Cybercrime and cyberwar: A spotter's guide to the groups that are out to get you

From disorganised crime to state-backed hackers, these groups can make the internet a dangerous place. Here's a guide to the major menaces to avoid.
Written by Steve Ranger, Global News Director

Criminals are drawn to the internet for as many different reasons as the rest of us. Some of them just want to break things, many want to get rich, and some want to change the world.

Some are lone wolves, some are part of sophisticated criminal gangs and some even work with the tacit approval and support of their governments. But thanks to the borderless nature of the internet you could be unlucky enough to find that some -- or all -- of these groups could be targeting you.

Just as the rise of the web created new business models and allowed existing firms to sell and communicate globally, so it has also created new types of crime that didn't exist before, as well as giving existing crimes a turbo boost by allowing crooks to perpetrate them from anywhere in the world.


And as the web has grown up over the past three decades the types of cybercrime have changed too. Go back a decade or two and the majority of digital crime was really a form of online vandalism: defacing websites and the like. That still occurs, but much of today's internet crime is now about getting rich.

As online crime has grown it has also evolved -- or mutated -- into a set of occasionally overlapping groups that pose distinct threats to organisations of different sizes. These groups have different tools, objectives and specialities, and understanding this can help defend against them.

Disorganised crime

The bulk of cybercrime is carried out by the equivalent of real-world opportunist thieves. These are the petty criminals of the online world, the crooks you're most likely to come across, or at least feel the impact of, as an individual. These may be individuals or very small groups of criminals working together. They might have started hacking out of curiosity -- the classic script-kiddie -- and then graduated to using these skills to raise money.

Increasingly these individuals don't need deep technical knowledge to get started because there are many tools available either for free or at low cost on Dark Web forums. Inexperienced hackers can buy data-stealing malware at relatively low cost if they know where to look, or can hire a botnet for a few hundred dollars to spam out a million emails filled with offers for counterfeit goods, or with malware hidden inside.

Would-be hackers have found ransomware particularly lucrative in recent years. They buy a ransomware package from an underground forum then spread it as widely as possible, in the hope of infecting as many PCs as possible before demanding a bitcoin ransom in order to decrypt the scrambled hard drives.

In the past year or so the trend has been away from ransomware and towards cryptocurrency mining. Instead of encrypting your PC, these crooks surreptitiously use its processor to mine for cryptocurrency, which is then deposited in the hacker's account -- while you pay for the power and the wear and tear on your PC.

Disorganised crime also covers many other scams: denial-of-service attacks that threaten to take down your website unless you pay the perpetrators a fee; hackers that threaten to break your website unless you pay up because they have spotted a small flaw; or those attempting to fool you into advance-fee scams where the unwary are promised a big payday in return for paying (often a substantial) sum of money up-front. They might be opportunists but they can still create significant damage and misery.

Still, basic IT security is often enough to keep this sort of crime at bay. Update those default passwords, use two-factor authentication where possible, encrypt data, use anti-malware technologies and keep patching up to date, as well as training staff in good security practices, and you're going to be in fairly good shape.

Organised crime

These groups will have a loose organisation and may utilise many contractors, including many from the disorganised crime group above. Some will have expertise in developing hacking tools and vulnerabilities, others will carry out the attack, and yet others will launder the cash. At the centre of the web is a cybercrime boss with the ideas, the targets and the contacts.

These are the groups with the capability to mount attacks on banks, law firms, and other big businesses. Organised cybercrime groups are also increasingly performing long-term, targeted attacks instead of indiscriminate scatter-gun campaigns.


Europol's 2018 Internet Organised Crime Threat Assessment shows how sophisticated these groups are using the example of the Carbanak and Cobalt malware attacks, which cost financial services €1bn across 40 countries.

First, the malware was developed by the gang, then sent in phishing emails to bank staff. From there, the malware infiltrated the bank networks and found its way to the servers and ATMs. Money was then transferred to accounts, which were emptied by mules visiting ATMs and that cash was then laundered by being converted into cryptocurrency.

Europol said ransomware continues to be a big area of interest for criminal gangs, with cryptomining malware joining it as a lower-risk option. New data breach legislation -- like GDPR -- will likely lead to greater reporting of breaches to law enforcement and increasing cases of cyber-extortion, it warned. Card skimming continues to be another area in which gangs are making money, while many of the classic scams, such as technical-support scams, advance-fee fraud and romance scams, are still resulting in a considerable number of victims. One change that Europol has spotted: cyber-attacks that historically targeted traditional financial instruments are now targeting businesses and users of cryptocurrencies.

It's worth remembering that you could end up a target of one of these groups, even as a small business or an individual, especially if you do business with larger organisations. Being part of the supply chain could be enough to get you on their radar.

Just as the line between disorganised and organised crime is often blurred, so the line between organised crime and nation-state backed hackers is sometimes hard to spot. "Transnational criminals will continue to conduct for-profit, cyber-enabled crimes, such as theft and extortion against US networks. We expect the line between criminal and nation-state activity to become increasingly blurred as states view cyber criminal tools as a relatively inexpensive and deniable means to enable their operations," warned the US director of national intelligence Dan Coats early this year.

