Modules An 4

The document discusses the various types of threat actors in cybersecurity, particularly focusing on hackers and their motivations, capabilities, and the resources they utilize. It categorizes threat actors into groups such as hobbyists and criminal organizations, highlighting their differences in skills, resources, and objectives, with hobbyists often motivated by curiosity and reputation, while criminal organizations primarily seek financial gain. The document emphasizes the importance of understanding these actors to address the cybersecurity challenges facing critical infrastructure and various sectors.

Threat Actors: Who Are the Hackers?

Hi. Welcome back to Cybersecurity for Everyone. I'm Dr. Charles Harry. In the last several episodes,
we've talked a lot about how the Internet actually works. In this episode, I want to change the subject a
little bit and talk a little bit about who the hackers actually are, and specifically the threats they
potentially represent. Let's talk a little bit more about those cyber security threats. Our society is
increasingly reliant on information technology for all sorts of everyday activities. These include things
like banking and our retail services, but also includes things like transportation, as well as healthcare
systems and many others. The important thing to remember is that each one of these sectors has
several vulnerabilities in the various systems they rely on. Those vulnerabilities can be exploited by
hackers. First, instead of using the word hacker, let's use a much more formal term. I'm going to use
the term threat actor. The reason we want to talk about a threat actor is that a cyber attack is
orchestrated by a person or an organization. That person or organization is motivated by a purpose. It's
really important for us to understand that not all threat actors are focused on the same things. Some are
motivated by financial gain, others maybe by national security interests. We need to understand the
differences between those various threat actors. They execute those operations, utilizing available
resources and they leverage tactics, tools, and processes that vary. This is an important distinction
because not all threat actors have the same level of capability. We need to understand that, if we're to
get to the bottom of the real cyber security challenges that we face.
Let's talk a little bit more about the people and the organizations behind this hacking. As we discussed,
cyber attacks are executed by specific people who act either independently or as part of a broader
collective or group. There are lone actors that may train and execute attacks based on their own internal
motivations or as part of an effort to gain additional reputation. However, groups of actors operating as
an organization might execute attacks for financial, political, or even nationalist purposes. We need to
understand the differences that each one of these threat actors represents. Let's talk a little bit more
about motivation. Threat actors are motivated to conduct cyber attacks for a variety of different
purposes. They include things like curiosity, even reputation, there are financial incentives, in some
cases, political activism, terrorist activity and finally, even national security considerations. It's important
to understand these motivations influence different groups to conduct certain types of attacks against
certain organizations. If we want to understand the broad set of threats facing things like critical
infrastructure, we need to understand who the threat actors are and what they're motivated to achieve.
Let's talk a little bit more about resources. Not all threat actors have the same level of resources that
they need in order to execute a specific type of cyber attack. The ability of threat actors to execute
effects is constrained by certain things. First, they're constrained by their own skill level. Have these
threat actors been practicing for years? Have they been trained by a government
organization, or are they learning their skills simply on YouTube? It matters. Second, the tools that
