Cyber-Criminals: Who and Why?
Date: 07/04/2022 | Data Protection & Information Law
It may come as a surprise that not all cyber-criminals are interested in money. Generally speaking, there are five types of cyber-criminal: the hacker, the spy, the activist, the terrorist and the insider. I have already discussed the insider threat in a previous article. This article will focus on the external threats to your organisation.
Not all cyber-criminals have the same objectives. Understanding these objectives is the first step in ensuring your organisation has the correct protections in place.
So, what do cyber-criminals want?
A hacker will access your system and may not take action immediately. They are likely to deploy malware into your system to monitor what is going on. The main objective of the hacker is to make money.
There are two common ways of doing this:
- Locking you out of your own system through use of malware and demanding a ransom is paid before you regain access; or
- Identifying that a financial transaction is about to take place and spoofing an email, either from you to a customer or from a customer to you, providing ‘new’ bank details.
Ransomware attacks are on the rise and hackers tailor their demands to the size of the organisation they are scamming – the bigger the organisation, the more sophisticated the security measures will be, the more time they will take to get in and so the ransom is higher. But not all large organisations can weather the storm. In 2020 Travelex, a UK company which provides foreign exchange services, paid £2.3 million to regain control after hackers shut down its networks. Unfortunately, none of this ransom was recovered and the company subsequently fell into administration and 1,300 jobs were lost.
There are also numerous examples of small businesses being targeted and the ransom requested being in the region of £1,500, usually requested in Bitcoin. Smaller businesses will generally be seen as an easier target and attacks will be lower cost and more indiscriminate but with the hope of more victims.
However, not all organisations can or will pay these ransoms. On Christmas Eve 2020 the Scottish Environment Protection Agency (SEPA) was the victim of a serious attack which led to 1.2 GB of data, amounting to just over 4,000 files, being published illegally online. SEPA has clearly stated that it will not engage with the cyber-criminals. It is not uncommon for government or public entities to refuse to pay a ransom because ultimately the cyber-criminals want to extort public funds, which no governmental body can endorse. Although this attack is still subject to a criminal investigation, SEPA has an uphill battle to recover from its consequences. Thankfully, as SEPA has stated, it has not lost “the knowledge, skills and experience of our twelve-hundred expert staff”, but the attack, on top of Covid, has undoubtedly had a negative impact on the work it is able to do.
The spy is interested in gaining economic, strategic or political advantage through exploitation of your organisation’s knowledge and information. This threat is sometimes referred to as cyber espionage where sensitive data, intellectual property or classified know-how are stolen to the advantage of another, usually a competitor.
The UK’s Government Code and Cipher School (GCCS) estimates that there are 34 separate nations that have serious well-funded cyber espionage teams.
One of the most notorious nation-state attack groups is in North Korea. Some reports claim that North Korea has an army of more than 6,000 hackers that raise money to pay for the country’s nuclear program. The hacking group called Lazarus has been linked to North Korea.
Lazarus has some criminally impressive accolades, including the 2014 attack on Sony Pictures which netted tens of millions of dollars, the 2016 Bangladeshi bank “cyber heist” which netted $81 million and the 2017 WannaCry attack which caused billions of dollars in damage across the world, including to our very own NHS.
The activist is motivated by their own or their group’s political, religious or social agenda. The activist does not want money per se; they want to expose or discredit an organisation for its political or ideological activities. Unlike hackers who may enter your system and stay for days or months undetected (the average is 140 days), the activist is likely to cause visible damage in order to ensure that their message is delivered. Sometimes this type of cyber-criminal is referred to as a hacktivist.
The group known as Anonymous is an infamous hacktivist group which was active between 2008 and 2012 (although some believe that it is still active but working under a different name). Anonymous executed many attacks with various levels of damage. One of its most infamous attacks was Operation Tunisia, which took down eight government websites in support of the Arab Spring movement in 2010. However, this group has also been tied to the shutdown of the CIA’s website, the hacking of the Syrian Defence Ministry, the attack which shut down services such as PayPal and Visa after the U.S. government pressured them into removing the ability for people to donate to WikiLeaks, and Operation Darknet, where Anonymous broke into forty child pornography websites and published over 1,500 names of users who frequented these sites.
Not all hacktivists want their name to be known; for example, in 2012 unidentified hackers cracked the emails of pro-Kremlin activists and officials and published these online.
Although interesting, unless your organisation is knee-deep in government secrets or is a cosmetics company which exclusively tests on animals, it is unlikely that you will ever experience an attack from an activist. However, this does not mean that you should completely ignore the risk that activists may pose to you and your organisation.
Much like the activist, the terrorist’s prime motivation is to spread propaganda, cause chaos and create panic. The terrorist will use the same types of attacks that an activist would use (Distributed Denial of Service (DDoS) attacks etc.) but in a way which costs an organisation more money and causes long-term damage, not only in terms of physical damage but also damage to an organisation’s reputation.
Cyberterrorism is also defined as the use of the Internet to conduct violent acts that result in, or threaten, the loss of life or significant bodily harm. Although cyberterrorism can impact on your organisation, it is also worth taking a moment to consider the personal implications. Unfortunately, we have all heard the harrowing stories of young people who are targeted through the internet and threatened and pressured into doing unspeakable things: cyber-attacks are not just aimed at professional organisations.
Understanding the motivations of cyber criminals is the first step in protecting yourself and your organisation from attack.
So far, I have covered the who and the why… in my next article I will discuss the how.
If you have any questions, please get in touch with our Specialist Data Protection Team.