THE THREATS ARE REAL.
THE CHALLENGES HAVE EVOLVED.

The Threats are Real.
The Challenges have Evolved.

The Evolution of Threat Actors in a Post-Pandemic World

The Evolution of Threat Actors in a Post-Pandemic World

Preface

Introduction

Intro

In a world riddled with cyberattacks, digital espionage, misinformation and a hyper-partisan political landscape, access to accurate and vetted intelligence is vital to overcoming the array of threats and threat actors.

The threat landscape is as diverse at is sophisticated. Staying abreast of these threats, understanding actors’ motivations and knowing their tactics, techniques and procedures (TTPs) is paramount

What You'll Learn

Radware’s Hacker’s Almanac Series

The Radware Hacker’s Almanac Series serves as a cornerstone for understanding:

The Cybercriminals and Threat Actors

Their Tactics, Techniques and Procedures


INTELLIGENCE AND DEFENSE

Modeling the threat landscape is an essential step to anticipate the impact of external influences such as geopolitics, pandemics and new security threats so your organization can implement a focused security strategy that aligns with your organization’s most valuable resources.

Part 1

Threat Actor Classification

Threat actors can be categorized into five classes based on their motivations and objectives. Terminology can differ across the security community, but the ideas of represented actors are consistent.

A threat actor will typically fit in one of these classes:

Part 2

Nation States

Some of the most notorious threat actors are those employed or contracted by national governments. Nation-state actors and threat groups often have close links, and are typically directed by, military or state intelligence services. Recruits are selected based on their high degree of technical expertise, knowledge of a specific language, or ability to engage in propaganda and misinformation campaigns.

Their motivations can range from largescale disruption and influence campaigns to covert espionage. Some states are in it for economic gain, while others provide an environment that allows their contractors to continue non-sanctioned operations after hours.

While nation-state threat groups are capable of sophisticated attacks, most of their activity is composed of simple attack vectors. They typically attempt to follow common traits used by other groups or actors. These actors do not perform attacks to demonstrate capabilities; they often try to achieve a specific objective as covertly as possible. Attribution of nation-state incidents is difficult and has led to the formation of several industry groups that track activities and assign a variety of names to the same attack.

Many nations have advanced cyberwarfare capabilities; however, this guide focuses on only a few diverse and notable nation states that illustrate the concept. Depending on your location, the notion and urgency of a particular nation-state actor will be biased by geopolitics, cultural differences, economic and trading agreements.

Some of the most notorious threat actors are those employed or contracted by national governments. Nation-state actors and threat groups often have close links, and are typically directed by, military or state intelligence services. Recruits are selected based on their high degree of technical expertise, knowledge of a specific language, or ability to engage in propaganda and misinformation campaigns.

Their motivations can range from largescale disruption and influence campaigns to covert espionage. Some states are in it for economic gain, while others provide an environment that allows their contractors to continue non-sanctioned operations after hours.

While nation-state threat groups are capable of sophisticated attacks, most of their activity is composed of simple attack vectors. They typically attempt to follow common traits used by other groups or actors. These actors do not perform attacks to demonstrate capabilities; they often try to achieve a specific objective as covertly as possible. Attribution of nation-state incidents is difficult and has led to the formation of several industry groups that track activities and assign a variety of names to the same attack.

Many nations have advanced cyberwarfare capabilities; however, this guide focuses on only a few diverse and notable nation states that illustrate the concept. Depending on your location, the notion and urgency of a particular nation-state actor will be biased by geopolitics, cultural differences, economic and trading agreements.

map_turq

Russia

map_turq

United States

map_turq

North Korea

Nation States:

United States of America

The U.S. is home to some of the most advanced and sophisticated nation-state actors in the world. The Office of Tailored Access Operations (TAO) is a cyber warfare intelligence-gathering unit of the U.S. National Security Agency (NSA). TAO identifies, monitors, infiltrates and gathers intelligence on computer systems used by enemies and friendly foreign entities. The Equation Group is one of the most notorious and highly sophisticated threat actors suspected of being tied to the TAO unit.

