What Types of Cybercriminals Are There?
For a few weeks now, Netflix has been streaming a series called Zero Day, which depicts a massive cyberattack on a country (in this case, the victim is the United States) and how such a conflict is addressed—a highly relevant and probable scenario (needless to say, there are already recorded cases).
In our previous column, we discussed zero-day attacks. Now, we will address another phenomenon: “attribution”—the process by which analysts attempt to identify the origin of a cyberattack or, at the very least, determine the type of threat actor (who did it).
In the series, shortly after the occurrence of the massive cyberattack, a “State/Nation Actor” is identified as the likely threat actor.
But what does this mean? Let's try to answer that.
The world of cybercrime is huge—truly vast. Therefore, classifying and grouping it is a necessary and significant task. Why? It is essential because the more accurately it is done, the more tailored and effective my defensive strategy will be. It is also extremely complex due to a factor present in virtual threats that doesn't occur in physical criminality: anonymity.
If someone fires a weapon, I can see it, or at worst, I can reconstruct the scene to identify the perpetrator (CSI-style). However, in cyberspace, the shot isn't visible; only the impact is. And that impact could have originated from countless sources.
The same tools that protect our privacy while browsing the internet are the ones that conceal the trail of a cyber threat.
So, let me warn you: forget about knowing for certain who attacked you.
Their identification, so to speak, is essentially carried out by classifying them based on their intentions or self-attribution (“I did it”), always running the risk of false flag attacks.
On what factors is this possible identification based? On the firepower of the cyber threat? On its origin? On its techniques?
Let's go from the most innocent to the most lethal.
Script Kiddie refers to the lowest level on the criminal scale (if it can even be called criminal). It describes a beginner who experiments with tools obtained from open sources (accessible to anyone).
These “kids,” after several trials, realize they can gain something from this practice (be it money or simple recognition in the community), and that's when the first evolutionary ring appears: The Lone Wolf—individuals operating in cybercrime who already cause some type of limited damage by acting independently.
These Lone Wolves, identified in the underworld by their aliases (“aka”), begin to showcase their credentials (medals) in dark web forums and, like anyone seeking a job, await their opportunity to enter the Champions League of Cybercrime: joining already organized groups, the big leagues.
Now: What is the intention of this Lone Wolf?
Is it solely to uphold an idea and/or cause some reputational damage, without personal gain? Well, then we can classify them as hacktivists. But this is the minority...
Most likely, these wolves seek the greatest treasure: economic gain. In this case, these actors are sheltered in Cybercriminal Syndicates: entities with criminal purposes, extremely organized, like any company we know (or even better organized than these). The only differences we might find from a normal work environment are that here, the “employees” most likely don't know each other, and their contact with the organization is limited to a “supervisor” who manages the link between the criminal and the cybercriminal syndicate.
It's also known that, replicating what happens in classic criminal organizations (from the physical world, like cartels or mafias), criminal actors, while aware they might be participating in illicit activity (at best), are unaware of the true identity of the organization they belong to. The less you know, the better.
Now, let's pause here.
For some time now, these cybercriminal organizations have found a strategic advantage in a current scenario where armed conflicts abound: they can operate from these nations, attacking their enemies. Thus, in an implicitly agreed contract between the nation and the organization, they become an armed arm of the state, killing two birds with one stone: achieving the primary goal of generating financial gains from cybercriminal activity while simultaneously obtaining the protection of the state from which they operate (acting as cyber-mercenaries).
And here lies the greatest threat to nations: State/Nation Actors—cybercriminal organizations that, regardless of their purpose (be it financial or other), act aligned with geopolitical interests.
Today, State/Nation Actors are the most feared scourge in cyberspace, and their techniques vary in nature.
The most notable of these are pure cybercriminality (financial or hacktivist) or the Advanced Persistent Threat (APT).
Just as cybercriminal syndicates seek quick action (strike quickly with immediate results), APTs seek the opposite: to remain in the shadows for an extended period, implementing advanced techniques of stealth and persistence, staying in the affected system for a long time without being detected, with the sole objective of listening and stealing information.
And that's it. If you've made it this far and understood everything, you can now consider yourself a cyber threat intelligence analyst. Now, all that's left is to see a news story about a data breach in government agencies, turn around, and shout confidently to the four winds: “Ohhh, this is most likely the work of an APT.” You're welcome.