Threat Actors. Who is Attacking Us?


Brand attacks are a growing concern for companies in today’s digital world, with attacks having risen over 381% in 2020 alone. In 2022, cyberattacks saw a 38% increase compared to 2021, with over 1 thousand attacks per week per organization. With the rise of social media and other online platforms, it’s easier than ever for individuals and organizations to launch attacks that can harm a brand’s reputation.

Source: Check Point

These attacks can come from various sources, such as competitors, disgruntled customers, and malicious actors, and each has its own motivations and playbooks for how they operate. To effectively protect against these threats, it’s essential to understand the different types of brand attacks and the unique reasons and tactics used by each.

However, it’s not just about understanding individual attacks. The threat landscape becomes even more complex when multiple sources launch a coordinated attack on a brand. In these cases, the motivations of each attacker may overlap and amplify the attack’s impact.

To stay ahead of these evolving threats, companies must develop strategies that consider the dynamic nature of brand attacks and can adapt as the threat evolves. This requires a deep understanding of the different types of brand attacks, the motivations that drive them, and the ability to anticipate and respond to changing attack patterns.

In this blog, we explore the different threat actors at play, investigate how their combined talents increase the threat, and look at what your organization can do with its platform security to mitigate it.

Rogues Gallery of Threat Actors

Threat actors, whether acting individually or as an organized group, are motivated by various factors when launching brand attacks. Some may be driven by financial gains and attempt to steal sensitive information or engage in phishing scams to achieve their goal. Others may have more complex motivations, such as seeking revenge or trying to damage a company’s reputation. Regardless of the motivation, it’s crucial to understand what drives threat actors to effectively defend against their attacks.

Knowing the Players

While there are numerous niche varieties of threat actors, they all generally break down into a handful of categories. Each of these categories has its own motivations that help to determine their overall targets and how they will pursue attacking them.

| Threat Actor | Motivation and Goal |
| --- | --- |
| Cyber Terrorist | Aim to cause as much damage and destruction as possible. They have little interest in stealing anything of monetary value unless it furthers their ability to drive more significant damage by spreading their ideology and causing fear in the population. |
| Initial Access Broker (IAB) | These cybercriminals specialize in gaining access to networks and resources through stolen credentials. They sell this information to other cybercriminals, giving them an entry point that allows them to conduct further attacks as they see fit. |
| Government or state-sponsored | These threats are highly skilled attackers with nation-state entities backing their efforts, providing money, intelligence, and other resources to conduct advanced wide-scale attacks. They use brand attacks as part of advanced and complex engagements targeting foreign government entities. |
| Organized Crime | Cybercriminals operating in groups commit more advanced crimes by leveraging their combined skill sets. They may be affiliated with known criminal organizations that also have their fingers in traditional crime or may exist as a digital-only band of criminals. Generally, this variety of threat focuses on attacks that will net them money, such as ransomware, theft, and extortion. |
| Hacktivists | These threat actors have reasons to hate a given brand and work to share their grievances with the outside world and cause as much damage to the organization as they can. They want to disrupt your ability to operate efficiently and disrupt the customer experience. |
| Insider | Insider threats are challenging to catch because they have legitimate access to sensitive information but malicious intent. They may operate alone for monetary gain or, like hacktivists, seek to damage the organization they are part of, which they likely feel has wronged them. |
| Script Kiddies | These cyber attackers are larval hackers who don’t know all the ins and outs of cybersecurity but can operate some tools. Their motivations are often driven by curiosity, but it is not unlikely for them to resort to petty vandalism for fun or to steal data if the opportunity presents itself. |

Mixed Attacker Motivations

Cybercriminals have different motivations for their actions. However, a closer examination of the individuals involved reveals that many of them share similar reasons. These motivations can be broadly grouped into several categories: financial gain, damaging a company’s reputation or seeking revenge, setting up more significant attacks, disrupting operations, and simply causing mischief (known as “Lulz”).

The financial motivations are self-explanatory. Cybercriminals seek to make money through various means, such as theft, fraud, and ransom. On the other hand, those who aim to damage a company’s reputation or seek revenge may have personal grudges or issues with the targeted organization. 