On the other hand, the U.S. Cyber Command (USCYBERCOM) is one of the eleven unified combatant commands of the U.S. Department of Defense (DoD). While initially created for defensive purposes, it is increasingly viewed as an offensive force of which the primary objectives consist of espionage, targeting of critical infrastructure and political interference. In June 2019, the New York Times reported that hackers from USCYBERCOM planted malware capable of disrupting the Russian electrical grid. Russia acknowledged the United States potentially attacked its electrical grid.

The U.S. is home to some of the most advanced and sophisticated nation-state actors in the world. The Office of Tailored Access Operations (TAO) is a cyber warfare intelligence-gathering unit of the U.S. National Security Agency (NSA). TAO identifies, monitors, infiltrates and gathers intelligence on computer systems used by enemies and friendly foreign entities. The Equation Group is one of the most notorious and highly sophisticated threat actors suspected of being tied to the TAO unit.

On the other hand, the U.S. Cyber Command (USCYBERCOM) is one of the eleven unified combatant commands of the U.S. Department of Defense (DoD). While initially created for defensive purposes, it is increasingly viewed as an offensive force of which the primary objectives consist of espionage, targeting of critical infrastructure and political interference. In June 2019, the New York Times reported that hackers from USCYBERCOM planted malware capable of disrupting the Russian electrical grid. Russia acknowledged the United States potentially attacked its electrical grid.

Nation States:

Russia

When it comes to cyberwarfare capability, the Russian Federation tops most nations’ risk charts. Russia is renowned for targeting critical infrastructure, DoS attacks, dissemination of disinformation and propaganda aiming for political interference and participation of state-sponsored teams in political blogs. It’s also known for internet surveillance using its version of lawful interception interfaces known as SORM (Система оперативно-разыскных мероприятий or System for Operative Investigative Activities), persecution of cyber dissidents and corporate espionage. Some of these activities were coordinated by the Russian signals intelligence, which was part of the FSB (the Federal Security Service of the Russian Federation) and formerly a part of the KGB. The military performed other activities under the Main Directorate of the General Staff of the Armed Forces (GRU) of Russia.

An analysis by the U.S. Defense Intelligence Agency in 2017 outlines Russia’s view of “Information Countermeasures” or IPb (informatsionnoye protivoborstvo) as “strategically decisive and critically important to control its domestic populace and influence adversary states,” dividing “Information Countermeasures” into two categories of “Informational-Technical” and “Informational-Psychological” groups. The former encompasses network operations relating to defense, attack, and exploitation and the latter to attempts to change people’s behavior or beliefs in favor of Russian governmental objectives.

When it comes to cyberwarfare capability, the Russian Federation tops most nations’ risk charts. Russia is renowned for targeting critical infrastructure, DoS attacks, dissemination of disinformation and propaganda aiming for political interference and participation of state-sponsored teams in political blogs. It’s also known for internet surveillance using its version of lawful interception interfaces known as SORM (Система оперативно-разыскных мероприятий or System for Operative Investigative Activities), persecution of cyber dissidents and corporate espionage. Some of these activities were coordinated by the Russian signals intelligence, which was part of the FSB (the Federal Security Service of the Russian Federation) and formerly a part of the KGB. The military performed other activities under the Main Directorate of the General Staff of the Armed Forces (GRU) of Russia.

An analysis by the U.S. Defense Intelligence Agency in 2017 outlines Russia’s view of “Information Countermeasures” or IPb (informatsionnoye protivoborstvo) as “strategically decisive and critically important to control its domestic populace and influence adversary states,” dividing “Information Countermeasures” into two categories of “Informational-Technical” and “Informational-Psychological” groups. The former encompasses network operations relating to defense, attack, and exploitation and the latter to attempts to change people’s behavior or beliefs in favor of Russian governmental objectives.

Nation States:

North Korea

North Korean state actors representing the Democratic People’s Republic of Korea (DPRK) are some of the most ruthless. These highly skilled threat actors typically work for Bureau 121, the DPRKs cyberwarfare unit, a division of the Reconnaissance General Bureau (RGB) of the DPRK’s military. Their goal mainly consists of state-sponsored espionage, targeting government agencies and organizations in multiple verticals across the world, destructive and disruptive campaigns, as well as a broad range of financially-motivated attacks.

