Understanding Cyber Criminals' Motives Key to Addressing Cyber Risks

Several rows of binary bits are superimposed over a hooded cyber hacker on a laptop.

June 15, 2022

Several rows of binary bits are superimposed over a hooded cyber hacker on a laptop.

Cyber criminals fall into different categories with varying motivations that must be understood and considered in underwriting cyber risks, a new report suggests.

The June 6, 2022, report from cyber risk analytics firm CyberCube, titled Understanding Criminal Cyber Threat Actors and Motivations, suggests that there are three main types of cyber-threat actors: state-sponsored, criminal gangs, and hacktivists, the latter group using hacking to bring about social or political change.

The report says that state-sponsored actors are among the greatest concern to the (re)insurance industry, as well as the potential victims of cyber crimes. Their affiliation with government entities tends to result in well-funded, well-organized, and sophisticated cyber criminals with mature procedures and protections from their government sponsors.

State-sponsored actors' objectives tend to align with the government entity sponsoring them, the report says. Consequently, their attacks are generally politically motivated, often focused on espionage, according to CyberCube. Attacks by state-sponsored actors have also included distributed denial of service attacks, destructive wiper malware, misinformation, influence operations, and attacks on critical infrastructure, the report says.

Such attacks carried out on behalf of nation-states tend to be more strategically focused than pure criminal attacks, CyberCube says, often playing out over months or years.

The most destructive nation-state-sponsored attack in recent years was the NotPetya ransomware outbreak in 2017, the report says. In that attack, according to the CyberCube report, Russian military hacking groups allegedly deployed malware to target Ukrainian entities, but the malware's effects became global, affecting global shipping companies, multi-national pharmaceutical companies, financial services organizations, and food manufacturers. Some estimates placed the ultimate losses from the attack at $10 billion, the report says.

Organized criminal gangs are largely focused on ransomware, according to CyberCube, looking to lock up victims' data and demand ransom payments to decrypt it. Their tactics, techniques, and procedures are evolving at a rapid rate, the report says.

The report notes that organized cyber criminals are motivated by financial gain, with cyber-crime trends tending to reflect where the greatest profit can be gained for the least effort. Currently, that's in ransomware, the report says.

The ransomware trend shows no sign of letting up, according to the CyberCube report, with the most evolved and mature ransomware gangs turning to providing sophisticated hacking tools to others through a ransomware-as-a-service (RaaS) model along the lines of the software-as-a-service distribution model.

CyberCube explains the approach allows the larger players to reduce their own risk while generating significant profits and provides less-mature ransomware criminals access to sophisticated ransomware toolkits for a small initial investment. There are now more than 50 RaaS variants in use, according to CyberCube.

While most ransomware attacks still occur in the United States, as criminal groups increase in scale and number, 2022 will see increasing internationalization of ransomware, the report says.

Hacktivists present their own threat to business and the cyber-insurance market. The threat they pose to state secrets and intelligence operations comes with potentially far-reaching implications, CyberCube said.

The report suggests that the hacktivist landscape is somewhat less well-defined and organized than other areas of the cyber-criminal landscape, including individuals and groups with a variety of skill levels and capabilities.

Over the past decade, hacktivism has been shaped by a few major players, the most influential of which has been the Anonymous group, the report says. "Anonymous is made up of proxy organizations, making it difficult to track and properly attribute attacks to the group," the report says. "However, groups like Anonymous often take public credit for their attacks."

In a statement accompanying the report, Darren Thomson, CyberCube's head of Cyber Intelligence Services and a coauthor of the report, said, "While cyber crime is the subject of considerable research, most of it is focused on specific types of attack. In our view, we need to know more about the threat actors behind these attacks. The more we understand their motivations and allegiances, the more we can predict their moves.

"A greater understanding of the key cyber actors will help the insurance sector predict how and where future attacks could arise and inform estimations of attack frequency and severity," Mr. Thomson said.

CyberCube notes that current estimates suggest that global losses resulting from cyber crime will reach $10.5 trillion by 2025.

"A greater understanding of the key cyber actors, their motivations, and how these lead to the utilization of specific techniques will help (re)insurers and brokers predict how and where future attacks could arise and inform estimations of attack frequency and severity," the report says.

The report concludes that while there is extensive documentation of the tactics, techniques, and procedures used in modern cyber attacks, focusing solely on those details and not on the threat actors involved as well will likely result in weaker cyber-catastrophe modeling underwriting practices and cyber-risk defense strategies.

"The world of the threat actor is a complex one with a variety of motivations," the report says. "Not all cyber criminals are built equally, and the cyber attacks we see every day come from actors whose competencies and maturities vary widely. Cyber-risk professionals will be best prepared if they factor these elements into their cyber-risk strategies."

June 15, 2022