In a world riddled with cyberattacks, digital espionage, misinformation and a hyper-partisan political landscape, access to accurate and vetted intelligence is vital to overcoming the array of threats and threat actors.
The threat landscape is as diverse at is sophisticated. Staying abreast of these threats, understanding actors’ motivations and knowing their tactics, techniques and procedures (TTPs) is paramount
The Radware Hacker’s Almanac Series serves as a cornerstone for understanding:
Modeling the threat landscape is an essential step to anticipate the impact of external influences such as geopolitics, pandemics and new security threats so your organization can implement a focused security strategy that aligns with your organization’s most valuable resources.
Threat actors can be categorized into five classes based on their motivations and objectives. Terminology can differ across the security community, but the ideas of represented actors are consistent.
A threat actor will typically fit in one of these classes:
Some of the most notorious threat actors are those employed or contracted by national governments. Nation-state actors and threat groups often have close links, and are typically directed by, military or state intelligence services. Recruits are selected based on their high degree of technical expertise, knowledge of a specific language, or ability to engage in propaganda and misinformation campaigns.
Their motivations can range from largescale disruption and influence campaigns to covert espionage. Some states are in it for economic gain, while others provide an environment that allows their contractors to continue non-sanctioned operations after hours.
While nation-state threat groups are capable of sophisticated attacks, most of their activity is composed of simple attack vectors. They typically attempt to follow common traits used by other groups or actors. These actors do not perform attacks to demonstrate capabilities; they often try to achieve a specific objective as covertly as possible. Attribution of nation-state incidents is difficult and has led to the formation of several industry groups that track activities and assign a variety of names to the same attack.
Many nations have advanced cyberwarfare capabilities; however, this guide focuses on only a few diverse and notable nation states that illustrate the concept. Depending on your location, the notion and urgency of a particular nation-state actor will be biased by geopolitics, cultural differences, economic and trading agreements.
Almost all organized crime groups use communication technology to manage their actions. Some groups specialize in using technology to commit cybercrimes. Criminal activity is so rampant that even nation-state employed actors likely perform cybercriminal activity after hours for personal gain.
Crime pays, so whenever there is an opportunity, organized crime will appear. As more people and devices become connected in the wake of digital transformation, ways for cybercriminals to profit continue to emerge. Even traditional criminals have evolved and digitalized. Drug dealers now anonymously sell drugs and stolen goods online for cryptocurrency without the fear of being caught operating on the streets. The internet provides increasing opportunities for cybercriminal activity and ways for threat actors to organize and create environments that support crime and profitability.
One would assume these threat actors would not want to draw large amounts of attention, yet their crimes are often “noisy” and noticeable. Many threat actors will even leverage media attention to publicize their capabilities, putting increased pressure on victims to comply. If they don’t, outages can be massive and sensitive data shared on the darknet to apply more pressure.
Extortion is the practice of gaining something, especially money, through force or threat. Extortion has evolved from the physical world of gangster shakedowns to the cyber realm through hostage-taking of computer networks for profit. From ransomware to Ransom Denial-of-Service (RDoS), threat actors aim to extort cryptocurrency from victims by threatening to degrade networks or encrypt systems and block access to systems until payment is rendered.
Ransomware is malicious software that infects a system and displays messages demanding a fee to receive a key to unlock the system. Ransomware typically works by encrypting all data and system files and rendering them useless. Entire organizations have shut down for days or weeks in the wake of ransomware attacks.
Ransomware operators modified attacks by including fail-safe capabilities that extract sensitive data before encryption. In the so-called double extortion scheme, if a victim does not agree to pay for the decryption key, the actors extort him or her by threatening to publish sensitive data they exfiltrated during the encryption phase of the attack. Threat actors know the implication of the General Data Protection Regulation (GDPR) in the EU and are happy to leverage the damage to reputation that leaked data can cause.
In some cases, threat actors resorted to launching DDoS attacks to get victims back to the negotiating table if initial attempts did not sway them.
Threat actors use RDoS to conduct extortion-based DDoS attacks that are financially motivated. A DDoS extortion victim will receive a message by email, typically using a private mail service such as Protonmail, GMX or even 10 Minute Mail. The message demands a ransom payment. Upon failure to remit before the deadline, a powerful long-lasting DDoS attack starts a few days after receiving the message. The going rate in 2020 was between 10 and 20 BTC. In 2021, due to bitcoin’s surging value, the rate was adjusted between 5 and 10 BTC. The bitcoin address for the payment is uniquely tied to the target and provides threat actors a way to track payments.
Hacktivists are generally considered low-risk threat actors compared to the rest of the field, but they should not be dismissed. One of the properties that makes this group of actors such a formidable threat is their hive mindset. They are able to work together to respond to an event and amplify information within hours, putting severe pressure on the unprepared. Their actions are noticeable because of their impact and the media attention they generate.
