Making Sense of Cyber Attacks

Robindimyan
Nov 11, 2023

Cyber attacks happen for various reasons. For a CTI analyst, it’s crucial to understand the different functions of cyber attacks for various actors in order to interpret these attacks effectively. In this post, we’ll explore the motivations behind these incidents. By the end, we’ll have outlined the different types of purposes that help us understand cyber attacks in a broader context.

The Purpose of Cyber Attacks

The primary driver of cyber attacks isn’t mindless destruction but the benefit they offer those orchestrating them. Known cyber incidents can be grouped into three main categories: profit making, denial and coercion, and information superiority.

Profit Making

Cyber attacks can be motivated by the desire to make a profit. There are four main ways to profit from a cyber attack:

  1. Extortion — Criminals may attempt to extort companies by launching DDoS attacks, encrypting files with ransomware, or threatening to release sensitive data that could lead to reputational damage, regulatory fines, and more.
  2. Selling of Commodity — Criminals may attempt to sell acquired goods such as customer databases, premium accounts, coupon codes, credit cards, bank accounts, or sensitive documents.
  3. Exploitation of Computing Resources — Sometimes, criminals can leverage the processing power of compromised systems. Examples include clicking on ads, generating fake video views/app downloads, creating website traffic, boosting social media followers, and the most notable, cryptocurrency mining.
  4. Providing Tertiary Services — While a campaign itself may appear technically simple and straightforward, the process from preparation to cashing out can be lengthy and complex. Recognizing this, some criminals offer services that facilitate various aspects of cyberattacks to other hackers.

For more detailed insights on this topic, you can refer to my article here: Predictive Defense: How to do Cyber Crime Forecasting with Examples.

Denial and Coercion

States often employ cyber attacks. The significance of such a tool for states lies in its plausible deniability and potential to cause material damage. States use these operations for military purposes during wartime or to exert diplomatic pressure during peacetime. Cyber attacks in this context serve three functions:

  • Sabotage: disrupting critical systems to cause material damage.
  • Deterrence: exerting diplomatic pressure through small or large-scale sabotage.
  • Destruction: causing physical destruction through cyber means.

A recent instance is the DDoS attack on the Israeli websites used to alert civilians to rocket attacks, which began only 12 minutes after the Hamas assault. Source: https://blog.cloudflare.com/cyber-attacks-in-the-israel-hamas-war/

The three books below provide excellent case studies on the use of cyber capabilities in interstate conflicts:

  1. A Fierce Domain: Conflict in Cyberspace, 1986 to 2012 (https://www.amazon.de/-/en/Jason-Healey/dp/098932740X)
  2. Cyber Strategy: The Evolving Character of Power and Coercion (https://www.amazon.de/-/en/Brandon-Valeriano/dp/0190618094)
  3. Offensive Cyber Operations: Understanding Intangible Warfare (https://www.amazon.de/Offensive-Cyber-Operations-Understanding-Intangible/dp/1787385612)

An example from the first book discusses the Russo-Georgian War of 2008:

The cyber attacks on the banking sector in Georgia had several repercussions that affected everyday life in Georgia and made the period of the invasion more difficult for the population. The persistent attacks on the systems of several banks forced them to shut down their electronic services until the threat had passed. This not only significantly disrupted the connection to foreign banks, but also apparently paralyzed the Georgian payment system, leaving some Georgians without access to money. Due to limited or zero access to financial means, many Georgians could not buy anything in stores. This in turn significantly decreased demand for goods during the time.

Information Superiority

A common goal among states, hybrid actors, and criminal organizations in using cyber capabilities is to achieve information superiority. There are four main methods to this end:

Espionage: The most common activity, cyber espionage, is a key tool for gaining information superiority.

Propaganda / Information Operations (IO): The internet’s mass communication capabilities allow both states and hybrid actors to steer public opinion. Cyber attacks are often used as a significant propaganda tool, especially by terrorist organizations.

For more detailed insights on this topic, you can refer to my articles here:

Deception: Considering the legal and diplomatic implications of cyber attacks, they are well-suited for deceptive operations. There have been instances of false flag traces in cyber incursions, whether planned or accidental.

Fame and Reputation: For cyber criminal organizations, fame and reputation are crucial. Therefore, these groups often engage in high-profile attacks that may not directly yield financial gains. The growing popularity of the ransomware-as-a-service (RaaS) model, which hinges on the recruitment of affiliates, further highlights the importance of a group’s reputation and fame.

Making Sense of Cyber Attacks

Having understood the diverse applications of cyber attacks, the question arises: how can we determine the objective of a specific attack? Contrary to what one might expect, it’s really hard to pinpoint the exact purpose of a single event. This complexity arises because cyber attacks often serve multiple purposes simultaneously. For instance, attempting to map various types of attacks to their respective objectives typically results in a complex web of interrelated motives.

The most effective method involves grouping similar incidents using the Diamond model or a comparable approach and analyzing them over an extended period. For instance, making sense of a single defacement act by a hacktivist group can be challenging. Yet, long-term observation may show that these actions are strategically arranged to influence public opinion. This allows us to reinterpret the actors involved from a new perspective. The same can be said for ransomware, hack & leak, and other types of cyber attacks.
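As an added illustration of the long-term grouping described above (example code written for this post, not the author's own tooling): incidents are linked on shared Diamond model features (adversary, infrastructure, capability), and for each resulting group only the purposes consistent with every incident are kept. The activity-to-purpose mapping and the incident records are constructed assumptions for the example.

```python
from datetime import date

# Candidate purposes per observed activity, drawn from the post's three
# groups (profit making, denial and coercion, information superiority).
# The mapping itself is an assumption for this example, not from the post.
PURPOSES = {
    "defacement": {"propaganda", "fame"},
    "ddos": {"extortion", "sabotage", "deterrence", "propaganda"},
    "ransomware": {"extortion", "fame"},
    "hack_and_leak": {"selling_commodity", "extortion", "propaganda"},
}
LINK_FEATURES = ("adversary", "infrastructure", "capability")  # Diamond model vertices

def cluster(incidents):
    """Union-find: incidents sharing any linking feature value end up in one group."""
    parent = list(range(len(incidents)))
    def find(i):
        while parent[i] != i:
            i = parent[i]
        return i
    first_seen = {}  # (feature, value) -> index of first incident carrying it
    for idx, inc in enumerate(incidents):
        for feat in LINK_FEATURES:
            key = (feat, inc[feat])
            if key in first_seen:
                parent[find(idx)] = find(first_seen[key])
            else:
                first_seen[key] = idx
    groups = {}
    for idx in range(len(incidents)):
        groups.setdefault(find(idx), []).append(incidents[idx])
    return list(groups.values())

def infer_purpose(group):
    """Purposes consistent with every incident in the group, plus observation span in days."""
    common = set.intersection(*(PURPOSES[i["activity"]] for i in group))
    dates = [i["date"] for i in group]
    return sorted(common), (max(dates) - min(dates)).days

def inc(d, adversary, infrastructure, capability, activity):
    return dict(date=d, adversary=adversary, infrastructure=infrastructure,
                capability=capability, activity=activity)

INCIDENTS = [  # constructed sample records, not real events
    inc(date(2023, 1, 5), "groupA", "host1", "deface-kit", "defacement"),
    inc(date(2023, 3, 2), "groupA", "host2", "ddos-botnet", "ddos"),
    inc(date(2023, 6, 20), "unknown", "host2", "leak-site", "hack_and_leak"),  # linked via host2
    inc(date(2023, 2, 14), "groupB", "host9", "locker-x", "ransomware"),
]
```

Running `infer_purpose` over each group from `cluster(INCIDENTS)` narrows the first group to propaganda across a 166-day window, while the lone ransomware incident stays ambiguous between extortion and fame.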

I hope you found this article informative. See you in the next one!