North Korean state actors representing the Democratic People’s Republic of Korea (DPRK) are some of the most ruthless. These highly skilled threat actors typically work for Bureau 121, the DPRKs cyberwarfare unit, a division of the Reconnaissance General Bureau (RGB) of the DPRK’s military. Their goal mainly consists of state-sponsored espionage, targeting government agencies and organizations in multiple verticals across the world, destructive and disruptive campaigns, as well as a broad range of financially-motivated attacks.

Part 3

Organized Crime

Almost all organized crime groups use communication technology to manage their actions. Some groups specialize in using technology to commit cybercrimes. Criminal activity is so rampant that even nation-state employed actors likely perform cybercriminal activity after hours for personal gain.  

Crime pays, so whenever there is an opportunity, organized crime will appear. As more people and devices become connected in the wake of digital transformation, ways for cybercriminals to profit continue to emerge. Even traditional criminals have evolved and digitalized. Drug dealers now anonymously sell drugs and stolen goods online for cryptocurrency without the fear of being caught operating on the streets. The internet provides increasing opportunities for cybercriminal activity and ways for threat actors to organize and create environments that support crime and profitability.  

One would assume these threat actors would not want to draw large amounts of attention, yet their crimes are often “noisy” and noticeable. Many threat actors will even leverage media attention to publicize their capabilities, putting increased pressure on victims to comply. If they don’t, outages can be massive and sensitive data shared on the darknet to apply more pressure.

Almost all organized crime groups use communication technology to manage their actions. Some groups specialize in using technology to commit cybercrimes. Criminal activity is so rampant that even nation-state employed actors likely perform cybercriminal activity after hours for personal gain.  

Crime pays, so whenever there is an opportunity, organized crime will appear. As more people and devices become connected in the wake of digital transformation, ways for cybercriminals to profit continue to emerge. Even traditional criminals have evolved and digitalized. Drug dealers now anonymously sell drugs and stolen goods online for cryptocurrency without the fear of being caught operating on the streets. The internet provides increasing opportunities for cybercriminal activity and ways for threat actors to organize and create environments that support crime and profitability.  

One would assume these threat actors would not want to draw large amounts of attention, yet their crimes are often “noisy” and noticeable. Many threat actors will even leverage media attention to publicize their capabilities, putting increased pressure on victims to comply. If they don’t, outages can be massive and sensitive data shared on the darknet to apply more pressure.

Cybercrime-as-a-Service

Cyberware-as-a-Service

Bulletproof Hosting

Hacking-as-a-Service

DDoS-as-a-Service

Industrial Espionage

Extortion

Financial

Organized Crime:

Threats-As-a-Service

Cybercrime-as-a-Service

Cybercrime-as-a-service is the cornerstone of organized cybercrime groups. Threat actors develop advanced tools and services which are sold or rented to other cybercriminals. Criminals who leverage cybercrime-as-a-service range from novices who lack experience or knowledge to technically adept and well-organized criminals looking to build on existing platforms for even better return margins. Cybercrime services include crimeware-as-a-service, bulletproof hosting and hacking-as-a-service.

Cyberware-as-a-Service

Crimeware-as-a-Service is the rental or sale of sophisticated exploits and malware. Services are varied and include the sale of zero-day exploits, ransomware packages on underground forums and marketplaces and paid access to large botnets used to distribute malware. TrickBot and Emotet are two well-known examples of the latter. Both have evolved from specialized banking trojans to generic malware-as-a-service networks to deliver custom payloads by organized cybercrime and nation-state actors. While these botnets serve a wide variety of customers, most deliver malware designed to steal sensitive information or deploy ransomware. The botnets typically spread through MalSpam with lures designed to socially engineer their targets. Once they reach a foothold, the actors or their customers gain remote access, run reconnaissance, steal and exfiltrate sensitive data, move laterally across the network and deploy more backdoors or accounts to maintain persistence.

