Reverse Deception: Organized Cyber Threat Counter-Exploitation (101 page)

Sometimes this motivation can result in a reversal of the old saying that “the ends justify the means,” becoming “the means justify the ends.” In a number of cases where ego is the main motivating factor, the fact that the code does something beneficial or does something malicious is moot. The intensity of the technical aesthetic embodied in the code (for example, the primacy of the quality of the hack and the level of difficulty in getting the code to work) reigns over all other rational evaluation criteria.

The technical skill sets of groups that regularly produce and deploy APTs are usually higher than those of other kinds of hacking groups. For them, the most difficult challenges are often the most attractive ones. Attacks on computer systems and networks that are protected by sophisticated security technology, such as ones associated with military or governmental entities, have great appeal for these individuals and groups. Sometimes the true reward for individuals who are highly motivated by ego is merely the successful compromise of the network or computer system and egress without ever being detected. This is similar to the practice of counting coup performed by Native Americans of the Great Plains of North America. In this practice, a warrior risks serious physical injury or death by touching his enemy in battle with a coup stick (often a beaded stick specifically used for this purpose) without causing harm to the other combatant. This was considered the highest honor in battle in this culture (Linderman, 1957).

Ego can be a very powerful motivation, especially for individuals who are very highly skilled. Nation-states can sometimes exploit this motivation, often in combination with appeals to nationalistic or patriotic sympathies, to enlist these very highly skilled individuals into special cyber warfare units. The combination of extreme technical challenges, coupled with the skills to meet them, makes this motivation an important factor when profiling or evaluating sophisticated and persistent threats.

Ego as a motivation for hacking can also be used to manipulate highly skilled individuals into performing specific acts. For example, if you believe that a specific exploit is being tightly held by a targeted individual or group, and the objective is to get the attackers to deploy that exploit, you might set up a specific server or network and widely spread claims over the Internet that this server or network is totally immune to the specific class of attack that the exploit employs. If the targeted group or individual is motivated by ego, then you have produced a scenario where it is much more likely that the attacker will deploy the exploit in question against the target, thereby allowing the profiling team to collect valuable data on the exploit itself.

Entrance to Social Group

Entrance to social groups is the third motivation for performing malicious online acts cited by Kilger. He asserts that hacking groups are more or less status homogenous in terms of technical expertise. That implies that in order for individuals to join a hacking gang, they must possess some level of expertise in hardware or software that is commensurate with the level of expertise present in that group. One way that an individual may demonstrate that level of expertise is to write an elegant piece of code that is then shown to the members of the group. If the group consensus is that the code demonstrates expertise or potential talent that approaches the minimum acceptable level for the group, then the candidate is accepted into the group, sometimes donating the code to the group as a type of initiation fee for joining.

There often are one or two individuals within a hacking group (sometimes more within larger hacking groups) who are considered to possess a level of technical skill that puts them at the bottom of the skill pool for the group. These individuals may be new to the group but have potential (newbies), or they may be longer-term members who have failed to live up to the full technical standards of the group but are tolerated largely because of social bonds they have formed with other members. These lower skilled individuals may also serve a function as boundary markers for minimum entrance into the group when new candidates are considered for membership.

Profilers may also use entrance to a social group as a method to gather information from an individual. For example, the team might establish an elite hacking group through the development of a comprehensive legend. The idea is to lure targeted individuals into disclosing valuable information in order to facilitate their membership into the group. While this deception probably will not be sustainable for very long, the information gained during the duration of the deception may be valuable enough to deploy this strategy.

Cause

Cause is the fourth motivation for malicious online acts, and it can play a key role in motivating individuals under the right circumstances. Kilger notes the following:

Cause as a motivational factor for malicious actors is often a complex result of one or more of the consequences of more macro-level geo-political, cultural, ideological, nationalistic or religious forces. There are a number of potential objectives and courses of action available to a cause-oriented malicious online actor. One of these objectives may involve the attempt to pressure an entity—particular government, political party, military, commercial or non-governmental organization, etc.—to do something that supports the actor’s favored cause.

The significant increase in recent years in the incidence of cause as a motivational factor in malicious online acts has encouraged the search for better understanding of this aspect of cyber crime and cyber espionage.

Some of the malicious acts motivated by cause may have benign consequences. Website defacement demonstrates one popular malicious act driven by this motivation. Individual actors or groups of actors who oppose the ideals or actions of a specific organization or nation-state may take it upon themselves to deface one or more official websites for that entity with slogans or rhetoric that attacks the organization. But often, no effort is made to interfere with the functions of the site. Examples of this include the 2008 attacks on CNN websites in protests related to coverage of the Olympics in China and the attacks on Australian government websites during 2009 and 2010 to protest the Australian government’s plan to filter websites that it concluded contained objectionable material.

A more serious threat motivated by cause comes in the form of the theft of confidential or secret documents from an institution or government. The purpose of the theft is often to coerce the institution or government to change a policy or action that the malicious actor or group considers unethical or morally wrong. Perhaps the best and most recent example is the WikiLeaks case involving theft of more than 400,000 government documents, many of them classified, that detailed the inner workings of various diplomatic and policy positions of the US government. Here, the ostensible purpose was to embarrass the US government by revealing the inner machinations of various government entities to influence the policies and actions of foreign governments and actors. However, when we more closely examine the actions and behaviors of the main protagonist, Julian Assange, it becomes apparent that cause is perhaps at best a secondary motivation for his actions. We’ll examine this issue in more detail when we discuss status as a motivation for malicious online activities.

