Understanding cybercriminals: motives and tactics of the modern day attacker

Cyber breaches have increasingly been dominating headlines around the world over the last few years. In fact, the reality is that moving attacks from the physical to the cyber world is saving criminals a lot of time, effort and money.

Instead of staking out a physical location, cybercriminals today look for well-known vulnerabilities in systems to gain a foothold into network assets and move laterally to their targets. Gone is the time when hackers had to be well-funded computer science experts. Today hackers may take an unpredictable number of forms and chase a very different and complex array of objectives.

The sheer availability of current attack methods can overwhelm even the most sophisticated security operations. Consequently, companies across the hardest-hit industries are taking decisive action, and many others are starting to feel they should do more.

>See also: How a 7-year-old girl hacked a public Wi-Fi network in 10 minutes

A recent survey by Neustar on the perception of DDoS attacks, from 250 companies across the UK and EMEA, showed that 50% of businesses perceive DDoS attacks are a bigger risk today than they were a year ago.

Given the awareness of these issues and the rapidly enhancing legislation, understanding the current state of cyber security, from the profile of a hacker to the methods they use for execution, is becoming more essential than ever. So how can we begin to profile the modern day attacker?

Individual attackers generally fall into four categories: spies, hacktivists, thieves and nation state attackers. The reasons for committing cybercrime in 2015 are as disparate and unpredictable as at any other point in history – nevertheless, we can attempt to bring motives into line with perpetrators.

Cyber spies

Cyber spies in particular aim to acquire sensitive data that can be given to government and businesses for competitive advantage. The British and American governments have recently announced their joint commitment to create a ‘cyber cell’ together.

This cyber cell is a way for governments to work side-by-side to tackle the growing threat of online terrorism attacks on the West. The idea is that the cell will be used to encourage the sharing of information between states about threats that have already occurred in the past.

A plan is also being put in place to simulate attacks on sectors such as the financial, air traffic control and healthcare to test their resilience and train up a new generation of ‘cyber agents’ to fight against the specific threats they are likely to face in the future.

Is this a good tactic? There is no real answer to that question. What is true, however, is that doing nothing about it is no longer an option as the list of cyber security victims is on the rise and a DDoS outage today means on average a mean loss for companies of more then £100,000 – £140,000 in peak hours.


The second profile of hackers that can be drawn from recent cyber-attack trends are cyber activists, also called ‘internet activists’, ‘e-activists’ or ‘hacktivists’. This type of cybercriminal has a point to prove to someone somewhere and will use anything from email, blogs and social networking techniques as their vehicle to initiate a movement towards a specific goal. The internet provides an international stage for hacktivist networks. These groups typically focus their attacks on government, religious and corporate websites.

Cyber thieves

Cyber thieves are the third most common form of cyber attackers. These guys seek financial gains commonly by accessing confidential data such as credit card or personal information, which can then be re-sold over and over again.

Medical identity theft is becoming a great concern on this front. According to a study conducted by the Medical Identity Theft Alliance (MIFA), the number of patients affected by this practice in America has increased by over 20% this year.

The Anthem attack is one of the biggest proof points of this. Attackers gained access to personal data such as street addresses, employment data and email addresses of around 80 million people.

This reality is driving heavier investments in mitigation capabilities – however, more needs to be done. In Neustar’s cyber security report this year, it was found that only 10% of the companies surveyed had been attacked only once, 39% had been attacked two to five times, 24% six to ten times and 17% about once a month.

Nation state attackers

Nation state attackers (often through advanced persistent threats) are another group moving conflict from the battlefield and into cyber space.

A recent, prevalent example of this is related to the ‘Great Firewall’ of China. This is the term given to the Chinese government’s efforts to block thousands of websites to prevent what they deem as ‘politically sensitive’ information on the internet.

To intercept requests coming and going inside the country from banned sites such as Facebook or Twitter, the Great Firewall uses a weak spot of the DNS system. When it identifies a site it wants to ban access to, it redirects that request to a different IP address.

However, when the wrong IP address is entered and it belongs to a real server, this translates into a server from another part of the world being hit with millions of user requests – in other words, it gets hit by a massive cyber attack.

>See also: How do you solve a problem like cybercrime?

All in all, it seems clear that each security breach can teaches its own lessons.

Sometimes it is evidence of how much state action can be drawn as a result of it, as is the case of the ‘cyber cell’ set up by the British and American governments to train up a new generation of ‘cyber agents’.

Other times it is evidence that ideology (including censorship), such as the Great Firewall of China, is turning cyber attacks into one of the most powerful tools to sabotage targets.

Predicting the next crime taking place in the Wall Street of Cybercrime is a rather impossible task. However, past experiences, if anything, help outline a trend that is of escalating concern, and one that is worth understanding and taking actions upon as soon as possible: DDoS attacks are becoming a more dangerous practice than they have ever been.

At best, they take services offline. At worst, they are just another tool (smokescreen) for more devastating attacks.


Sourced from Margee Abrams, Neustar

Avatar photo

Ben Rossi

Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...

Related Topics