Hacking-as-a-Service

Hacking-as-a-Service is the commercialization of hacking skills. Experienced actors offer their skills to threat actors who do not possess the ability to perform the crime or attack. Some of the services offered by hackers-for-hire include breaking into the social network accounts of significant others, DDoS attacks, manipulation of school grades, clearing and updating loan account balances, malware development for any operating system, trojans, tracking apps, password recovery, and deletion of loan default records, among other services.

DDoS-as-a-Service

One form of Hacking-as-a-Service — DDoS-as-a-Service — has significantly impacted the DDoS threat landscape. Also known as Booter or Stresser services, they provide professionally designed portals that allow anyone to perform devastating attacks with just a few clicks. Subscriptions range from $9.99 per month for an unlimited number of DDoS attacks with five minutes of attack time/15 Gbps, up to thousands of dollars for unlimited attack time/200Gbps+.

Organized Crime:

Extortion

Extortion is the practice of gaining something, especially money, through force or threat. Extortion has evolved from the physical world of gangster shakedowns to the cyber realm through hostage-taking of computer networks for profit. From ransomware to Ransom Denial-of-Service (RDoS), threat actors aim to extort cryptocurrency from victims by threatening to degrade networks or encrypt systems and block access to systems until payment is rendered.

Ransomware

Ransom DoS

  • Ransomware

    Ransomware is malicious software that infects a system and displays messages demanding a fee to receive a key to unlock the system. Ransomware typically works by encrypting all data and system files and rendering them useless. Entire organizations have shut down for days or weeks in the wake of ransomware attacks.

    Ransomware operators modified attacks by including fail-safe capabilities that extract sensitive data before encryption. In the so-called double extortion scheme, if a victim does not agree to pay for the decryption key, the actors extort him or her by threatening to publish sensitive data they exfiltrated during the encryption phase of the attack. Threat actors know the implication of the General Data Protection Regulation (GDPR) in the EU and are happy to leverage the damage to reputation that leaked data can cause.

    In some cases, threat actors resorted to launching DDoS attacks to get victims back to the negotiating table if initial attempts did not sway them.

  • Ransom Denial-of-service

    Threat actors use RDoS to conduct extortion-based DDoS attacks that are financially motivated. A DDoS extortion victim will receive a message by email, typically using a private mail service such as Protonmail, GMX or even 10 Minute Mail. The message demands a ransom payment. Upon failure to remit before the deadline, a powerful long-lasting DDoS attack starts a few days after receiving the message. The going rate in 2020 was between 10 and 20 BTC. In 2021, due to bitcoin’s surging value, the rate was adjusted between 5 and 10 BTC. The bitcoin address for the payment is uniquely tied to the target and provides threat actors a way to track payments.

Part 4

Hacktivists

Hacktivists are generally considered low-risk threat actors compared to the rest of the field, but they should not be dismissed. One of the properties that makes this group of actors such a formidable threat is their hive mindset. They are able to work together to respond to an event and amplify information within hours, putting severe pressure on the unprepared. Their actions are noticeable because of their impact and the media attention they generate.

The backgrounds of hacktivist threat actors range from concerned citizens with digital means to nation-state threat actors. One of the larger shifts in hacktivism is the growth of local political operations as citizens become more aware and educated about the TTPs used by nation-state actors, organized criminals and other hacktivists. In the past, it was common for nation-state threat actors to use patriotic hacktivism as a cover for their operations, but we now see more citizens running campaigns that are amplified by other parties of interest.

In the digital world, civil disobedience has risen to new heights. It has evolved past the point of simple critical thinking and protest. Hacktivism is the idea of activism and the TTPs of a malicious hacker. Threat actors are typically driven to action by anti-government motives, corporate wrongdoing or social injustice. They achieve their goals by exposing and leaking data associated with those they accuse of wrongdoing and degrading and disrupting their networks. Their toolset can range from rentable and straightforward to sophisticated and advanced.

