Over the last few years, the number of cyber attacks has risen with the fast-paced evolution of the digital world. Just last year, big names were tarnished by large breaches of their security. Even tech-savvy organisations like Equifax, Uber and Deloitte are vulnerable to attacks. Cybersecurity is an issue that concerns everyone, but many do not realise how important it is. Here, we introduce the actors striking from the dark.
Identifying the parties behind attacks does not repair the harm done to cyber-victims, but it certainly helps in understanding the gears that drive the cyber-threat machine. The motive appears obvious, even if the reasons behind hackers’ actions can become more nuanced depending on their political agenda.
It is worth noting that the umbrella term ‘hacker’ covers an array of specific roles, especially within organised groups. Generally, these roles are more or less modelled on a typical IT organisation (programmers, IT experts, and the like); however, there are also more specific roles such as fraudsters, cashiers, and money mules (here is a short list of these roles).
A good part of cyber criminals consists of lone wolves with varying degrees of IT knowledge, willing to use their skills or position to take revenge, operate scams, blackmail, and conduct other swindles. They are responsible for a large part of so-called cybercrimes, ranging from hacking university systems to insider data theft, and are usually sporadic offenders. An interesting trend is the now common sight of hackers going from amateurs to ‘freelance’ professionals, selling their skills to the highest bidder.
Regarding corporate data theft, employers’ concerns are justified, as the risk their organisations face from such misdemeanours is high and can lead to heavy losses. A sound policy is therefore necessary to address these types of issues. Small, independent actors can cause significant harm to organisations and must not be overlooked.
Organised threat groups
Individuals are not the only ill-intentioned parties, nor are they the most treacherous. Many of the attacks perpetrated over the last few years against public and private entities were the work of hacker groups. These groups make use of extensive tool sets (malware, ransomware, Trojans) which are generally complex and complicated to develop, and use them to infiltrate systems and exfiltrate data while remaining undetected. These entities display skills that in some cases are only equalled by national security agencies, and they are very difficult to trace. Unlike individual hackers, they conduct larger operations, targeted and driven by well-conceived and consistent motives.
Looked at from a distance, and sketching their rationale quickly, such groups can be something akin to anarchists, releasing powerful hacking tools to the public and putting implements in the hands of individuals who otherwise would never have had the chance to use them.
One example of such organisations is the newly-uncovered MoneyTaker, which stole millions over the past two years from US, Russian and British banks. The group targeted card-processing systems, such as SWIFT and the Russian Interbank System AWS CBR. Their location and nature are still unknown to the public.
Another group, The Shadow Brokers, is one of the most talked about, infamous for its release of leaked exploits (software tools). Last year, they were behind the release of the WannaCry virus, some of the Equation Group hacking tools (see below), and more of the NSA’s hot material. This group was skilled enough to outsmart one of the most prepared security organisations in the world and, as far as we know, get away with it. The tools they released enabled hackers to direct their attacks against Microsoft products and routers, and allowed them to break into the SWIFT banking network. How the Shadow Brokers did it is still unknown, and several scenarios are considered plausible.
Many governments have their own agencies overseeing rather shady actions, fuelled by geopolitical and lobbying purposes. Amongst the top countries buccaneering around on the web, Russia, China, the United States, Israel, Iran and North Korea are the most active, aiming to get their hands on foreign intellectual property, sensitive intelligence and public funds.
The harm caused by these actors can go very far. Banking systems, but also national security, are constantly under attack and ultimately at risk of being breached.
One of the most famous examples of such actors is The Equation Group, which, according to Kaspersky Lab, is a “threat actor that surpasses anything known in terms of complexity and sophistication of techniques, and that has been active for almost two decades”. According to the Kaspersky report, they are a US-sponsored group likely to have ties with the NSA. They were behind the release of malware such as EquationDrug and GrayFish.
Another illustrative example is the NotPetya ransomware released last June. The White House dubbed it “the most destructive and costly cyber-attack in history,” and it spread worldwide, “causing billions of dollars in damage across Europe, Asia, and the Americas.” The US government, along with the UK, Canada and Australia, formally accused Russia of being behind the launch.
The list of nation-state hacking groups is long and inexact. Fancy Bear (Russia), Lazarus (North Korea), the Comment Crew (China) and APT35 (Iran) are amongst the most prominent.
By Jean Leguy, Research Coordinator