Some cybercriminals target organizations to set up more significant attacks, using the information obtained for future malicious activities. Additionally, some seek to disrupt operations, causing harm to businesses and critical infrastructure. Finally, some individuals carry out cyberattacks simply for the thrill of it, known as “Lulz.”

Crime Amplified

When cybercriminals figure out they have similar goals, they team up to share information and create more efficient attack strategies. At the end of the day, all the different threats are cybercriminals. They all gather at similar places to share knowledge and resources: chatrooms and forums where they can brag and learn from each other, and dark web marketplaces where they sell collected data, credentials, services, and ill-gotten gains.

Telegram chat where threat actors sell services and stolen data.

Gathering Resources

There is an entire underground economy that drives cybercrime. Dark web marketplaces provide various tools and resources, allowing cybercriminals to become more significant threats.

Ransomware is one of the most dangerous tools to be bought and sold here. Attackers can purchase code to generate their own or pay for high-quality ransomware as a service (RaaS), where the whole kit is ready to use, allowing less skilled attackers to run the operations. With RaaS, the buyer drives the attack and ransom collection, while the seller pulls 20-30% of the money off the top and still controls the encryption keys, allowing them to maintain control.

Source: Microsoft Threat Intelligence Center (MSTIC).

Underground resources go beyond tools. They also allow similar minds to find each other and team up, such as hacktivists finding each other to attack the same cause. They communicate via messaging apps, groups on Telegram, and other anonymous chat services where data can be traded with little risk of being caught. Even on common social media platforms such as Facebook, Discord, Reddit, and Twitter, they can share information freely and broker sales in plain sight.

Cybercriminals’ R&D

When criminals gather together, they can grow in their “craft” to refine attacks, seeing what worked for some but failed for others. Significant learning occurs in these forums, comparing notes on what techniques have been effective to bypass access controls in the past and what have not. Information shared ranges from how to hack and deface websites to where to buy phishing kits, allowing cybercriminals to constantly improve their game. Their continual improvement forces cyber defenses to continually evolve to keep pace.

Learning tutorials on a notorious darknet forum.

Like Minds Work Together

Cybercrime is a complex issue involving a web of interconnected relationships between criminals and their targets. It is not just a solitary act carried out by a single individual. Instead, it is a collective effort that often involves multiple parties working together to achieve a common goal. By collaborating with others and pooling their resources and knowledge, criminals can carry out much larger and more devastating attacks.

Tied by Motivations

Cybercriminals work together when they want to achieve similar goals, even if they are not exactly aligned. When damaging a company’s reputation is a motivation for both hacktivists and insiders, they will work together to achieve the common goal.  

Even if there is not perfect alignment, they still team up if doing so leads toward another’s goal. Organized crime has financial motivators, and hacktivists want to damage the company. By helping lead to a data breach that gives organized crime funding, the hacktivists ensure the company takes a big black eye in the process.

Combining Skills

Much like different threat actors have varying motivations, they also come with different skills and knowledge. As threats team up, they grow the type of attacks they can execute and the potential impact.

Threat actor group on Telegram looking to recruit new members.

Crime is business. When attackers team up, they all have a role to play and go about the job in an organized fashion. Only those who can contribute something (skills, resources, etc.) remain on the job; others get booted to reduce risk. Different skill sets complement each other, allowing the team to go further than they could individually.

Insiders are a wild card. Those with knowledge of operations and access can accelerate attacks and amplify damage. Handing that knowledge and access off to a third party helps keep their hands clean but achieves the same ends.

Handling Evolved Threats

Don’t tackle evolved cyber threats alone. Bfore.Ai gives organizations the power to safeguard their brand by leveraging threat intelligence that prevents fraudulent activity. Bfore.Ai vigilantly monitors your organization for any indication of impersonation attacks and gathers intelligence from the dark web. As soon as threats are detected, Bfore.Ai swiftly implements countermeasures to minimize the attack’s impact and initiates takedown processes on your behalf.

Take control of your brand’s reputation: schedule a demo with Bfore.Ai today and see how we can help your company put a stop to brand attacks.