Profiling Modern Hackers: Hacktivists, Criminals, and Cyber Spies. Oh My!

Sun Tzu, the renowned military strategist and author of The Art of War, was known for the saying, “Know thy enemy and known thyself, and you will not be imperiled in a hundred battles.” While the true intention of this quote is likely to remind us that knowing our own strengths and weaknesses is equally important to knowing those of your enemy, I can’t help but simplify it to the rudimentary,  “know thy enemy.”

I suspect most security professionals, me included, spend much more time analyzing the technical and mechanical aspects of cyber crime than the social and psychological ones. We dissect attacker’s malware and exploit tools, analyze their code and exploit techniques, but don’t always study who they are and why they do what they do. According to General Tzu, this is a good way to lose many battles.

In order to better understand the nature of the cyber threat, security professionals need to act more like criminal investigators, and consider means, motive, and opportunity. We’ve got the means down (tools and techniques), but some of us may need to work a bit on motive. One of the ways to do that is to understand the different hacker profiles.

Over the last few years, the general hacker profiles and motives have changed quite a bit. We no longer live in a world of fame seeking hackers, script kiddies, and cyber criminals—there are some new kids on the block. It’s important for you to understand these motive and profile changes, since they dictate what different types of hackers are ultimately after, whom they target, and how they tend to do business. Knowing these things can be the key to helping your understand which of your resources and assets need the most protection, and how you might protect them.

With that in mind, I’d like to share some quick highlights about the three main type of attackers I think plague us today:

1. The Hacktivist

Simply put, hacktivists are politically motivated cyber attackers. We’re all familiar with traditional activists, including the more extreme ones. Over the past five years, activist have realized the power of the Internet, and have started using cyber attacks to get their political message across. A few examples of hacktivist groups include the infamous Anonymous, and the more recent Syrian Electronic Army. Most hacktivist groups tend to be decentralized and often not extremely organized. For instance, there can be cases where one factor of Anonymous may do things another factor doesn’t even agree with.

As disorganized as they may sound, these activist groups can cause significant problems for governments and businesses. They tend to rely on fairly basic, freely available “Skript Kiddie” tools. For instance, their most common weapon is a DDoS attack, using tools like HOIC or LOIC. However, the more advanced hacktivists also rely on web application attacks (like SQLi) to steal data from certain targets, with the goal of embarrassing them—something they like to call Doxing.

While hacktivists are arguably the least worrisome of today’s attackers, they still have succeeded in causing havoc for many big companies and governments. Since these hacktivist’s political agendas vary widely, even small businesses can find themselves a target depending on the business they are in or partnerships they have.

2. Cyber Criminals

You’re probably most familiar with the cyber criminal hacker profile, since they’ve been around longer than the other two. This group’s motive is pretty obvious; to make money using any means necessary.

Cyber criminal groups can range from a few lone actors who are just out for themselves, to big cyber crime organizations, often financed and headed by traditional criminal organizations. They are the group of hackers responsible for stealing billions of dollars from consumers and businesses each year.

These criminal attackers participate in a rich underground economy, where they buy, sell and trade attack toolkits, zero day exploit code, botnet services, and much more. They also buy and sell the private information and intellectual property they steal from victims. Lately, they’re focusing on web exploit kits, such as Blackhole, Phoenix, and Nuclear Pack, which they use to automate and simplify drive-by download attacks.

Their targets vary from small businesses and consumers, whom they attack opportunistically, to large enterprises and industry verticals, who they target with specific goals in mind. In a recent attack on the banking and credit card industry, a very organized group of cyber criminals was able to steal 45 million dollars globally from ATMs, in a highly synchronized fashion. The attack was made possible due to an initial, targeted network breach against a few banks and a payment processor company.

 3. Nation States (or State-Sponsored Attackers) 

The newest, and most concerning new threat actors are the state-sponsored cyber attackers. These are government-funded and guided attackers, ordered to launch operations from cyber espionage to intellectual property theft. These attackers have the biggest bankroll, and thus can afford to hire the best talent to create the most advanced, nefarious, and stealthy threats.

Nation state actors first appeared in the public eye during a few key cyber security incidents around 2010, including:

      • The Operation Aurora attack, where allegedly Chinese attackers gained access to Google and many other big companies, and supposedly stole intellectual property, as well as sensitive US government surveillance information.
      • The Stuxnet incident, where a nation state (likely the US) launched an extremely advanced, sneaky, and targeted piece of malware that not only hid on traditional computers for years, but also infected programmable logic controllers (PLCs) used in centrifuges. The attack was designed to damage Iran’s nuclear enrichment capabilities.

Unlike the other hackers’ tools, state-sponsored attackers create very customized and advanced attack code. Their attacks often incorporate previously undiscovered software vulnerabilities, called zero day, which have no fix or patch. They often leverage the most advanced attack and evasion techniques into their attack, using kernel level rootkits, stenography, and encryption to make it very difficult for you to discover their malware. They have even been known to carry out multiple attacks to reach their ultimate target. For instance, they might attack a software company to steal a legitimate digital certificate, and then use that certificate to sign the code for their malware, making it seem like it comes from a sanctioned provider. These advanced attacks are what coined the new industry term, advanced persistent threat (APT).