they're using matter. Are these tools that were developed by others and that people commonly use
around the world, and are therefore known by defenders, which might limit their effectiveness?
Or are the tools custom made? Are they leveraging capabilities and techniques that no one has ever
seen before? The processes and techniques that threat actors use are really important. Are they well
known by defenders or are they novel? Then finally, the financial resources that they can bring to bear
matter. If you're a threat actor and you're interested in attacking a piece of critical infrastructure, let's
call it a natural gas pipeline, there are very specific technologies that are leveraged in those types of
systems. If you're a threat actor and you want to attack those systems, you're likely going to have to go
out and purchase those systems or gain access to them, and they're not necessarily cheap; they may
run several hundred thousand dollars. If you're living in your parents' basement, chances are you're not
going to have a couple hundred thousand dollars lying around in order for you to actually mess around
and identify the exploitation potential in that particular system.
Here's an example in the banking sector or a handful of examples. First, there were Iranian attacks
against 46 major financial institutions in 2011. We've also seen attacks by a North Korean hacking group
that led to the compromise of $100 million out of Bangladeshi Central Bank accounts in 2015. But it's
not simply about attacks against the financial sector. We also see attacks in the energy sector. Examples
might include power disruptions in the Ukraine, denial of service attacks against customer service phone
lines in Detroit, Michigan, and even compromise of data residing on electric utility computers in
Vermont. We also see several attacks coming against the retail sector. Examples include access to
specific point of sale systems. These are the systems in which you take your credit card and you hand it
to the cashier and they swipe it for you. Attacks against those particular components happen with a
regular occurrence. These include compromise of credit card numbers at Home Depot, Target, Eddie
Bauer, and several more. Finally, denial of service attacks against retail websites are actually quite
common. Even the transportation sector has seen a whole host of cyber attacks. These include things
like destruction of the cargo management system at Maersk Lines, the largest container ship company in
the world. We've seen attacks against ticketing kiosks for the San Francisco Muni system, and even rail
systems themselves compromised in the Ukraine.
Finally, even government is affected. Examples of cyber attacks include things like billing and record
management systems disrupted in Baltimore. We've seen court docket systems completely disrupted in
the city of Atlanta. Even US government employee records compromised at the Office of Personnel
Management. Well, the United States suspects hackers in China are responsible for a government data
breach that impacted about four million people's records. It's described as one of the largest thefts of
government data ever seen. The FBI first detected a breach in April at the Office of Personnel
Management, which functions as the federal government's human resource department, managing
background checks, pension payments, and job training. China denies being responsible. What are some
of the takeaways? Well, cyber attacks are conducted by individuals either acting alone or as part of a
larger group. But it's specifically to achieve a goal and that's a really important point to understand. They
leverage tools, techniques, and processes to achieve those end goals. Finally, they're constrained.
They're constrained by the lack of resources, tools, and skill. Now, all of this together is fundamentally
important because some threat actors are more capable than others. As we go through the next few
episodes, we'll talk a lot about the different types of threat actors and the constraints that they face. I
hope to see you next time.

