Cyberattacks’ evolution: From single actors to professionalized coordinated teams

Author: Andrés Rieznik
Senior Researcher
@AndresRieznik

Cybercrime becomes more pervasive every day as the complexity of the technological ecosystem grows. This has been driving the professionalization of the threat actors during the last decade.

They keep evolving, constantly analyzing their operations, adjusting, and optimizing their businesses.

Consistent with this view, a recent study from the Bruno Kessler Foundation in Trento, Italy [1] showed that industrial professional hackers aim to develop automated, reproducible, deterministic attacks, in contrast to old-style practitioners, who prefer to minimize effort and try many different manual tasks. Human decisions generally belong to the second stage of an attack.

In another recent study developed by a group led by Samuel Chng from the University of Technology and Design in Singapore [2], a comprehensive framework for hacker types, motivations and strategies was introduced. They identified and reviewed 11 classifications and typologies of hackers and their motivations published over three decades and summarized the state of the art. As a result, a complex scenario emerges, where motivations and strategies overlap among different hacker types.

As an example, attackers classified as “Nation State” (government-sponsored) hackers perform complex operations for ideological and revenge motivations, but can also be described as financially motivated, at least instrumentally. If an opportunity for monetization arises, they may choose to collect money in order to obtain additional resources for their cause, for example by buying credentials from an initial-access broker to break into an additional target.

Under this framework, it does not make sense to describe an incident as a “ransomware attack”. Rather, it should be considered a “financially motivated intrusion” in which ransomware is used as a monetization strategy.

We've seen a marked increase in financially motivated attacks, evolving from pure single-strategy actors to more versatile operators that can execute mixed strategies.

Take the case of the group DEV-0537, also known as LAPSUS$, which Microsoft has been actively tracking and describes as a large-scale social engineering and extortion campaign against multiple organizations: the group is known for using a pure extortion and destruction model without deploying ransomware payloads.

According to Microsoft “their tactics include phone-based social engineering; SIM-swapping to facilitate account takeover; accessing personal email accounts of employees at target organizations; paying employees, suppliers, or business partners of target organizations for access to credentials and multifactor authentication (MFA) approval; and intruding in the ongoing crisis-communication calls of their targets.”

LAPSUS$ even actively reached out to other hackers, asking for credentials to access their targets, and enticed employees or contractors to take part in the operation. There is a booming market of credentials and initial-access brokers, as revealed in Microsoft’s blog, where they show a screenshot of an ad received by an employer:

Something similar happened earlier with stolen credit card data: initially, individuals who obtained the information needed to use the credit card themselves in order to monetize it, but years later a huge market emerged in which standard pricing for credit card numbers, names, or other data, depending on the nationality, was established.

Social engineering is not a problem just for the big companies attacked by LAPSUS$. A recent study by the Newcastle University Centre [3] reveals that in Manchester, United Kingdom, phishing attacks are among the most common cyberattacks posing a significant threat to Small and Medium Enterprises (SMEs), with a steady increase in the frequency of incidents against SMEs during the 2018-2020 period.

Meanwhile, international law does little to prevent non-state cyber attacks [4]. This is why we expect many organizations to start considering the attacker’s motivation when defining their security strategies. Particularly for financially driven attackers, we believe companies will begin to study the monetization options available to their adversaries and act to dissuade them from performing attacks. This viewpoint could control and limit the damage caused by incidents, which is the ultimate purpose of a security strategy.

[1] Ceccato, M., Tonella, P., Basile, C., Falcarin, P., Torchiano, M., Coppens, B., & De Sutter, B. (2019). Understanding the behaviour of hackers while performing attack tasks in a professional setting and in a public challenge. Empirical Software Engineering, 24(1), 240-286.

[2] Chng, S., Lu, H. Y., Kumar, A., & Yau, D. (2022). Hacker types, motivations and strategies: A comprehensive framework. Computers in Human Behavior Reports, 5, 100167.

[3] Panditharathna, R., Jesutoye, B. G., & Shevels, T. (2021). Trends and impact of cyber-attacks on small and medium enterprises in Manchester, United Kingdom.

[4] Katagiri, N. (2021). Why international law and norms do little in preventing non-state cyber attacks. Journal of Cybersecurity, 7(1), tyab009.
