How Well Do You Understand Your Cyber Adversary? – Part 2


In my previous post, I wrote of my distaste for how loosely the cybersecurity community uses terms like cyber terrorism and cyber crime. There are different motivations driving those who would try to gain unauthorized entry into a corporate network. So let’s take a look at who they are and what drives them to do what they do.


Hacktivists are activists with a unique skill set. By one common definition, an activist is “an especially active, vigorous advocate of a cause, especially a political cause.” Traditional activists, like Martin Luther King, Jr., organize peaceful protests, marches, and the like, to earn attention for their cause. Confrontational activists, like Greenpeace, sometimes break the law to earn that attention, and hacktivists are in this camp. They break the law using traditional hacking techniques to support their cause. Like good activists, good hacktivists have also learned how to manipulate the media to reach a broader audience.

Hacktivists have used a number of methods to support their passion: website defacements, doxxing (the practice of publishing Personally Identifiable Information [PII] and other documents not meant for public consumption) and Distributed Denial of Service (DDoS) attacks.

Sometimes, hacktivist activity can be extremely dangerous to an organization’s business, as was the case with HBGary Federal when hacktivists claiming to be from Anonymous doxxed HBGary’s email server and published the company’s mail on The Pirate Bay. Eventually, the Board of Directors fired the CEO and HBGary went into bankruptcy. Most of the time, however, hacktivist activity is only embarrassing to the target and causes the media to publish stories about the event.

If you are seeking a primer on the hacktivist culture, read Parmy Olson’s We Are Anonymous.

Cyber Espionage

Similar to their hacktivist brethren, cyber spies are spies with a different tool kit. The advent of the Internet has made it much less risky and a lot more lucrative to spy on your competitors, enemies and “frenemies”.

Before the Internet, spy agencies from all governments and evil corporate empires had to invest in highly trained humans and put them at risk trying to deceive other highly trained humans. Death, torture or imprisonment were real possibilities. With the Internet, the risk to humans went down significantly and the volume of material available to steal went up exponentially. Cyber spies don’t normally get captured or killed, and once they manage to infiltrate your network, the amount of valuable data they can steal is staggering.

Cyber spies use a variety of Advanced Persistent Threat (APT) techniques to gain access to networks and remain hidden for long periods of time – hence “persistent” – as compared to the smash-and-grab operations that cyber criminals and hacktivists like to run.

The general populace became aware of the cyber spy when Google went public back in 2010 with a breach called Operation Aurora. Google leadership and the rest of the cybersecurity community attributed the breach to the Chinese government. The US Government’s cyber defenders were on to the Chinese as far back as 2004 (but probably much earlier than that). They even had a cool code name for Chinese cyber spy activity: Titan Rain. The Chinese government, which realized that attribution of a cyber attack was hard and plausible deniability was easy, did little to hide its cyber espionage operations compared to Russia, Israel, the US or France.

However, that attitude has changed since Mandiant released its APT1 report last year, and we have seen a distinct drop in noisy Chinese cyber espionage activity. Most countries go to great lengths to hide their espionage operations. In fact, it wasn’t until the summer of 2010 that the public became aware of US/Israeli cyber spy operations. Malware researchers from Belarus discovered Stuxnet, the first sign of a US/Israeli cyber espionage/cyber warfare campaign called Operation Olympic Games, which the two countries designed to delay and degrade uranium enrichment activities in Iran. Isn’t it interesting that the general public became aware of significant cyber espionage operations from three countries all in the same year?

If you are seeking a primer on the issues of cyber espionage, read Clifford Stoll’s Cuckoo’s Egg.

Cyber Crime

Cyber criminals are just criminals who use the Internet to steal money and commit fraud. They hack into networks to steal information they are not authorized to have, which they either use themselves or sell to other criminals. Stolen information typically includes customer credit card data or PII the criminal can use to defraud the victim.

The latest (and perhaps most infamous) case is the Target breach, in which the criminals stole the data from 40 million credit cards from the retailer. The press often associates cyber criminals with organized crime, meaning the hackers involved belong to a multinational crime syndicate and are involved in lots of different criminal activities, cyber crime being one of them.

While this is certainly true in some cases, often it is not. It takes a lot of effort to convert credit card information or PII into usable cash. Stealing the information is probably the easiest part and the least dangerous. At some point, somebody has to engage with the real world to cash out. Cyber criminals concoct elaborate schemes to do this, and the efforts are quite complicated. Some of these folks are working 80-hour weeks, so it is not like these adversaries are living the easy life. But it is lucrative if you can stay a couple of steps ahead of law enforcement.

For a primer on the cyber criminal world, read these two books: Kevin Poulsen’s Kingpin and Joseph Menn’s Fatal System Error.

Check this space tomorrow to find out the differences between Cyber Terrorism and Cyber Warfare. Have anything to add to the above? Leave a comment.