Generally, hacktivist activity is now more reactionary, social and supportive than the planned and executed attacks of Anonymous. While Anonymous still exists in some capacity, and groups like Ghost Squad Hackers are still active, mainstream hacktivism looks more like the events that unfolded around BlueLeaks or the assassination of Qasem Soleimani.

Hacktivists are generally considered low-risk threat actors compared to the rest of the field, but they should not be dismissed. One of the properties that makes this group of actors such a formidable threat is their hive mindset. They are able to work together to respond to an event and amplify information within hours, putting severe pressure on the unprepared. Their actions are noticeable because of their impact and the media attention they generate.

The backgrounds of hacktivist threat actors range from concerned citizens with digital means to nation-state threat actors. One of the larger shifts in hacktivism is the growth of local political operations as citizens become more aware and educated about the TTPs used by nation-state actors, organized criminals and other hacktivists. In the past, it was common for nation-state threat actors to use patriotic hacktivism as a cover for their operations, but we now see more citizens running campaigns that are amplified by other parties of interest.

In the digital world, civil disobedience has risen to new heights. It has evolved past the point of simple critical thinking and protest. Hacktivism is the idea of activism and the TTPs of a malicious hacker. Threat actors are typically driven to action by anti-government motives, corporate wrongdoing or social injustice. They achieve their goals by exposing and leaking data associated with those they accuse of wrongdoing and degrading and disrupting their networks. Their toolset can range from rentable and straightforward to sophisticated and advanced.

Generally, hacktivist activity is now more reactionary, social and supportive than the planned and executed attacks of Anonymous. While Anonymous still exists in some capacity, and groups like Ghost Squad Hackers are still active, mainstream hacktivism looks more like the events that unfolded around BlueLeaks or the assassination of Qasem Soleimani.

Part 5

Hackers

The term “hacker” is used to describe a person leveraging a computer for malicious purposes. Not all hackers are threat actors, making it complicated to differentiate between them. In general, the group is divided between black, white and gray hat hackers.

A hacker’s background can be extensive and diverse and include those without any formal technical training or knowledge. As for skillsets, hackers in all three groups can range from your common script “kiddies” to advanced programmers. While their activity can range from noble to malicious, ultimately, they all operate for thrills and bragging rights.

Most people assume that other threat groups are more advanced, yet some of the most sophisticated and technical people fit in the category of white hat hackers. Their work, whitepapers and discoveries are often weaponized by other threat groups who lack ethics and morals. Classifying hackers can be complex, with actors occupying multiple threat groups at the same time. Understanding who you are dealing with can help you handle the situation.

The term “hacker” is used to describe a person leveraging a computer for malicious purposes. Not all hackers are threat actors, making it complicated to differentiate between them. In general, the group is divided between black, white and gray hat hackers.

A hacker’s background can be extensive and diverse and include those without any formal technical training or knowledge. As for skillsets, hackers in all three groups can range from your common script “kiddies” to advanced programmers. While their activity can range from noble to malicious, ultimately, they all operate for thrills and bragging rights.

Most people assume that other threat groups are more advanced, yet some of the most sophisticated and technical people fit in the category of white hat hackers. Their work, whitepapers and discoveries are often weaponized by other threat groups who lack ethics and morals. Classifying hackers can be complex, with actors occupying multiple threat groups at the same time. Understanding who you are dealing with can help you handle the situation.

Black Hat Hacker

Gray Hat Hacker

White Hat Hacker

Black Hat Hackers

Black hat hacker is a title that can be applied to any of the threat actors in the groups above. They are threat actors who conduct criminal activity for personal gain or malice. They are considered to lack morals and ethical boundaries. Their goals include illegally accessing networks so they can modify, steal or destroy data or degrade services.

In May of 2020, the Security Service of Ukraine (SSU) arrested a hacker known as a “Sanix” in the Ivano-Frankivsk region of Ukraine for selling billions of stolen credentials on forums and private channels. He and his partner were responsible for the most extensive set of stolen data in history. In January 2019, they began posting sets of data for sale known as the “Collection#1” that contained an assemblage of old users’ credentials, repacked for monetization.

