Who are these groups? What are they after? What techniques, tools, and procedures do they use?
The taxonomy of threat actors responsible for cyberattacks has expanded based on the ease of carrying out these attacks – in many cases, no technical skills are required at all.
Who are these groups? What are they after? What techniques, tools, and procedures do they use? These questions are useful in determining the level and type of threats that are likely to target your business, government agency, or person.
Unsophisticated and opportunistic actors
Typically disparaged as “script kiddies”, these bad actors are not as benign as that bias would suggest. Because “hacking” tools are readily available and easy to use, anyone can wield them. One example is the proliferation of distributed denial-of-service tools that anyone can download and install; doing so puts the device into a network of packet-hurlers aimed at the target du jour. Yes, you too can “hack” Russian media in the middle of a war. Configuration mistakes are one of the top vulnerabilities exploited by this group – no passwords, bad passwords, and lack of multi-factor authentication are the top problems.
Another example that caused a great deal of concern was the event at the Oldsmar water utility, near Tampa, Florida. A poorly protected remote access service facing the Internet was “attacked” by someone who either guessed a password or was in possession of the password. The actor gained access to the control application and raised the level of sodium hydroxide being mixed into drinking water. This may sound terrifying on the face of it, but details surrounding the event suggest that this was not a terrorist, criminal, or state-sponsored actor. This was a person who found the exposure, logged in, played around with an application they did not know, and then fled.
These actors’ techniques are still relatively primitive and mainly manifest as website defacements and denial of service. These actors are likely to have overlap with activists (described below), and more sophisticated tools are within reach.
Organized crime
Organized cybercrime is just that – organized. Commonly known as “cyber gangs,” these groups are known to emulate a corporate structure, using contractors for their code work and a network of “channel partners” that handle tasks. These tasks range from weaponizing newly announced vulnerabilities as exploits to obtaining initial access to offer to anyone that will pay. Want a compromised system inside Boeing, but don’t have time or skill to do it yourself? Perhaps you can buy that access.
Organized cybercriminals have become extremely sophisticated in their tools, techniques, and procedures. They are focused on profit motive, and the recent and increasing trend is to compromise third parties to gain access to a broader base of victims.
Ransomware-as-a-Service has the potential to further exacerbate the cyber problem by lowering the technical skill necessary to engage in this type of crime. By coupling with initial access brokers (IABs), a target may be selected, compromised, and extorted with no technical skills at all – just an agreement to share proceeds with the criminal organization.
State-sponsored actors
State actors are focused on espionage, but the world has seen the ease with which the US economy can be damaged by attacking critical infrastructure. While the United States has not seen domestic events such as the disabling of maritime port operations in Iran by Israel, or the disruption of water purification in Israel by Iran, we have had notable supply chain events – for example, the incidents at Colonial Pipeline and JBS Meats.
Complicating this is the collusion and cooperation between criminals and actual agents of the state, which obscures the true intent of an event. It may look like extortion, but the real objective is to disrupt.
Depending on the sector membership of the victim, this can help to attribute the act. For example, North Korea is known to engage in theft and extortion, which is thought to partially fund weapons programs.
The difference between nation-state and criminal actors is therefore difficult to deconvolve; however, China is very specifically focused on espionage and theft of intellectual property. Are you being extorted? It is likely Russia (State or criminal gang) or North Korea (State). Compromised, but no extortion demand – the Chinese want your secrets, the Iranians want to disrupt. Again, these are the main players, but Turkey, Syria, Brazil, and India are all becoming more active. Note also that the United States is not the sole target; China and India are routinely cyber-attacking one another; more recently China has gone after Russia.
Nation states have cyber units that have mature and well-resourced tools and can exploit zero-day vulnerabilities (those that are not yet public). They are known to begin Internet-wide scanning for vulnerabilities as they are announced within minutes – in tandem with developing a workable exploit and delivery system.
Insiders
Insiders are being actively courted by ransomware and other gangs, and in fact 30% of organizations have identified this as a ransomware risk. Long the domain of espionage, “assets” are identified and bribed to facilitate initial compromise. This has the effect of increasing the efficiency of the criminal enterprise and containing costs, as efforts to compromise using phishing and other techniques take longer and may not be successful.
LAPSUS$ is the moniker of a gang – thought to be teenagers – that is known to be actively courting insiders for this access; however, the technique is not unique to that group. It has been reported that the group has openly advertised and offered up to $20,000 for insider access to telecom companies, culminating in the compromise of T-Mobile.
This phenomenon is being exacerbated by the “great resignation,” and the recalculation that many have done regarding the relationship between employer and employee. When someone is resigned to having “one foot out the door,” the likelihood of being incentivized to plug in a USB stick or visit a specific URL increases.
Insiders may be motivated by easy money with low risk, or in retaliation for perceived abuse or unfair treatment by the employer.
Activists
This is a growing and very volatile threat group with a lot of variation in intent and motivation. For example, the Goodwill ransomware gang in India extorts its victims by demanding benevolent acts like feeding hungry children. In South America, Guacamaya is a group that is focused on stealing and leaking embarrassing documents from large corporations and government agencies for the purpose of exposing corruption and resource exploitation.
An international collective advocating for security and privacy became (in)famous for having made public the live streams of thousands of Verkada video cameras to call attention to their vulnerabilities and privacy implications. Streams included jails, hospitals, schools, and Verkada’s own offices.
Many examples have been reported of police departments being attacked to steal and make public internal communications; a recent example came from Australia. Anonymous often takes credit for these acts, and in fact was quite active during the unrest after the George Floyd murder.
We should all be familiar with Anonymous, the on-again off-again loose group that historically defaces websites and engages in theft of information with the intention of making it public. The Anons, along with the Ukrainian IT (Information Technology) army and Belarusian Cyberpartisans have become involved as volunteers in the war against Ukraine, having penetrated and disrupted media outlets to broadcast counter propaganda, a satellite ground station, the Russian propaganda ministry, trains, and much more.
Activists also target people, and “doxing” has become a dictionary word. They wage organized campaigns against those perceived to have disparaged, through speech or act, one political party or policy position. While still limited to disclosure of personal information (including communications), this technique has been used to terminate the employment of, and sometimes terrorize, the victims.
The motivation for activist actors with skills ranges across a variety of positions: conservation and social justice, participation in a war perceived as unjust, retaliation against law enforcement and increasingly, political factionalism. A recent example is the reaction to states enacting anti-abortion laws in the wake of the Supreme Court ruling on Roe vs. Wade.
All this portends a significant uptick in cyber-activism in the upcoming U.S. elections. With the ease of Ransomware-as-a-service and other tools discussed above, sophisticated attacks on key counties (counties conduct elections) are not out of the question.
Mercenaries and Freelancers
The “gig economy” may be creating more people willing to become hired hackers. Working in cybersecurity means constantly being frustrated and feeling like we are collectively losing. For some, the dark side becomes attractive.
Corporation-like entities that do business on the dark web constantly recruit cybersecurity practitioners with specific skills. Somewhat aligned with the organized crime infrastructures above, the properly connected can buy access to any identified e-mail or social media account, interactive access to an asset in the corporation or government agency of choice, and more.
The signal from this group is indistinguishable from organized crime. The differences are the type and cost of goods, and the questionable moral justification offered by the participants.
Because of the high skill level of this group, it is capable of competitive espionage at the direction of well-resourced organizations. For example, contract hackers are being used to penetrate and surveil legal offices for the purpose of gaining information on ongoing litigation strategies. Corporate espionage is not new, and this should not be surprising given the growing resource pool and the ability of a corporation to fund it.
Terrorists
Much like some state actors, terrorists are motivated to disrupt and destroy without regard to impact. The only difference between them and nation-state wartime acts is that terrorists are not constrained by international (or any) law. As the market for easily acquired cyber goods and services grows, this group becomes much more dangerous. Tools such as wipers and killware emulate a ransomware attack, but there is no hope of restoration by paying an extortion demand. Disruption of critical infrastructure is considered terrorism, and the incident rate is going up. This notably includes the healthcare sector, which has been particularly hard hit.
Since the originating Stuxnet event there has been a steady increase in attacks against operational technologies – industrial control or SCADA (supervisory control and data acquisition) systems that can cause kinetic damage as well as outages of life-safety, life-sustaining, and quality-of-life systems. This includes water, dams, wastewater, manufacturing, and others, with local governments particularly at risk.
While not historically known to be technically proficient, the ability to attack your adversary from the other side of the world has not gone unnoticed by terrorist organizations, and they have made investments in developing these capabilities. We can expect more of this asymmetric warfare.
Identification without attribution
Attribution techniques are used to identify specific threat actor groups, and often the actual identities of those actors. Attribution is beyond the scope of this paper. However, identification of the taxonomic identity is possible using the specific details of the attack. While this is necessarily done after an event, foreknowledge of these details can help to focus efforts and resources to counter the abilities of a threat that is likely to target your organization.
What do you have to steal or disrupt?
Are you of strategic value to a state actor?
Would disrupting your organization be considered a terrorist act?
An analysis of tools, techniques, and procedures can be used to describe the sophistication of the actor and provide insight into how well-resourced they may be. For example, the use of zero-day vulnerability exploits is a method used by nation-states for the purpose of espionage. But, it should be noted, once a technique is used, and proved effective, it can be reused by a different group with different motives. For example, if a nation-state reveals a zero-day vulnerability and uses it for espionage, within a few days gangs, terrorists, and activists can begin using the same vulnerability for their own means.
Determining whether there is a profit-seeking motivation can identify criminal intent; however, the use of ransomware-like tactics by state actors with no intent to extort has also been seen as a “false flag” technique. In many cases, the real intent is pure disruption, and the lack of an extortion demand suggests exactly that.
Disinformation campaigns are out of scope for this paper but are the domain of state-sponsored actors with the intent of fomenting dissent and division among a population.
Records and other information stolen but not monetized may be used to publicly embarrass or show criminal behavior on the part of the victim organization. This activism – hacking for a cause – has existed under the radar for some time as groups like Anonymous have proliferated and become more open about their activities since the start of the Russian war against Ukraine.
Tools
The following tables provide a way to summarize. Based on the above discussion, you should have a reasonable idea of which of these groups (and there are certainly more than one) may be interested in what you have. Having parameterized that, the table below estimates the outcomes the groups may be seeking.
Also, with respect to the groups or actors that may be in your threat profile, the table below lists tactics that are commonly used by each of these groups, noting that there are significant overlaps when comparing state actors to mercenaries.
And finally, given that these tactics are mapped to the actors most likely to be interested in your organization, here are reasonable countermeasures to think about when prioritizing controls that are relevant to your biggest threats.
DDoS: engage a service like Cloudflare that will detect and blunt these attacks by dropping and null-routing packets.
Configuration mistakes: employ good change control and ensure that default settings are always addressed, and that authentication strength is specifically addressed. Network monitoring can’t prevent these mistakes but can usually help identify them rapidly.
Intentional compromise: perform a risk analysis of employees likely to be an attrition risk and ensure that monitoring of network traffic and endpoint activity is adequate.
Remote access exploit / credential stuffing: monitor remote access methods for vulnerabilities and enforce the use of multi-factor authentication for all remote access – including contractors and service providers. Consider a dark web monitoring service for compromised employee credentials.
Phishing: educate users and consider a policy of disallowing personal use on organizational devices.
Technical vulnerability exploit: monitor vendor and open-source information for vulnerability announcements; use a network scanning service; treat Internet-facing vulnerabilities as incidents and prioritize patching and compensating controls when necessary.
Watering hole compromise: use a URL filtering product, and ensure that monitoring can detect aberrational activity following compromise by an intentionally infected website.
Zero-day vulnerability exploit: invest in the best monitoring and data analytics possible and ensure that aberrational activities, when detected, are immediately investigated.
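Two of the countermeasures above (network monitoring that rapidly identifies authentication weaknesses, and MFA on every remote access path including contractors) can be turned into concrete checks. The following Python script is an added example written for this article; it is not code from the original page. It assumes a hypothetical VPN authentication log format of "timestamp source-ip username SUCCESS|FAIL" and a hypothetical account inventory with remote_access/mfa fields; the log lines and accounts are constructed sample data. It flags the credential-stuffing pattern (one source trying many distinct usernames in a short window, as opposed to brute force against one account), lists accounts that can log in remotely without MFA, and crosses the two to show which accounts to reset first.

```python
"""Credential-stuffing detection and MFA gap check over constructed sample data.

Added example, not code from the original article. The log format, the
account inventory fields and all values below are assumptions/constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format: "<ISO-8601 UTC> <src-ip> <user> <SUCCESS|FAIL>").
# 203.0.113.7 tries six different usernames in six seconds and gets one hit: stuffing.
# 198.51.100.9 fails twice on one account then succeeds: a user mistyping, or brute force,
# but not the many-users pattern this detector looks for.
SAMPLE_AUTH_LOG = """\
2024-05-01T08:00:01Z 203.0.113.7 alice FAIL
2024-05-01T08:00:02Z 203.0.113.7 bob FAIL
2024-05-01T08:00:03Z 203.0.113.7 carol FAIL
2024-05-01T08:00:04Z 203.0.113.7 dave FAIL
2024-05-01T08:00:05Z 203.0.113.7 erin FAIL
2024-05-01T08:00:06Z 203.0.113.7 frank SUCCESS
2024-05-01T08:05:00Z 198.51.100.9 alice FAIL
2024-05-01T08:05:10Z 198.51.100.9 alice FAIL
2024-05-01T08:05:20Z 198.51.100.9 alice SUCCESS
2024-05-01T09:00:00Z 192.0.2.44 gina SUCCESS
"""

# Constructed account inventory (hypothetical fields). Contractors count as remote users too.
SAMPLE_ACCOUNTS = [
    {"user": "alice", "remote_access": True, "mfa": True, "type": "employee"},
    {"user": "frank", "remote_access": True, "mfa": False, "type": "employee"},
    {"user": "vendor-svc", "remote_access": True, "mfa": False, "type": "contractor"},
    {"user": "gina", "remote_access": False, "mfa": False, "type": "employee"},
]


def parse_auth_log(text):
    """Parse log lines into (timestamp, source_ip, username, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "SUCCESS"))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=10), min_users=5):
    """Flag source IPs that attempted at least `min_users` distinct usernames within `window`.

    Returns {ip: {"attempts", "distinct_users", "compromised_candidates"}}, where
    compromised_candidates are accounts that logged in successfully from the flagged source.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))

    alerts = {}
    for ip, attempts in by_ip.items():
        start, flagged = 0, False
        for end in range(len(attempts)):
            # Slide the window start forward until it is within `window` of the current event.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            if len({u for _, u, _ in attempts[start:end + 1]}) >= min_users:
                flagged = True
                break
        if flagged:
            alerts[ip] = {
                "attempts": len(attempts),
                "distinct_users": len({u for _, u, _ in attempts}),
                "compromised_candidates": sorted({u for _, u, ok in attempts if ok}),
            }
    return alerts


def remote_access_without_mfa(accounts):
    """Accounts that can authenticate remotely without a second factor, contractors included."""
    return sorted(a["user"] for a in accounts if a["remote_access"] and not a["mfa"])


def prioritize(alerts, accounts):
    """Accounts hit by a stuffing success that also lack MFA: reset and enrol these first."""
    no_mfa = set(remote_access_without_mfa(accounts))
    urgent = set()
    for details in alerts.values():
        urgent.update(u for u in details["compromised_candidates"] if u in no_mfa)
    return sorted(urgent)


if __name__ == "__main__":
    alerts = detect_credential_stuffing(parse_auth_log(SAMPLE_AUTH_LOG))
    for ip, details in alerts.items():
        print(f"credential stuffing from {ip}: {details}")
    print("remote access without MFA:", remote_access_without_mfa(SAMPLE_ACCOUNTS))
    print("reset first:", prioritize(alerts, SAMPLE_ACCOUNTS))
```

The window and threshold values are starting points, not tuned numbers; on a real VPN or identity-provider log the thresholds should be set against a baseline of normal failure rates, and a flagged source should drive an automatic block plus a password reset and forced MFA enrolment for any account it successfully reached.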