The three types of online attackers

Patrick Lambert describes the three main groups of attackers that security specialists are guarding against.

As Internet access becomes more pervasive across the world, and each of us spends more time on the web, there's no question that our attack surface grows, and with it how 'juicy' a target we are. Attackers take advantage of this, using every tool and technique they have. Hardly a week goes by without a news report about a new botnet, malware infection, or hacked website. Lists of user names and passwords get posted on pastebin, or a company's front page is found to have been injected with extra code that infects every visitor with spyware and pressures them into spending a hundred bucks on a fake antivirus product. These things are now commonplace, and we barely think twice when we read the headlines. Administrators restore the sites, clean the infections, and life moves on. Sometimes, if it's a big enough deal, the FBI or some other law enforcement agency gets a call, but then it's their problem. Hardly anyone stops to ask who exactly is behind all these attacks, why they are happening, and where the attackers are. But a recent TED talk by Mikko Hypponen put that question to the attendees, and suggested that there are three groups making these attacks.


The first group is the one most of us probably think of when something like this occurs: the criminals, the organized crime gangs, the people in other countries who want to steal our money or our company secrets. This may well be the biggest and most active type of attacker out there, launching attack after attack against our personal and corporate networks. In his talk, Mikko showed a long list of photographs of people who had all become millionaires from online crime. Installing key loggers on personal computers to steal credit card numbers, infecting web sites to show fake drug ads, taking down a competitor's website: everything can be done for a price, and since most of these groups operate from Russia, China and other countries where Western law enforcement has little reach, it's hard to go after them. These aren't kids who just want to play around, or at least they aren't anymore. Back in the early 90s, the hot thing to do to show off was an IRC flood, filling up the T1 connection to a chat server and kicking everyone out. That's how the bad guys had their laughs. Now we're talking big money. Maybe it's even the same people, who knows? It's no longer about how many users you can disconnect from a chat room; it's about how many bucks you can drain from their bank accounts.


The second group of attackers is much more recent, and only now starting to come into public view: hacktivists. These are people who believe in a cause and want to do everything they can to see it through. The biggest name here is probably Anonymous, a group that could technically include anyone who has an axe to grind and can follow simple instructions. These attacks are very different, and much less sophisticated: this is online attack brought to the masses. All you need to do is follow a Twitter account, and when the call to action goes out you're sent to a page with a button that says click here. Your attack is then under way, and if 200,000 followers click at the same time, no site in the world is going to survive for long. (Note that these click-here tools make no attempt to hide the participant's own address: every request lands in the victim's logs with the volunteer's IP on it, and volunteers have been traced and arrested from exactly those logs.) It has been used more and more lately, as in the recent Megaupload case, when several government sites were brought down by hacktivists within a single day of the new 'operation' being called out. Interestingly, while the hacktivists are typically college students, or well-meaning people who just want to send a message to big corporations or big governments, it's the criminal groups that benefit here. Who makes all these easy-to-use DDoS tools? Who provides those thousands of infected computers, ready to bring down any site you want for a very reasonable price? The organized crime lords, of course.
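The practical question for the admin on the receiving end is how a crowd-sourced flood looks in the server logs, and why a per-client rate limit alone does not catch it. The following is an added example, not code from the original article or from any of the tools it mentions: it buckets Common Log Format access-log lines into fixed time windows and runs two detectors, one for a single noisy source and one for a surge in the total that no single source explains. The log lines are constructed for the example, and the window size, per-source limit and surge factor are illustrative assumptions rather than recommended values.

```python
"""Spot a crowd-sourced HTTP flood in web-server access logs.

Added example, not code from the original article. The log lines are
constructed here in Common Log Format (CLF); the window size, per-source
limit and surge factor are illustrative assumptions, not recommended values.
"""
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# CLF: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (source_ip, timestamp) for one CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT)


def requests_per_window(lines, window_s=10):
    """Bucket requests into fixed windows: window start (epoch s) -> Counter of requests per IP."""
    windows = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:  # skip malformed lines rather than crash on them
            continue
        ip, ts = parsed
        start = int(ts.timestamp()) // window_s * window_s
        windows[start][ip] += 1
    return windows


def single_source_offenders(windows, max_per_source):
    """IPs that send more than max_per_source requests in any one window (one noisy client)."""
    return sorted({ip for counts in windows.values()
                   for ip, n in counts.items() if n > max_per_source})


def aggregate_surges(windows, factor=5, baseline=None):
    """Windows whose total request count is more than factor x baseline.

    Each volunteer in a click-here flood can stay well under the per-source
    limit, so only the total gives the attack away. The baseline defaults to
    the median window total, which holds up as long as most windows are quiet.
    Returns (window_start, total_requests, distinct_sources) per surging window.
    """
    totals = {start: sum(c.values()) for start, c in windows.items()}
    if baseline is None:
        baseline = statistics.median(totals.values())
    return [(start, totals[start], len(windows[start]))
            for start in sorted(windows) if totals[start] > factor * baseline]


def analyse(lines, window_s=10, max_per_source=20, factor=5):
    """Run both detectors over the log and return their findings."""
    windows = requests_per_window(lines, window_s)
    return {
        "single_source": single_source_offenders(windows, max_per_source),
        "surges": aggregate_surges(windows, factor),
    }


# ---- constructed sample log (not real traffic) ----
T0 = datetime(2012, 1, 20, 12, 0, 0, tzinfo=timezone.utc)


def _clf(ip, ts, path="/index.html"):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512'


def constructed_log():
    lines = []
    # Windows 0-3: quiet traffic, three visitors with one request each per window.
    for w in range(4):
        for i, ip in enumerate(("203.0.113.5", "198.51.100.7", "192.0.2.9")):
            lines.append(_clf(ip, T0 + timedelta(seconds=10 * w + i)))
    # Window 4 (40-49 s): one client hammering the site, 25 requests in 10 s.
    for k in range(25):
        lines.append(_clf("198.51.100.77", T0 + timedelta(seconds=40 + k % 10)))
    # Window 5 (50-59 s): a click-here flood, 40 volunteers with only 2 requests each.
    for k in range(40):
        for j in range(2):
            lines.append(_clf(f"203.0.113.{100 + k}", T0 + timedelta(seconds=50 + (k + j) % 10)))
    lines.append("this line is not an access-log entry")  # malformed line, ignored
    return lines


if __name__ == "__main__":
    result = analyse(constructed_log())
    print("per-source offenders:", result["single_source"])
    for start, total, sources in result["surges"]:
        when = datetime.fromtimestamp(start, timezone.utc).strftime("%H:%M:%S")
        print(f"surge at {when}: {total} requests from {sources} distinct sources")
```

On the constructed log the per-source detector flags only the single hammering client; the 40 volunteers at two requests each never trip it, and only the aggregate surge (80 requests from 40 distinct sources against a quiet baseline of 3) reveals the flood. In practice that is the split you want: the per-source list is what you can block at the edge, while a surge with many distinct sources is the signal to enable rate limiting or upstream scrubbing, and, since these tools do not hide the participants' addresses, the distinct-source list is also the evidence that ends up with law enforcement.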


The last group is perhaps surprising, or perhaps completely obvious: governments. There's no question that many governments spend a lot of resources on attack tools and personnel, and are actively launching online operations against their targets. Mikko talked about the well-known story of East Germany forcing every typewriter owner to register with the government, so that any piece of paper could be traced back to its creator in case you printed something they didn't like. The Western world was appalled to find out about that. Yet to this day, most colour laser printer manufacturers encode a near-invisible pattern of tracking dots on every page we print, so that it can be traced back to the printer that produced it. This is for security, to deter counterfeiting and such, so nobody complains about it. But what about actual attacks? Surely the government doesn't hack into corporations or individual computers? Of course they do. Just last year we read the whole story of how government agencies managed to infiltrate the Iranian nuclear facilities with Stuxnet, and how this couldn't have happened without first obtaining some critical pieces of information, such as the private code-signing keys of legitimate hardware manufacturers, which let the worm's drivers load as trusted code. (Those certificates were revoked once the theft became known, but revocation only helps systems that check it; until then a stolen signing key is a reusable capability.) Few people complained about that: what's a private signing key when you're talking about infecting an enemy's nuclear facility? Surely ultra-secretive government agencies wouldn't misuse it. Right?

Know your enemy

It's interesting how, when we read a headline about an attack or a hack, we immediately picture some kid in his garage in a remote country, using cracking scripts to break into unpatched systems, when the truth is that this is hardly ever the case. It's far more likely to be sophisticated, well-funded millionaires with multiple yachts, large-screen TVs and a vast network of computer experts, controlling unpatched servers all over the world and making a lot of money. Or it's hacktivists trying to make a point that probably has nothing to do with your particular machine, just borrowing its bandwidth to flood an 'evil' site. Or it's a government agency on the hunt for some criminal -- at least we hope that's what they're paid for. In the end, it doesn't really change our situation as network admins or computer professionals; we still get to clean up the mess. But by understanding who is attacking us, and what they are after, we may stand a better chance of surviving the attack with our shirts on.

Which group do you think is the biggest threat at the moment? The concept of hacktivism is relatively new -- are there any emerging threat groups you would add to this list?