There’s more than one type of threat actor, and they’re all differently skilled. Which do you need to worry about and which pose little or no threat? We explain it to you.
Different Tiers of Cybercriminal
In the physical world, there are different tiers of criminals. Clearly, those who plan and execute diamond heists are not the same ones who snatch a handbag and run down the street. It’s the same with cybercriminals. There are many different types of threat actor, from the ever-popular Hollywood trope of the kid in his bedroom to the state-sponsored, advanced persistent threat groups used for offensive and defensive international cybercrime and cyberwarfare.
In August 2018 a team of threat actors infiltrated the webserver that hosted the British Airways flight booking website. Having gained access to the server they paused and reconnoitered. They determined which software modules performed which functions, and how the various modules communicated and authenticated to one another. When they had identified the module they wished to target, they wrote a replacement for that module and swapped in their compromised one.
Because the website continued to work as expected no suspicions were aroused. Bookings were still processed correctly, tickets were issued, and passengers boarded flights without holdups or issues. Meanwhile, the substitute module was retaining a copy of the personal data that passed through it.
All the names, addresses, email addresses, passport numbers, and credit card details were squirreled away, waiting to be retrieved by the criminals. The fraudulent module was active from the end of August to early September 2018. During that period, it harvested 380,000 sets of personal data.
This type of targeted attack requires many different skills. The target has to be selected, the website must be compromised, the website must be analyzed and understood, and the compromised module must be developed and inserted into the chain of execution in the website. More often than not, this takes a team of individuals.
Each team member has a specialism or particular area of expertise that can be brought to bear during the attack. The operation has to be pay-rolled. The cybercriminals must also be well-versed in the associated physical-world criminal activities that are needed to get a pay-off from the attack. They need to be able to make money from the venture and to cover their tracks, for example. Even with payment in a cryptocurrency, they may need to money-launder their proceeds. Maladjusted and misdirected perhaps, but these are intelligent, skilled operators.
This begs the obvious question. Would such top-tier highly-skilled cybercriminals attack the average small to medium enterprise (SME)? No, of course not. But that doesn’t mean the average SME has nothing to worry about.
With a sophisticated service industry flourishing on the Dark Web to provide the tools, support, and even to execute actual cyberattacks on behalf of the poorly-skilled wannabe cybercriminal, practically anyone can execute a cybercrime. Having a broad and deep knowledge of IT, cyber security, and programming is no longer a requirement to get into the game.
All you need is criminal intent and Internet access.
The Different Tiers Defined
The Top Tier
Threat actors in the top tier have advanced and sophisticated skills and deep knowledge of the subject matter. They devote themselves to attacking high-value and, often, high-profile targets. The attacks that took place against Cathay Pacific, British Airways, Equifax, and Yahoo! are examples of attacks by top tier cybercriminals.
The Middle Tier
The threat actors in the middle tier have a moderate amount of IT and cybercrime skills. Typically, these threat actors do not target companies and perpetrate carefully executed attacks. Their targets are anyone they can infect.
If the threat actors in the top tier are like snipers, those in the middle tier are blindfolded machine gunners. They blast away and then see who they’ve hit. They will extort money from anyone and everyone, large or small.
They have enough skills to be able to use downloaded source code and malware kits purchased from the Dark Web to create new strains or variants of existing threats. They may use one of the many Cybercrime-as-a-Service providers on the Dark Web, although that tends to be the domain of the bottom tier threat actor.
The Bottom Tier
The lowest level is the bottom tier. They are known derogatively as script kiddies by the hackers who possess actual skills. These wannabe cybercriminals are able to follow basic instructions, but they are restricted to using ready-made—and readily available—tools to commit their attacks. They don’t have the skills and knowledge to create new threats for themselves.
They often make use of the Cybercrime-as-a-Service providers on the Dark Web. Like the middle tier, they don’t care who they infect or extort from. They are completely agnostic in their malware attacks—for the most part.
One of the common attacks used by the bottom tier threat actor is a distributed denial of service (DDoS) attack. This category of attack is popular with the bottom tier because they are easy attacks to conduct and the software required to carry out a DDoS attack can be found at no cost on the regular internet. A DDoS attack does need to be aimed at a specific victim.
If the top tier is like snipers and the middle tier is like machine gunners, the bottom tier is like a gang of kids who have found a pistol. They’re huddled around it looking down the barrel to see if it is loaded. But a bullet hurts whether the trigger is pulled by a marksman or an idiot.
And Yet More Threat Actors
Of course, the three-tier model is a simplification. If it has served to demonstrate there are different levels of expertise across the three primary tiers of cybercriminals and that only the very top tier targets specific companies for financial rewards, it has fulfilled its purpose. But, as you may expect, the threat landscape is more complicated and many-layered.
Organized Crime uses the internet and the Dark Web for a variety of illegal purposes, and is reshaping its activities to benefit from the anonymity of the Dark Web and cryptocurrencies. For example, drugs need to be grown as a crop then processed. That product must be transported and smuggled. It is then sold and distributed through a multi-level pyramid of lesser criminals with each lower level showing progressively less loyalty to the organization. Every one of those levels introduces risk and cost.
