Information and Cyber Security Threat Actors
Within the information and cyber security world, a threat actor is defined as an individual or group involved in malicious activity and can be categorised as state and non-state, hostile, intentional, non-hostile or unintentional.
Malicious insiders are those who have privileged access to information, technology or assets, and who deliberately exploit their access in ways that compromise commercial or national interests. The Managing the insider threat to your business handbook defines the malicious trusted insider threat “… as the threat posed by unauthorised access, use or disclosure of privileged information, techniques, technology, assets or premises by an individual with legitimate or indirect access, which may cause harm.” Reputational damage is also a serious risk regarding unlawful distribution of sensitive and private information to unauthorised parties.
The motivations of a malicious trusted insider vary, as the Deputy Director-General of ASIO explained at a conference in 2015, “…when we talk about malicious insiders, we are talking about individuals who, with a range of motivations, betray the trust of their employer. Research has shown that motivations for such betrayal vary widely. But they are fundamentally personal - such as disgruntlement, revenge, ego, a sense of the misguided greater good or loyalties, or financial gain.”
Insiders can also pose an unintentional threat, such as assisting someone to access physical facilities or information systems without realising that what they are passing on may hold significant value and may be used for malicious purposes. This often happens when employees lack security awareness or fail to follow correct security protocols.
Trusted insiders present a threat whether acting independently with a specific agenda and intent or by assisting external parties; they are not necessarily predisposed to undertakings that go against the policies of an organisation. Opportunism, compounded by circumstance, may turn an otherwise trustworthy person into someone who seeks to deliberately steal from or harm an organisation and/or its assets.
Cyber and Organised Crime
Cyber criminals (mostly related to organised crime – both offshore and domestic) are groups of people who undertake criminal activity professionally. In cyberspace, this includes activities such as fraud, use of ransomware (such as Cryptolocker) and delivering malicious tools and infrastructure. Cybercrime describes crimes that are directed at computers or other information communications technologies, such as hacking or unauthorised access to data.
Australia’s relative wealth and high use of technology such as social media, online banking and government services make it an attractive target for serious and organised criminal syndicates. Lucrative financial gains by serious and organised crime syndicates ensure the persistence of the cybercrime threat.
The Cyber Security Review, led by the Department of the Prime Minister and Cabinet, found that cybercrime is costing the Australian economy up to $1 billion annually in direct costs alone. The principal cybercrime threat actors to Australia are based offshore. Cybercriminals who are impacting Australian victims collaborate even though they may live in different countries or even continents. This makes cybercrime activities inherently fluid and flexible.
The essential components of an organised crime group are defined by the Australian Institute of Criminology as “a structured group of three or more persons, existing for a period of time, acting in concert with the aim of committing serious criminal offences in order to obtain some financial or material benefit. As such, organised crime requires three or more persons to come together for the execution of their common purpose.” It is estimated that organised crime costs Australia around $36 billion each year.
Organised crime related illegal activities include: kidnap for ransom; extortion; armed robbery; drug trafficking/sale; firearms trafficking; fraud; money laundering and financial crime; and cybercrime. Organised criminals typically operate in multiple sectors across the illicit, grey, and black markets, in both formal and shadow economies. Further, the Australian Criminal Intelligence Commission (ACIC) warns that “… the threat of organised crime groups in Australia poses a high threat to the Australian way of life. They can range from high profile Outlaw Motor Cycle Gangs, to transnational syndicates based offshore.”
Cyber and information crime is also a key aspect of organised crime within Australia. Violence was once considered a key influencer of serious and organised crime methods but, with the increasing prevalence of the cyber domain as a vector and target for organised criminal acts and major frauds, that is not always the case today.
The modus operandi of cybercriminals can be as diverse as their motivations. Perpetrator profiles include rogue employees, environmental lobby groups, politically motivated groups and other malicious attackers. The reach and subsequent impact of successful cyberattacks have increased dramatically worldwide over the past five years.
