Who are the bad guys?

Several questions will inevitably arise out of the cyber-attack on the UK Houses of Parliament, from “Why are MPs still using weak passwords?” through to “Why?” and “Who is behind it?”

On the face of it, the answer to the latter two is highly likely to be a hostile intelligence organisation wanting to know what Britain’s lawmakers are discussing.  But there’s a problem, and a fairly big one: how can anyone prove who did what in cyberspace?  As an example, last month over 200,000 computers in 150 countries were affected by the WannaCry ransomware.  So far the only attribution has been that it probably came from North Korea, although whether it was state-sponsored or the work of a criminal gang known as the Lazarus Group is still up for grabs.  So who are the actors in this particular drama?

Nation States:
If the attack on Parliament was state-sponsored cyber espionage, it’s not unique.  Several countries, including the US and UK, have admitted to having offensive cyber capabilities.  Others, such as Israel, are less open but are widely believed to be very capable.  Still others, such as Russia and China, are extremely secretive and their capabilities are unclear, although there are reports that China has over 20 Advanced Persistent Threat groups linked to the Chinese Army, one of which is said to occupy a 12-storey building employing hundreds of hackers.

Cyber Criminals:
Parliament and WannaCry aside, statistics suggest that there have been over two million cyber security incidents already this year, the vast majority of which have nothing to do with foreign governments, intelligence agents or terrorists.  They are simply criminal acts by low-level hackers and crooks.  But low-level doesn’t necessarily mean unskilled.

Hacking is a multi-billion pound global industry for cyber criminals, with estimates of £29 billion in the UK in 2016.  Worldwide that figure hit over £400 billion.  Some cyber criminals run their own hacks on banks and businesses, stealing money from bank accounts and data that they can sell.  Others sell their expertise to the highest bidders in what has become known as ‘Cyber Crime as a Service’.  Want someone to take down a rival’s website or to sell you some malware?  Europol, the European Union’s policing office, says CCaaS is widely on offer via the Dark Web.

Hacktivists:
A couple of years ago one of the most common names in IT security circles was Anonymous, the hacktivist group with a political message who famously took on the Church of Scientology in 2008, music and movie groups opposed to file sharing in 2010 and, later the same year, supported Julian Assange with a whole array of attacks on Visa, Mastercard and PayPal.  They’ve also attacked ISIS’ online presence and took down a huge number of sites on the dark web associated with child pornography.  Anonymous aren’t the only hacktivist group who support their political stance with direct action, but they are probably still the most prominent.

Cyber Terrorists:
Other groups with a political message, but one notably more violent, are the cyber terrorists.  As long ago as 2002, Al-Qaeda was reported to be planning cyber-attacks on dams in the US.  Then in 2013, during an attack on the Bowman Avenue Dam in Rye Brook, New York, only luck stopped the hackers from taking control of the flood gates: the dam had been manually disconnected for routine maintenance.  More recently, in May of this year, Islamist hackers linked to ISIS posted graphic images of the war in Syria on the websites of six National Health Service hospital trusts in the UK.  The group responsible, the Tunisian Fallaga Team, along with two other groups connected to ISIS, the Global Islamic Caliphate and Team System DZ, are believed to have been responsible for hacking airlines, media companies and the US Central Command’s Twitter and YouTube accounts, and for publishing personal details of retired US military personnel.

Script Kiddies:
Young, self-taught, novice hackers are frequently referred to as ‘Script Kiddies’, a phrase derived from the pre-written ‘scripts’ that they use to gain access to or disrupt IT networks or websites.  Instructions for aspiring Script Kiddies can be found on YouTube and there are multiple sites with downloadable tools available on the Web, as well as Dark Web teaching forums, training websites and practical examples.  Police Organised Crime Units have reported ‘fledgling’ Script Kiddies as young as 12 years old.  There’s not usually any malicious intent involved, their aim being recognition from their peers and notoriety from the impact of their activities.  Think of this as akin to ‘joyriding’ on the internet, with the outcome being reputational and financial damage to organisations.  In 2016, an East Midlands 16-year-old was arrested as a suspected member of the ‘Crackers with Attitude’ group that targeted the email accounts of US Central Intelligence Agency staff, including its Director.

Insiders:
Not all attackers come from outside an organisation.  Some of the most damaging leaks of information have been by ‘disgruntled insiders’, trusted employees who have a grudge they want to settle.  In 2007 a database administrator stole 3.2 million customer records, including credit card, banking and personal information, from his employer, and who can forget Edward Snowden passing thousands of classified NSA documents to journalists in 2013.  More recently, in what the FBI describe as an inside job, $81 million was stolen by cyber fraud from Bangladesh Bank in February 2016.  Of course, not all insiders are deliberate bad guys.  Some, such as the Canadian civil servant in Calgary who accidentally leaked the personal information of 3,700 employees in June 2016, just make mistakes.  Sometimes an insider breach is down to negligence, such as the nursing home in Northern Ireland which was fined £15,000 by the Information Commissioner’s Office in 2016 after staff and patients’ personal data was held on an unencrypted work laptop that was stolen from an employee’s house.  Taken together, even though insider threat events are typically much more infrequent than external attacks, they are more likely to have a serious impact and cost more to fix, and so are generally considered to be the most serious cyber threat facing businesses today.

In summary, the bad guys come in all shapes and sizes and are after anything from bragging rights, money, or military or political advantage through to a new world order or even anarchy.  But whoever they are and whatever they want, the truth is that even with all the technical expertise of the US National Security Agency or Britain’s GCHQ, it’s really, really hard to prove which of the hundreds of thousands of bad guys is behind these attacks.

Learn more about how to protect your business against cyber security threats from both inside and outside your organisation by downloading No Silver Bullets from our website.

Lawrie Abercrombie M.Inst.IISP is Technical Director at Arcanum IS Ltd, a specialist cyber security consultancy working with business, government and the defence industry.  One of few Lead Security & Information Risk Advisors certified by the National Cyber Security Centre, Lawrie originally learnt his trade commanding the British Army’s first cyber security team.  Later, as an Army Reserve Officer, he worked closely with US Cyber Command to pioneer, trial and test an active cyber defence capability.

To join the conversation, visit us on LinkedIn.