Cybersecurity Threats Impacting the Nation

Pages 2-5 of Cybersecurity Threats Impacting the Nation, Testimony of Gregory C. Wilshusen
Before the Subcommittee on Oversight, Investigations, and Management, Committee on
Homeland Security, House of Representatives, Tuesday, April 24, 2012

B.1 [Link]

Threat Actors: Hobbyists

Hi. Welcome back to Cybersecurity for Everyone. I'm Dr. Charles Harry. In our last episode we
talked about threat actors. Just to review, threat actors exploit vulnerabilities and those threat
actors act either alone or as part of a collective or broader organization. They leverage their skill
and resources to achieve a specific end effect. Finally, they're motivated by different things. Not
all threat actors are the same. In this episode, I want to talk about the first one of those groups,
hobbyists. Who are they? They tend to
be low-skilled. If you're acting alone and you don't have a lot of financial resources and/or a lot
of formal training, you're not going to have the top flight skills necessary to pull off the most
complicated cyber operation. They tend to be lightly resourced. Especially if you think of the
typical example that's given of a hacker, maybe a brilliant person living in their parents'
basement. They probably don't have a lot of money, so they may not be able to acquire the
software or the hardware for
them to reverse engineer and to pull off some of the more complicated cyber operations. They
tend to use off the shelf tools that have usually been developed by other individuals. They're
likely to engage in some activities that demonstrate some capability to increase their reputation.
We oftentimes call these folks script kiddies. Let's talk a little bit about their motives.
Fundamentally, hobbyists are curious about how technology works and where the vulnerabilities
lie. These are individuals who act alone, but they oftentimes cross the line and they violate
confidentiality or the integrity of datasets or they could potentially impact the access to a device
or service itself. Fundamentally, hobbyists are curious about how technology works and
oftentimes, they'll exploit a particular system or service to demonstrate their capability and to
improve their reputation. But these activities can be illegal and it's important to remember that.
Just because you're curious, doesn't mean that you should be doing that activity. You can easily
cross the line. Let's talk a little bit about the tools that hobbyists may use. In penetration testing
in the cybersecurity industry, there's a particular build of Linux called Kali. In Kali, there are a variety
of different utilities and other tools that are helpful in doing things like reconnaissance. Now,
we'll talk more about reconnaissance in another episode. But the ability to actually search your
target and identify a variety of pieces of information that help you identify where the weaknesses
are, is fundamentally important. Hobbyists are able to leverage utilities that have been built by
other people to conduct this type of reconnaissance. There are tools for exploitation, the ability
to identify the vulnerability, and to throw a particular piece of code at it in order for you to exploit
that vulnerability. All of these things are found in Kali Linux. There are tools for delivery that
once I've identified what that particular exploit code should be, the ability for me to throw it at a
particular target is a means of delivery. Now, again, we'll talk more about reconnaissance,
exploitation and delivery in future episodes.
In this particular Kali Linux build, you can see a variety of open source free tools that hobbyists
can leverage in order to take advantage of weakly defended systems. What kind of attacks do
we actually see coming from hobbyists? We always see a range of different low-level type
attacks. These include things like defacing of a website, which is just simply graffiti on the
website. The ability to execute a denial of service attack. The ability to throw enough packets at
a particular target so that it is unable to respond. You're denying service of that particular
application server. A SQL injection attack where you're just modifying the URL and tricking the
database behind that website to reveal more information than intended. It could involve
guessing passwords, doing what we call brute force attacks. Finally, even "Google hacking". If
you know how to use the search lexicon in Google well enough, you may be able to identify
information that was not intended to be made public. That can be really quite useful when you
want to access a particular system. One good example of a hobbyist attack comes from
Budapest in Hungary in 2017. In 2017, the Budapest Transport Authority had launched a new
online ticketing system. There were many, many security flaws, including an admin account
password that was set up as "adminadmin". An 18-year-old hobbyist was able to manipulate
the website very, very easily to purchase a $36 ticket for 20 cents. Now, that particular
hobbyist was motivated by curiosity, identified a particular vulnerability and then notified the
appropriate authorities. The problem was, he crossed the line and he was arrested and
prosecuted. Even though this particular hobbyist, this particular threat actor, really did not have
malicious intent, really thought that they were doing the right thing by publicly exposing a
vulnerability, they did cross the line, and so therefore they were arrested and prosecuted.
Hobbyists really are opportunistic targeters. They look for where vulnerabilities might lie. They
do broad-based scanning of the Internet, they identify where a particular vulnerability might lie
and then they execute on it. They're opportunistic. In fact, let's take a look at data over just a
couple of years. In this particular case, we're looking at a dataset from 2014-2018, and the vast, vast
majority of the attacks that we see being conducted by hobbyists are against professional
services. These include things like dentist offices or accountants. They tend to be weakly
defended networks and so hobbyists take advantage of those weakly defended networks to
execute some effect. What are some of the takeaways from this module? First of all, hobbyists
tend to be low skilled, and lightly resourced threat actors. They are motivated primarily by
curiosity and by a desire to build a reputation. They tend to leverage established tools and
tactics. These threat actors are not building their own custom software, they're not reverse
engineering the really complicated systems, they're taking advantage of what has already been
done. In our next episode, we'll talk about criminal actors and the threat they represent. I hope
to see you next time.

