How do hackers choose their targets?
We explore what goes on in the minds of cyber criminals
We hear almost every day about new cyber attacks and data breaches targeting all different kinds of organisations, from forums and social media providers all the way to government departments and major multinational corporations.
What makes one company a more attractive target than another? Are there any common threads that dictate how hackers pick their victims and, if so, how can organisations use this knowledge to tailor their defences?
Different types of hackers
First on the agenda is actually gaining an understanding of who these people are and what motivates them. Hackers do what they do for a variety of reasons, and these motivations inform who they target, their methods of compromise and favoured infiltration tactics.
The hacktivist is one of the most widely-known, with this cohort of hackers rising in prominence thanks to the activities of groups like Anonymous. They generally tend to be younger and more inexperienced and often operate as part of a small group or even alone. The primary motivation here is an ideology or an agenda they’re willing to pursue, with their targets more often than not institutions or companies that are at odds with these strongly held beliefs. These operatives will often try to leak information that moves public opinion. They’ll also protest against these entities by vandalising their online platforms, or social media sites.
Hacktivists normally target terrorist organisations, including ISIS or white supremacist outfits, but they can even target local government organisations, as happened in Michigan after the Flint water crisis. Private companies, too, such as extramarital dating site Ashley Madison might also come under fire. Although their activities tend to be eye-catching, they’re actually in the minority.
The most common type of hacker is motivated by money. These cyber criminals are often tied with established crime gangs, either directly or indirectly, with these groups forming an industry with sophisticated methods and practices. As such, cyber criminals can take advantage of a plethora of intrusion methods, tools and campaigns. Common activities include phishing scams and ransomware campaigns, with these operations normally running on a large scale. It’s quite common for such campaigns to indiscriminately target as many victims as possible in order to maximise the potential earnings.
Other strategies are more targeted; many attacks involve identifying wealthy organisations and using spearphishing or direct network intrusion attempts to carry out fraud, theft or blackmail operations. These kinds of attacks are usually aimed at private sector organisations, as these are generally more cash-rich than public sector bodies and individuals.
"A weak cyber security posture that is discoverable on a quick query is the equivalent to painting a target on your back," says Rois Ni Thuama, head of cyber governance for Red Sift. "There's a new email standard on its way called BIMI, and that will indicate that a firm has robust email authentication standards in place. Of course, the absence of this identifier will create a new 'tell' for hackers so that they won't need to run a query. They can simply send a message to someone in the firm and the response will reveal to what extent this firm is vulnerable."
The other main category of hacker is the state-sponsored operative. These hackers operate under the banner of a specific government, and are enlisted to carry out attacks on their behalf. For the purposes of plausible deniability, they are often hacktivists or common cyber criminals whom the government in question employs on a freelance basis, but they can also be part of the state intelligence apparatus.
These nation-state actors are similar to both other kinds of hacker in different respects; they sometimes attack specific victims based on political motivations – often for some perceived slight, as in the case of the Sony Pictures hack, which was widely concluded to have been carried out by North Korea in response to the release of The Interview, or in Russia's hack on the Democratic National Committee (DNC). However, they have also been observed to carry out financially-motivated attacks; the same North Korean-linked group behind the Sony attack has also been accused of spreading the Magecart credit card skimmer in order to swell the country's coffers.
"APT actors are genuinely motivated and directed by national policy objectives," explains Ian Thornton-Trump, CISO of threat intelligence firm Cyjax. "They conduct various offensive and defensive operations in support of those policy objectives. Although infiltration and data exfiltration are common hallmarks of both cyber criminals and APT actors, in general APT actors are focused but on espionage, disinformation, denial, disruption or destruction generally in support of kinetic or military operations."
What motivates a hacker?
This shows that cyber criminals can be motivated by a myriad of goals, and these will often dictate who will be chosen as their next victim. For the majority, the incentive is simple and somewhat unsurprising: money. Most hackers will be focused on growing their personal wealth, that is why they will often resort to blackmailing their victims through ransomware or using various phishing techniques to trick them into making a bogus financial transfer.
When money is the primary motivator, it makes sense to go after a target who is known for their wealth. This includes large corporations, especially the publicly-traded ones which are known to generate a substantial profit. An additional motivator is that these companies are likely to pay the ransom and not disclose the attack, as public knowledge of the incident is likely to negatively impact their share price and reputation.
However, this doesn't mean that smaller companies and individuals are inherently safe from hackers. Another popular tactic used by cyber criminals is a mass-impact attack, which targets a large number of victims by extorting a small amount of money from each individual. For example, £10 might not seem like much when stolen from one person, but when stolen from a thousand people at once using ransomware distribution – that's already £10,000. An additional benefit to this tactic is that the stolen sum might go unnoticed, while even those who take note of the unexplained transaction are unlikely to report it to the police if the amount is that small.
For ideological attacks, however, the motivation becomes a touch murkier. Human nature is such that there are uncountable reasons why someone may take issue with a company's actions; maybe they disagree with a specific element of your corporate values, maybe your recent actions have outraged them, or maybe you simply represent a worldview or system that they wish to strike a blow at.
Whatever the specific motivation, the goal is generally to embarrass the victim, which is usually accomplished by shining a light on things that the target would rather remain unseen. Internal emails are often a key target for hackers in this kind of attack, as are financial documents which may indicate potential wrongdoing.
There is, however, one common thread that runs through almost all of the cybercrime that we see in the wild: Hackers are lazy. They will always go for the easier option, which applies just as much to their choice of victims as it does to what methods they use to attack them. No hacker will use a finely-crafted zero-day if they can use a set of unchanged default credentials instead, and similarly, when presented with two potential targets, the less well-defended one will always be the first choice.
Thornton-Trump points out that hackers often cruise for easy targets on portals like Shodan, a search engine that lists unsecured internet-connected devices. "Showing up on Shodan with a whole pile of vulnerabilities… is the 'hit me' sign of InfoSec," he notes, adding that social media controversy or public spats can also attract the attention of cyber criminals.
Hackers now have access to just as many scanning and analysis tools as security teams, if not more. It's relatively trivial to assess how many potential routes of entry there are into a prospective victim's network, so it pays to make sure that your own is at least abiding by best-practises. It's like that old joke: "I don't have to outrun the lion – I just have to outrun you."
The ultimate law enforcement agency guide to going mobile
Best practices for implementing a mobile device programFree download
The business value of Red Hat OpenShift
Platform cost savings, ROI, and the challenges and opportunities of Red Hat OpenShiftFree download
Managing security and risk across the IT supply chain: A practical approach
Best practices for IT supply chain securityFree download
Digital remote monitoring and dispatch services’ impact on edge computing and data centres
Seven trends redefining remote monitoring and field service dispatch service requirementsFree download