How do hackers choose their targets?

We explore what goes on in the minds of cyber criminals

What makes your average hacker tick? We hear almost every day about new cyber attacks and data breaches targeting all different kinds of organisations, from forums and social media providers all the way to government departments and major multinational corporations. What makes one company a more attractive target than another, though? Are there any common threads that dictate how hackers pick their victims and, if so, how can organisations use this knowledge to tailor their defences?

Different types of hackers

Before we examine how hackers go about choosing their targets, we must first examine who these hackers are; there are a multitude of different varieties, each with unique motivations that affect how they pick their victims and the tactics they employ.

Arguably one of the best-known varieties of hacker, thanks to the actions of groups like Anonymous, is the hacktivist. They’re often inexperienced, can either operate alone or as part of small cells, and frequently tend to be younger than other kinds of hacker. They are primarily motivated by ideology, targeting institutions or companies whose actions or viewpoints they disagree with. Hacktivists generally try to release incriminating information stolen from targets’ networks or deface websites and social media pages as a form of protest.

Targets of hacktivist activity have previously included terrorist groups like ISIS and US neo-Nazis, government entities such as the states of Michigan and North Carolina (in response to the Flint water crisis and anti-trangender laws, respectively), and private companies such as extra-marital dating site Ashley Madison. While their methods may be brash and eye catching, this type of hacker is actually quite rare.

In contrast to these elusive figures, the most common type of hacker is the financially motivated cyber criminal. These are often linked to organised crime syndicates, which have long understood the potential of online crime as a revenue-generating tool, and use a broad range of different attack campaigns. Many of their activities, such as phishing scams and ransomware campaigns, are designed to operate at scale, indiscriminately targeting as many potential victims as possible to maximise the odds of receiving a payout.

Other strategies are more targeted; many attacks involve identifying wealthy organisations and using spearphishing or direct network intrusion attempts to carry out fraud, theft or blackmail operations. These kinds of attacks are usually aimed at private sector organisations, as these are generally more cash-rich than public sector bodies and individuals.

“A weak cyber security posture that is discoverable on a quick query is the equivalent to painting a target on your back,” says Rois Ni Thuama, head of cyber governance for Red Sift. “There’s a new email standard on its way called BIMI, and that will indicate that a firm has robust email authentication standards in place. Of course, the absence of this identifier will create a new ‘tell’ for hackers so that they won’t need to run a query. They can simply send a message to someone in the firm and the response will reveal to what extent this firm is vulnerable.”

The other main category of hacker is the state-sponsored operative. These hackers operate under the banner of a specific government, and are enlisted to carry out attacks on their behalf. For the purposes of plausible deniability, they are often hacktivists or common cyber criminals whom the government in question employs on a freelance basis, but they can also be part of the state intelligence apparatus. 

Related Resource

Ransomware protection with Veritas NetBackup Appliances

How to use Veritas NetBackup and NetBackup Appliances to protect against and recover from ransomware attacks

Veritas NetBackup - how to protect from ransomware whitepaperDownload now

These nation-state actors are similar to both other kinds of hacker in different respects; they sometimes attack specific victims based on political motivations – often for some perceived slight, as in the case of the Sony Pictures hack, which was widely concluded to have been carried out by North Korea in response to the release of The Interview, or in Russia’s hack on the Democratic National Committee (DNC). However, they have also been observed to carry out financially-motivated attacks; the same North Korean-linked group behind the Sony attack has also been accused of spreading the Magecart credit card skimmer in order to swell the country’s coffers.

“APT actors are genuinely motivated and directed by national policy objectives,” explains Ian Thornton-Trump, CISO of threat intelligence firm Cyjax. “They conduct various offensive and defensive operations in support of those policy objectives. Although infiltration and data exfiltration are common hallmarks of both cyber criminals and APT actors, in general APT actors are focused but on espionage, disinformation, denial, disruption or destruction  generally in support of kinetic or military operations.”

Different goals

What this demonstrates is that there are a wide range of goals that hackers are seeking to accomplish when they identify potential attack targets. For the majority, the biggest goal is simply to increase their own wealth, either by direct payments in the form of ransomware decryption fees, from blackmailing victims with the threat of dumping stolen data, or by using fraud to initiate bogus financial transfers.

If this is the primary factor, then it makes sense for hackers to go after those victims who are most likely to pay up, which generally means wealthy companies, and ideally publicly-traded ones whose share price is liable to take a nasty dip in the event of a hack being made public. An alternative tactic is to go for a mass-impact attack like ransomware distribution which aims to earn a smaller amount from a larger number of victims.

For ideological attacks, however, the motivation becomes a touch murkier. Human nature is such that there are uncountable reasons why someone may take issue with a company’s actions; maybe they disagree with a specific element of your corporate values, maybe your recent actions have outraged them, or maybe you simply represent a worldview or system that they wish to strike a blow at. 

Whatever the specific motivation, the goal is generally to embarrass the victim, which is usually accomplished by shining a light on things that the target would rather remain unseen. Internal emails are often a key target for hackers in this kind of attack, as are financial documents which may indicate potential wrongdoing.

There is, however, one common thread that runs through almost all of the cybercrime that we see in the wild: Hackers are lazy. They will always go for the easier option, which applies just as much to their choice of victims as it does to what methods they use to attack them. No hacker will use a finely-crafted zero-day if they can use a set of unchanged default credentials instead, and similarly, when presented with two potential targets, the less well-defended one will always be the first choice.

Thornton-Trump points out that hackers often cruise for easy targets on portals like Shodan, a search engine that lists unsecured internet-connected devices. “Showing up on Shodan with a whole pile of vulnerabilities… is the ‘hit me’ sign of InfoSec,” he notes, adding that social media controversy or public spats can also attract the attention of cyber criminals.

Hackers now have access to just as many scanning and analysis tools as security teams, if not more. It’s relatively trivial to assess how many potential routes of entry there are into a prospective victim’s network, so it pays to make sure that your own is at least abiding by best-practises. It’s like that old joke: “I don’t have to outrun the lion – I just have to outrun you.”

Featured Resources

Choosing a collaboration platform

Eight questions every IT leader should ask

Download now

Performance benchmark: PostgreSQL/ MongoDB

Helping developers choose a database

Download now

Customer service vs. customer experience

Three-step guide to modern customer experience

Download now

Taking a proactive approach to cyber security

A complete guide to penetration testing

Download now


HackBoss malware is using Telegram to steal cryptocurrency from other hackers

HackBoss malware is using Telegram to steal cryptocurrency from other hackers

16 Apr 2021
Russia launched over a million cyber attacks in three months

Russia launched over a million cyber attacks in three months

13 Apr 2021
Hackers leak data from dark web marketplace
cyber security

Hackers leak data from dark web marketplace

9 Apr 2021
Hackers are using fake messages to break into WhatsApp accounts
instant messaging (IM)

Hackers are using fake messages to break into WhatsApp accounts

8 Apr 2021

Most Popular

Microsoft is submerging servers in boiling liquid to prevent Teams outages
data centres

Microsoft is submerging servers in boiling liquid to prevent Teams outages

7 Apr 2021
How to find RAM speed, size and type

How to find RAM speed, size and type

8 Apr 2021
UK exploring plans to launch its own digital currency
digital currency

UK exploring plans to launch its own digital currency

19 Apr 2021