The backgrounds of hacktivist threat actors range from concerned citizens with digital means to nation-state threat actors. One of the larger shifts in hacktivism is the growth of local political operations as citizens become more aware and educated about the TTPs used by nation-state actors, organized criminals and other hacktivists. In the past, it was common for nation-state threat actors to use patriotic hacktivism as a cover for their operations, but we now see more citizens running campaigns that are amplified by other parties of interest.
In the digital world, civil disobedience has risen to new heights. It has evolved past the point of simple critical thinking and protest. Hacktivism is the idea of activism and the TTPs of a malicious hacker. Threat actors are typically driven to action by anti-government motives, corporate wrongdoing or social injustice. They achieve their goals by exposing and leaking data associated with those they accuse of wrongdoing and degrading and disrupting their networks. Their toolset can range from rentable and straightforward to sophisticated and advanced.
Generally, hacktivist activity is now more reactionary, social and supportive than the planned and executed attacks of Anonymous. While Anonymous still exists in some capacity, and groups like Ghost Squad Hackers are still active, mainstream hacktivism looks more like the events that unfolded around BlueLeaks or the assassination of Qasem Soleimani.
The term “hacker” is used to describe a person leveraging a computer for malicious purposes. Not all hackers are threat actors, making it complicated to differentiate between them. In general, the group is divided between black, white and gray hat hackers.
A hacker’s background can be extensive and diverse and include those without any formal technical training or knowledge. As for skillsets, hackers in all three groups can range from your common script “kiddies” to advanced programmers. While their activity can range from noble to malicious, ultimately, they all operate for thrills and bragging rights.
Most people assume that other threat groups are more advanced, yet some of the most sophisticated and technical people fit in the category of white hat hackers. Their work, whitepapers and discoveries are often weaponized by other threat groups who lack ethics and morals. Classifying hackers can be complex, with actors occupying multiple threat groups at the same time. Understanding who you are dealing with can help you handle the situation.
The most challenging threat to detect and mitigate is the one that originates from within the circle of trust. Disgruntled insiders are threat actors who are current or former employees who operate out of malice or neglect. These events can include financial fraud, data theft, selling trade secrets, intentional sabotage and internal non-responders. One of the most significant issues is that these threat actors are post-authorization compared to the other groups. They already have initial access and internal knowledge that the other groups have to discover during the reconnaissance stage.
Their tactics are simple compared to other threat actors making them more difficult to detect. They do need to maintain persistence or move laterally. They often act within their domain, looking to cause as much damage as they see fit. This process can include simply copying and pasting trade secrets they already had access to onto a personal device for future competitive use, intentionally deleting or damaging infrastructure/data during or after termination, or simply neglecting to secure critical infrastructure.
Understanding how and why employees turn against their employers might help you understand the psychology, warning signs and how to mitigate the impact of a threat from within.
Angry or disappointed customers can become threat actors. They typically do not persist or pursue a career in crime. Attacks are performed under an intense emotional state of the perpetrator but can nevertheless result in serious damage. Because the actors are not experienced and have no skills to perform their attacks, they will typically rely on hackers-for-hire to conduct the actual attacks. Some of the cheapest and easiest attack tools that can damage an organization’s reputation are DDoS stressers.
Companies in the gaming and gambling industry deal with these threats more often than other industries due to their customers’ emotional involvement. But there are exceptions to every rule.
Download Series 1: The Threat Actors, to further understand cybercriminals and their modus operandi
Download Series II: Tactics, Techniques and Procedures, to understand how TTPs map to the MITRE ATT&CK framework
Nation-state or state-sponsored threat actors work for a government and conduct campaigns to gain access to valuable intelligence or designed to influence, disrupt and compromise the political or economic stability of other nations.
Organized crime conducts malicious activity primarily for economic gain. The groups are structured and are a driving force behind the underground economy.
Hacktivists want to make a statement and are emotionally committed and relentless in their malicious activity in the name of anti-government, anti-corporate or social justice actions.
Hackers are the broader category of threat actors who operate for excitement and bragging rights. Their intentions can be benign, but they can also cross the moral threshold for personal gain. This class of actors is typically a steppingstone into organized crime or security research.
Disgruntled insiders and customers are threat actors who are unhappy and operating out of malice or neglect.
During the last week of December, 2020 and the first week of January, 2021, Radware customers were targeted by DDoS extortionists for a second time by a global ransom DDoS campaign that initially started in August. Organizations received new letters that started with:
“Maybe you forgot us, but we didn’t forget you. We were busy working on more profitable projects, but now we are back.”
