How do hackers choose their targets?

We explore what goes on in the minds of cyber criminals

We hear almost every day about new cyber attacks and data breaches targeting all different kinds of organisations, from forums and social media providers all the way to government departments and major multinational corporations.

What makes one company a more attractive target than another? Are there any common threads that dictate how hackers pick their victims and, if so, how can organisations use this knowledge to tailor their defences?

Different types of hackers

First on the agenda is actually gaining an understanding of who these people are and what motivates them. Hackers do what they do for a variety of reasons, and these motivations inform who they target, their methods of compromise and favoured infiltration tactics.

The hacktivist is one of the most widely-known, with this cohort of hackers rising in prominence thanks to the activities of groups like Anonymous. They generally tend to be younger and more inexperienced and often operate as part of a small group or even alone. The primary motivation here is an ideology or an agenda they’re willing to pursue, with their targets more often than not institutions or companies that are at odds with these strongly held beliefs. These operatives will often try to leak information that moves public opinion. They’ll also protest against these entities by vandalising their online platforms, or social media sites.

Hacktivists normally target terrorist organisations, including ISIS or white supremacist outfits, but they can even target local government organisations, as happened in Michigan after the Flint water crisis. Private companies, such as extramarital dating site Ashley Madison, might also come under fire. Although their activities tend to be eye-catching, they’re actually in the minority.

The most common type of hacker is motivated by money. These cyber criminals are often tied to established crime gangs, either directly or indirectly, with these groups forming an industry with sophisticated methods and practices. As such, cyber criminals can take advantage of a plethora of intrusion methods, tools and campaigns. Common activities include phishing scams and ransomware campaigns, with these operations normally running on a large scale. It’s quite common for such campaigns to indiscriminately target as many victims as possible in order to maximise the potential earnings.

Other strategies are more targeted; many attacks involve identifying wealthy organisations and using spearphishing or direct network intrusion attempts to carry out fraud, theft or blackmail operations. These kinds of attacks are usually aimed at private sector organisations, as these are generally more cash-rich than public sector bodies and individuals.

"A weak cyber security posture that is discoverable on a quick query is the equivalent to painting a target on your back," says Rois Ni Thuama, head of cyber governance for Red Sift. "There's a new email standard on its way called BIMI, and that will indicate that a firm has robust email authentication standards in place. Of course, the absence of this identifier will create a new 'tell' for hackers so that they won't need to run a query. They can simply send a message to someone in the firm and the response will reveal to what extent this firm is vulnerable."

The other main category of hacker is the state-sponsored operative. These hackers operate under the banner of a specific government, and are enlisted to carry out attacks on their behalf. For the purposes of plausible deniability, they are often hacktivists or common cyber criminals whom the government in question employs on a freelance basis, but they can also be part of the state intelligence apparatus. 

These nation-state actors are similar to both other kinds of hacker in different respects; they sometimes attack specific victims based on political motivations – often for some perceived slight, as in the case of the Sony Pictures hack, which was widely concluded to have been carried out by North Korea in response to the release of The Interview, or in Russia's hack on the Democratic National Committee (DNC). However, they have also been observed to carry out financially-motivated attacks; the same North Korean-linked group behind the Sony attack has also been accused of spreading the Magecart credit card skimmer in order to swell the country's coffers.

"APT actors are genuinely motivated and directed by national policy objectives," explains Ian Thornton-Trump, CISO of threat intelligence firm Cyjax. "They conduct various offensive and defensive operations in support of those policy objectives. Although infiltration and data exfiltration are common hallmarks of both cyber criminals and APT actors, in general APT actors are focused but on espionage, disinformation, denial, disruption or destruction  generally in support of kinetic or military operations."

What motivates a hacker?

This shows that cyber criminals can be motivated by a myriad of goals, and these will often dictate who will be chosen as their next victim. For the majority, the incentive is simple and somewhat unsurprising: money. Most hackers will be focused on growing their personal wealth, which is why they will often resort to blackmailing their victims through ransomware or using various phishing techniques to trick them into making a bogus financial transfer.

When money is the primary motivator, it makes sense to go after a target who is known for their wealth. This includes large corporations, especially the publicly-traded ones which are known to generate a substantial profit. An additional motivator is that these companies are likely to pay the ransom and not disclose the attack, as public knowledge of the incident is likely to negatively impact their share price and reputation.

However, this doesn't mean that smaller companies and individuals are inherently safe from hackers. Another popular tactic used by cyber criminals is a mass-impact attack, which targets a large number of victims by extorting a small amount of money from each individual. For example, £10 might not seem like much when stolen from one person, but when stolen from a thousand people at once using ransomware distribution – that's already £10,000. An additional benefit to this tactic is that the stolen sum might go unnoticed, while even those who take note of the unexplained transaction are unlikely to report it to the police if the amount is that small.

For ideological attacks, however, the motivation becomes a touch murkier. Human nature is such that there are uncountable reasons why someone may take issue with a company's actions; maybe they disagree with a specific element of your corporate values, maybe your recent actions have outraged them, or maybe you simply represent a worldview or system that they wish to strike a blow at. 

Whatever the specific motivation, the goal is generally to embarrass the victim, which is usually accomplished by shining a light on things that the target would rather remain unseen. Internal emails are often a key target for hackers in this kind of attack, as are financial documents which may indicate potential wrongdoing.

There is, however, one common thread that runs through almost all of the cybercrime that we see in the wild: Hackers are lazy. They will always go for the easier option, which applies just as much to their choice of victims as it does to what methods they use to attack them. No hacker will use a finely-crafted zero-day if they can use a set of unchanged default credentials instead, and similarly, when presented with two potential targets, the less well-defended one will always be the first choice.

Thornton-Trump points out that hackers often cruise for easy targets on portals like Shodan, a search engine that lists unsecured internet-connected devices. "Showing up on Shodan with a whole pile of vulnerabilities… is the 'hit me' sign of InfoSec," he notes, adding that social media controversy or public spats can also attract the attention of cyber criminals.

Hackers now have access to just as many scanning and analysis tools as security teams, if not more. It's relatively trivial to assess how many potential routes of entry there are into a prospective victim's network, so it pays to make sure that your own is at least abiding by best practice. It's like that old joke: "I don't have to outrun the lion – I just have to outrun you."