Hacktivists

These may be individuals or groups driven by a particular agenda -- perhaps a particular issue or a broader campaign. Unlike most cybercriminals, hacktivists aren't out to make money from their exploits, rather to embarrass an organisation or individual and generate publicity. This means their targets may be different: rather than a company's accounts system or customer database, they may well want to access embarrassing emails from the CEO or other company officials, or to get their logo onto your homepage or to interrupt your social media posts.

Cyber terrorists

Despite the hype, the threat from cyber terrorism remains low, largely because these groups lack the skills, money, and infrastructure to develop and deploy effective cyber weapons, which only the largest nations can hope to build. As Europol notes: "While [Islamic State] sympathisers have demonstrated their willingness to buy cyber-attack tools and services from the digital underground, their own internal capability appears limited."

The US government's worldwide threat assessment also suggests that terrorist groups have very limited digital capabilities.

"Given their current capabilities, cyber operations by terrorist groups most likely would result in personally identifiable information disclosures, website defacements, and denial-of-service attacks against poorly protected networks."

State-backed hackers

While standard criminality accounts for the vast majority of cyber threats, the use of the web by state-backed hackers has been widely publicised in recent years, but the history goes back much further: the famous Stuxnet worm campaign, most likely created by the US and Israel, aimed to disrupt Iran's nuclear programme well over a decade ago.

Much state-backed hacking still takes the form of cyber espionage -- attempts to steal data on government personnel or on expensive defence projects. Sometimes this data is used by the governments themselves, sometimes it is passed on to businesses within their own countries. While spying on other nations is generally accepted if not exactly encouraged, cyber industrial espionage is something that the US in particular is keen to discourage. For example, after a few years in which Chinese attempts to steal US industrial secrets declined, there are fears that, in the face of an emerging trade war between the two countries, hacking attempts will soon increase again, with companies working in tech, biotech, aerospace, robotics and power equipment among the most at risk of attack.

But not all state-backed hackers are after industrial secrets. The US has, for example, regularly warned that the networks that control much of its critical infrastructure -- including financial systems and power grids -- are probed for vulnerabilities by foreign governments and criminals. This could be seen as nations doing the groundwork for future, more dangerous incidents.

Some are after money: much of the activity by North Korea seems to be focused on raising money, whether that's from ransomware or bank heists. And they can be destructive too -- North Korea was blamed for the attack on Sony Pictures that destroyed data and disabled thousands of computers.

State-backed hackers can also behave in some respects like hacktivists. In the run up to the 2016 US presidential elections, Kremlin-backed hackers managed to break into the emails of the Democratic National Committee and release them online to create embarrassment.

Worse, nation-state hackers may be interested in creating physical effects by digital means -- bringing down a power grid or forcing open the doors of a dam at the wrong time, for example. This is where cybercrime tips over into cyberwarfare.

With the emergence of the Internet of Things (IoT) -- where everyday objects from thermostats to home security systems can be controlled online -- the risk of well-funded groups attempting to hack into these devices increases.


If your organisation is being attacked by state-sponsored groups, keeping them out is likely to be extremely difficult: you should consider how to limit the damage, by segmenting networks and encrypting sensitive data, for example.

Concentrating on blocking attacks at the perimeter will not be enough. If your attackers are this well funded and motivated they will play a long, slow game and you have to assume they will get inside; limiting the damage then becomes the key issue.

Insider threats

With all the focus on external threats, is it possible that companies are forgetting a danger much closer to home?

Not every criminal is on the outside. Insiders have privileged access to systems; they know the routines and, potentially, the flaws in those systems. Confidential company documents stored on shared drives and weak internal controls on who can access data mean that the disgruntled or greedy insider could still be one of the biggest risks to businesses. But it might not be to do with money; staff can also be blackmailed by criminals into doing what they want. Intelligence agencies have also consistently warned that foreign governments will set honey traps in order to then blackmail employees into handing over data or passwords, and, because of their extensive access to corporate systems, IT staff have been targeted in this way.

Blurred lines

In reality, there's a lot of overlap between these groups, in personnel, the tools they use and the targets they choose. Organised crime is happy to borrow or steal tools and techniques from state-sponsored hackers (indeed, the same hackers may wear two hats), and as these attack methods become well known they gradually filter down the chain until even the most junior crooks are able to latch onto them.

All of this has driven up the cost to business of preventing and clearing up after attacks -- as with many types of real world crime, the costs of cleaning up can be vastly higher than the loot the crooks manage to get away with.

According to one set of research sponsored by IBM Security and conducted by Ponemon Institute, the average cost of a data breach with 2,500-100,000 lost or stolen records in 2018 is $3.86 million. The vast majority of the biggest breaches the researchers looked at were the result of malicious and criminal attacks. In these cases, the costs of a data breach involving one million compromised records was nearly $40 million.

Changes in the legal framework could also make cyber attacks even more expensive for businesses. The arrival of Europe's General Data Protection Regulation (GDPR) means that companies could face substantial fines if, following a leak of personal data, they are discovered to have not taken security seriously.

All of these pressures are driving up spending on IT security. According to analyst firm Gartner, worldwide spending on security products and services will reach $114bn this year and $124bn next year thanks to GDPR, risk management, and data privacy concerns. Cybercriminals will keep trying, and the cost of keeping them out will go up -- but the cost of letting them in will be even greater.
