Behind every hack there’s a human. It’s easy to forget it when systems go down and an anonymous email arrives demanding you pay ransom in untraceable cryptocurrency, but hackers are people, too.
I say this not to humanise them, but to defeat them. In the eternal battle against cybercrime, we need to understand hackers’ weaknesses – as the old adage goes, to “know your enemy”. While there’s no honour among thieves, cybercriminals often operate according to moral codes of conduct which, while twisted, are not always so far from our own.
Just look at the Colonial Pipeline cyberattack. DarkSide, the ransomware group responsible, issued a statement claiming its goal was not to cause disruption and that it would introduce moderation to avoid social consequences in the future. Similarly, the hacking group responsible for the cyberattack on Ireland’s Health Service Executive (HSE) offered to provide the decryption tool for free to help get the system back up and running.
In the murky moral universe of hackers, the line between good and evil intentions is often blurred. But the more we understand about the different types of hackers, their motives, and their tactics, the better we can prepare for, and prevent, future attacks.
Choose your hacker
It’s true that some hackers are motivated by ethical or activist considerations, while white-hat hackers probe organisations’ defences to highlight (and fix) security vulnerabilities. But let’s be clear: cybercrime is a vast, multi-billion-dollar industry, and businesses need to get a firm grasp on it if they have any hope of preventing future attacks.
In the UK alone, the cost to the economy is estimated at £27 billion, driven by lucrative and largely risk-free profits. For many individuals and hack-for-hire organisations, hacking is a long-term business strategy. You only have to look at the transcripts of the conversations between Conti Ransomware Group and their victims to see how they appropriate the language of business, referring to themselves as “customer service agents”.
Strange as it may seem, hacking organisations worry about their reputation just as much as legitimate businesses. They want to encourage businesses to negotiate with them, and that requires maintaining at least a facade of morality.
Nation-state-backed hacking campaigns, on the other hand, aren’t motivated by profit. They operate legally in their countries of origin; their purpose is to protect national security interests (including espionage and the propagation of fake news). As such, they’re often resourced directly by governments.
But not always. BAHAMUT is one of the latest hack-for-hire organisations uncovered by BlackBerry and an example of a mercenary group that provides hacking outsourcing for governments. Not only is the group responsible for a variety of unsolved cases that have plagued researchers for years, but BlackBerry researchers also revealed that BAHAMUT is behind several extremely targeted and elaborate phishing and credential harvesting campaigns, hundreds of new Windows malware samples, use of zero-day exploits, anti-forensic/AV evasion tactics, and more.
The criminal mindset
It’s one thing to know who hackers are, but it’s just as important to understand how they think. And though there’s no single criminal mindset, certain patterns of behaviour do crop up time and again.
For example, it is commonly observed that malicious actors target seasonal events, such as the 4th July, other national holidays, or major news events. These provide a perfect opportunity to strike when organisations’ efforts are concentrated elsewhere.
We shouldn’t be surprised, then, that the pandemic has provided the perfect breeding ground for cybersecurity attacks, as companies simultaneously dropped their guard and opened up new potential security vulnerabilities as they facilitated remote work.
Hackers are also keen students of human nature. For example, they understand that one of the best ways into an organisation is by exploiting people’s curiosity. Phishing has become far more sophisticated in recent years, with increasingly plausible emails that look like they come from stakeholders and colleagues, surreptitiously luring recipients into clicking a link and giving attackers access to corporate systems. This has been a particularly successful tactic during COVID, with vaccine (mis)information proving a compelling, clickable subject for phishing emails.
The human factor
Far too often organisations think about security purely in terms of systems and technologies. These are critical, of course, but we must never forget the role of people – both those within the organisation, and those trying to get in.
Organisations should be establishing a prevention-first security approach. This approach begins with understanding the nature of the threat, the motivations of those behind it, and the common tactics and patterns used by hackers. It also includes being aware of the vulnerabilities within the business, not least from employees.
The moral of this story is ‘know your enemy’: organisations must first have a thorough understanding of their adversaries and appreciate that, for all the harm they do, they are human too.