Out-Law / Your Daily Need-To-Know

The who and how of cyber-attacks: types of attackers and their methods

Out-Law Analysis | 08 Feb 2017 | 11:18 am | 6 min. read

ANALYSIS: The people who carry out cybersecurity attacks have a wide range of capabilities and motives but can be broken down into a few types.

Having looked at the 10 things you always wanted to know about cybersecurity but were afraid to ask, we will share our findings in a themed series. Here we look at the kinds of people behind cybersecurity breaches and the methods they use.

Who are the attackers?

The sources of attacks are many and varied. The attackers behind some of the highest profile attacks in the past 18 months have ranged from a teenager with a basic skillset managing to infiltrate a major consumer brand, resulting in a record UK fine, through to an alleged state sponsored attack claimed to have influenced the presidential election of one of the most powerful countries.

Broadly, the sources of attacks can be grouped into one of four categories: script kiddies; hacktivists; organised crime; or nation states or their proxies.

'Script kiddies'

Increasingly, attacks are being perpetrated by relatively unskilled individuals who use scripts or programs developed by others to attack computer systems and networks. These individuals are not professionals but merely exploit weaknesses in others’ computers or systems that have been exposed by others, with these weaknesses usually shared on the 'dark web'.

Sometimes these 'script kiddies' will attack entirely at random and often with limited understanding of the effects of their actions. They may do it purely for the thrill or to increase their reputation amongst peers. 

An example of an attack perpetrated by a 'script kiddie' is the TalkTalk hack in October 2015. The attack, which reportedly cost the company £42 million and resulted in the ICO’s record fine to-date, was the work of a 17-year-old boy who claimed he was "just showing off" to friends.

'Hacktivists'

Hactivists are individuals or groups whose objective is to create public interest and generate media hype, usually in order to bring attention to a political, social or ideological cause. Hacktivists tend not to be profit-motivated but aim to embarrass victims or expose controversial issues.

The April 2016 'Panama Papers' scandal, the breach of the Panamanian law firm Mossack Fonseca, was arguably an example of hacktivism: an ideologically motivated attack by an anonymous whistle-blower, seeking to expose the offshoring activities of a number of high-profile individuals. The exposure of some 11.5 million documents caused controversy and embarrassment worldwide.

Organised crime

Organised criminals behind cyber attacks are usually motivated by financial gain and aim to obtain financial data or to control payment systems. This may be by extortion in relation to sensitive or confidential data, or by the use of ransomware.

By way of example, in July 2014 attackers infiltrated the European Central Bank’s systems exposing emails and contact details in an attempt at extortion. 

In relation to ransomware, in 2015 a group of computer criminals known as ‘DD4BC’ began threatening targets with massive distributed denial of service (DDoS) attacks unless they paid a ransom using Bitcoins. These attackers generally threaten to bring down vital business services and cause disruption and financial loss unless a payment is made via methods that are almost impossible to trace.

Nation state/state proxy

The high water mark of cyber attackers are those alleged attacks by nation states or state proxies, which tend to be motivated by political gain. Key objectives in such attacks tend to be to disrupt critical infrastructure, military operations or political stability.

For obvious reasons the details surrounding such events are shrouded in secrecy, however examples include the recent alleged involvement in the US election by the Russian state, and the Stuxnet cyber attack against Iran’s Natanz nuclear enrichment facility discovered in June 2010 which was alleged, but never confirmed, to be by US intelligence agents.

Insiders

It is important to note the threat that insiders present too. Disgruntled existing or ex-employees may commit, or even invite, cyber attacks out of spite or personal revenge rather than for financial reward. Their aims might be to damage systems or to steal information or intellectual property. In 2015 a disgruntled Morgan Stanley employee allegedly removed approximately 730,000 customer details.

It is clear that the range of potential attackers is varied in nature, capability and motive, and includes both internal and external threats. 

What are the common methods of attack?

Broadly, there are three categories of attack:

  • information theft: attackers seek to obtain confidential information from the target.
  • espionage: attackers monitor activities of targets and use that information in order to expose secrets or to obtain a competitive advantage.
  • sabotage: attackers aim to blackmail, defame or even destroy targets. The Sony and Ashley Madison mega-hacks are examples of this type of attack but so is Stuxnet, an attack that involved physical damage to the nuclear facilities of Iran.

Motives for attacks generally fall into four categories:

  • financial gain: an attacker aims to make money by stealing and using your information or extortion.
  • political: these come in the form of sophisticated, well-funded, state-sponsored attacks; as well as loosely affiliated 'hacktivists' who use publicity or stolen information to further their political goals.
  • prestige: attacks can be driven by the thrill of a challenge, the need for publicity or prestige.
  • nation state: there is much less publicly available information about such attacks. They may seek physically to damage infrastructure or to influence the outcome of elections.

The actual methods of attack commonly used are too numerous to list in their entirety and are continuously changing, but very many of them rely on employees being insufficiently aware of information security hygiene. It is much easier for attackers to socially engineer an employee than to carry out a brute force attack on the IT infrastructure of an organisation.

Typical methods of attack include the following:

  • phishing and spear phishing and vishing: tricking employees into revealing private/sensitive information, usually by email, phone or text. Spear phishing is a highly targeted version of phishing whereby specific individuals are targeted. Suspicious signs of phishing include: unusual sender details, poor spelling, unnecessary urgency, offers too good to be true, suspicious attachments, strange subject lines.
  • whaling: attacks hunting for sensitive or personal data targeting, in particular, people in powerful positions. Typically, a whaling attack works by an attacker masquerading as a senior executive asking an employee to transfer money. This is achieved through the use of fraudulent emails that appear to be from trusted sources. For instance, an attacker pretending to be CEO or CFO emails a high-level employee in the finance department to wire money or provide payment/account details.
  • waterholing: this is where an attacker infects websites that they know or believe are regularly visited by a target victim. They deploy malicious software (malware) on those sites and rely on employees from their intended victim having trust in those sites and clicking links or engaging other prompts to trigger the malware which will then help them access systems and data of the intended victim.
  • DDoS – DDoS attacks typically involve attackers using malware-infected computers to take remote control of those machines and bombard systems with such large amounts of traffic that the systems cease to function. It can involve, for example, hundreds of thousands or even millions of machines being used to request access to the same web-page at the same time.
  • malware – so-called 'malicious software'. It comes in many forms and is deployed by those who intend to disrupt the way systems operate, collect data or display unwanted information. This broad term includes viruses, worms, trojans, ransomware, spyware, adware, and other malicious programs.
  • malvertising – this is a specific use of malware where it is deployed within third party advertising networks that often display ads on popular websites. One such attack hit the BBC and New York Times websites in 2016.

Marc Dautlich and Philip Kemp are experts in information law and cybersecurity regulation at Pinsent Masons, the law firm behind Out-Law.com.