Gray Hat Hackers

Gray hat hackers are actors whose activities are not always deemed a threat. While conducting research, they may violate the law or ethical standards, but they are not operating with malicious intent. Their goal is not to disrupt the confidentiality, integrity or availability of a network. Nor is it to modify, steal or destroy user data. Instead, they seek to identify exploits and vulnerabilities in network systems, with or without permission.

Once a vulnerability is discovered, they typically contact the vendor to patch the vulnerability, but they often ask for money or recognition for their discovery. In other cases, they leave messages of compromise or take responsibility into their own hands. When dealing with grey hat hackers, it is best to show respect and avoid escalating the discovery from private to public disclosure. 

White Hat Hackers

White hat hackers are ethical actors who specialize in advanced research and penetration testing. Their activities are not a threat but leverage similar tactics and techniques used by criminal hackers. These actors have legal approval to conduct research on targeted networks and devices.

Their job often includes identifying exploits and patching vulnerable systems for clients. Unfortunately, when they publish their findings, research and tools for educational purposes, others can potentially leverage the discoveries for malicious purposes.

Part 6

Disgruntled Insiders

The most challenging threat to detect and mitigate is the one that originates from within the circle of trust. Disgruntled insiders are threat actors who are current or former employees who operate out of malice or neglect. These events can include financial fraud, data theft, selling trade secrets, intentional sabotage and internal non-responders. One of the most significant issues is that these threat actors are post-authorization compared to the other groups. They already have initial access and internal knowledge that the other groups have to discover during the reconnaissance stage.

Their tactics are simple compared to other threat actors making them more difficult to detect. They do need to maintain persistence or move laterally. They often act within their domain, looking to cause as much damage as they see fit. This process can include simply copying and pasting trade secrets they already had access to onto a personal device for future competitive use, intentionally deleting or damaging infrastructure/data during or after termination, or simply neglecting to secure critical infrastructure.

Understanding how and why employees turn against their employers might help you understand the psychology, warning signs and how to mitigate the impact of a threat from within.

The most challenging threat to detect and mitigate is the one that originates from within the circle of trust. Disgruntled insiders are threat actors who are current or former employees who operate out of malice or neglect. These events can include financial fraud, data theft, selling trade secrets, intentional sabotage and internal non-responders. One of the most significant issues is that these threat actors are post-authorization compared to the other groups. They already have initial access and internal knowledge that the other groups have to discover during the reconnaissance stage.

Their tactics are simple compared to other threat actors making them more difficult to detect. They do need to maintain persistence or move laterally. They often act within their domain, looking to cause as much damage as they see fit. This process can include simply copying and pasting trade secrets they already had access to onto a personal device for future competitive use, intentionally deleting or damaging infrastructure/data during or after termination, or simply neglecting to secure critical infrastructure.

Understanding how and why employees turn against their employers might help you understand the psychology, warning signs and how to mitigate the impact of a threat from within.

Part 7

Angry Customers

Angry or disappointed customers can become threat actors. They typically do not persist or pursue a career in crime. Attacks are performed under an intense emotional state of the perpetrator but can nevertheless result in serious damage. Because the actors are not experienced and have no skills to perform their attacks, they will typically rely on hackers-for-hire to conduct the actual attacks. Some of the cheapest and easiest attack tools that can damage an organization’s reputation are DDoS stressers.

Companies in the gaming and gambling industry deal with these threats more often than other industries due to their customers’ emotional involvement. But there are exceptions to every rule.

Angry or disappointed customers can become threat actors. They typically do not persist or pursue a career in crime. Attacks are performed under an intense emotional state of the perpetrator but can nevertheless result in serious damage. Because the actors are not experienced and have no skills to perform their attacks, they will typically rely on hackers-for-hire to conduct the actual attacks. Some of the cheapest and easiest attack tools that can damage an organization’s reputation are DDoS stressers.

Companies in the gaming and gambling industry deal with these threats more often than other industries due to their customers’ emotional involvement. But there are exceptions to every rule.

Interested in a deeper dive?

