Posted March 27, 2019
We’ve all heard stories of espionage, mafia crime, and lone wolf attackers throughout history. These real-life stories have inspired some of the most iconic characters ever known—Mata Hari, the Godfather, The Jackal, Unabomber – to name a few. As threats move from the physical world into cyberspace, enterprises are beginning to see these same types of actors targeting their organizations online. Though they use different means to their desired end, the threat actors behave similarly to their traditional counterparts. As your organizations analyze these actors, it’s important to understand the actors’ target, motivation, and your best defense against them.
Target: Any and every computer
Motivation: Cyberwarfare/espionage for political, economic, and/or military agendas
Best Defense: Patch/Vulnerability management
A true force to be reckoned with the infrastructure, power; and substantial technical, financial, and material resources behind nation state-sponsored cyber attacks is unparalleled. State-sponsored threat actors are typically well-funded and sophisticated, and – as the name suggests – sponsored or supported by a government entity. This support doesn’t always come in the form of money, but sometimes direction. These attackers are more calculated and measured and are known to play the “long-game,” meaning they deploy tactics and attacks that grant them access to your systems and networks quietly, possibly hanging around for months or years. Nation-state activity has included distributed denial of service (DDoS) attacks, destructive wiper malware, disinformation, influence operations, and cyber reconnaissance of critical infrastructure. Though nation-states targeted other government entities in the past, they are aiming for new targets—like your organization to gain access to your sensitive company data.
One of the better-known nation-state attacks is the massive NotPetya ransomware outbreak that according to some researchers is still considered the single most expensive computer security incident in history. A little background: conflict between Ukraine and Russia has resulted in the cyber arm of the Kremlin reaching across the Russian border into Ukraine many times. This caused power outages and destroyed terabytes of Ukraine’s data. The political tension and undeclared war had been going on for four years by 2017. By using Ukraine as a testing ground for its cyberwar tactics, Russia left doors open in the form of software vulnerabilities that they could re-enter whenever they wanted. One of these open doors provided the perfect passageway for NotPetya—the fastest-propagating malware ever— to enter. Russian military hacking groups deployed the malware to target Ukraine, but the effect was global almost instantaneously.
Damage from NotPetya affected global shipping magnates, multi-national pharmaceutical companies, financial services organizations, and food manufacturers. It caused $10 billion in damage worldwide. Modern state-sponsored cyber attacks reach farther than traditional warfare ever could, and the results can be catastrophic in all industry verticals. NotPetya exploited a software vulnerability that had a known fix—many of the organizations impacted by NotPetya could have avoided this fate if they had patched this vulnerability. While there is no single answer to defending against nation-states, one of the easiest defenses is patching and updating your systems as soon as a fix is available.
Motivation: Financial gain/profits
Best Defense: Good cyber hygiene
Cybercrime is a gold mine for successful criminals. Not only because there’s a lot of money in the game – some say global damage related to cybercrime is expected to reach $6 trillion by 2021 – but also because actors don’t need to be sophisticated to carry out these crimes. Organized cybercriminals are motivated by profits, so it only makes sense that they would exploit the financial opportunities that hacking presents. Cybercriminal actors are most interested in stealing personally identifiable information (PII) like credit card numbers, account credentials, and Social Security Numbers. They will either steal directly from their victims or steal information and/or accesses that can be monetized in cybercrime forums, and will use any means to carry out this goal – phishing, ransomware, cryptominers, remote access Trojans, exploit kits, social media, data/financial theft, extortion, and blackmail. Unlike original mafia groups, the barrier to entry on the cybercrime market is low. There is no need for bribing law enforcement or killing people off when the Dark Web can provide ample anonymity to these threat actors.
Hacking group Fin7 is notorious for being well-organized and disciplined in their craft. If you have had your credit card number stolen at a restaurant, you have most likely come into contact with Fin7 yourself. They developed their own malware and attack styles, proving very effective for the group. Chipotle, Trump Hotels, and Whole Foods have been victims of Fin7’s point-of-sale malware, breaching more than five million credit and debit card numbers. Because of their highly organized nature, Fin7 can operate efficiently—to the tune of $50 million in profit per month. Fin7 uses phishing tactics to deliver malware that are developed and tested by its many departments. After discovering a weak spot in Microsoft applications, Fin7 needed only a day to create a file-less malware attack designed to steal as many credit card numbers as possible.