Organizations that received this letter were companies that received threats in August and September of 2020. Analysis of this new wave of ransom letters suggests that the same threat actors from the middle of 2020 are behind these malicious communications.
|Destruction||Critical infrastructure||Social engineering|
While government filings are thin, there is a high level of confidence that the Equation Group, a unit of threat actors suspected to be part of the NSA’s TAO, was responsible for some of the most infamous hacks, including Stuxnet and Flame.
Stuxnet is a computer worm discovered in 2010 that targeted the Supervisor Control and Data Acquisition (SCADA) systems of Iran’s nuclear program. Stuxnet was designed to target programmable logic controllers (PLC), which are automation devices used to control machinery and industrial processes. Once deployed, the malware targeted Microsoft operating systems and networks to search for a specific piece of software made by Siemens. The malware compromised the Iranian nuclear centrifuges’ PLC through the Siemens controller software, causing them to spin out of control, ultimately destroying themselves.
This attack is considered by many to be the first time nation-state threat actors maliciously acted to destroy industrial systems. The malware was spread indiscriminately in the wild but would only target Siemens Step-7 software for SCADA systems in embargoed equipment smuggled into Iran.
One of the interesting caveats from the Stuxnet event was the collaboration between nation-state hackers in the United States and Israel.
|Destruction||education, utilities & government||exploit of public-facing applications|
In October 2020, the U.S. DOJ charged six Russian GRU officers connected with a worldwide deployment of destructive malware and other disruptive actions. These actions included disrupting the 2017 French elections, as well as the 2018 Winter Olympics and causing nearly $1 billion in damages to Heritage Valley Health System, TNT Express B.V. and a U.S. pharmaceutical manufacturer.
These men are accused of being part of the GRU Military Unit, 74455, also known as Sandworm. This unit is also known within the GRU as the Main Center for Special Technologies (GTsST). They deployed destructive malware and launched disruptive attacks for the strategic benefit of Russia. In December of 2015 and 2016, they launched a destructive malware campaign against Ukraine’s electric power grid, Ukraine’s Ministry of Finance and the State Treasury Service, leveraging BlackEnergy, KillDisk and Industroyer.
|Espionage, financial, destruction||Financial, entertainment, defense, technology, education, utilities & virtual currency||Social engineering, spear-phishing|
In September of 2018, the U.S. DOJ indicted Park Jin Hyok, a North Korean nation-state threat actor, charging him with conspiracy to conduct multiple cyberattacks and intrusion.
Hyok is accused of being a member of the Lazarus Group, a unit reportedly under the control of the Reconnaissance General Bureau (RGB) that is responsible for the 2017 global WannaCry 2.0 ransomware attack, the destructive attacks on Sony Pictures in 2014 and the $81 million SWIFT hack that targeted the Central Bank in Bangladesh in 2016.
Hyok is a highly skilled programmer but was also known to contract actors from around the globe to conduct his malicious activity. While Hyok’s tactics may seem simple, they are highly effective. In advance of attacks, he researches vulnerabilities, exploits, techniques, and an organization’s employees and their social media accounts. Using this information, Hyok launches successful social engineering attacks leveraging spear-phishing messages to access the targeted networks. Hyok has been known to drop rapidly spreading, destructive malware designed to wipe machines and exfiltrate information of interest, build botnets and steal money for the DPRK.
A hacker called The Janitor has created multiple versions of a program called BrickerBot, a system that searches out and bricks insecure IoT devices. A researcher named Pascal Geenens has followed the worm for a few weeks and has seen it pop up and essentially destroy infected webcams and other IoT devices.
The devices all used a Linux package called BusyBox and had exposed telnet-based interfaces with default passwords. These devices were easily exploited by the Mirai botnet, which essentially turned them into denial-of-service weapons.
BrickerBot finds these devices and renders them unusable. The first version attacked about a thousand devices and alternate versions attacked thousands more. It disabled the devices by formatting the internal memory.
Over the last few years corporations, independents researchers and law enforcement agencies around the world have attempted to curb the growth of the DDoS-for-Hire industry through a series of takedowns and arrests. Despite global efforts, the illicit industry continues to grow, utilizing new attack vectors and producing largescale, record-breaking DDoS attacks.
In December 2019, a former General Electric (GE) engineer was arrested and plead guilty to conspiring to steal trade secrets from GE. He and his business partner, who was sentenced in December, conspired to compete against GE globally by leveraging stolen trade secrets related to turbine technology, stolen marketing data and pricing information. The perpetrators downloaded thousands of files and used social engineering techniques to target the IT department to grant them access to additional information. The attack was discovered in 2012 when GE was underbid for a service contract in Saudi Arabia by the company the two men started.