Selling their drugs on Dark Web markets removes the multi-layered distribution model and allows the criminals to hide behind cryptocurrencies. It reduces costs and risks for the criminals. It was a short step from there to realizing that cybercrime is an attractive model too.
Organized crime’s cybercrimes span both the top tier and the middle tier. They have the financial clout to hire top tier cybercriminal talent to develop malware for them, especially ransomware. These are the headline-stealing variants of ransomware that spread globally with devastating effect.
They are the ransomware threats that introduce new attack methods, new distribution or infection methods, or that leverage newly discovered zero-day exploits. Like middle-tier operators, they are aiming to hit as many victims as possible.
The term hacktivist was first coined by a member of the Cult of the Dead Cow back in the mid-90’s. They were a hacking group that used to meet in an abandoned slaughterhouse in Lubbock, Texas. Hacktivist is a portmanteau word joining hacking and activist. But make no mistake, hacktivists are still cybercriminals.
Hacktivists see themselves as social justice warriors carrying out attacks against targets that, as far as they are concerned, are deserving of service disruption or public shaming. Their activities are the digital equivalent of physical activism such as lobbying, workplace disruption, picket lines, and student sit-ins—and sometimes vandalism.
Undoubtedly, the most widely known hacktivist group is Anonymous. It grew out of the 4chan image-posting website. Anonymous has attacked such organizations as Al-Qaeda, ISIS, the Ku Klux Klan, the Church of Scientology, the anti-Islamic group ‘Reclaim Australia‘, and the Westboro Baptist Church.
Typically, Anonymous have used distributed denial of Service (DDoS) attacks to render victims’ websites inoperable, they have defaced web pages with their own political messages, and they have leaked private information online. Occasionally they will go further and utterly annihilate web sites they see as deserving of destruction, such as sites hosting child pornography.
Are hacktivists likely to target the average SME? No, almost certainly not. On the face of it, there’s no justification for a hacktivist group to attack a regular business—unless they make a mistake and misidentify you and your activities.
The Lone Wolf
Like hacktivists, the lone wolf hacker is usually motivated by something other than money. For example, Gary McKinnon—who has been called the most dangerous hacker of all time, by none other than Anonymous—became obsessed with the idea that NASA was suppressing evidence of aliens and alien technology, such as unlimited clean power. The rumour was started by a NASA contractor who claimed to have seen NASA mission photographs being digitally altered to remove images of UFOs.
Between February 2001 and March 2002, McKinnon remotely broke into 97 NASA and US military networks looking for evidence of these claims. He also infiltrated systems belonging to the Pentagon and the US Navy. He was caught, and the US requested extradition. This was eventually blocked by the UK government on the grounds that McKinnon was mentally unwell.
McKinnon freely admits to conducting the cybercrime and remains convinced that NASA is withholding evidence of extra-terrestrial life and technology. It’s worth noting that his hacks almost entirely succeeded because of poor cyber-hygiene on the part of the victim, including weak and predictable passwords.
Many lone wolf attacks follow this template. A socially-challenged or otherwise troubled individual, driven by illogical notions and beliefs, uses moderate technical skills to penetrate computer systems.
They may have some technical skills but they are naive in the criminal field-craft required to carry out a crime and get away with it. In the vast majority of cases, they are caught very easily. The threat posed to the average business by such persons is limited to non-existent.
The Oxford English Dictionary defines cyberwarfare as:
The use of computer technology to disrupt the activities of a state or organization, especially the deliberate attacking of information systems for strategic or military purposes.
The United States, the United Kingdom, Iran, Israel, Russia, China, North Korea, and Vietnam all have extremely cyber-capable offensive and defensive intelligence wings.
An Advanced Persistent Threat (APT) is a computer network attack in which unauthorized access is achieved and remains undetected for a prolonged period. The term APT has also come to represent the groups behind such attacks, especially if several different advanced persistent threat attacks have been attributed to that group.
These advanced persistent threats are cyberthreats of such protracted and technically challenging development, requiring large teams possessing world-class technical expertise, that they are attributed to nation-states or, possibly, the largest of corporations. It is possible that some of these corporations have been pressured by their intelligence services into creating these threats or to create products that carry in-built backdoors or other vulnerabilities.
The types of cyberthreat posed by the state-sponsored groups are those that attack critical components of the infrastructure of countries. Power stations, communications, hospitals, financial institutions, chemical plants, electronics companies, manufacturing, aerospace, automotive, and healthcare have all been targeted.
It is unlikely that the average SME will be targeted by an APT directly. But you can still get caught in the fallout. The NotPetya ransomware that attacked companies around the world in 2017 is thought to have been a disguised and widespread attack against Ukraine by Russia.
There might be multiple types of threat actor out there, but they are all variations on a theme. You don’t need to plan to thwart each type individually. Make sure you pay attention to all of the basic steps in securing your network and pay attention to the three pillars of cyber security.