Download Series 1: The Threat Actors, to further understand cybercriminals and their modus operandi

Download Series II: Tactics, Techniques and Procedures, to understand how TTPs map to the MITRE ATT&CK framework

Download Series III: Intelligence and Defense, to understand how to apply threat intelligence for a modern security strategy

Stay Informed

eBook Download Series I

The Threat Actors, to further understand cybercriminals and their modus operandi

eBook Download Series II

Tactics, Techniques and Procedures, to understand how TTPs map to the MITRE ATT&CK framework

eBook Download Series III

Custom Image
  • Close Up of a Professional Office Specialist Working on Desktop Computer in Modern Technological Monitoring Control Room with Digital Screens. Manager Typing on keyboard and Using Mouse.
  • Two Professional IT Programers Discussing Blockchain Data Network Architecture Design and Development Shown on Desktop Computer Display. Working Data Center Technical Department with Server Racks

Nation-state / state-sponsored threat actors

Nation-state or state-sponsored threat actors work for a government and conduct campaigns to gain access to valuable intelligence or designed to influence, disrupt and compromise the political or economic stability of other nations.

  • Hacker using computers with digital business interface. Hacking and theft concept. Double exposure
  • Hacker using digital business interface on blurry office interior background. Future and phishing concept. Double exposure

Organized crime threats

Organized crime conducts malicious activity primarily for economic gain. The groups are structured and are a driving force behind the underground economy.

  • Hacker wear an anonymous mask.
  • Group of female activists is protesting

Hacktivists

Hacktivists want to make a statement and are emotionally committed and relentless in their malicious activity in the name of anti-government, anti-corporate or social justice actions.

  • Nerd hacker with glasses working with a computer in the dark, cybersecurity concept
  • Dangerous Hooded Hacker Breaks into Government Data Servers and Infects Their System with a Virus. His Hideout Place has Dark Atmosphere, Multiple Displays, Cables Everywhere.

Hackers

Hackers are the broader category of threat actors who operate for excitement and bragging rights. Their intentions can be benign, but they can also cross the moral threshold for personal gain. This class of actors is typically a steppingstone into organized crime or security research.

  • Disappointed businessman looking at financial documents while talking on smartphone in cafe. Disgruntled man working on laptop

Disgruntled insiders and Customers

Disgruntled insiders and customers are threat actors who are unhappy and operating out of malice or neglect.

Customers targeted by DDoS extortionists for a second time

During the last week of December, 2020 and the first week of January, 2021, Radware customers were targeted by DDoS extortionists for a second time by a global ransom DDoS campaign that initially started in August. Organizations received new letters that started with:

“Maybe you forgot us, but we didn’t forget you. We were busy working on more profitable projects, but now we are back.”

Organizations that received this letter were companies that received threats in August and September of 2020. Analysis of this new wave of ransom letters suggests that the same threat actors from the middle of 2020 are behind these malicious communications.

eBook Download

eBook Download

eBook Download

Figure: NSA TAO Equation Group

Stuxnet vs. Iran

ObjectiveTargetInitial Access
DestructionCritical infrastructureSocial engineering

While government filings are thin, there is a high level of confidence that the Equation Group, a unit of threat actors suspected to be part of the NSA’s TAO, was responsible for some of the most infamous hacks, including Stuxnet and Flame.

Stuxnet is a computer worm discovered in 2010 that targeted the Supervisor Control and Data Acquisition (SCADA) systems of Iran’s nuclear program. Stuxnet was designed to target programmable logic controllers (PLC), which are automation devices used to control machinery and industrial processes. Once deployed, the malware targeted Microsoft operating systems and networks to search for a specific piece of software made by Siemens. The malware compromised the Iranian nuclear centrifuges’ PLC through the Siemens controller software, causing them to spin out of control, ultimately destroying themselves.

This attack is considered by many to be the first time nation-state threat actors maliciously acted to destroy industrial systems. The malware was spread indiscriminately in the wild but would only target Siemens Step-7 software for SCADA systems in embargoed equipment smuggled into Iran.

