Seven types of cyber criminals: 2018 version

It was in 2012 that I first wrote about the 7 Levels of Hackers. Up to that point, six levels had been discussed in blogs and elsewhere, but I added “The Automated Tool” because, at that time, I was seeing more and more automated attacks on websites.

The 2012 list looked as follows:

  1. Script Kiddies
  2. The Hacking Group
  3. Hacktivists
  4. Black Hat Professionals
  5. Organised Criminal Gangs
  6. Nation States
  7. The Automated Tool

At the time of writing that blog, I did not realise how it would continue to influence other work, such as research from HP, nor did I realise how important some of the threats listed would become.

Since 2012, we have seen:

  • New technologies coming online and going mainstream, e.g. Artificial Intelligence, Blockchain, cryptocurrencies,
  • A significant increase in reliance on the internet, with more home technologies being internet connected (Internet of Things) as well as Enterprise and Critical National Infrastructure,
  • A culture shift in the way we absorb media, from TV and radio to internet services such as Netflix and YouTube,
  • A shift in gaming from single player to multiplayer open world games,
  • A change in culture for social interaction and even politics, from face-to-face to social media.

However, we are also seeing a shift in the Threat:

  • Bigger breaches,
  • Bigger leaks,
  • Higher profile attacks,
  • New types of attack such as ransomware,
  • Greater use of the ‘dark web’,
  • The DDoS threat landscape has changed,
  • Botnets have changed and some great take-downs have also been noted.

I also want to get away from the term ‘hacker’ and call the actions what they truly are – cybercrime.

It is time to revisit this list, reflect on its relevance, perhaps add some more insight and bring it up to date.

The 2012 List updated

1. Script Kiddies

For sure, we still have script kiddies as we did in 2012. A script kiddie is a person who runs tools they find on the internet, generally to cause some mischief and rarely with any other serious intent. More than ever, we are seeing this in the gaming industry, with ‘stressers’ designed to knock other players out of games. At a recent gaming convention, I was approached several times by players of PUBG, a leading gaming title in 2018, who were losing real money in the game due to individuals using criminal tools to gain advantage. This problem was not limited to PUBG, but it was certainly the most prevalent game discussed. Another change is that we no longer see ‘skiddies’ using ‘scripts’. Instead they are enabled by groups higher up the list: we now have “cybercrime-as-a-service” type environments available to all, with easy-to-use interfaces in an almost click-and-attack style.

We, within the cyber security industry, still refer to them as ‘skiddies’ or ‘script kiddies’, but maybe we need a new term, as they rarely run scripts and instead use crimeware-as-a-service. App Kiddies?

 

2. The Hacking Group

In 2012 we had Lulz Security (aka Lulzsec), who were a prolific group at the time, running campaigns such as “50 days of lulz”. Now, most of the original team have served their punishment, lessons were learned, and they have instead turned to using their skills for good. It is interesting to note that in 2018 we do not appear to have that kind of prolific group making the headlines. I do wonder if the reason there are fewer is the big take-downs that happened around 2012. For sure they still exist – a simple look at Zone-h.org shows plenty of groups still defacing websites etc. But mainstream hacks?

  • Maybe Lazarus? But the jury is still out as to whether this is a Nation State splinter group – see below.
  • One that has hit the headlines is Magecart, who at this time are attacking British Airways and Ticketmaster – although there are many who claim this still needs more work before we are sure of attribution.

The intent of this group of cyber criminals is still the same as before: to raise their own profile and show off the group’s skills, while making little money from their attacks.

I believe we need to keep this level in, but their importance at this time is somewhat diminished and I feel this group should be renamed to “The Small Criminal Groups” to reflect their real intent.

 

3. Hacktivists

This group has fallen from the mainstream in recent times. Where once we were almost in fear of this subversive group – Anonymous, to name the most prolific – it has certainly gone underground. With the “dark web” at their disposal and greater use of technologies like Discord, Slack etc, the organisation of these groups has moved from Facebook to much more private areas and has become more structured. However, we have also seen a rapid decline in the Anonymous movement: there are still some stalwarts to the cause, but the mainstream sway has certainly declined. We have not seen major Hacktivist groups take the place of Anonymous, with only smaller, highly organised groups appearing with the intent of raising political or religious causes.

I certainly think this level has not gone away; it has diminished in size but is still as potent as it ever was. I also think that, with the global political unrest we see, these groups have a stronger message to fight for, so they should not be ignored, and we may well see this layer grow over time.

 

4. Black Hat Professionals

Another set of people that have diminished from the limelight are the one-off career criminals. Maybe they have been put off by law enforcement prioritising cyber investigations. Maybe they have been influenced by seeing other high-profile black hats, e.g. Kevin Mitnick, becoming a positive force and taking lucrative career options. We are definitely seeing more ex-black hats at conferences talking about their roles in organisations and the work they are doing to defend, so I believe the assertion is correct that the older players have moved into legitimate employment. Modern-day black hat professionals seem to be very few and far between – an example of a name I have seen which may appear in this category would be Guccifer 2.0; however, the jury is still out as to whether this was a criminal gang rather than an individual. Black hat professionals were very educated people who were generally trying to learn more about the world they live in.

For sure, the image of the lonely master criminal has definitely declined; the question is, has it gone away? With the proliferation of knowledge on the internet, the many learning platforms that exist and the early-career signposting to careers in cyber, I believe that this group will reduce and continue to do so.