The most serious instances of cause-motivated malicious online activities involve cyber attacks on nation-states’ critical industrial, military, and governmental infrastructures, with the intent to obtain intelligence and develop plans to interrupt, damage, or destroy them. One class of malicious actors involved in these cause-based activities consists of individuals who are formal members of nation-state teams for whom these are official, sanctioned objectives. These teams are experts at deploying APTs through a number of different channels, including direct attacks on networked technologies, placement of individuals within targeted organizations, and social engineering designed to extract key documents and data.

A second class of individuals are those who are semiofficially or unofficially encouraged to engage in activities to devise exploits, conduct intrusions, and gather information on a foreign nation-state’s critical industrial infrastructure, secret government documents, and military capabilities. Perhaps the most obvious example of this is the significant number of hacking groups working in the PRC. Many of these groups consist of individuals with strong nationalistic ties to their homeland, and they consider their technical expertise in hardware and software as a personal manifestation of the power that their country projects.
³
One potential example of this is a 2009 Google incident that involved probable collaboration with Chinese officials. Chinese hackers compromised databases within Google, as well as 34 other major US corporations, including defense contractor Northrup Grumman. John Markoff and David Barboz reported that two Chinese technical universities were linked to the intrusions and attacks. The reporters cited James Mulvenon from the Center for Intelligence Research and Analysis, who stated, “the Chinese government often involves volunteer ‘patriotic hackers’ to support its policies” (Markoff and Barboza, 2010).

Finally, some individuals do not have any ties or support from governments and act either alone or in concert with others supporting their cause through attacking institutions and infrastructure elements of other foreign nations to further their political, religious, or ethnic cause. While these individuals usually do not figure in most APT scenarios, they do present a clear danger to foreign national infrastructures. Even individuals who do not possess significant technical skills can produce significant harm to online assets through the use of malicious software tools adapted by others who do have those skills. Note that this type of cause-motivated threat could be directed in a cyber attack on domestic critical infrastructure. This issue of the “civilian cyber warrior” is one worthy of further discussion and will be revisited later in this chapter.

Entertainment

Entertainment is probably the least known and least prominent motivation for malicious online acts. It reflects the individual’s sense of humor, as well as a mild form of social control. Individual hackers torment and play with less sophisticated system administrators, breaking into their weakly secured networks and leaving them messages admonishing them to better secure their systems.

In the past several years, this motivation has seen somewhat of a resurgence due to the spread of networked consumer devices. Devices such as mobile phones, MP3 players, and other networked digital consumer items owned by individuals with little or no technical expertise provide a large and rich target environment for members of the hacking community. These hackers may take delight in forcing the devices to transmit humorous messages or behave in an unexpected manner.

Status

Status is the last motivator in the MEECES acronym. Kilger describes the nature of the hacking community as a strong meritocracy. The position of an individual in the status hierarchy—both the hierarchy within his hacking group and externally within the larger status hierarchy of the hacking community as a whole—depends on the level of expertise in hardware, software, and networking that the individual possesses. The higher the level of technical skills, the higher the status position that person occupies.

Acquiring status can come about in a number of different ways. For example, writing an elegant piece of code or malware can elevate the status of an individual (or a team of individuals if it was a team effort). Being able to bypass a sophisticated security system is another example of how an individual might accrue status and move up the status hierarchy.

One issue that arises within this strong meritocracy is a paucity of status markers that can signal an individual’s position in the status hierarchy. Interestingly, many of the forms of digital communications that members of the hacking community use are narrow bandwidth channels, such as e-mail, IRC chat rooms, SMS texting, and the like—the metier of the hoi polloi. These narrow bandwidth communication channels do not carry many status clues that give each of the participants an idea of the other person’s position in the status hierarchy. This lack of available status cues is one reason you see the large amount of derogatory communications within the community.

Even those members who communicate via VoIP schemes like Skype or video calls using webcams are subject to limitations on the transmission of status cues, such as looking while speaking and looking while listening. This is also why hacker conventions play such an important role in the hacking community. It gives individuals the opportunity to meet face-to-face. Interpersonal communication bandwidths are much bigger, and verbal and nonverbal status cues can be exchanged more effectively. This reduces the frequency of status conflicts between individuals and helps satisfy the egos of the higher status individuals, who are expecting to be treated with respect and deference. Thus, hacker conventions play a very functional role in attenuating conflict within the community.

Status can also be acquired through the acquisition of objects with status value. The status value of these objects can be transferred to other individuals. A good example of a status object is a confidential or classified document. The personal possession of expressly forbidden information can elevate one’s status within the group. Thus, hackers or cyber criminals can improve their status by coming into possession of status objects. This brings the WikiLeaks discussion back to the table.

Private Bradley Manning, one of the principals at the center of the WikiLeaks controversy, was not considered a hacker. As an Army intelligence analyst, he had access to a vast number of classified documents. Through simple deception, he was able to copy large numbers of these documents and transfer these copies out of their classified environment. He had only some minor assistance from several technical individuals, who gave him encryption software and showed him how to use it so that he could more safely transport the copies. Even though he used only nominal technical skills in his actions, the documents he obtained had significant status value.