Your best defense against this type of organized cybercrime network? Good cyber hygiene! If we have said it once, we have said it 1,000 times. Change your passwords often, be highly skeptical when it comes to unexpected emails or calls, and patch and update regularly.
Target: Government entities, corporations, or individuals
Motivation: Political, social, religious, economic, and environmental causes
Best Defense: Understanding TTPs
Hacktivism describes individuals or groups that use hacking to affect political or social change. These actors meld traditional political activism with the Internet, allowing them to express social and political discontent via cyberspace. The hacktivist landscape is diverse, encompassing individuals and groups of various levels of skillsets and capabilities. Hacktivists are known to use malware, DDoS attacks, “doxing,” web page defacement, and social media to expose damning information about their target, from unjust business practices to government secret-keeping. Hacktivists have been active since the mid-90’s. Modern hacktivism was shaped heavily by group Anonymous throughout the past decade. Unlike organized cybercriminals Fin7, Anonymous is amorphous, made up of many different proxy organizations and affiliated hackers.
In recent years, the group targeted the 2016 presidential campaign of U.S. President Donald Trump, as well as the Islamic State (IS) and the Ku Klux Klan (KKK). After the Islamic State attacks on Paris in 2015, Anonymous set out to dismantle the large network of Islamic State social media accounts to stifle the dissemination of propaganda. Though their motive was for social justice, their methods were brought into question and could have caused more damage than good. It is highly unlikely that Anonymous has the counterterrorism skillset to properly vet these accounts, and the takedown of alleged IS accounts and forums hampers intelligence operations of actual counterterrorism experts and the intelligence community working to dismantle these terrorist groups.
Hacktivists like Anonymous face high-risk of infiltration due to the disorganization of its members and associates—possibly allowing nation-states or other dangerous actors to leverage them for the proliferation of government propaganda. It is a dangerous game to play when state secrets and intelligence operations are put in harms way. Your best defense against organizations like these are to understand their TTP’s—hacktivists are known to target unjust business practices at the corporate level.
The Lone Wolf
Target: Financial institutions and their networks
Motivation: Financial gain, Network access
Best Defense: Understanding tactics, techniques, and procedures (TTPs)
Lone wolf threat actors are a powerful force in the cybercrime underground. As we have written before, the popularization of the cybercrime-as-a-service model is furthering the reach of these lone-wolf actors. Traditional lone wolf attackers were difficult to track, and cyber lone wolf actors are equally difficult to find. The reason? They operate individually (in rare cases work with other accomplices) and they operate on the Dark Web, known for the anonymity it provides. Threat actors like “gookee”–a lone wolf malware developer hawking his wares on cybercrime forums—are prime examples of what today’s lone wolf threat actor looks like.
Gookee, thought to be Russian, has been operating on one cybercrime forum since January 2018 selling his malware to other less skilled cybercriminals. Like many other threat actors, gookee provides cybercrime-as-a-service, and similar to threat actor Glad0ff, gookee has proved his bona fides on his forum of choice through customer reviews of his service and products. His malware du jour is an ATM exploit that allows his customers to manually extract cash from ATMs. ATM exploits provide an immediate source of cash to criminals, but even more dangerous is the access that they provide into bank networks—potentially putting millions of dollars at risk. These types of actors prove difficult for law enforcement to catch due to their business model, which allows them to distance themselves from the crimes their customers commit. These threat actors are just the accomplice to their bank robberies and other criminal pursuits.
The best defense enterprises have against lone wolf actors is collecting intelligence on their TTPs to better understand how and where these actors continue to operate. This intelligence will also alert you to new threat actors selling cybercrime-as-a-service, providing the situational awareness needed to protect your organization’s most sensitive information.
Traditional crime groups and tactics will never go away—but they will evolve and move to new landscapes. Keeping your organization abreast of emerging threat actors is the best way to defend against them. Knowing your adversary is the only way to anticipate their next move. LookingGlass’ intelligence team provides finished intelligence, including Threat Actor Profiles. If you are looking for information similar to what’s in this blog, or would like a more in-depth look at one of these threat actors contact us.