One of the interesting caveats from the Stuxnet event was the collaboration between nation-state hackers in the United States and Israel.

Figure: Russian GRU officers wanted by the FBI

The United States of America vs. Andrienko, Detistov, Frolov, Kovalev, Ochichenko, & Pliskin

ObjectiveTargetInitial Access
EspionageDefense, technology, Phishing
Destructioneducation, utilities & governmentexploit of public-facing applications

In October 2020, the U.S. DOJ charged six Russian GRU officers connected with a worldwide deployment of destructive malware and other disruptive actions. These actions included disrupting the 2017 French elections, as well as the 2018 Winter Olympics and causing nearly $1 billion in damages to Heritage Valley Health System, TNT Express B.V. and a U.S. pharmaceutical manufacturer.

These men are accused of being part of the GRU Military Unit, 74455, also known as Sandworm. This unit is also known within the GRU as the Main Center for Special Technologies (GTsST). They deployed destructive malware and launched disruptive attacks for the strategic benefit of Russia. In December of 2015 and 2016, they launched a destructive malware campaign against Ukraine’s electric power grid, Ukraine’s Ministry of Finance and the State Treasury Service, leveraging BlackEnergy, KillDisk and Industroyer.

Figure: Wanted by the FBI: Park Jin Hyok

The United States of America vs. Park Jin Hyok

ObjectiveTargetInitial Access
Espionage, financial, destructionFinancial, entertainment, defense, technology, education, utilities & virtual currencySocial engineering, spear-phishing

In September of 2018, the U.S. DOJ indicted Park Jin Hyok, a North Korean nation-state threat actor, charging him with conspiracy to conduct multiple cyberattacks and intrusion.

Hyok is accused of being a member of the Lazarus Group, a unit reportedly under the control of the Reconnaissance General Bureau (RGB) that is responsible for the 2017 global WannaCry 2.0 ransomware attack, the destructive attacks on Sony Pictures in 2014 and the $81 million SWIFT hack that targeted the Central Bank in Bangladesh in 2016.

Hyok is a highly skilled programmer but was also known to contract actors from around the globe to conduct his malicious activity. While Hyok’s tactics may seem simple, they are highly effective. In advance of attacks, he researches vulnerabilities, exploits, techniques, and an organization’s employees and their social media accounts. Using this information, Hyok launches successful social engineering attacks leveraging spear-phishing messages to access the targeted networks. Hyok has been known to drop rapidly spreading, destructive malware designed to wipe machines and exfiltrate information of interest, build botnets and steal money for the DPRK.

BrickerBot: A Perfect Example Of a Gray Hat Hacker In Action

A hacker called The Janitor has created multiple versions of a program called BrickerBot, a system that searches out and bricks insecure IoT devices. A researcher named Pascal Geenens has followed the worm for a few weeks and has seen it pop up and essentially destroy infected webcams and other IoT devices.

The devices all used a Linux package called BusyBox and had exposed telnet-based interfaces with default passwords. These devices were easily exploited by the Mirai botnet, which essentially turned them into denial-of-service weapons.

BrickerBot finds these devices and renders them unusable. The first version attacked about a thousand devices and alternate versions attacked thousands more. It disabled the devices by formatting the internal memory.

DDoS-as-a-Service

Over the last few years corporations, independents researchers and law enforcement agencies around the world have attempted to curb the growth of the DDoS-for-Hire industry through a series of takedowns and arrests. Despite global efforts, the illicit industry continues to grow, utilizing new attack vectors and producing largescale, record-breaking DDoS attacks.

Jean Patrice Delia vs. General Electric Company

In December 2019, a former General Electric (GE) engineer was arrested and plead guilty to conspiring to steal trade secrets from GE. He and his business partner, who was sentenced in December, conspired to compete against GE globally by leveraging stolen trade secrets related to turbine technology, stolen marketing data and pricing information. The perpetrators downloaded thousands of files and used social engineering techniques to target the IT department to grant them access to additional information. The attack was discovered in 2012 when GE was underbid for a service contract in Saudi Arabia by the company the two men started.