Threat Actors: Criminal Organizations

Hi. Welcome back to Cybersecurity for Everyone. I'm Dr. Charles Harry. We've been talking a lot
about threat actors. Remember, threat actors are using vulnerabilities to exploit and achieve an
end effect against a particular organization and they can act either alone or as part of a broader
collective. They leverage their skill and resources to achieve a specific end effect and they're
motivated by different things. In our last episode, we talked about hobbyists but in this episode, I
want to turn our attention to criminal organizations. Who are they? They can be low-level. These
criminal organizations could be low-level criminals utilizing very, very basic techniques, or they
could be highly skilled hackers. They can also be highly resourced. This is a big difference
between the hobbyist and the criminal enterprises. Some of these criminal organizations are
incredibly well-financed. They can use both off-the-shelf capabilities, like what we find in the Kali
Linux build, but they can also develop their own tools. They are likely to engage in activity that
results in them earning some level of return. That is their primary motivation. We'll talk about
that more in a second. They can act alone or as part of a broader criminal organization and they
might actually have connections to government and security organizations. This is a real
differentiator between hobbyists and criminal organizations. Some criminal enterprises act in
somewhat of a gray zone. They have connections back to their home governments or security
organizations and it makes it very challenging to do both the attribution and frankly to bring them
to justice. It's for that reason that the Federal Bureau of Investigation spends a lot of time and
resources trying to identify and apprehend criminal organizations and individuals. Let's talk a
little bit more about their motives. As many of us would guess, criminal organizations are
primarily motivated to conduct cyber attacks for financial gain. They can use a variety of
techniques and tactics to engage in online fraud, extortion, or outright theft. In fact, international
corporate spies or criminal organizations conduct industrial espionage, the stealing of corporate
secrets. What kind of tools do the criminal organizations potentially use to conduct these
attacks? Well, just like with the hobbyists, they use Kali Linux in some cases, a lot of those off-
the-shelf capabilities. Especially for things like conducting reconnaissance, a lot of those off-the-
shelf capabilities are really quite useful. However, they also build their own tools for exploitation.
Yes, they may use things that are fairly standardized, but they would also potentially utilize their
own tools. They also may use their own custom tools and tactics for delivery. In fact, we see a
lot of criminal organizations spending quite a bit of time and effort developing new tradecraft for
achieving these broader end effects. What kind of attacks do we potentially see criminal
organizations conducting? Now, we absolutely see criminal organizations encrypting data and
demanding money. We call this ransomware and we've seen plenty of examples of that
occurring all around the world specifically here in the United States against a lot of different
municipal networks. We also see criminal organizations conducting denial-of-service attacks,
overwhelming web servers, unless money is paid. We absolutely see SQL injection attacks
being orchestrated by criminal organizations. We also see them guessing passwords, doing
those brute force attacks as a way to gain access into a particular organization, and using that
as a way to potentially move further into those organizations. We absolutely see the illicit
access to point of sale systems as a way to covertly steal credit card numbers. These are just a
handful of examples. There are many others, but there are a variety of different techniques and
tactics that are leveraged by criminal organizations to achieve their end goals. One example is
the Target Corporation. Back in 2013, the Target Corporation had a significant data
compromise. Now, in this particular compromise, over 70 million credit card numbers were
actually taken. The threat actor behind this particular compromise was able to gain access to
the Target corporate network through a third-party vendor, actually part of their heating and air
conditioning vendor. They gained access to point-of-sale systems across multiple stores and
once they had access to those point-of-sale systems, covertly stole credit card numbers from
millions of American consumers. They were able to do so because they were able to install a
piece of custom software known as BlackPOS on all of those various devices. Over the course
of many months, they were able to compromise those 70 million credit card numbers. Pretty
impressive. Who are some of these criminal hacking groups? Well, cybercriminals are found all
over the world and this is just a handful of examples, they include really colorful names like Wolf
Spider and Skeleton Spider. One of the things you'll notice in this industry is, and when we talk
about threat actors, we tend to give them colorful names. But the important thing is that
cybercriminal organizations vary in skill, the tools used, the effects that they achieve, and the
relationship with their home government. Not all criminal groups have equal skill.
Bottom line is, criminal organizations are looking to make a profit. When we take a look at what
cyber events are achieved by criminal organizations, they really do vary across a number of
different sectors. Yes, we still see significant attacks going against professional services, those
dentist offices and accountants. But we also see significant attacks in the retail sector, and in
hotel and hospitality. The goal there is to gain access to data that they can later sell and make a
profit, or in the case where we see ransomware attacks encrypting that data and demanding a
payment before it's released.
What can we take away from this particular episode? Well, first of all, criminal organizations
tend to be higher skilled than hobbyists. They are primarily motivated by financial gain. They
oftentimes use custom tools, which makes them very different than what we see with hobbyists.
They focus on a variety of fraud, theft, and extortion tactics in order to make money. They're
found all over the world with some being tied closely with their home governments. In our next
episode, we're going to walk through a case study. We're going to talk about a particular
extortion event that occurred in San Francisco. I hope to see you next time.

Fire Eye, “APT28 Cybergroup Activity”


B.2 SCS14–[Link]

