How do hackers choose their targets?

An illustration of four cyber criminals stealing money from an online account
(Image credit: Shutterstock)

Cyber attacks and data breaches happen on a daily, if not hourly basis. Cyber criminals are attacking virtually every kind of organisation, from small charities and non-profits to massive multinational corporations.

But what makes a company attractive to hackers, do the victims of hacking attempts have anything in common, and would knowing your company is a likely target means you could adjust your defences accordingly?

The various types of hackers


Protecting every edge to make hackers’ jobs harder, not yours

How to support and secure hybrid architectures


To figure out if you are a potential target, you need to understand who hackers are and what motivates them. There is a multitude of reasons why someone breaks into a computer network, and these give us an indication of who they target, their means of compromise and preferred infiltration tactics.

The hacktivist is one of the most widely known, with this legion of hackers rising in prominence thanks to the undertakings of groups such as Anonymous. They tend to be younger and more inexperienced, and often operate as part of a small group or even alone. The main incentive here is an ideology or an agenda they’re willing to follow, with their targets often institutions or companies that are at odds with these strongly held beliefs. These operatives will often try to leak information that moves public opinion. They’ll also protest these entities by vandalising their online platforms, or social media sites.

Hacktivists normally target terrorist organisations, including ISIS or white supremacist outfits, but they can even target local government organisations, as happened in Michigan after the Flint water crisis. Private companies, too, such as extramarital dating site Ashley Madison might also come under fire. Although their activities tend to be eye-catching, they’re actually in the minority.

The most common type of hacker is motivated by money. These cyber criminals are often tied with established crime gangs, either directly or indirectly, with these groups forming an industry with sophisticated methods and practices. As such, cyber criminals can take advantage of a plethora of intrusion methods, tools and campaigns. Common activities include phishing scams and ransomware campaigns, with these operations normally running on a large scale. It’s quite common for such campaigns to indiscriminately target as many victims as possible in order to maximise the potential earnings.

Other strategies are more targeted; many attacks involve identifying wealthy organisations and using spearphishing or direct network intrusion attempts to carry out fraud, theft or blackmail operations. These kinds of attacks are usually aimed at private sector organisations, as these are generally more cash-rich than public sector bodies and individuals.

"A weak cyber security posture that is discoverable on a quick query is the equivalent to painting a target on your back," says Rois Ni Thuama, head of cyber governance for Red Sift. "There's a new email standard on its way called BIMI, and that will indicate that a firm has robust email authentication standards in place. Of course, the absence of this identifier will create a new 'tell' for hackers so that they won't need to run a query. They can simply send a message to someone in the firm and the response will reveal to what extent this firm is vulnerable."

The other main category of hackers is the state-sponsored operative. These hackers operate under the banner of a specific government and are enlisted to carry out attacks on their behalf. For the purposes of plausible deniability, they are often hacktivists or common cyber criminals whom the government in question employs on a freelance basis, but they can also be part of the state intelligence apparatus.


Protecting every edge to make hackers’ jobs harder, not yours

How to support and secure hybrid architectures


These nation-state actors are similar to both other kinds of hacker in different respects; they sometimes attack specific victims based on political motivations – often for some perceived slight, as in the case of the Sony Pictures hack, which was widely concluded to have been carried out by North Korea in response to the release of The Interview, or in Russia's hack on the Democratic National Committee (DNC). However, they have also been observed to carry out financially-motivated attacks; the same North Korean-linked group behind the Sony attack has also been accused of spreading the Magecart credit card skimmer in order to swell the country's coffers.

"APT actors are genuinely motivated and directed by national policy objectives," explains Ian Thornton-Trump, CISO of threat intelligence firm Cyjax. "They conduct various offensive and defensive operations in support of those policy objectives. Although infiltration and data exfiltration are common hallmarks of both cyber criminals and APT actors, in general APT actors are focused but on espionage, disinformation, denial, disruption or destruction generally in support of kinetic or military operations."

What motivates a hacker?

This shows that cyber criminals can be motivated by a myriad of goals, and these will often dictate who will be chosen as their next victim. For the majority, the incentive is simple and somewhat unsurprising: money. Most hackers will be focused on growing their personal wealth, that is why they will often resort to blackmailing their victims through ransomware or using various phishing techniques to trick them into making a bogus financial transfer.

When money is the primary motivator, it makes sense to go after a target who is known for their wealth. This includes large corporations, especially the publicly traded ones which are known to generate a substantial profit. An additional motivator is that these companies are likely to pay the ransom and not disclose the attack, as public knowledge of the incident is likely to negatively impact their share price and reputation.

However, this doesn't mean that smaller companies and individuals are inherently safe from hackers. Another popular tactic used by cyber criminals is a mass-impact attack, which targets a large number of victims by extorting a small amount of money from each individual. For example, £10 might not seem like much when stolen from one person, but when stolen from a thousand people at once using ransomware distribution – that's already £10,000. An additional benefit to this tactic is that the stolen sum might go unnoticed, while even those who take note of the unexplained transaction are unlikely to report it to the police if the amount is that small.

For ideological attacks, however, the motivation becomes a touch murkier. Human nature is such that there are uncountable reasons why someone may take issue with a company's actions; maybe they disagree with a specific element of your corporate values, maybe your recent actions have outraged them, or maybe you simply represent a worldview or system that they wish to strike a blow at.

Whatever the specific motivation, the goal is to embarrass the victim, which is usually accomplished by shining a light on things that the target would rather remain unseen. Internal emails are often a key target for hackers in this kind of attack, as are financial documents which may indicate potential wrongdoing.

There is, however, one common thread that runs through almost all of the cybercrime that we see in the wild: Hackers are lazy. They will always go for the easier option, which applies just as much to their choice of victims as it does to what methods they use to attack them. No hacker will use a finely crafted zero-day if they can use a set of unchanged default credentials instead, and similarly, when presented with two potential targets, the less well-defended one will always be the first choice.

Thornton-Trump points out that hackers often cruise for easy targets on portals like Shodan, a search engine that lists unsecured internet-connected devices. "Showing up on Shodan with a whole pile of vulnerabilities… is the 'hit me' sign of InfoSec," he notes, adding that social media controversy or public spats can also attract the attention of cyber criminals.

Hackers now have access to just as many scanning and analysis tools as security teams, if not more. It's relatively trivial to assess how many potential routes of entry there are into a prospective victim's network, so it pays to make sure that your own is at least abiding by best-practises. It's like that old joke: "I don't have to outrun the lion – I just have to outrun you."

Adam Shepherd

Adam Shepherd has been a technology journalist since 2015, covering everything from cloud storage and security, to smartphones and servers. Over the course of his career, he’s seen the spread of 5G, the growing ubiquity of wireless devices, and the start of the connected revolution. He’s also been to more trade shows and technology conferences than he cares to count.

Adam is an avid follower of the latest hardware innovations, and he is never happier than when tinkering with complex network configurations, or exploring a new Linux distro. He was also previously a co-host on the ITPro Podcast, where he was often found ranting about his love of strange gadgets, his disdain for Windows Mobile, and everything in between.

You can find Adam tweeting about enterprise technology (or more often bad jokes) @AdamShepherUK.