While you’d expect nation state attackers to have very specific targets, such as government entities, critical infrastructure, and Fortune 500 enterprises, they still pose some threat to average organizations as well. For instance, sometimes these military attackers target smaller organizations as a stepping-stone for a bigger attack. Furthermore, now that these advanced attacks and malware samples have started to leak to the public, normal criminal hackers have begun to adopt the advanced techniques, upping the level of traditional malware as well.

Understanding the motives, capabilities, and tools of these three hacker profiles gives you a better idea of what types of targets, resources, and data each one is after. This knowledge should help cater your defenses to the types of attacker you think are most relevant to the business or organization you protect.

Now that you know a little about your enemy, you can focus on getting to know yourself, and match your defenses to your most likely enemy. Once you’ve done that, you will not be imperiled in a hundred cyber battles. — Corey Nachreiner, CISSP (@SecAdept)

To spread the knowledge about today’s three main cyber threat actors, WatchGuard has created a fun and fact-filled info-graphic. Check it out below, and be sure to share it with your friends and co-workers to spread the word. 

WatchGuard profiles the three main classes of cyber attackers.

WatchGuard profiles the three main classes of cyber attackers.

About Corey Nachreiner

Corey Nachreiner has been with WatchGuard since 1999 and has since written more than a thousand concise security alerts and easily-understood educational articles for WatchGuard users. His security training videos have generated hundreds of letters of praise from thankful customers and accumulated more than 100,000 views on YouTube and Google Video. A Certified Information Systems Security Professional (CISSP), Corey speaks internationally and is often quoted by other online sources, including C|NET, eWeek, and Slashdot. Corey enjoys "modding" any technical gizmo he can get his hands on, and considers himself a hacker in the old sense of the word.

9 Responses to “Profiling Modern Hackers: Hacktivists, Criminals, and Cyber Spies. Oh My!”

  1. Great information! We are gearing up for an inspection from the government to see if we are protected against such cyber criminals. It’s a scary word we live in, especially when we are dealing with such important personal data that can be reached in so many ways. We are currently going with a company named InfoSafe to make sure we stay compliant. Phoenix IT Support and consulting can help you learn all about InfoSafe and why it is important to be protected against hackers!

  2. Indeed, we know much less about means/motive/opportunity of bad guys, then they know about means/motive/opportunity of victims. That’s why “social engineering” was and will be one of the successful and “hard-to-protect-against” hack factor.
    Thanks for interesting article!

  3. Interesting article, As a hacktivist, you publicize your hack as broadly as possible to convey a political or social message. As a criminal you do the opposite, hoping to slip through unnoticed. As a victim you may not be aware, let alone report it. When it comes down to it, this is really about poor security and not covering holes for them to get into. This is why it’s important to hire the right kind of IT staff with updated certifications. Corporations especially need to worry more about making these right hires and less about how it affects revenue. Check out this infographic on cyber hacktivism:

  4. Hi! I’ve been reading your web site for some time now and finally got the bravery to go ahead and give you a shout out from Kingwood Texas! Just wanted to say keep up the good job!


  1. Most Dangerous Hackers Motives and Methods Revealed | WebHostMagazine | The Hosting Authority - May 31, 2013

    […] how they do business,” said Corey Nachreiner, director of security strategy at WatchGuard, in a recent blog post. “Knowing these things can be the key to helping you understand which of your resources and […]

  2. Infografía recoge los motivos y métodos utilizados por los tres tipos de hackers más peligrosos | diarioti - June 26, 2013

    […] apunta Corey Nachreiner, director de estrategia de seguridad de WatchGuard, en un reciente blog.  “Tener conocimiento de estas cosas puede ser la clave para ayudar a entender qué recursos y […]

  3. Infografía recoge los motivos y métodos utilizados por los tres tipos de hackers más peligrosos | - June 27, 2013

    […] apunta Corey Nachreiner, director de estrategia de seguridad de WatchGuard, en un reciente blog.  “Tener conocimiento de estas cosas puede ser la clave para ayudar a entender qué recursos y […]

  4. Most Dangerous Hackers Motives and Methods Revealed | Static Data Hosting - July 7, 2013

    […] how they do business,” said Corey Nachreiner, director of security strategy at WatchGuard, in a recent blog post. “Knowing these things can be the key to helping you understand which of your resources and […]

  5. Security-Marathon » Hackers and criminals . They are not synonyms - January 23, 2014

    […] Profiling Modern Hackers: Hacktivists, Criminals, and Cyber Spies. Oh My! […]

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


Get every new post delivered to your Inbox.

Join 7,966 other followers

%d bloggers like this: