In June 2020, the Australian prime minister announced that the country was under attack. “Based on advice provided to me by our cyber experts, Australian organisations are currently being targeted by a sophisticated state-based cyber actor,” Mr Morrison said from Parliament House.
These attacks on our neighbouring country had the potential to cause widespread damage to Australia, its stability and its economy; however, for many businesses, the threat of a nationwide cyber-attack and its consequences for individual companies is abstract and not well understood. At the same time, albeit further afield, the US Department of Justice and the Treasury took action against a group of Nigerian nationals who are believed to have cost American citizens over US$6 million by perpetrating Business Email Compromise (BEC) fraud and romance scams.
In light of these varied scenarios, we investigate who the current cybercrime perpetrators (actors) are, what type of schemes they are specialising in and how this impacts businesses today. While many threat actors exist, many of those currently in the news fit into the following groups:
1. Organised Crime
Organised crime groups are motivated by financial gain. They undertake cybercrime to steal Personally Identifiable Information (PII) that can be sold on the dark web and to hijack critical business resources for ransom. Various tactics are used to achieve their goals, and they are responsible for the significant recent increase in Business Email Compromise and ransomware attacks. These groups also use Remote Access Trojans (RATs), seen recently in New Zealand, along with phishing, social media, extortion, cryptominers, exploit kits and blackmail. One group, FIN7, is suspected of netting around US$50 million in profit for each month of operation.
Defending against organised crime schemes involves the basics of good security hygiene, including:
- Strong password management and Multi-Factor Authentication
- User Awareness training (Often phishing schemes are the first entry point for an attack)
- Advanced endpoint protection
- Timely patching to encourage the attacker to find an easier target
- An Incident Response Plan to prepare your business to respond to any incident in a timely and coordinated fashion
In the cybercrime landscape, Organised Crime Groups arguably cause the most harm to organisations by perpetrating crimes such as ransomware attacks, business email compromise, online fraud and data theft. They are the cybercrime actors with the capability and expertise to target big businesses, banks, and law firms.
Organised crime groups are motivated by profit. Online gambling is believed to have been the catalyst for organised crime groups developing an interest in cybercrime, which subsequently proved very profitable. They follow the “Willie Sutton Rule” by targeting “…where the money is”, which in today’s landscape means focusing on online business activity. Researchers recently estimated that organised crime groups and networks globally cause around US$445-600 billion of harm each year. Verizon’s 2020 Data Breach Investigations Report also indicated that organised criminal groups were responsible for 55% of all data breaches in the last year.
Organised cybercrime groups form after connecting online and often consist of a core group of skilled actors who then develop an ancillary network of people to perform additional roles. Their structure often closely resembles a corporate business consisting of partner networks, resellers, associates, and vendors. Sophisticated groups may even have dedicated call centres to handle ransomware victims’ requests. Roles are varied and include:
- Team Leaders to coordinate and communicate with the broader team
- Coders who have the expertise to develop hacking tools and exploits
- Network Administrators to manage botnets and DDoS infrastructure
- Intrusion Specialists to carry out an attack
- Data Analysts to clean and format stolen data for resale
- Money Specialists and Mules to launder the attack proceeds
Organised crime groups have taken traditional crime online. Illegal gambling groups, drug cartels and prostitution and trafficking rings all sell their services online and launder their profits digitally. However, in addition to these traditional pursuits, they have also branched out into technical cybercrime primarily using malware such as ransomware, business email compromises including phishing and invoice fraud and social engineering attacks to extort organisations for profit.
Ransomware serves multiple purposes for organised crime groups. Firstly, it poses a significant threat to organisations both directly and indirectly, such as when third party service providers and supply chains are impacted. Increasingly it is also being used as a smokescreen for stealing Personally Identifiable Information (PII) and confidential data, which the organised crime groups then threaten to auction off unless payment is made. 2020 has seen a change in tactic away from scatter-gun campaigns to performing targeted ransomware attacks as well as adding new attack layers such as crypto mining.
In addition to conducting cybercrime attacks themselves, organised crime groups also provide services that facilitate cybercrime (crime as a service), such as supplying data and identity documents, made-to-order malware, botnet services and training on how to use vulnerabilities and exploits. Products sold by these groups on the dark web include zero-day exploits for between US$30,000 and US$250,000, and malware exploit kits for around US$200-600 per exploit.
One way organised crime groups benefit from ransomware attacks, while limiting their risk or need for a specialised resource, is to only conduct the network intrusion themselves (using multiple attack vectors and malware to gain entry). They then sell this access to different actors to perform privilege escalation, lateral movement and ransomware deployment. Emotet malware is currently omnipresent and is setting the benchmark for modern malware with over 200,000 unique versions seen in the wild. Emotet deployed by organised crime groups can provide Access-as-a-Service (AaaS) functionality to other cybercriminals who then monetise the opportunity by deploying a second attack.
Organised crime groups rapidly change their tactics and techniques to evade security controls, and recent developments in the sophistication of malware are an example of this in action. The Europol Internet Organised Crime Threat Assessment 2020 describes how these groups have recently converted some traditional banking trojans into more advanced, highly adaptive, modular malware with a broader set of capabilities that is increasingly difficult to combat. Each known malware strain can have a code base that is distributed and operated differently in different parts of the world, and the more frequent use of polymorphic and fileless malware is also limiting the effectiveness of traditional signature-based antivirus products. The malware used by organised crime groups typically includes remote access tools (RATs) and trojans to gain control over infected computers.
Business Email Compromise also continues to increase as a threat. This growth is driven by organised crime groups who have sufficient resources to research an organisation thoroughly and target companies using knowledge of their internal business processes and system vulnerabilities. More sophisticated measures are being used by these groups to conduct complex man-in-the-middle attacks on email conversations, or even to use Artificial Intelligence (AI) to mimic the voice of a CEO. Social engineering and phishing remain the primary methods of initial access to an employee’s email account, highlighting the constant need for user awareness training. Compromise of Office 365 accounts is often made possible by the absence of basic controls such as multi-factor authentication.
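The indicators that give BEC attempts away at the mail gateway are mostly visible in the headers: an executive's display name on an address outside the company, a sender domain one character away from the real one, a Reply-To pointing somewhere else, and a DMARC failure on mail claiming to be from your own domain. The following triage script is an added example and not code from the original article; the company domain example.co.nz, the executive names and the three sample messages are constructed for the illustration.

```python
"""Header triage for inbound mail, looking for common Business Email Compromise
(BEC) indicators: an executive's display name on an external address, a
lookalike sender domain, a mismatched Reply-To, failed SPF/DKIM/DMARC checks
and payment-pressure language.

Added example, not code from the original article. OUR_DOMAIN, EXECUTIVES
and the sample messages are constructed for the example.
"""
import email
import email.utils
from email import policy

OUR_DOMAIN = "example.co.nz"                    # assumed company domain
EXECUTIVES = {"jane smith", "john doe"}         # assumed display names to protect
PRESSURE_WORDS = ("urgent", "wire", "bank details", "gift card")
# digits commonly swapped for letters in lookalike domains
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, target: str = OUR_DOMAIN) -> bool:
    """True when `domain` is not `target` but is one typo, one digit-for-letter
    swap, or one suffix (TLD) change away from it."""
    if not domain or domain == target:
        return False
    return (domain.translate(CONFUSABLES) == target
            or _levenshtein(domain, target) == 1
            or domain.split(".")[0] == target.split(".")[0])


def triage(raw_message: str) -> list:
    """Return a list of human-readable BEC indicators found in the message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    name, addr = email.utils.parseaddr(str(msg.get("From", "")))
    from_dom = _domain(addr)
    _, reply_addr = email.utils.parseaddr(str(msg.get("Reply-To", "")))
    reply_dom = _domain(reply_addr)

    if name.strip().lower() in EXECUTIVES and from_dom != OUR_DOMAIN:
        findings.append(f"executive display name '{name}' on external domain {from_dom}")
    if is_lookalike(from_dom):
        findings.append(f"lookalike sender domain {from_dom}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # Authentication-Results is stamped by the receiving MTA; a fail on mail
    # claiming to come from our own domain means the From header is forged.
    auth = str(msg.get("Authentication-Results", "")).lower()
    for check in ("spf", "dkim", "dmarc"):
        if f"{check}=fail" in auth:
            findings.append(f"{check} failed")

    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")).lower()
    hits = [w for w in PRESSURE_WORDS if w in text]
    if hits:
        findings.append("payment-pressure language: " + ", ".join(hits))
    return findings


# Constructed sample messages (not real mail).
SPOOFED = """\
From: Jane Smith <jane.smith@example.co.nz>
Reply-To: jane.smith.ceo@gmail.com
To: finance@example.co.nz
Subject: Quick favour - urgent
Authentication-Results: mx.example.co.nz; spf=fail smtp.mailfrom=example.co.nz; dkim=none; dmarc=fail

Are you at your desk? I need a payment made before 5pm today.
"""

LOOKALIKE = """\
From: Jane Smith <jane.smith@examp1e.co.nz>
To: finance@example.co.nz
Subject: Supplier invoice
Authentication-Results: mx.example.co.nz; spf=pass smtp.mailfrom=examp1e.co.nz; dmarc=pass

Our supplier has new bank details, please update them and wire the amount today.
"""

BENIGN = """\
From: Supplier Ltd <invoices@supplier.example>
To: finance@example.co.nz
Subject: Invoice 4021
Authentication-Results: mx.example.co.nz; spf=pass; dkim=pass; dmarc=pass

Attached is invoice 4021 for last month.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("lookalike", LOOKALIKE), ("benign", BENIGN)):
        print(label, triage(raw))
```

Note that the lookalike message passes SPF and DMARC cleanly, because the attacker owns examp1e.co.nz; authentication checks only catch forgery of your own domain, which is why the display-name and lookalike rules are needed alongside them. In production the same rules would sit in a mail-flow rule or a SIEM parser fed by the gateway's Authentication-Results headers.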
Prevention and awareness, as well as being prepared to manage an incident, are vital to combatting attacks from organised crime groups. Steps an organisation can take are:
Reporting and Sharing Information
Organisations can help the global effort to thwart organised crime groups by reporting and sharing their knowledge and experiences. Incident reporting to national bodies such as CERT NZ or the NCSC allows a better picture of organised crime group activity to be available to authorities. Additionally, sharing information with industry partners may assist in higher levels of awareness and preparedness to face emerging threats.
Deploying Advanced Endpoint Protection
Traditional endpoint security tools such as host firewalls and signature-based antivirus solutions depend on known threat information to detect possible attacks. In contrast, advanced solutions now use machine learning and behavioural analytics to protect endpoints from contemporary threats such as fileless malware and zero-day exploits.
Using Multi-Factor Authentication (MFA/2FA) and Strong Password Management Systems
All accounts should use application- or hardware-based multi-factor authentication, in preference to SMS codes, which can be intercepted through SIM-swap fraud; administrative and email accounts should be prioritised.
Conducting Regular User Awareness Training
Phishing schemes and social engineering attacks are still primary entry points for attacks leading to business email compromise, invoice fraud, ransomware and data exfiltration. Regularly reminding users of the possible risks and what to be mindful of will promote vigilance.
Patching Promptly
Unpatched vulnerabilities are open doors for organised crime groups. Applying all security patches in a timely fashion will discourage attackers looking for the low-hanging fruit.
Developing Incident Response Capabilities
Develop a tested Incident Response Plan that contains specific playbooks for typical threats to your industry, such as Ransomware and Business Email Compromise. This will help ensure that your organisation has the resources, knowledge and tools to quickly respond, contain, mitigate and recover from a cyber-attack.
2. Insider Threat
The insider threat refers to anyone operating inside your business, such as employees, contractors, trusted vendors or third parties. Insider threats are challenging to detect, as an insider may have valid credentials, in-house knowledge of systems and security controls, and operate from a position of trust.
Typically, the insider threat comes from two different areas. Firstly, many insiders are disgruntled current or former employees seeking revenge or financial gain (a second revenue stream). These insiders have malicious intent. The second category, however, can do just as much damage: insiders who are negligent or commit unintentional errors.
Insider threats appear to be on the rise, and some studies suggest they play a role in around 50% of security breaches. The insider threat is difficult to manage and, we believe, an overlooked area that businesses should focus on as thoroughly as their external threat strategies.
High-profile cases where insiders have caused damage include Edward Snowden, who reportedly disclosed around two million classified files in 2013, and a South Korean employee who sold 27 million customer records for profit. However, most insider threat cases do not make the news, as they are considered Human Resources matters for internal resolution.
A business needs visibility across its network to track user behaviour and identify anomalous activity in order to protect against the insider threat. This visibility has been made more challenging of late as many businesses have moved to the cloud, where access monitoring and granular logging may not be configured as rigorously. Other actions companies can consider for protection against the insider threat include:
- Employing the concept of ‘least privilege’ when granting system and file access
- Ensuring all devices on the network (including BYOD) are protected by a host firewall, removable-media controls and restrictions on Bluetooth and other peripherals
- Instigating employee wellness programmes to identify disgruntled employees, or those under stress or duress, early
- Conducting cybersecurity training frequently to minimise unintentional errors.
While various cyberthreats are highlighted in the media every day, understanding how and whether these threats may apply to your business can be challenging. Defending your business against a known threat may be easier and more effective than defending against the unknown.
Therefore, we recommend staying aware of the key activity happening in the cybercrime world via threat alerts and becoming familiar with the main perpetrators and their motives to ensure your defence strategies are appropriate. As mentioned by Sun Tzu in The Art of War, “If you know the enemy and know yourself, you need not fear the result of a hundred battles”.
It is a reality that many crimes are perpetrated by someone known to the victim. Homicide detectives have stated that “Familiarity breeds contempt.” Looking at recent studies, it appears that when talking about cybercrime and data theft in 2020, the same may apply.
The 2020 Cost of Insider Threats Global Report released by the Ponemon Institute reveals that the number of insider incidents has increased by 47% in two years. The average cost of these incidents has also soared, from US$8.76 million in 2018 to US$11.45 million in 2020. The report also finds that 68% of organisations feel vulnerable to insider attacks. This comes as no surprise considering recent news such as the July 2020 Twitter compromise, where employees appear to have been manipulated into helping an attacker gain access to accounts, the case of the Yahoo veteran who narrowly escaped jail time after hacking into private accounts, and the misconfiguration of AWS S3 buckets that led to the exposure of victim information.
The events outlined above highlight both the serious and the varied threat that insiders pose. The name “insider threat” is also a misnomer as it refers to many different crimes, issues, situations, tactics, targets, industries and motivations which cannot all be handled under a one-size-fits-all policy or solution.
What is the Insider Threat?
Generally, the insider threat can be categorised in three main types:
Malicious insiders are often employees, contractors or trusted partners who have legitimate access to the network but abuse this access for profit, revenge, or fun. Frequently they steal data and trade secrets either for profit or to leak to a competitor, another country or the media.
Recent predictions suggest the tough economic environment being experienced globally as a result of COVID-19 will drive an increase in this type of threat as employees suffer pay cuts and employment uncertainty. A report into the impact of an economic recession on New Zealand policing in the next 6 to 12 months states that middle-class workers and small to medium-size business owners are now vulnerable. There are concerns that many who are unaccustomed to financial hardship may turn to crime or be exploited by criminal gangs. Large redundancies, such as those seen at a number of New Zealand companies, could provide an opportunity for organised crime groups to exploit vulnerable employees who have inside knowledge of an industry. The report predicts that online fraud may increase by as much as 30-100% and highlights businesses that “reprioritise their resource” and cut back on cybersecurity as being of concern.
Unwilling participants are pawns who fall for a phishing scheme or execute a malicious macro or script. They may make a mistake such as losing a laptop or mistakenly sending an email to the wrong recipient that results in data loss, theft or financial and reputational harm to the business.
Recent research from one security firm revealed that 43% of employees admitted making mistakes that led to cybersecurity incidents and 52% of employees said stress was the leading cause for these mistakes. Around 58% of employees have sent a work email to the wrong person. Distraction was cited as the primary reason for falling for a phishing scam.
System misconfigurations or negligence are IT mistakes that lead to incidents such as leaving a web server unpatched. The COVID-19 pandemic has led to the rapid adoption of cloud collaboration tools for many businesses and increased the risk of configuration mistakes such as not setting appropriate access control on cloud storage or environments such as Slack. In 2018 researchers found that up to 80% of all AWS S3 buckets they inspected contained readable files.
Detection and Prevention
Defending against insider threats can be challenging, as insiders often require an elevated level of trust and access to do their jobs and may have the capabilities, privileges, knowledge and motivation required for a successful attack. Detecting an insider attack is also challenging; many insider attacks go undetected for months, with one 2019 study putting the average time to identify a breach at 207 days. One security analyst recently reported that forum references to “Twitter plugs” or “Twitter reps”, the terms used to describe cooperative Twitter employees, had been appearing for several years before the recent Twitter compromise. This highlights that the insider threat risk to Twitter was evident, but undetected, some time ago. Several techniques, however, can help, including:
Conducting Threat Assessments
A threat assessment can help you determine which type of insider threat is most applicable to your business environment and, therefore, where to target your efforts. For example, combatting malicious insiders requires the implementation of strict security controls, whereas the threats posed by unwilling participants may be mitigated with awareness campaigns and wellbeing programmes. This stage may also include establishing clear visibility of privileged users and accounts for easier monitoring.
Instituting Cyber Security Governance
Ensuring cybersecurity is governed from a clear vision and consistently managed throughout all levels of an organisation reduces the cyber risk in a business and helps build a strong cybersecurity culture.
Monitoring Data, Activity and Network Traffic
Monitoring email, file and network activity, including using data loss prevention (DLP) tooling to detect the exfiltration of sensitive data, may assist in identifying and mitigating data loss.
Common signs of possible insider threat activity may include:
- The downloading or obtaining of large amounts of business or sensitive data
- Accessing data outside of job function or searching for sensitive data
- Requests or attempts to access resources outside of normal job function
- Using unauthorised devices such as unapproved laptops or USB storage
- Copying sensitive files
- Emailing sensitive data outside of the business
- Increased file activity in privileged folders
- Attempts to alter logs or delete large amounts of data
Security analytics tooling can also alert on unusual behaviours such as those listed above.
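Most of the indicators in the list above can be expressed as simple rules over a file-activity audit trail, provided the organisation has already written down which data each role legitimately needs (the least-privilege map). The script below is an added example and not code from the original article; the log format, the per-user allowed paths, the thresholds and the nine sample log lines are all constructed for the illustration.

```python
"""Rule-based detection of the insider indicators listed above, run over a
constructed file-activity audit log.

Added example, not code from the original article. The log format, the
least-privilege map ALLOWED_PREFIXES, the thresholds and the sample lines are
all assumptions made for the example.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

OUR_DOMAIN = "example.co.nz"
ALLOWED_PREFIXES = {                 # which paths each user's role actually needs
    "alice": ("/finance/",),
    "bob": ("/engineering/",),
    "carol": ("/hr/",),
}
SENSITIVE_PREFIXES = ("/finance/", "/hr/", "/legal/")
DATA_ACTIONS = {"read", "download", "copy", "email"}
BULK_BYTES = 500 * 1024 * 1024       # per user per day
WORK_HOURS = range(7, 20)            # 07:00 to 19:59

# Constructed sample log: time,user,action,resource,bytes,destination
SAMPLE_LOG = """\
2020-09-14T09:12:03,alice,read,/finance/q3-forecast.xlsx,204800,
2020-09-14T09:40:11,bob,read,/engineering/build.log,10240,
2020-09-14T22:15:45,bob,read,/finance/payroll-2020.csv,52428800,
2020-09-14T22:17:02,bob,copy,/finance/payroll-2020.csv,52428800,usb:SanDisk_1A2B
2020-09-14T22:31:19,bob,email,/finance/payroll-2020.csv,52428800,bob.personal@gmail.com
2020-09-15T01:02:00,bob,delete,/var/log/audit/audit.log,0,
2020-09-15T10:05:00,carol,read,/hr/contracts/,300,
2020-09-15T10:06:00,carol,download,/hr/archive/all-staff-files.zip,734003200,
2020-09-15T11:00:00,alice,email,/finance/invoice-4021.pdf,81920,ap@example.co.nz
"""


def parse_log(text: str) -> list:
    rows = []
    for time, user, action, resource, nbytes, dest in csv.reader(io.StringIO(text)):
        rows.append({
            "time": datetime.fromisoformat(time), "user": user, "action": action,
            "resource": resource, "bytes": int(nbytes or 0), "dest": dest,
        })
    return rows


def analyse(text: str) -> list:
    """Return (user, rule, detail) alerts for the log."""
    alerts = []
    daily_bytes = defaultdict(int)
    for r in parse_log(text):
        user, act, res, dest = r["user"], r["action"], r["resource"], r["dest"]
        allowed = ALLOWED_PREFIXES.get(user, ())   # unknown user: nothing is in scope
        sensitive = res.startswith(SENSITIVE_PREFIXES)

        if act in DATA_ACTIONS and not res.startswith(allowed):
            alerts.append((user, "out_of_scope", f"{act} {res}"))
        if r["time"].hour not in WORK_HOURS:
            alerts.append((user, "off_hours", f"{act} {res} at {r['time']:%H:%M}"))
        if dest.startswith("usb:"):
            alerts.append((user, "removable_media", f"{res} -> {dest}"))
        if act == "email" and sensitive and not dest.lower().endswith("@" + OUR_DOMAIN):
            alerts.append((user, "external_email", f"{res} -> {dest}"))
        if act in ("delete", "modify") and res.startswith("/var/log"):
            alerts.append((user, "log_tampering", f"{act} {res}"))
        if act in DATA_ACTIONS:
            daily_bytes[(user, r["time"].date())] += r["bytes"]

    # volume rule is evaluated per user per day once the whole log is read
    for (user, day), total in daily_bytes.items():
        if total > BULK_BYTES:
            alerts.append((user, "bulk_transfer", f"{total / 2**20:.0f} MiB on {day}"))
    return alerts


def summarise(alerts: list) -> dict:
    """Per-user rule counts, highest total first."""
    counts = defaultdict(lambda: defaultdict(int))
    for user, rule, _ in alerts:
        counts[user][rule] += 1
    ordered = sorted(counts.items(), key=lambda kv: -sum(kv[1].values()))
    return {user: dict(rules) for user, rules in ordered}


if __name__ == "__main__":
    for user, rules in summarise(analyse(SAMPLE_LOG)).items():
        print(user, rules)
```

Single rules fire on legitimate work all the time (a finance analyst genuinely does download large files at month end), which is why the summary groups by user: the combination of out-of-scope reads, late-night activity, a USB copy, an external email and a deleted audit log on one account is what should page an analyst, not any one line on its own. The out_of_scope rule is only as good as the least-privilege map behind it, so maintaining that map is part of the control.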
Creating Least Privilege Policies
Limit access to sensitive resources and information such as Personally Identifiable Information, trade secrets, financial data or intellectual property, allowing people access only to what they need to do their jobs. Local administration rights can be removed from standard users, and application allow-listing (and, where that is not practical, block-listing) can help to block malicious software.
Implementing User Training, Awareness and Support
Ensuring all users (including IT) have appropriate training to undertake their roles and recognise security threats is key to avoiding unwilling participants and misconfiguration threats. Additionally, wellness programs and employee mental health support may help prevent workplace stress rising to levels where risk is increased.
Response and Recovery
Following an Incident Response Plan
Following a tailored Incident Response Plan that includes playbooks for specific insider threat scenarios will assist in a faster and more efficient response. Ensuring you have a communications plan in place to handle an event such as a data breach, where you may be required to notify customers, regulators such as the Office of the Privacy Commissioner, and the media, is also vital.
Conducting an Investigation
If a breach is suspected, conducting a formal forensic investigation can determine the possible cause, breadth and impact of the incident. The use of advanced forensic tools can identify potential evidence relating to any incident for legal or employment proceedings. The potential recovery of sensitive data and evidence such as deleted social media posts can also be achieved with careful investigation. Contact us for further information about investigating insider incidents where protecting the assets, reputation and brand of your business is vital.
Insider threats are an increasing risk for businesses in 2020. They are difficult to prevent and detect and often cause significant financial and reputational harm. Responding to these threats in a timely and efficient manner is therefore critical to protect your business. Planning for the insider threat by ensuring your business understands its risk profile and has good cyber governance and incident response policies and procedures defined and tested are the most effective ways to increase resilience to insider threats.
3. State-Sponsored or Nation-State Actors
It is estimated that at least 30 nations are actively waging cyber warfare on other countries targeting their economic, military, political or commercial infrastructure. Groups that are nation-state sponsored have unparalleled technical, financial and material resources to create sophisticated attacks and are known for playing a “long-game”.
These groups often conduct cyber-espionage to find competitive information, resources or users that advance their political or military agendas. While they mainly focus on activities that benefit the interests of one nation over another, businesses can still be negatively affected by this activity.
Cyberweapons such as Stuxnet and NotPetya severely impacted not only their designated targets but businesses throughout the globe, causing billions of dollars’ worth of damage. A nation-state may also want your company’s Intellectual Property for its use.
Organisations are increasingly at risk of state-sponsored cyber-attacks. Whether the goal is espionage, theft, disruption or sabotage, there is growing evidence that attackers supported and funded by countries are targeting a wide range of enterprises.
Who are they?
State-sponsored cybercriminals usually work for or on behalf of a government to compromise organisations, other nations’ governments or individuals, to steal information or cause disruption and harm. They are well-funded, can operate without fear of retribution from their home country, and usually have a high level of technical expertise. They are the group most associated with, or described as, Advanced Persistent Threats (APTs).
A critical difference between state-sponsored actors and others such as insiders or organised crime gangs is their determination and persistence. This determination is often motivated by nationalism, and they will go to great lengths to cover their tracks. Unlike other actors such as hacktivists, state-sponsored groups almost never publicly claim their actions.
Recent research suggests that state-sponsored hackers and cybercriminal gangs are also increasingly impersonating each other to hide their tracks. State-sponsored actors from different nations have also started to work together; for example, Russia and Iran, and China and North Korea, are believed to collaborate in attacks. Another technique used by foreign entities is to engage cybercriminal groups to increase their capabilities and launch attacks.
What is the risk?
The traditional targets of state-sponsored cyber-attacks have been military, government and critical infrastructure organisations. Increasingly, however, businesses across a diverse spectrum such as healthcare, education, finance and entertainment are being targeted. Economic gain is a motivator, and companies with valuable intellectual property are at risk. For example, laptops stolen from the wave power company Pelamis are believed by some to be directly linked to remarkably similar products appearing in China soon after the theft. Other motivating factors are gaining political leverage and espionage, or having the ability to disrupt critical infrastructure.
The trend for state-sponsored actors to target businesses also seems to be growing. Last year Microsoft warned 10,000 of its customers (84% of them enterprises) that they had been targeted or compromised by a state-sponsored attack, and Google issued 40,000 notifications of nation-state hacking attempts. Verizon’s Data Breach Investigations Report indicated that the proportion of data breaches attributed to nation-states had risen from just 12% in 2018 to 23% in 2019.
The methods used by state-sponsored actors vary and include crypto-jacking, ransomware, Distributed Denial-of-Service (DDoS) attacks and malware. Traditional methods such as phishing are also still highly effective. A recent analysis of nation-state phishing attacks by Google’s Threat Analysis Group indicates that impersonating journalists is popular and highlights the lengths nation-state actors will go to for success.
The attackers start by setting up accounts purporting to belong to a reporter and use these to spread disinformation through false stories that eventually get picked up by mainstream news outlets. They then use a fake journalist account to build email and social media relationships with legitimate journalists. This groundwork can occur over several years, until sufficient trust has been built that when they drop a malicious link or attachment into correspondence, it will likely be opened. The UK National Cyber Security Centre (NCSC) issued an advisory this year noting that “advanced persistent threat” actors (APTs) were also exploiting the COVID-19 pandemic in this way to launch campaigns.
Along with traditional methods, state-sponsored actors have the resources to undertake more technically advanced attacks. APT actors are increasingly utilising “fileless attacks”, which leverage legitimate tools and applications already present on the victim’s systems and so leave little for signature-based products to detect. Once inside the organisation, data can then be exfiltrated using cloud-based storage services.
Additionally, more zero-day vulnerabilities (i.e. vulnerabilities not yet known to the vendor and for which no patch exists) are also being used. The US and Israeli state-sponsored attack on the Iranian Natanz nuclear facility in 2010 (Stuxnet) utilised four zero-days, which was unprecedented at the time. Recently, however, a single state-sponsored actor was found to be holding a stockpile of five zero-days.
A further risk posed by nation-state cyber activity was highlighted at the 2020 RSA Security Conference by a former NSA hacker. He demonstrated how sophisticated attacks developed by government-sponsored actors are being reused and repurposed by hackers previously limited by the skills and resources needed to create such advanced threats. Examples of repurposing already exist: tooling leaked from state-sponsored actors, such as the EternalBlue exploit published by the Shadow Brokers and the CIA tooling described in the Vault 7 leak, has been weaponised by cybercrime gangs. The risk here lies in the fact that these attackers may not have the intelligence to use or tailor such tools appropriately, which could lead to more attacks with unintended consequences, such as WannaCry, where operational networks were severely impacted by malware never intended for them.
Defending against sophisticated APTs designed by highly skilled and well-resourced nation-state actors must be a joint effort between government and the private sector; however, individual businesses can implement effective mitigation strategies, including:
- Considering which of your business assets may be attractive to a nation-state. For commercial businesses, this may be intellectual property, research outputs, political influence, high-profile individuals, or critical infrastructure services.
- We recommend that businesses assume that they have already been compromised and focus on the data they hold. Are you aware of where sensitive information resides in your network? Who has access to this data? What is in place to limit data exfiltration? Do you have tested response and recovery procedures? Is it encrypted?
- As many of these attacks still use traditional methods such as Phishing as a primary attack vector, educating employees on recognising social engineering attempts is vital.
- Advanced endpoint detection allows greater visibility of your network and works to defend against a broader range of malware.
- The National Institute of Standards and Technology’s (NIST), Special Publication 800-53 Revision 4, includes a security control to restrict purchases from specific suppliers or countries.
- Where possible, use demilitarised zones (DMZs) and network segmentation to isolate the internal network (or at least the sensitive parts of it) from the Internet.
- Aim for a process that allows critical security updates to be applied immediately.
Although many businesses may believe that state-sponsored actors only target critical infrastructure or companies with significant intellectual property, it is apparent that the growing threat from these attacks is potentially harmful to all businesses. Organizations may suffer as a result of collateral damage from a newly developed malware strain, or by not yet recognising the value their business assets may present to another nation-state and preparing accordingly.
4. Hacktivists
Hacktivist groups are motivated by a political, social or religious agenda. They target government entities and corporations to expose what they believe are unjust or unethical business practices. Unlike organised crime groups, they tend to be loosely affiliated individual hackers or smaller groups who band together to highlight a cause or expose a perceived injustice.
Common tactics employed by these groups include the defacing of corporate websites, the hijacking of social media accounts and DDoS attacks on websites. Well-known hacktivist groups Anonymous and LulzSec have previously targeted various high-profile victims, including the US presidential campaign, the Islamic State (IS) and certain corporates. Since 2016, however, attacks attributed to hacktivist groups have declined.
Defending against an attack from hacktivists starts with:
- Considering whether your business could be a target
- Understanding the causes that these groups are acting in support of (e.g., environmentalism)
- Being aware of how your brand is perceived concerning these issues
- Creating a sound and secure social media management strategy and staying up to date with trends.
The Merriam-Webster dictionary defines hacktivism as “computer hacking done to further the goals of political or social activism”. Hacktivists are those engaging in hacktivism and historically have been decentralised groups of individuals acting together out of a sense of common purpose.
Hacktivists differ from other cybercriminal groups in that they are driven and united by an ideology, principle or cause. These can be political, religious, or regional issues.
Hacktivist groups came to the attention of the general public and the security community around ten years ago when they launched high-profile campaigns against targets such as the Church of Scientology, Visa, Mastercard and Amazon. They also became heavily involved in political struggles such as the “Arab Spring” at that time. Some of the more well-known groups include Anonymous, LulzSec and the Syrian Electronic Army.
Hacktivists have traditionally used Distributed Denial of Service attacks (DDoS), website defacement and customer data theft as their primary methods of attack.
In the last two years, hacktivist activity has primarily focussed on the defence of civil rights and operations against child abuse, terrorism, and hate crimes. Whilst these causes seem worthy, the techniques used to achieve hacktivists’ goals are often criminal and can cause significant harm to businesses and individuals. Business disruption as a result of large-scale DDoS attacks and data leaks can lead to substantial financial loss. Even short-term website defacement can cause reputational damage to a business.
Hacktivists are known to directly attack businesses that they believe are engaging in morally corrupt activities, such as Visa refusing to process donations made for Julian Assange or the Ashley Madison website promoting extramarital affairs. In the case of Ashley Madison, the impacts of the 2015 data breach and the release of millions of customers’ confidential records are still being felt today: victims are still subject to blackmail attempts, and the attack cost Ashley Madison over $30 million in fines and recovery costs.
During the current Covid-19 crisis some cybercriminals eased off on targeting healthcare facilities; hacktivist groups, however, were very vocal about maintaining their campaigns against large pharmaceutical companies that they believe are profiting from the pandemic. This is of concern to some, as it has the potential to delay the development of a vaccine.
Whilst it is generally thought that businesses closely linked to a nation (such as a national bank) are more likely to be targeted by hacktivists, companies from a diverse range of industries have been attacked, sometimes for seemingly innocuous business dealings. Heavy machinery maker Caterpillar Inc., for example, has suffered multiple attacks related to the sale of bulldozers to Israel. Businesses can also suffer collateral damage from hacktivism through general disruptions (such as nationwide internet service outages) or supply chain disruptions.
Learning from hacktivist attacks
Verizon’s Data Breach Investigations Reports (DBIR) show that in previous years hacktivists have been responsible for leaking more personal data records than financially motivated cybercriminals. With the NZ Privacy Act 2020 strengthening the obligations New Zealand businesses have around protecting sensitive data, it is an appropriate time to review what lessons can be gleaned from previous hacktivist breaches and how companies should mitigate this threat in 2020.
Large-scale hacktivist attacks are not random. The Ashley Madison website was targeted because it was seen as immoral or as profiting “off the pain of others”. If you suspect your business may be at risk from hacktivism, add this scenario to your Incident Response plan and playbooks, and ensure you also include a thorough Public Relations and communications plan. You do not, however, have to be in an “obviously” controversial industry (such as oil) to be wary: any organisation could be targeted by someone willing to try to embarrass it or damage its reputation. If your organisation would suffer from the release of personal customer information, you should remain vigilant.
Monitor not only the threat landscape, but the social climate
Despite hacktivism dropping from the major headlines for several years, CrowdStrike intelligence has recently seen an overall increase in hacktivism, with groups that had previously been quiet once again beginning active operations. Anonymous recently claimed responsibility for convincing Korean pop music fans to hijack white supremacist Twitter hashtags in support of Black Lives Matter. Shortly after the assassination of Iran’s Major General Qasem Soleimani in early 2020, Digital Shadows also identified an increase in activity from pro-Iran hacktivists, the first such activity since campaigns in 2015 and 2016.
Accenture’s 2019 Cyber Threatscape Report predicts that events with global reach, such as the Olympics, may become a setting for hacktivist cyber threat activity. Threat actors have previously carried out hacktivism campaigns against the World Anti-Doping Agency (WADA) and the 2018 PyeongChang Winter Olympics.
Continuously improve your Cybersecurity Maturity
Although Ashley Madison protected most of its stored passwords with a strong, slow hashing scheme (bcrypt), a subset (15 million) had been stored under a weaker scheme and was recovered by brute force. Inconsistently applied security measures creep in as networks and applications evolve, and this is a reminder that continuously reviewing, upgrading and improving your cybersecurity posture is vital. While you can never be entirely secure, constant improvement helps ensure you keep meeting your obligations to secure data as technology changes.
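The following is an added example, not code from the original article or from Ashley Madison, illustrating the failure mode above: a user table where one row was left on a legacy hash after a migration to a strong scheme. It is Python, the sample table and wordlist are constructed for the demonstration, and an unsalted MD5 stands in for whatever the weaker scheme actually was (an assumption, not a description of the real breach). The example shows how to find the legacy rows, why a dictionary attack is cheap against them and expensive against PBKDF2, and how to retire the weak format by rehashing on the user’s next successful login. The PBKDF2 iteration count is an assumed value to be tuned per deployment.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Assumption: tune so one hash costs roughly 100 ms on your production hardware.
PBKDF2_ITERATIONS = 200_000


def hash_legacy_md5(password: str) -> str:
    """Unsalted, fast hash standing in for a legacy scheme (assumed, not Ashley
    Madison's actual format). One MD5 per guess makes brute force trivial."""
    return "md5$" + hashlib.md5(password.encode()).hexdigest()


def hash_pbkdf2(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, slow hash. Stored as pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), digest.hex())


def verify(stored: str, password: str) -> bool:
    """Constant-time comparison against whichever scheme the record uses."""
    scheme = stored.split("$", 1)[0]
    if scheme == "md5":
        return hmac.compare_digest(hash_legacy_md5(password), stored)
    if scheme == "pbkdf2_sha256":
        _, iterations, salt_hex, digest_hex = stored.split("$")
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                     bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(digest.hex(), digest_hex)
    raise ValueError("unknown hash scheme: " + scheme)


def audit_hash_schemes(table: Dict[str, str]) -> List[str]:
    """The review step: list users whose record is not on the current strong scheme."""
    return [user for user, stored in table.items()
            if not stored.startswith("pbkdf2_sha256$")]


def dictionary_attack(table: Dict[str, str],
                      wordlist: List[str]) -> Dict[str, Tuple[str, int]]:
    """Try every word against every record. Returns user -> (password, number of
    primitive hash operations spent), so the per-guess cost of each scheme is visible:
    one MD5 per guess versus PBKDF2_ITERATIONS SHA-256 calls per guess."""
    cracked: Dict[str, Tuple[str, int]] = {}
    for user, stored in table.items():
        per_guess = 1 if stored.startswith("md5$") else int(stored.split("$")[1])
        work = 0
        for guess in wordlist:
            work += per_guess
            if verify(stored, guess):
                cracked[user] = (guess, work)
                break
    return cracked


def login_and_upgrade(table: Dict[str, str], user: str, password: str) -> bool:
    """Remediation: on a successful login against a legacy hash, rehash with the
    strong scheme so the weak format disappears from the table over time."""
    stored = table.get(user)
    if stored is None or not verify(stored, password):
        return False
    if not stored.startswith("pbkdf2_sha256$"):
        table[user] = hash_pbkdf2(password)
    return True


# Constructed sample table: a migration that left "bob" on the old scheme.
# Fixed salts keep the example deterministic; production code must use os.urandom.
SAMPLE_TABLE = {
    "alice": hash_pbkdf2("correct horse battery staple", salt=bytes(16)),
    "bob": hash_legacy_md5("password123"),
    "carol": hash_pbkdf2("password123", salt=bytes(16)),
}
SAMPLE_WORDLIST = ["123456", "password", "password123", "letmein"]  # constructed

if __name__ == "__main__":
    table = dict(SAMPLE_TABLE)
    print("legacy rows:", audit_hash_schemes(table))
    for u, (pw, work) in dictionary_attack(table, SAMPLE_WORDLIST).items():
        print("{}: cracked as {!r} after {:,} hash operations".format(u, pw, work))
    login_and_upgrade(table, "bob", "password123")
    print("legacy rows after bob logs in:", audit_hash_schemes(table))
```

Note that a weak password such as carol’s is still recoverable under PBKDF2; the slow scheme only raises the attacker’s cost per guess, so the audit and the upgrade-on-login both matter, and password policy remains a separate control.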
Ensure Robust Management of the Full Data Lifecycle – Including Deleting
In the Ashley Madison example, the hacktivists exposed a large amount of data which supposedly had been previously deleted. Ensure you have a robust method for the permanent and irretrievable deletion of all copies of data that are no longer required to be held by your business. This requires that you are aware of where all possible copies of data are held, including any mailboxes, third party cloud-based storage, or related applications.
Have Sufficient DDoS Mitigation
As many hacktivists use DDoS attacks, you should understand your DDoS mitigation service-level agreements to ensure you are protected in the event of a widespread attack. Your response plan and procedures should reflect your current protections, and your team should know exactly how to engage and use these services if required.
Validate that Your Data is Secure
Finally, consider engaging an external company to test your security measures through Penetration Testing and Vulnerability Assessments.