Adversaries and Their Motivations (Part 3)

In part three of the Adversaries and Their Motivations blog series, we’ll explore the following top-level actor motivations: Cyber Warfare, Cyber Terrorism, and Cyber Mischief.

Even Fuzzier Boundaries

The high-level actor motivations covered earlier in this blog series introduced challenges in identifying and attributing activity between Cyber Espionage, Cyber Crime, and Cyber Hacktivism.

Analysis of the remaining motivations covered in this blog post can be even fuzzier considering the following:

• Political debate on definitions: Especially when it comes to international activity that directly results in loss of life, physical destruction of facilities, or negative economic hits, arguments persist over how these should be treated by nation state governments, military, and law enforcement agencies. The most serious debate concerns whether computer network related incidents constitute acts of war between countries.
• Hand-off between motivations: A number of motivations benefit from leveraging Tactics, Techniques, and Procedures (TTPs) and associated tools of another motivation either before or after focal activity. For example, Cyber Espionage can benefit Cyber Warfare operations, and Cyber Hacktivism can extend into Cyber Terrorism.

Cyber Warfare

Cyber Warfare describes operations that alone or complementary to kinetic military activityeliminate or degrade capabilities of a nation-state oriented target.

Associated Actors

Actors operating under this motivation include:

• Military units: Nation states recognize that computer warfare contributes to successful overt and covert operations against traditional military targets, such as adversary command and control (C2) systems, defense networks, and weapons systems.
• Intelligence services: These services often operate distinctly or in conjunction with military units to enable Cyber Warfare objectives through covert means.

Their Objectives

Associated actors seek to accomplish the following, on a nation state level:

• Disrupt operations: Established and critical military and civilian capabilities within a nation can present high value targets to an adversary, especially when combined with concurrent kinetic operations.
• Degrade / corrupt underlying capabilities: This includes sabotage that reduces the effectiveness or resilience of a capability to enable exploitation of that vulnerability in future kinetic and non-kinetic operations.
• Destroy key physical targets: Some attacks leverage Computer Network Attack (CNA) to destroy facilities for political and/or military advantage.

Additional Context for this Motivation

While this blog post attempts to simplify the definition of Cyber Warfare, political and military debate persists over how to define and respond to this class within the international community. Most operations that fall under this motivation are well funded, assessed as highly sophisticated, and backed by government, military, and intelligence resources. Associated activity is often paired with or conducted concurrent to Cyber Espionage operations to maximize effectiveness in progressive targeting, identification of associated weaknesses, and development of attack strategies. Otherwise, none of the other top-level malicious actor motivations typically mixes with Cyber Warfare operations.

Examples

Some examples of Cyber Warfare activity follow:

• The Stuxnet Attack On Iran’s Nuclear Plant Was ‘Far More Dangerous’ Than Previously Thought
• S., Israel Developed Flame Computer Virus to Slow Iranian Nuclear Efforts, Officials Say

Cyber Terrorism

Cyber Terrorism is the convergence of cyberspace and terrorism, distinguished by the threatened or realized loss of life, severe economic damage, and/or disruption of core infrastructure.

Associated Actors

Actors operating under the Cyber Terrorism motivation include:

• Officially recognized terrorist groups: Official terrorist organizations usually maintain public facing venues for communications and marketing.
• Government, military, or intelligence services: The end goal of these services is similar to that of officially recognized terrorist groups; however, it usually focuses internally to the originating country. As an example, in countries known for their human rights violations, respective agencies often use all available mediums to discourage dissent and identify (and “neutralize”) perceived opposition.
• Destructive black hat groups and individuals: The moment a malicious actor employs a virtually or physically destructive CNA method to affect an end goal or send a message their associated motivation is at least partially Cyber Terrorism.

Their Objectives

Actors operating under this motivation focus on:

• Disruption of opposing assets or services: This tactic is mostly used to gain visibility and potential media coverage for an organization based on the inconvenience or material damages accomplished through attacking various government, military, or corporate infrastructure targets. It is most often associated with extremist forms of hacktivism.
• Intimidation of a populace: This can take several forms, depending on the target country, culture, industry organization, and/or circumstances. Some associated attacks go so far as to leverage Computer Network Exploitation (CNE) to expose dissidents and their families to severe consequences within certain countries, extending as far as enabling assassination of key opposing personnel for political and/or military advantage.

