How do hackers choose their targets?
We explore what goes on in the minds of cyber criminals
What makes your average hacker tick? We hear almost every day about new cyber attacks and data breaches targeting all different kinds of organisations, from forums and social media providers all the way to government departments and major multinational corporations. What makes one company a more attractive target than another, though? Are there any common threads that dictate how hackers pick their victims and, if so, how can organisations use this knowledge to tailor their defences?
Different types of hackers
Before we examine how hackers go about choosing their targets, we must first examine who these hackers are; there are a multitude of different varieties, each with unique motivations that affect how they pick their victims and the tactics they employ.
Arguably one of the best-known varieties of hacker, thanks to the actions of groups like Anonymous, is the hacktivist. They're often inexperienced, can either operate alone or as part of small cells, and frequently tend to be younger than other kinds of hacker. They are primarily motivated by ideology, targeting institutions or companies whose actions or viewpoints they disagree with. Hacktivists generally try to release incriminating information stolen from targets' networks or deface websites and social media pages as a form of protest.
Targets of hacktivist activity have previously included terrorist groups like ISIS and US neo-Nazis, government entities such as the states of Michigan and North Carolina (in response to the Flint water crisis and anti-trangender laws, respectively), and private companies such as extra-marital dating site Ashley Madison. While their methods may be brash and eye catching, this type of hacker is actually quite rare.
In contrast to these elusive figures, the most common type of hacker is the financially motivated cyber criminal. These are often linked to organised crime syndicates, which have long understood the potential of online crime as a revenue-generating tool, and use a broad range of different attack campaigns. Many of their activities, such as phishing scams and ransomware campaigns, are designed to operate at scale, indiscriminately targeting as many potential victims as possible to maximise the odds of receiving a payout.
Other strategies are more targeted; many attacks involve identifying wealthy organisations and using spearphishing or direct network intrusion attempts to carry out fraud, theft or blackmail operations. These kinds of attacks are usually aimed at private sector organisations, as these are generally more cash-rich than public sector bodies and individuals.
"A weak cyber security posture that is discoverable on a quick query is the equivalent to painting a target on your back," says Rois Ni Thuama, head of cyber governance for Red Sift. "There's a new email standard on its way called BIMI, and that will indicate that a firm has robust email authentication standards in place. Of course, the absence of this identifier will create a new 'tell' for hackers so that they won't need to run a query. They can simply send a message to someone in the firm and the response will reveal to what extent this firm is vulnerable."
The other main category of hacker is the state-sponsored operative. These hackers operate under the banner of a specific government, and are enlisted to carry out attacks on their behalf. For the purposes of plausible deniability, they are often hacktivists or common cyber criminals whom the government in question employs on a freelance basis, but they can also be part of the state intelligence apparatus.
Defend your organisation from evolving ransomware attacks
Learn what it takes to reduce risk and strengthen operational resiliencyDownload now
These nation-state actors are similar to both other kinds of hacker in different respects; they sometimes attack specific victims based on political motivations – often for some perceived slight, as in the case of the Sony Pictures hack, which was widely concluded to have been carried out by North Korea in response to the release of The Interview, or in Russia's hack on the Democratic National Committee (DNC). However, they have also been observed to carry out financially-motivated attacks; the same North Korean-linked group behind the Sony attack has also been accused of spreading the Magecart credit card skimmer in order to swell the country's coffers.
"APT actors are genuinely motivated and directed by national policy objectives," explains Ian Thornton-Trump, CISO of threat intelligence firm Cyjax. "They conduct various offensive and defensive operations in support of those policy objectives. Although infiltration and data exfiltration are common hallmarks of both cyber criminals and APT actors, in general APT actors are focused but on espionage, disinformation, denial, disruption or destruction generally in support of kinetic or military operations."
What motivates a hacker?
This shows that cyber criminals can be motivated by a myriad of goals, and these will often dictate who will be chosen as their next victim. For the majority, the incentive is simple and somewhat unsurprising: money. Most hackers will be focused on growing their personal wealth, that is why they will often resort to blackmailing their victims through ransomware or using various phishing techniques to trick them into making a bogus financial transfer.
When money is the primary motivator, it makes sense to go after a target who is known for their wealth. This includes large corporations, especially the publicly-traded ones which are known to generate a substantial profit. An additional motivator is that these companies are likely to pay the ransom and not disclose the attack, as public knowledge of the incident is likely to negatively impact their share price and reputation.
However, this doesn't mean that smaller companies and individuals are inherently safe from hackers. Another popular tactic used by cyber criminals is a mass-impact attack, which targets a large number of victims by extorting a small amount of money from each individual. For example, £10 might not seem like much when stolen from one person, but when stolen from a thousand people at once using ransomware distribution – that's already £10,000. An additional benefit to this tactic is that the stolen sum might go unnoticed, while even those who take note of the unexplained transaction are unlikely to report it to the police if the amount is that small.
For ideological attacks, however, the motivation becomes a touch murkier. Human nature is such that there are uncountable reasons why someone may take issue with a company's actions; maybe they disagree with a specific element of your corporate values, maybe your recent actions have outraged them, or maybe you simply represent a worldview or system that they wish to strike a blow at.
Whatever the specific motivation, the goal is generally to embarrass the victim, which is usually accomplished by shining a light on things that the target would rather remain unseen. Internal emails are often a key target for hackers in this kind of attack, as are financial documents which may indicate potential wrongdoing.
There is, however, one common thread that runs through almost all of the cybercrime that we see in the wild: Hackers are lazy. They will always go for the easier option, which applies just as much to their choice of victims as it does to what methods they use to attack them. No hacker will use a finely-crafted zero-day if they can use a set of unchanged default credentials instead, and similarly, when presented with two potential targets, the less well-defended one will always be the first choice.
Thornton-Trump points out that hackers often cruise for easy targets on portals like Shodan, a search engine that lists unsecured internet-connected devices. "Showing up on Shodan with a whole pile of vulnerabilities… is the 'hit me' sign of InfoSec," he notes, adding that social media controversy or public spats can also attract the attention of cyber criminals.
Hackers now have access to just as many scanning and analysis tools as security teams, if not more. It's relatively trivial to assess how many potential routes of entry there are into a prospective victim's network, so it pays to make sure that your own is at least abiding by best-practises. It's like that old joke: "I don't have to outrun the lion – I just have to outrun you."
B2B under quarantine
Key B2C e-commerce features B2B need to adopt to surviveDownload now
The top three IT pains of the new reality and how to solve them
Driving more resiliency with unified operations and service managementDownload now
The five essentials from your endpoint security partner
Empower your MSP business to operate efficientlyDownload now
How fashion retailers are redesigning their digital future
Fashion retail guideDownload now