Understanding Cyber Attackers: Who They Are and How They Work

A cyberattack deliberately exploits a security breach in a computer system to gain unauthorized access, allowing the attacker to modify, steal, or destroy documents or perform other malicious actions.

I know there are attacks such as DDoS, where the so-called intention is only to overflow and disrupt the normal traffic of the service, but it's now more the first step of sophisticated robberies than pure activism.

Disclaimer

There are various blog posts about cyberattacks, so do not hesitate to google "cyber attacks". You'll find very informative articles.

Once you've done that, you know there are various kinds of cyberattacks involving the use of ping, phishing, spoofing, teardrop, session hijacking, or ransomware, and many more.

It's helpful to learn those terms, as you cannot fight something you don't know. However, let's focus here on other words such as strategy, temporality, and goals because they are essential to understand cyber attackers better.

I'm indeed more interested in attackers than attacks.

Goals are more important than tools

Hollywood movies repeatedly use the exact stereotyped representation: a diabolical hacker (and a genius 🙃) wearing a hoodie in a dark room, very late at night, to make a statement. Even the surprisingly accurate Mr. Robot (television series) follows that "convention".

I don't blame them too much. Would you believe Hugh Jackman can hack one of the most complicated security algorithms in 60 seconds after flirting with Halle Berry, drinking Vodka, and, while let's say, "having fun" with another woman?

People made GIFs about this movie!

This scene is unrealistic, and even if it were possible, it would be way more time-consuming. Still, while Swordfish is not the best movie of all time, the plot goes beyond deceptive appearances, at the very least, to describe political goals and some global strategy behind the impossible hack.

In reality, some cyberattacks require enormous budgets and last for years, involving several teams and even support for a specific government against other governments.

The vague concept of attackers

Whether it's a government agency or any other organization (which can be criminal), you'd be surprised by the level of the hierarchy, the division of tasks, and the cooperation required.

It's not uncommon to have various people and even entire teams dedicated to specific tasks:

• gaining unauthorized access

• encrypting communications and other operations

• providing infrastructures for self-protection and hiding

• handling money, for example, with cryptocurrencies (e.g., bitcoins)

Of course, there are less organized predators, but from what I've read so far, it's pretty limited in terms of goals. Most examples in the news involve script kiddies that exploit vulnerabilities to make tiny profits but get, more or less, quickly caught by the authorities.

Why? Because, most of the time, they accidentally discover a source of profit, and they abuse it without adequately covering their tracks.

I can understand what fools them, somehow. Finding vulnerabilities and gaining unauthorized access is not at everybody's reach, so it's probably like winning the jackpot for them when it happens.

Besides, as long as it works, it creates the illusion of invincibility. Nevertheless, if you only know how to sneak into a system, you're just another thief, and you'll have problems sooner or later.

Different kinds of threats

There are different kinds of attackers:

• script kiddies

• sociopaths (not that this one can apply to other categories ^^)

• avengers (not the movie, unless you are a villain of the Marvel Universe ^^)

• mercenaries

• activists

• states

• criminal organizations

• terrorists

The above list is not exhaustive, and those potential threats usually don't operate at the same level. However, the organizational capacity to achieve a specific strategy is a meaningful criterion of classification, IMHO.

The temporality: defense vs. attack

Temporality is a critical concept for cyberattacks. Aside from script kiddies and fools, cyber attackers are meticulously documented and organized.

An attack might require a very long observation period (e.g., six months, one or several years). It can be a massive pain for defenders to re-assemble the puzzle. When the attack occurs, it can result from a long preparation that includes escape strategies, counter-attack measures, and diversions.

While you might think there's a D-day for the operation, it has been running for months, with, for example, several phishing campaigns that look unrelated but target specific parts of your organization.

Besides, it's not uncommon to have multiple small operations providing the required strategic assets and positions for later and much more extensive operations, so striking is a realistic strategy when the time comes.

Skilled attackers would likely use similar strategies, taking their time to maximize profits and minimizing risks, which means they may gain unauthorized access to a computer system without doing anything, like reconnaissance work.

Demystify attackers

Attackers are undeniably dangerous but not invincible.

Humans make mistakes. Hackers are humans. You'd be surprised how many stupid errors they can make, regardless of their level, leading defenders and the authorities to eventually catch them:

• creating patterns unintentionally (using the same tools, the same tricks, the same networks, all the time) that leads to a signature

• using the same networks for personal and "professional" tasks

• misknowing the actual value of their loot

• let their dangerous activities become a routine job

• forgetting to use TOR to access IRC only one time and getting caught by the FBI (e.g. Sabu from LulzSec)

Attacking requires a super high level of concentration, and, for now, there's no way to avoid the human factor.

Don't be obsessed with Mr. Robot

Fortunately, not all attacks are sophisticated, involving government agencies, elite commando units, or a world-class solitary predator.

Otherwise, cybersecurity would be extremely hard, perhaps almost impossible for 99.99% of people, which would not be secure if only a few people could help ^^.

More pragmatically, companies are getting more and more ransomware attacks. However, it does not mean there's no twisted temporality or a more global strategy behind it.

It could be the first attack of a long series, especially if you pay the ransom. Not all companies have the necessary skills to react appropriately.

Wrap up

You don't fight against attackers by focusing on the technical aspect only. Tools are just means, not goals, and what you may consider as unrelated attacks at different periods could be specific steps in a more global strategy.

Also published on https://blog.julien-maury.dev/en/cyberattackers/.