How do hackers choose their targets?

An illustration of four cyber criminals stealing money from an online account
(Image credit: Shutterstock)

Given the alarming rate at which cyber attacks strike all across the world, you may be forgiven for thinking of cyber crime as a constant and nebulous force that may strike at any moment’s notice. While indiscriminate attacks do happen often, most commonly in the form of ransomware, there’s also a whole raft of motivations that drive cyber criminals, and factors they take into account when choosing their targets.

Virtually any organization can fall victim to a cyber attack, whether they’re in the private sector, public sector or they’re a charity – and of all sizes and across all sectors. For each in question, there may be a reason that hackers have targeted them specifically, and often it ties into their core motivation. But what makes your organization attractive to hackers? There may be commonalities between victims, and knowing how hackers can choose their targets may also be key to developing strong cyber security defenses against attacks.

The various types of hackers

To figure out if you are a potential target, you need to understand who hackers are and what motivates them. There is a multitude of reasons why someone breaks into a computer network, and these give us an indication of who they target, their means of compromise and preferred infiltration tactics.

Multi-coloured-hat hackers

Hackers are sometimes referred to by the color of the metaphorical hats they’re wearing, and this color-coded system was established to tell the ‘good’ hackers from the ‘bad’ hackers. The first – black hat and white hat – were derived from the hats the heroes and villains wore in old Westerns. From there, the network expanded.

White-hat hackers: They engage in legitimate efforts to improve the security of client organizations by infiltrating their networks, stress-testing defenses, and offering guidance on changes their clients can make. They aren’t employed directly by an organization, but are brought in from time to time as and when needed.

Black-hat hackers: On the opposite end of the spectrum, black-hat hackers engage in nefarious activities for a variety of motives. They’re the key focus when it comes to how organizations must protect themselves. More on them later.

Gray-hat hackers: Cyber crime isn’t much of a grey area, but gray-hat hackers would like to think of themselves as on the side of the righteous, albeit their methods may be construed as malicious. They routinely infiltrate organizations’ networks without consent but do so in order to help them improve their cyber security posture rather than for personal benefit.


A whitepaper from ServiceNow covering ways banking leaders can transform technology risk into advantage with image of female working stood outside high rise buildings, looking at a smartphone

(Image credit: ServiceNow)

Discover how banks are strengthening their digital defense strategy


Red-hat hackers: These are the hackers that black-hat hackers fear the most. They channel their efforts into launching offensive measures to disrupt cyber attacks or retaliate against any illicit activity. They often use similar techniques, but exclusively target criminals.

Blue-hat hackers: Think of blue-hat hackers as in-house white-hat hackers. They perform the same function, but they’re employed directly by an organization as a member of staff to routinely improve their cyber security efforts.

Green-hat hackers: Also known as script kiddies (if malicious), green-hat hackers are inexperienced operators who may one day aspire to become a black-hat or white-hat hacker. Their methods are less sophisticated and may, for example, rely on impersonation or social engineering rather than exploiting zero-days.  

The hacktivist is one of the most widely known types of hacker, having risen in prominence thanks to the undertakings of groups such as Anonymous. They tend to be younger and more inexperienced – and often operate as part of a small group or even alone. 

The main incentive here is an ideology or an agenda they’re willing to follow, with their targets often institutions or companies that are at odds with these strongly held beliefs. These operatives will often try to leak information that moves public opinion. They’ll also protest these entities by vandalizing their online platforms, or social media sites.

Hacktivists normally target terrorist organizations, including ISIS or white supremacist outfits, but they can even target local government organizations, as happened in Michigan after the Flint water crisis. Private companies, too, such as extramarital dating site Ashley Madison might also come under fire. Although they’re actually in the minority.

Financially-motivated cyber criminals

Now back to black-hat hackers. The most common type of hacker is motivated by money. These hackers are often tied with established crime gangs, either directly or indirectly, which, in turn, form an entire industry with sophisticated methods and practices. As such, they can take advantage of a plethora of intrusion methods, tools, and campaigns. Common attack methods include phishing and ransomware, with these operations normally running on a large scale. It’s also quite common for such campaigns to indiscriminately target as many victims as possible in order to maximize the potential earnings, as was the case in 2017’s WannaCry attack which, alarmingly, still persists to this day in some corners of the world.

Other strategies are more targeted; many attacks involve identifying wealthy organizations and using spear phishing or direct network intrusion to carry out fraud, theft, and double extortion ransomware operations. These attacks usually target the private sector, as they’re generally more cash-rich than public sector bodies and individuals.

"A weak cyber security posture that is discoverable on a quick query is the equivalent to painting a target on your back," says Rois Ni Thuama, head of cyber governance for Red Sift. "There's a new email standard on its way called BIMI, and that will indicate that a firm has robust email authentication standards in place. Of course, the absence of this identifier will create a new 'tell' for hackers so that they won't need to run a query. They can simply send a message to someone in the firm and the response will reveal to what extent this firm is vulnerable."