 

5. Organised Criminal Gangs

An area that is definitely on the increase is the organised criminal gangs. This group is very well structured, global and well tooled, with defined goals and objectives. They run themselves like a normal company would and they are reaping the financial benefits of this structure. We only have to look at the Indian ATM hacks to see their effectiveness. This group is for sure growing, and growing in effectiveness, as both its tools and its range of targets expand. I also see a definite blurring of the lines now between “The Hacking Group” and the “Organised Criminal Gangs”. The difference is that the Hacking Group use their attacks for fun, mischief and raising their profile, whereas the Organised Criminal Gang is making money out of its efforts, e.g. mining and cryptojacking, and has mobilised itself to have clearer objectives – maybe they are Hacking Groups that just grew up?

This area will continue to grow as the number of internet users grows and the internet-connected technology base grows – every day this group has new targets to attack, new technologies to go after, new currencies to trade in.

 

6. Nation States

It seems that every day we hear of yet another Nation State attacking some country in the world, or some revelation about “hacking of elections” etc. In the cyber security industry, call it rolling the attribution dice, the options are:

Certainly in 2012, this group was not publicly discussed or in the news; perhaps it was just assumed that it went on in the background, but it did go on. As the cyber security industry grew better at sharing intelligence, with the rise of threat intelligence feeds, these background attacks became publicly known to the organisations looking at this intelligence. If we then couple into this the sensational leaks via Wikileaks et al, the tools and methods of these Nation States are now in the public domain and make for good privacy discussions. Maybe in the future we will add the UK to this list? The intent for Nation States is to create some advantage over the victim country, either by gaining data or control.

I therefore state that, with the increase in internet usage, the further integration of the internet into our daily lives and the global political unrest we see, this area will certainly grow and the impact will be felt across the internet.

 

7. The Automated Tool

This was the item I added to the pre-2012 list and I felt it was an important addition at the time. In 2012, I was witnessing automated scans and automated tools finding vulnerabilities in computers, and also automated tools gaining a foothold on these computers. In 2018, these tools are still here; they are still active and still automated. However, there is also some automation in their activity by way of retaliation.

I recently watched a threat intelligence map (https://threatmap.fortiguard.com/) and an attack that was going on towards one country. What I noticed was that this country was coming under attack from different countries. What I was actually seeing was infected computers from different countries, under the command of one country, hitting a target. The victim country then started to attack outwards to apparently random countries, which in turn then started their own attacks. In other words, the automated tools were attacking a target which then automatically set up its own attack back. This automation plays out every day on the internet, the same internet we are using every day. These attacks are part of the background to the web.

However, did I make a mistake with this addition? What is the intent of these tools? Is this not just a tool that the Nation States are using? Should this not be included in the above cyber criminal type?

I believe at some point, with the growth in Artificial Intelligence, we will see ‘AI bots’ intelligently picking their targets across the internet to take a swipe at the opposition. There will be no human operator behind them; this will be a pure computer-based attack. It will pick its own target from a list of adversaries and pick the time to attack based on a known weakness in the infrastructure, e.g. peak power usage. It will then find the weaknesses and expose them during the attack. This may indeed be happening right now for all we know and will only be disclosed in some Wikileaks-style leak in the future. The intent will be the same as Nation-State attack, power etc a

This will be an advancing technology – still a way away from maturity, but for sure, with the increase in threat intel feeds, we will be able to track this better.

  

Conclusion

So, does the list need to change? Well, I certainly think it should remain, but the bar graph of importance and prevalence should be altered. We see more “App Kiddie” attacks at the personal level, reaching into the lives of our children. We see more “Organised Criminal Gang” activity going after financial and data reward and succeeding a large proportion of the time. “Nation States” are now front and centre of the population’s mind, as privacy matters have also come to the attention of the average user. The “Automated Tool” is still an immature market and I believe we will see, through the support of Nation States, that this market too will grow.

On the horizon, I think we also need to think about the accidental criminal: the user who inadvertently makes a mistake, an unconscious error which leads to criminal gain elsewhere. Although this is not a new type, it is usually swept into “Insider Threat”, and I think it needs to be recognised that this could be perceived as a new type of cyber criminal, albeit an accidental one. I have deliberately left them off the list though, as the intention of the user is not to create a criminal act. If it were, they could come under “App Kiddie” or perhaps be influenced by one of the other groups. This group does need effort to monitor as they are the easiest route into an organisation or home.

In Summary:

The 2018 List:
  1. App Kiddies – use crimeware-as-a-service tools to cause mischief
  2. The Small Criminal Group – highly organised group raising the profile of their skills through large name attacks
  3. Hacktivists – highly organised group existing to raise the profile of their cause by government/media website attacks
  4. Black Hat Professionals – a limited group with fantastic skills and trying to learn more
  5. Organised Criminal Gangs – a highly organised group intent on turning their skills to money
  6. Nation States – highly organised, well-funded groups trying to disrupt other nation states
  7. The Automated Tool – automated attacks to disrupt adversaries’ systems
 

Thanks to the sources quoted in this post:

  • Bizjournals
  • Reddit
  • KnowB4
  • Silicon
  • Politico
  • CNET
  • Bloomberg
  • Washington Post
  • FCW
  • Infosecurity Magazine
  • Fortinet
  • HiddenText
If you would like to discuss this further, use this in your research, blog about this – feel free to reach out to me.
