Describe a cyber-attack
Maybe you’ll give me a technical description of how websites or systems were hacked. Perhaps you’d share the way in which vulnerabilities were exposed, or how victims had to pay the ransom in an untraceable cryptocurrency.
It can be easy to forget the human being behind the attack, and the many reasons why they might have committed this crime. I’m not saying this out of sympathy. This is the best way to beat them. “Know your enemy”.
There is certainly no honour among thieves. However, there are certain moral codes cybercriminals use. For example, following the Colonial Pipeline cyberattack, DarkSide, the ransomware group responsible, apologised for the disruption caused and explicitly said it would introduce moderation to avoid social consequences in future attacks. Additionally, those responsible for the cyberattack on Ireland’s Health Service Executive (HSE) offered to provide the decryption tool for free to help get the system back up and running.
In the murky moral universe of hackers, the line between good and evil intentions is often blurred. But the more we understand about the different types of hackers, their motives, and their tactics, the better we can prepare for and prevent future attacks.
Hacking organisations worry about their business too!
It’s true that some hackers are motivated by ethical or activist considerations, while white-hat hackers probe organisations’ defences to highlight (and fix) security vulnerabilities. But let’s be clear: cybercrime is a vast, multi-billion dollar industry, and businesses need to get a firm grasp on it if they have any hope of preventing future attacks.
In the UK alone, the cost to the economy is estimated at £27 billion, driven by lucrative and largely risk-free profits. For many individuals and hack-for-hire organisations, hacking is a long-term business strategy. You only have to look at the transcripts of the conversations between Conti Ransomware Group and their victims to see how they appropriate the language of business, referring to themselves as “customer service agents”.
Strange as it may seem, hacking organisations worry about their reputation just as much as legitimate businesses. They want to encourage businesses to negotiate with them, and that requires maintaining at least a facade of morality.
Nation-state backed hacking campaigns, on the other hand, aren’t motivated by profit. They operate legally in their countries of origin; their purpose is to protect national security interests (including espionage and the propagation of fake news). As such they’re often resourced directly by governments.
But not always. BAHAMUT is one of the latest hack-for-hire organisations uncovered by BlackBerry and an example of a mercenary group that provides hacking outsourcing for governments. Not only is the group responsible for a variety of unsolved cases that have plagued researchers for years, but BlackBerry researchers also revealed that BAHAMUT is behind several extremely targeted and elaborate phishing and credential harvesting campaigns, hundreds of new Windows malware samples, use of zero-day exploits, anti-forensic/AV evasion tactics, and more.
Getting inside the mind of a criminal
It’s one thing to know who hackers are, but it’s just as important to understand how they think. And though there’s no single criminal mindset, certain patterns of behaviour do crop up time and again.
For example, it is commonly observed that malicious actors target seasonal events, such as the 4th of July, other national holidays, or major news events. These provide a perfect opportunity to strike when organisations’ efforts are concentrated elsewhere.
We shouldn’t be surprised, then, that the pandemic has provided the perfect breeding ground for cybersecurity attacks, as companies simultaneously dropped their guard and opened up new potential security vulnerabilities as they facilitated remote work.
Hackers are also keen students of human nature. For example, they understand that one of the best ways into an organisation is by exploiting people’s curiosity. Phishing has become far more sophisticated in recent years, with increasingly plausible emails that look like they come from stakeholders and colleagues, surreptitiously luring recipients into clicking a link and giving attackers access to corporate systems. This has been a particularly successful tactic during COVID, with vaccine (mis)information a particularly compelling, clickable subject for phishing emails.
Humanising hacking to defeat it
In many organisations, the discussion of security and protection from cyber-attack is mostly geared towards implementing or upgrading defence systems and technology. The role of people is rarely discussed – and this is a huge mistake. After all, these same defence systems and technologies are engineered by people.
Organisations should prioritise adopting a prevention-first security approach. This approach considers three fundamentals: understanding the nature of the threat, the motivations of those behind it, and the common tactics and patterns used by hackers. It also includes considering what vulnerabilities exist in your business, whether technical or employee-based.
As the old adage goes: ‘know your enemy’. Hackers are human – and that makes them both fallible and ruthless. For all the harm systems and technology can do, it is important to remember that it’s all powered by a human being.
About the Author
Eric Milam is the VP of Research Operations at BlackBerry, where he and his team track malware threats and threat actors. During his time at BlackBerry, Eric discovered and published the details of numerous emerging threats and malware variants actively being exploited in the wild.
Prior to joining BlackBerry, Eric was a highly regarded Penetration Tester and frequent conference speaker, widely known for his red-teaming exploits.
Featured image: ©Tierney