State-backed advanced persistent threats (APTs)

The other main category of hackers is the state-sponsored operative. These hackers operate officially – or often unofficially – under the banner of a specific government, and are enlisted to carry out attacks on their behalf. For the purposes of plausible deniability, they’re often hacktivists or common cyber criminals who are employed on a freelance basis, but they can also be part of the state intelligence apparatus.


O'Reilly: Learning and Operating Presto eBook cover

(Image credit: IBM)

Meet your team’s warehouse and lakehouse infrastructure needs


These nation-state actors are similar to other kinds of hackers, but they quite often target victims for political reasons. The reason can be fairly innocuous, as in the case of the Sony hack, which was widely concluded to have been carried out by North Korea in response to the release of The Interview. Or, they can be more serious, like Russia’s alleged hack on the Democratic National Committee (DNC). But, in many cases, APTs operate for financial reasons too; the North Korean-linked group behind the Sony attack has also been accused of spreading the Magecart credit card skimmer to swell the country's coffers.

"APT actors are genuinely motivated and directed by national policy objectives," explains Ian Thornton-Trump, CISO of threat intelligence firm Cyjax. "They conduct various offensive and defensive operations in support of those policy objectives. Although infiltration and data exfiltration are common hallmarks of both cyber criminals and APT actors, in general, APT actors are focused but on espionage, disinformation, denial, disruption or destruction generally in support of kinetic or military operations."

What motivates a hacker?

Knowing there are different types of cyber criminals means understanding they can be motivated by a myriad of goals, and these will often dictate who will be chosen as their next victim. For the majority, the incentive is simple and somewhat unsurprising: money. Most hackers will be focused on growing their personal wealth, which is why they’ll resort to blackmailing their victims through ransomware or using phishing techniques to trick them into making a bogus financial transfer.

Hackers motivated by money

When money is the primary motivator, it makes sense to go after a target known for its wealth, especially publicly traded large corporations known to generate a substantial profit. These businesses are more likely to pay the ransom, too, and not disclose the attack, because disclosure is likely to impact their share price and reputation.

But this doesn't mean smaller companies and individuals are inherently safe from hackers. Another popular tactic used is a mass-impact attack, which targets a large number of victims by extorting a small amount of money from each individual. For example, £10 might not seem like much when stolen from one person, but when stolen from a thousand people at once using ransomware distribution – that's already £10,000. An additional benefit to this tactic is that the stolen sum might go unnoticed, while even those who take note of the unexplained transaction are unlikely to report it to the police if the amount is that small.

Hackers motivated by ideology

For ideological attacks, the motivation becomes a touch murkier. Human nature is such that there may be dozens of reasons why someone may be upset with an organization’s actions. Hackers could, for instance, disagree with a specific pillar in your corporate values; maybe your recent actions have outraged them; or maybe you simply represent a worldview they wish to strike a blow at.

Whatever the specific motivation, the goal is to embarrass the victim, which is usually accomplished by shining a light on things that the target would rather remain unseen. Internal emails are often a key target for hackers in this kind of attack, as are financial documents which may indicate potential wrongdoing.

What can we learn from how hackers operate?

There are various lessons we can learn from how cyber criminals operate, but the overriding lesson is that they often take the path of least resistance. It’s more often than not the low-hanging fruit that becomes the most attractive target – or attack method. 

For example, hackers are far more likely to engage in mass credential stuffing attacks when attempting to gain access to corporate networks, having bought a batch of usernames and passwords from the dark web for cheap, than they are to expertly craft an exploit to a zero-day vulnerability in a particular system. It almost goes without saying too, but an organization that’s poorly defended is always going to be more appealing for an attacker than one with far more barriers to break down.

The reality is that while the security industry has been devising new ways to protect their clients from cyber attacks, so, too, have hackers been professionalizing and becoming more sophisticated. We often see evidence of cyber crime supply chains and hacking offered as a service, for example, in addition to collaboration between individual groups. With the cyber crime landscape growing more seemingly worrisome as each month passes, businesses must apply cyber security best practices – including regular patching of systems, staff training, healthy endpoint management, and zero trust principles, among other strategies.

Hackers now have access to just as many scanning and analysis tools as security teams, if not more. It's relatively trivial to assess how many potential routes of entry there are into a prospective victim's network, so it pays to make sure that your own is at least abiding by best-practises. It's like that old joke: "I don't have to outrun the lion – I just have to outrun you."

ITPro created this content as part of a paid partnership with Jamf. The contents of this article are entirely independent and solely reflect the editorial opinion of ITPro. 

Adam Shepherd

Adam Shepherd has been a technology journalist since 2015, covering everything from cloud storage and security, to smartphones and servers. Over the course of his career, he’s seen the spread of 5G, the growing ubiquity of wireless devices, and the start of the connected revolution. He’s also been to more trade shows and technology conferences than he cares to count.

Adam is an avid follower of the latest hardware innovations, and he is never happier than when tinkering with complex network configurations, or exploring a new Linux distro. He was also previously a co-host on the ITPro Podcast, where he was often found ranting about his love of strange gadgets, his disdain for Windows Mobile, and everything in between.

You can find Adam tweeting about enterprise technology (or more often bad jokes) @AdamShepherUK.