The risk of attack or theft from cyber-enabled actors has been made extremely clear to both private businesses and governments. The last few years have demonstrated that any connected device – be it a computer, a phone, or even a car – can be hacked by someone. Often the response focuses on the victim or the potential victim. The questions are usually about what can be done to protect yourself from the attackers. But this overlooks an important question: who, exactly, are these attackers? They are hackers, certainly, but what motivates them, and how do they decide who to target? Broadly speaking, cyber-attackers can be broken-up into three categories – hacktivists, nation-states, and criminals.
Hacktivist groups, like Anonymous, are primarily motivated by a political or social agenda. They pursue their agenda by targeting perceived adversaries and attacking them to the best of their ability. Fortunately, most hacktivist groups are not especially technically sophisticated. They often utilize Denial of Service (DDoS) attacks to overload networks or deface websites in a way that is embarrassing, but not particularly harmful.
For example, a hospital in Flint, Michigan, was targeted by hackers associated with Anonymous as part of their protest against the water crisis there, but the hospital was able to continue to function. However, that may not always be the case. The barriers to acquisition for more sophisticated hacking tools is dropping fairly rapidly, and as these programs diffuse into the hacktivist community, there is a distinct chance that they will become a greater threat to those they choose to target.
Nation-states are among the most well known cyber-threats, as they tend to be fairly high profile when exposed. For example, North Korea hacked Sony, China almost certainly hacked OPM, Iran hacked a damn in New York, and Russia likely hacked the DNC. Nation-states are motivated by strategic objectives that are specific to each individual actor. However, they often break down into three categories: espionage, attacks, and battlefield preparation. Thus, the OPM hack is an example of espionage, the use of Shamoon malware to disable thousands of computers belonging to Saudi Aramco was clearly an attack, and the insertion of currently inactive malware into the American energy grid is an example of preparing the battlefield for a future conflict.
Criminals are by far the most common cyber-attackers, and their motivations are the simplest – they want money. Cyber criminals are almost universally motivated solely by the desire for profit. However, they are also the most varied group in terms of technical sophistication and target sets. That being said, the fact that all cyber-criminals are financially motivated also means that their behavior is influenced by market forces. So, for example, if the black market for credit card information is flooded due to a number of successful hacks, the price for that information will drop, and many criminals will need to shift to another commodity – such as health care information – in order to continue making money.
Knowing the motivations and average skill level of a potential attacker is an integral part of properly assessing the risk to any organization. Maintaining good intelligence about what groups may be targeting a given sector – or a given business - their preferred attack vector, and the type of information they are interested in can give responders a crucial advantage in preventing an attack or mitigating damage. As the saying goes, forewarned is forearmed – and that is especially true when confronting adversaries in cyberspace.
