medium to express themselves in the latter fashion. These actors are first and foremost individuals who share a common belief or cause. In some cases, they can operate independently; in others, they may cultivate affiliations with collectives or groups.
Due to the often anti-authoritarian leanings of hacktivists, loose collectives, such as Anonymous, are the norm. Such collectives do not employ a formal leadership hierarchy; usually power within the collective gravitates towards contributors with stronger reputation and popularity. More cohesive malicious actor groups under this motivation tend to be aligned with political causes, typically advertising sympathetic or fanatic allegiance to associated governments or parties. Additionally, not all members within collectives or groups are technically proficient; some contribute in other areas such as public relations, analysis of pilfered content, or simply amplifying the impact of attacks that they support using tools provided for that purpose.
The predominant objective of malicious actors under the Cyber Hacktivism motivation is to send a message for or against a cause, which can range across political and moral polarities. The underlying goal of most associated activity is to embarrass, shame, or otherwise negatively impact confidence or trust in an organization that opposes the attacker’s views. Some common attack methods used by hacktivists follow, along with context on respective objectives:
- Denial of Service (DoS): DoS remains a favorite for hacktivists because it doesn’t require sophisticated skills or tools. Often, it is employed in its distributed form, which maximizes the scale of mounted attacks by leveraging greater numbers of botnet or other attacking assets. The purpose of this type of attack is to disrupt operations of a target, whether strictly messaging available on websites or services exposed to users (e.g., e-mail, web portals, processing platforms). Anti-DoS service offerings have thrived due to the increasing popularity of this style of attack.
- Release of sensitive information: This attack method, also referred to as doxing or doxxing, involves gaining unauthorized access to a target’s owned or entrusted sensitive information and releasing it to the public. This activity has a number of potential impacts, such as causing revenue loss due to disruption of e-commerce or other transactional services core to an organization’s business, degrading public confidence and trust in the target, and exposing embarrassing and potentially illegal aspects of the target.
- Website and social media defacement: Ubiquitous web presence through websites and social media platforms makes them a hot target for adversaries. Government, military, businesses, organizations, and individuals use these platforms to advertise services, share views, and otherwise support certain initiatives or causes. Targeted disruption of these platforms is one end objective of this attack method; however, for indiscriminate attackers, compromise of any vulnerable platform to spread their message is acceptable.
Additional Context for this Motivation
The difference between Cyber Hacktivism and other top-level malicious actor motivations is that their anticipated payout is measured in the currencies of guided public perception and satisfaction in having dealt a blow to contrary causes. In cases where purportedly hacktivist activities shift to seeking compensation of any sort, this motivation shifts from Cyber Hacktivism to another, accordingly.
The broad set of tactical options open to hacktivists makes defending against them especially challenging. They only need to affect public perception on an incident to send their message, versus confirming quantified damage (typically easier to establish for other malicious actor motivations, such as Cyber Crime and Cyber Espionage). Actors under this motivation mostly use open source or widely available tools and tend to exploit well-known (i.e., usually patched) vulnerabilities.
Given the globally distributed qualifier of a DDoS attack, the range of technical/tradecraft proficiency for attackers using respective tools and botnets can make tracing incidents back to individuals challenging. Often, attackers with weaker technical and tradecraft proficiencies are more easily attributed and face criminal charges. Attackers stronger in those areas tend to evade attribution and indictments.
Some examples of Cyber Hacktivism activity follow:
- Anonymous’s KKK ‘leak” targets the elusive online world of white nationalism
- Syrian Electronic Army Claims Responsibility For Hacking U.S. Army Website
- Cyber Berkut Graduates From DDoS Stunts to Purveyor of Cyber Attack Tools
Coming Up. . .
The next blog for this series will take a closer look at the three remaining top-level malicious actor motivations: Cyber War, Cyber Terrorism, and Cyber Mischief.