Recently, the head of the Australian Cyber Security Centre, Alastair MacGibbon, when quizzed about unauthorised criminal access to health information, replied that “… their [criminals'] preferred target is cash itself. If you can't get the cash, then you go for things that can be converted to cash. And personal data is one of those things.”
Hackers and Hacktivists
Hackers are individuals or groups who attempt to gain unauthorised access to a computer system. Hackers break into networks for the thrill of the challenge or for bragging rights in the hacker community. While remote cracking once required a fair amount of skill or computer knowledge, hackers can now download attack scripts and protocols from the Internet and launch them against victim sites. Thus, while attack tools have become more sophisticated, they have also become easier to use.
Hackers are generally grouped into three distinct categories:
Black Hats. Black hat hackers usually have extensive knowledge about breaking into computer networks and bypassing security protocols. They are also responsible for writing malware, which is a method used to gain access to these systems. Not only do black hat hackers seek to steal data, they also seek to modify or destroy data as well.
White Hats. Also known as “ethical hackers,” white hat hackers can sometimes be paid employees or contractors working for companies as security specialists who attempt to find security holes via hacking. White hat hackers employ the same methods of hacking as black hats, with one exception: they do it with permission from the owner of the system first, which makes the process completely legal.
Grey Hats. Grey hat hackers are a blend of both black hat and white hat activities. Often, grey hat hackers will look for vulnerabilities in a system without the owner’s permission or knowledge. If issues are found, they will report them to the owner, sometimes requesting a small fee to fix the issue. If the owner does not respond or comply, then sometimes the hackers will post the newly found exploit online for the world to see.
Hacktivists are individuals or groups of people who perform cyber-attacks in support of a particular cause or ideal, such as Anonymous and WikiLeaks. Attacks are sometimes attributed to particular groups or can also be anonymous in nature. This includes issue motivated groups (IMG).
Generally, IMG cyber attacks or campaigns in Australia are fluid, reactionary and opportunistic, and can include direct action such as website defacement, disruption to online business practices through activities such as denial-of-service (DoS) attacks, and targeted social media activity - all planned and carried out to gain maximum publicity.
A script kiddie is often, but not always, a juvenile hacker who uses scripts or programs developed by more sophisticated hackers or crackers to breach systems, access information or deface websites etc. This may take the form of malicious software (malware), password attacks or direct unauthorised access to ICT systems (including the cloud), websites, or social media pages.
Foreign Intelligence Services
Any privileged information not usually found in the public domain can be of interest to foreign intelligence services. Aggregating information on a state’s economic position and decision making is a core task of foreign intelligence services; foreign powers have an interest and desire to coerce and manipulate Australian business and individual decision-making to benefit their political, economic and commercial interests.
Cyberattacks and associated commercial espionage are a present and evolving threat and are considered a key operational enabler for foreign intelligence service (FIS) agencies. The Australian Cyber Security Centre’s (ACSC) 2017 Threat Report indicates that ‘Australia continues to be a target of persistent and sophisticated cyber espionage directed by foreign intelligence services – and will remain so for the foreseeable future.’
Cyber espionage represents an attractive and potent means of advancing a state’s national interests. It is cost effective, potentially deniable and allows data to be amassed and stolen on an unprecedented scale. This activity is likely to continue to increase in both frequency and sophistication. Such operations may be supported and facilitated in part by human sources operating within a given target’s ICT environment.
Major state-sponsored cyber operations such as Operation Olympic Games (also known as Stuxnet), Saudi Aramco, and attacks against Estonian critical infrastructure highlight the threats and risks associated with state-sponsored/FIS-based offensive cyber capabilities.
In April this year, the then Australian Defence Minister detailed that approximately 400 Australian businesses may have been targeted by suspected state-sponsored cyberattacks. These attacks were part of a widespread cyber campaign that affected millions of machines worldwide. Further, recent media reporting also suggests a significant cyber campaign by FIS against Australian government and commercial entities - known as Operation Cloud Hopper - by a group identified as Advanced Persistent Threat 10 (APT10).