Introduction
In a world riddled with cyberattacks, digital espionage, misinformation and a hyper-partisan political landscape, access to accurate and vetted intelligence is vital to overcoming the array of threats and threat actors.
The threat landscape is as diverse as it is sophisticated. Staying abreast of these threats, understanding actors’ motivations and knowing their tactics, techniques and procedures (TTPs) is paramount.


What You'll Learn
Radware’s Hacker’s Almanac Series
The Radware Hacker’s Almanac Series serves as a cornerstone for understanding:
The Threat Landscape
The Cybercriminals and Threat Actors
Their Tactics, Techniques and Procedures
Modeling the threat landscape is an essential step to anticipate the impact of external influences such as geopolitics, pandemics and new security threats so your organization can implement a focused security strategy that aligns with your organization’s most valuable resources.
Want to cut to the chase and download a pdf version?
Download the Complete Hacker’s Almanac to learn about the post-pandemic world riddled with cyberattacks, digital espionage, misinformation and more.
Part 1
Threat Actor Classification
Threat actors can be categorized into five classes based on their motivations and objectives. Terminology can differ across the security community, but the ideas behind the represented actors are consistent.
A threat actor will typically fit in one of these classes:
Part 2
Nation States
Some of the most notorious threat actors are those employed or contracted by national governments. Nation-state actors and threat groups often have close links to, and are typically directed by, military or state intelligence services. Recruits are selected based on their high degree of technical expertise, knowledge of a specific language, or ability to engage in propaganda and misinformation campaigns.
Their motivations can range from large-scale disruption and influence campaigns to covert espionage. Some states are in it for economic gain, while others provide an environment that allows their contractors to continue non-sanctioned operations after hours.
While nation-state threat groups are capable of sophisticated attacks, most of their activity is composed of simple attack vectors. They typically mimic the traits of other groups or actors. These actors do not perform attacks to demonstrate capabilities; they try to achieve a specific objective as covertly as possible. Attribution of nation-state incidents is difficult and has led to the formation of several industry groups that track activities and assign a variety of names to the same attack.
Many nations have advanced cyberwarfare capabilities; however, this guide focuses on only a few diverse and notable nation states that illustrate the concept. Depending on your location, the notion and urgency of a particular nation-state actor will be biased by geopolitics, cultural differences, and economic and trading agreements.



Nation States:
United States of America
The U.S. is home to some of the most advanced and sophisticated nation-state actors in the world. The Office of Tailored Access Operations (TAO) is a cyber warfare intelligence-gathering unit of the U.S. National Security Agency (NSA). TAO identifies, monitors, infiltrates and gathers intelligence on computer systems used by enemies and friendly foreign entities. The Equation Group is one of the most notorious and highly sophisticated threat actors suspected of being tied to the TAO unit.
On the other hand, the U.S. Cyber Command (USCYBERCOM) is one of the eleven unified combatant commands of the U.S. Department of Defense (DoD). While initially created for defensive purposes, it is increasingly viewed as an offensive force whose primary objectives consist of espionage, targeting of critical infrastructure and political interference. In June 2019, the New York Times reported that hackers from USCYBERCOM planted malware capable of disrupting the Russian electrical grid. Russia acknowledged that the United States potentially attacked its electrical grid.
Nation States:
Russia
When it comes to cyberwarfare capability, the Russian Federation tops most nations’ risk charts. Russia is renowned for targeting critical infrastructure, DoS attacks, dissemination of disinformation and propaganda aiming for political interference and participation of state-sponsored teams in political blogs. It’s also known for internet surveillance using its version of lawful interception interfaces known as SORM (Система оперативно-разыскных мероприятий or System for Operative Investigative Activities), persecution of cyber dissidents and corporate espionage. Some of these activities were coordinated by the Russian signals intelligence, which was part of the FSB (the Federal Security Service of the Russian Federation) and formerly a part of the KGB. The military performed other activities under the Main Directorate of the General Staff of the Armed Forces (GRU) of Russia.
An analysis by the U.S. Defense Intelligence Agency in 2017 outlines Russia’s view of “Information Countermeasures” or IPb (informatsionnoye protivoborstvo) as “strategically decisive and critically important to control its domestic populace and influence adversary states,” dividing “Information Countermeasures” into two categories of “Informational-Technical” and “Informational-Psychological” groups. The former encompasses network operations relating to defense, attack, and exploitation and the latter to attempts to change people’s behavior or beliefs in favor of Russian governmental objectives.
Nation States:
North Korea
North Korean state actors representing the Democratic People’s Republic of Korea (DPRK) are some of the most ruthless. These highly skilled threat actors typically work for Bureau 121, the DPRK’s cyberwarfare unit, a division of the Reconnaissance General Bureau (RGB) of the DPRK’s military. Their activity mainly consists of state-sponsored espionage targeting government agencies and organizations in multiple verticals across the world, destructive and disruptive campaigns, and a broad range of financially motivated attacks.
Want to Learn more about Nation-State attacks?
Download the Full Hacker’s Almanac To Learn More About These Countries and Others Such as China, Iran and More
Part 3
Organized Crime
Almost all organized crime groups use communication technology to manage their actions. Some groups specialize in using technology to commit cybercrimes. Criminal activity is so rampant that even nation-state-employed actors likely perform cybercriminal activity after hours for personal gain.
Crime pays, so whenever there is an opportunity, organized crime will appear. As more people and devices become connected in the wake of digital transformation, ways for cybercriminals to profit continue to emerge. Even traditional criminals have evolved and digitalized. Drug dealers now anonymously sell drugs and stolen goods online for cryptocurrency without the fear of being caught operating on the streets. The internet provides increasing opportunities for cybercriminal activity and ways for threat actors to organize and create environments that support crime and profitability.
One would assume these threat actors would not want to draw large amounts of attention, yet their crimes are often “noisy” and noticeable. Many threat actors will even leverage media attention to publicize their capabilities, putting increased pressure on victims to comply. If victims don’t comply, outages can be massive and sensitive data can be shared on the darknet to apply more pressure.

Organized Crime:
Threats-As-a-Service
Cybercrime-as-a-Service
Cybercrime-as-a-service is the cornerstone of organized cybercrime groups. Threat actors develop advanced tools and services which are sold or rented to other cybercriminals. Criminals who leverage cybercrime-as-a-service range from novices who lack experience or knowledge to technically adept and well-organized criminals looking to build on existing platforms for even better return margins. Cybercrime services include crimeware-as-a-service, bulletproof hosting and hacking-as-a-service.

Crimeware-as-a-Service
Crimeware-as-a-Service is the rental or sale of sophisticated exploits and malware. Services are varied and include the sale of zero-day exploits, ransomware packages on underground forums and marketplaces and paid access to large botnets used to distribute malware. TrickBot and Emotet are two well-known examples of the latter. Both have evolved from specialized banking trojans to generic malware-as-a-service networks to deliver custom payloads by organized cybercrime and nation-state actors. While these botnets serve a wide variety of customers, most deliver malware designed to steal sensitive information or deploy ransomware. The botnets typically spread through MalSpam with lures designed to socially engineer their targets. Once they reach a foothold, the actors or their customers gain remote access, run reconnaissance, steal and exfiltrate sensitive data, move laterally across the network and deploy more backdoors or accounts to maintain persistence.

Hacking-as-a-Service
Hacking-as-a-Service is the commercialization of hacking skills. Experienced actors offer their skills to threat actors who do not possess the ability to perform the crime or attack. Some of the services offered by hackers-for-hire include breaking into the social network accounts of significant others, DDoS attacks, manipulation of school grades, clearing and updating loan account balances, malware development for any operating system, trojans, tracking apps, password recovery, and deletion of loan default records, among other services.

DDoS-as-a-Service
One form of Hacking-as-a-Service — DDoS-as-a-Service — has significantly impacted the DDoS threat landscape. Also known as Booter or Stresser services, they provide professionally designed portals that allow anyone to perform devastating attacks with just a few clicks. Subscriptions range from $9.99 per month for an unlimited number of DDoS attacks with five minutes of attack time/15 Gbps, up to thousands of dollars for unlimited attack time/200Gbps+.

Organized Crime:
Extortion
Extortion is the practice of gaining something, especially money, through force or threat. Extortion has evolved from the physical world of gangster shakedowns to the cyber realm through hostage-taking of computer networks for profit. From ransomware to Ransom Denial-of-Service (RDoS), threat actors aim to extort cryptocurrency from victims by threatening to degrade networks or encrypt systems and block access to systems until payment is rendered.
Ransomware
Ransomware is malicious software that infects a system and displays messages demanding a fee to receive a key to unlock the system. Ransomware typically works by encrypting all data and system files and rendering them useless. Entire organizations have shut down for days or weeks in the wake of ransomware attacks.
Ransomware operators modified attacks by including fail-safe capabilities that extract sensitive data before encryption. In the so-called double extortion scheme, if a victim does not agree to pay for the decryption key, the actors extort him or her by threatening to publish sensitive data they exfiltrated during the encryption phase of the attack. Threat actors know the implication of the General Data Protection Regulation (GDPR) in the EU and are happy to leverage the damage to reputation that leaked data can cause.
In some cases, threat actors resorted to launching DDoS attacks to get victims back to the negotiating table if initial attempts did not sway them.
Ransom Denial-of-Service
Threat actors use RDoS to conduct extortion-based DDoS attacks that are financially motivated. A DDoS extortion victim will receive a message by email, typically using a private mail service such as Protonmail, GMX or even 10 Minute Mail. The message demands a ransom payment. Upon failure to remit before the deadline, a powerful long-lasting DDoS attack starts a few days after receiving the message. The going rate in 2020 was between 10 and 20 BTC. In 2021, due to bitcoin’s surging value, the rate was adjusted between 5 and 10 BTC. The bitcoin address for the payment is uniquely tied to the target and provides threat actors a way to track payments.
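As an added example (not Radware’s code), the following defender-side triage routine scores an inbound message against the RDoS extortion pattern described above: a sender on a private mail service, a per-target bitcoin address, a demand inside the 2020-2021 going rate, a deadline and DDoS threat language. The mail domains beyond those named in the text, the 5 to 20 BTC window used for the rate check, and both sample messages are assumptions constructed for the example.

```python
"""Triage helper for Ransom DoS (RDoS) extortion emails (added example)."""
import email
import email.utils
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Services named on the page plus sibling domains they use (assumption).
PRIVATE_MAIL_DOMAINS = {
    "protonmail.com", "protonmail.ch", "proton.me",
    "gmx.com", "gmx.net", "gmx.de",
    "10minutemail.com", "10minutemail.net",
}

# Loose bitcoin address pattern: legacy base58 (1.../3...) or bech32 (bc1...).
BTC_ADDRESS_RE = re.compile(r"\b(?:bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")
BTC_AMOUNT_RE = re.compile(r"(\d+(?:\.\d+)?)\s*BTC\b", re.IGNORECASE)
DEADLINE_RE = re.compile(r"\bwithin\s+(\d+)\s+(hours?|days?)\b", re.IGNORECASE)
THREAT_RE = re.compile(r"\b(ddos|denial[- ]of[- ]service)\b", re.IGNORECASE)


@dataclass
class Triage:
    sender_domain: str = ""
    btc_address: Optional[str] = None
    btc_amount: Optional[float] = None
    deadline: Optional[str] = None
    indicators: List[str] = field(default_factory=list)

    @property
    def likely_rdos(self) -> bool:
        # Require several independent indicators so that a lone BTC mention
        # in ordinary mail does not trip the rule.
        return len(self.indicators) >= 3


def triage_email(raw: str, rate_range=(5.0, 20.0)) -> Triage:
    """Parse a raw RFC 822 message and collect RDoS extortion indicators."""
    msg = email.message_from_string(raw)
    _, addr = email.utils.parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    t = Triage(sender_domain=domain)

    if domain in PRIVATE_MAIL_DOMAINS:
        t.indicators.append("sender_private_mail")
    m = BTC_ADDRESS_RE.search(text)
    if m:
        t.btc_address = m.group(0)
        t.indicators.append("btc_address")
    m = BTC_AMOUNT_RE.search(text)  # first amount is taken as the demand
    if m:
        t.btc_amount = float(m.group(1))
        lo, hi = rate_range
        if lo <= t.btc_amount <= hi:
            t.indicators.append("btc_amount_in_going_rate")
    m = DEADLINE_RE.search(text)
    if m:
        t.deadline = f"{m.group(1)} {m.group(2).lower()}"
        t.indicators.append("deadline")
    if THREAT_RE.search(text):
        t.indicators.append("ddos_threat_language")
    return t


# Constructed RDoS note modelled on the scheme in the text (not a real message).
EXTORTION_SAMPLE = """From: "Threat Team" <threatteam@protonmail.com>
To: noc@victim.example
Subject: DDoS attack on your network

Your network will be hit by a DDoS attack. Pay 5 BTC to
bc1qconstructedexampleaddress00000000000000 within 7 days or the
attack starts and the price rises by 5 BTC per day.
"""

# Constructed ordinary message that mentions bitcoin but is not extortion.
BENIGN_SAMPLE = """From: "Finance" <finance@partner.example>
To: noc@victim.example
Subject: Crypto treasury update

We moved 0.5 BTC to the cold wallet this week. No action needed.
"""

if __name__ == "__main__":
    for sample in (EXTORTION_SAMPLE, BENIGN_SAMPLE):
        result = triage_email(sample)
        print(result.likely_rdos, result.indicators)
```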
Want to learn more?
Download the complete Hacker’s Almanac, Series I and Learn About Ransomware, Bulletproof Hosting and Other Organized Cyber Crimes.
Part 4
Hacktivists
Hacktivists are generally considered low-risk threat actors compared to the rest of the field, but they should not be dismissed. One of the properties that makes this group of actors such a formidable threat is their hive mindset. They are able to work together to respond to an event and amplify information within hours, putting severe pressure on the unprepared. Their actions are noticeable because of their impact and the media attention they generate.
The backgrounds of hacktivist threat actors range from concerned citizens with digital means to nation-state threat actors. One of the larger shifts in hacktivism is the growth of local political operations as citizens become more aware and educated about the TTPs used by nation-state actors, organized criminals and other hacktivists. In the past, it was common for nation-state threat actors to use patriotic hacktivism as a cover for their operations, but we now see more citizens running campaigns that are amplified by other parties of interest.
In the digital world, civil disobedience has risen to new heights. It has evolved past the point of simple critical thinking and protest. Hacktivism is the idea of activism and the TTPs of a malicious hacker. Threat actors are typically driven to action by anti-government motives, corporate wrongdoing or social injustice. They achieve their goals by exposing and leaking data associated with those they accuse of wrongdoing and degrading and disrupting their networks. Their toolset can range from rentable and straightforward to sophisticated and advanced.
Generally, hacktivist activity is now more reactionary, social and supportive than the planned and executed attacks of Anonymous. While Anonymous still exists in some capacity, and groups like Ghost Squad Hackers are still active, mainstream hacktivism looks more like the events that unfolded around BlueLeaks or the assassination of Qasem Soleimani.

Want to learn more?
Download the complete Hacker’s Almanac, Series I To Learn About Additional Hacktivist Groups.
Part 5
Hackers
The term “hacker” is used to describe a person leveraging a computer for malicious purposes. Not all hackers are threat actors, making it complicated to differentiate between them. In general, the group is divided between black, white and gray hat hackers.
A hacker’s background can be extensive and diverse and include those without any formal technical training or knowledge. As for skillsets, hackers in all three groups can range from your common script “kiddies” to advanced programmers. While their activity can range from noble to malicious, ultimately, they all operate for thrills and bragging rights.
Most people assume that other threat groups are more advanced, yet some of the most sophisticated and technical people fit in the category of white hat hackers. Their work, whitepapers and discoveries are often weaponized by other threat groups who lack ethics and morals. Classifying hackers can be complex, with actors occupying multiple threat groups at the same time. Understanding who you are dealing with can help you handle the situation.

Black Hat Hackers
Black hat hacker is a title that can be applied to any of the threat actors in the groups above. They are threat actors who conduct criminal activity for personal gain or malice. They are considered to lack morals and ethical boundaries. Their goals include illegally accessing networks so they can modify, steal or destroy data or degrade services.
In May 2020, the Security Service of Ukraine (SSU) arrested a hacker known as “Sanix” in the Ivano-Frankivsk region of Ukraine for selling billions of stolen credentials on forums and private channels. He and his partner were responsible for the most extensive set of stolen data in history. In January 2019, they began posting sets of data for sale known as “Collection#1” that contained an assemblage of old users’ credentials, repacked for monetization.

Gray Hat Hackers
Gray hat hackers are actors whose activities are not always deemed a threat. While conducting research, they may violate the law or ethical standards, but they are not operating with malicious intent. Their goal is not to disrupt the confidentiality, integrity or availability of a network. Nor is it to modify, steal or destroy user data. Instead, they seek to identify exploits and vulnerabilities in network systems, with or without permission.
Once a vulnerability is discovered, they typically contact the vendor to patch the vulnerability, but they often ask for money or recognition for their discovery. In other cases, they leave messages of compromise or take responsibility into their own hands. When dealing with gray hat hackers, it is best to show respect and avoid escalating the discovery from private to public disclosure.

White Hat Hackers
White hat hackers are ethical actors who specialize in advanced research and penetration testing. Their activities are not a threat but leverage similar tactics and techniques used by criminal hackers. These actors have legal approval to conduct research on targeted networks and devices.
Their job often includes identifying exploits and patching vulnerable systems for clients. Unfortunately, when they publish their findings, research and tools for educational purposes, others can potentially leverage the discoveries for malicious purposes.

Want to learn more?
Download the complete Hacker’s Almanac, Series I to read more examples and learn more about cyber threats from Hackers and Hacktivists.
Part 6
Disgruntled Insiders
The most challenging threat to detect and mitigate is the one that originates from within the circle of trust. Disgruntled insiders are threat actors who are current or former employees who operate out of malice or neglect. These events can include financial fraud, data theft, selling trade secrets, intentional sabotage and internal non-responders. One of the most significant issues is that these threat actors are post-authorization compared to the other groups. They already have initial access and internal knowledge that the other groups have to discover during the reconnaissance stage.
Their tactics are simple compared to those of other threat actors, making them more difficult to detect. They do not need to maintain persistence or move laterally. They often act within their domain, looking to cause as much damage as they see fit. This can include simply copying trade secrets they already had access to onto a personal device for future competitive use, intentionally deleting or damaging infrastructure/data during or after termination, or simply neglecting to secure critical infrastructure.
Understanding how and why employees turn against their employers might help you understand the psychology, warning signs and how to mitigate the impact of a threat from within.

Part 7
Angry Customers

Angry or disappointed customers can become threat actors. They typically do not persist or pursue a career in crime. Attacks are performed under an intense emotional state of the perpetrator but can nevertheless result in serious damage. Because the actors are not experienced and have no skills to perform their attacks, they will typically rely on hackers-for-hire to conduct the actual attacks. Some of the cheapest and easiest attack tools that can damage an organization’s reputation are DDoS stressers.
Companies in the gaming and gambling industry deal with these threats more often than other industries due to their customers’ emotional involvement. But there are exceptions to every rule.
Interested in a deeper dive?
Download Series I: The Threat Actors, to further understand cybercriminals and their modus operandi.
Download Series II: Tactics, Techniques and Procedures, to understand how TTPs map to the MITRE ATT&CK framework