Additional Context for this Motivation

These are the extreme cyber bullies of the world, relying on fear and destruction as their preferred tools. Similar to Cyber Warfare, public agreement on a definition for this motivation remains elusive. Kevin G. Coleman of the Technolytics Institute took a commendable stab at a definition:

“The premeditated use of disruptive activities, or the threat thereof, against computers and/or networks, with the intention to cause harm or further social, ideological, religious, political or similar objectives. Or to intimidate any person in furtherance of such objectives.”

Yet, even this definition generates significant overlap across subsets of malicious activity found within other motivations. Focusing on the context and severity of associated activity will often disambiguate underlying motivation; however, certain outliers will always fall in a mixed category and/or rely on less than moderate levels of confidence.

Enlisted participants in affecting campaign objectives can range in technical ability and sophistication. From contractors to hacktivists, certain third parties may be recruited to affect principle actor objectives in attack campaigns associated with this motivation.

While most actors under this motivation currently focus on disruption through techniques such as Distributed Denial of Service (DDoS), we’ve seen some lean towards destructive activity. This includes the use of tools such as wiper malware to perform the digital equivalent of sacking a city – but in this case, sacking an enterprise. In the future, similar tools and techniques as those successfully employed by Cyber Espionage and Cyber Warfare actors may lead to more devastating attacks against Cyber Terrorism targets.

Examples

Some examples of Cyber Terrorism activity follow:

• Kazakhstan: The Alleged Killer of Journalist Gennady Pavlyuk – Known Kyrgyz Special Services Officer
• Russia Accused of Unleashing Cyberwar to Disable Estonia
• Inside the “Wiper” Malware That Brought Sony Pictures to its Knees [Update]

Cyber Mischief

Cyber Mischief encompasses a majority of the remaining cyber threat noise on the Internet.

Associated Actors

In general, Cyber Mischief is associated with any malicious actor that doesn’t fit into the other high-level motivations. Examples include:

• Fledgling hackers: Individuals or groups that are new to the malicious hacking discipline and typically use publicly available attack tools without a deeper comprehension of underlying concepts and techniques. These parties are sometimes referred to as “script kiddies,” and in some cases they may cause damage but they generally do not harbor malicious intent.
• Internet nuisances: Individuals or groups that are experimenting with their TTPs and tools in arbitrary or capricious ways that do not directly lead to objectives of other motivations. Instead, these parties are often cultivating their skills and proficiencies to eventually apply them towards another top-level malicious actor motivation when they feel suitably prepared and confident.

Their Objectives

The objectives of actors that fall under the Cyber Mischief motivation can include:

• Small-scale personal benefit: Some actors execute related activity for minor tangible and/or intangible gains.
• Seeking to learn and/or teach: Knowledge and excellence in execution require extensive practice. Once comfortable enough, this practice often moves to the wild (i.e., Internet), to test an actor’s skill against live targets.
• Refining tradecraft: In the course of navigating through and beyond the fledgling hacker stage, some actors focus on strengthening their associated skills and proficiencies to elude detection and attribution.
• Exploring identity: The modern Internet offers a medium for bonding and integration of new experiences that can lure susceptible personality types and age ranges into this category of behavior.
• Just to be a nuisance: As in the physical world, some folks just like to stir up trouble.

Additional Context for this Motivation

A tricky aspect of Cyber Mischief is that it builds up the Internet noise that defenders must wade through to find threats posed by other high-level malicious actor motivations. As actor experience and competence increases, respective activity may begin to look more like the progressive high-level motivation that the party is evolving towards. Additionally, savvy actors under other motivations may tailor certain activity to blend in with this noise or employ these techniques to distract defenders.

Examples

Some examples of Cyber Mischief activity follow:

• Teens Expelled in Keylogging of School Computers
• Teen Pays for DDoS on School, Faces Felony Charges
• Lizard Squad claims responsibility for Black Friday PSN Outage

Closing Thoughts

As with any attempt to standardize or generalize, exceptions and outliers are a very real possibility. It’s often better to be approximately right than precisely wrong when it comes to tailoring a framework for any environment. Regardless of how you might break out and define categories of malicious actors attacking a network, one thing should remain consistent: assessment methodology. This ensures a basis for comparative analysis and subsequent prioritization of threats.

Finally, it can often be just as important to eliminate a given motivation or attribution from consideration as it is to isolate those with the highest confidence. After all, it’s about making the best-informed decisions possible about these threats given incomplete situational awareness and limited resources, such as people, technology, and – often the most critical – time.

Happy hunting and tracking!

Rob Downs

[Palo Alto Networks Blog]