Cyber Crime Case Study: The San Francisco Muni Attack

Hi, welcome back to Cybersecurity for Everyone. I'm Dr. Charles Harry. In our last
episode we talked about the threat actor type criminal organizations. And in this episode, I want
to actually walk through a particular case study of a cyber attack conducted by a criminal. So
this particular case study involves an organization called the Municipal Transportation Agency of
San Francisco, SFMTA, sometimes referred to as MUNI. So it's a city government
organization in San Francisco that operates buses, light rail and the historic cable cars of San
Francisco. The bus and light rail systems run 24 hours a day, 365 days a year. Weekly
ridership approaches roughly 700,000. It operates 75 transit lines and roughly 151 light rail cars. So it's a
fairly significant sized transportation organization for a major city. >> The San Francisco
municipal transportation agency has contained a cyber attack that disrupted its ticketing
systems over the Thanksgiving weekend. The cyber intrusion forced the agency, known as
MUNI, to offer free services over the weekend. According to an agency spokesman, they
decided to disable fare gates to spare their customers any troubles with traveling. The hack had
no other effect on the transit services operations. MUNI announced in an update on their site
that the situation has been contained. Now they are prioritizing restoration of their internal
computer systems. >> So starting on November 25th, 2016, riders encountered a variety of signs,
including "out of service" and "free entry". And in fact, several of the computer terminals, including
ticketing kiosks at a variety of different stations throughout the MUNI system, had "You are
hacked" scrawled across their screens. So the initial assessment of this particular cyber event
was that over 2,100 computers might have been directly or indirectly impacted by this event.
That all ticketing kiosks across 120 light rail stations had to be taken offline. All gates to the rail
platforms were left open. And free admission was provided to passengers. Bus schedules that
were normally done on a computer had to be developed and delivered by hand. Payroll systems
and some administrative functions were completely disrupted. Their email system was taken offline. It is
estimated that they lost over half a million dollars a day because of this particular event. So the
investigation of this particular cyber event indicated that they had been penetrated by
ransomware that spread throughout a large segment of its operational network. The initial access
vector was likely a year-old vulnerability in one specific internet-connected device. The piece of
ransomware that was used to shut down and disrupt portions of MUNI's network was a
common ransomware variant. A large number of machines, well over 900, suggests that this
particular attack used network infrastructure to move that piece of malware throughout most of its
network. The payment that was demanded, $73,000, was typical of other recent ransomware
attacks in the United States. So how did MUNI recover from this particular attack? Well, first of
all, the organization decided that they were not going to pay the ransom. They had also done
something really smart, which was to not only create backup files but also containerize their
systems so that they could recover very quickly, over three days. 75% of the computers that were
affected were restored within a single day. The remaining 25% were down for more than 24
hours, some taking as long as three days to fully recover. But the important thing was that
buses, light rail and the cable cars were actually able to operate normally during this time period,
even if they weren't collecting revenue from the tickets. We've seen similar attacks in the years
since against other municipal governments. These include Atlanta, Baltimore, New Orleans, and
over 23 local governments in the state of Texas. So what can we take away from this particular
case study? Well, first of all, possibly a single threat actor, but we don't know for certain; it could
have been part of a broader criminal organization. They leveraged a vulnerability in a single
internet-connected system. They leveraged that vulnerability to push a variant of ransomware across an
entire operational network at the MUNI system. Most of the ticketing kiosks and many of the
administrative functions, including their payroll system and their email, were taken offline. The
threat actor in this case demanded roughly $73,000 in ransom to unlock those systems. But
MUNI refused to pay and they were able to recover most of their systems in a relatively short
period of time. But we're starting to see in the years since this attack, increasing numbers of
ransomware attacks against municipal governments. Including in places like Atlanta, in
Baltimore and in 23 specific municipalities in the state of Texas. So this problem is not going
away. This case study did a nice job of framing some of the issues that municipal
governments are facing from criminal organizations. In our next episode, we're going to talk
about a different threat actor, activists. I hope to see you next time.

Threat Actors: Hacktivists

Hi. Welcome back to Cybersecurity for Everyone. I'm Dr. Charles Harry. In our last episode, we
talked about criminal organizations. In this episode, I want to switch our conversation to a
different type of threat actor, the hacktivists. As a reminder, cybersecurity concerns around a
variety of different threat actors. Threat actors leverage vulnerabilities, and they're exploited by
those hackers either acting alone or as part of a broader collective organization. They absolutely
leverage their skill and resources to achieve a specific end effect and they're motivated by
different things. Who are the hacktivists? You might be curious about the term hacktivists. Well,
they're really activists who use hacking to achieve a particular set of objectives. They are
often focused on a set of political, economic, or even social concerns. Their skill level really
does vary. For the most part hacktivists tend to use low-level capabilities like website
defacement and denial-of-service attacks. They tend to act either independently or as part of a
broader collective. They use an awful lot of off-the-shelf capability and then targets may include
not just governments, but also corporations and even specific individuals. This is really
important. They're not aligned with anyone's specific ideology or even government. We see
hacktivists that are hacking on behalf of a specific government acting in more of a nationalist
point of view, as well as hacktivists that are more focused on a specific idea, concepts of
ecological conservation, for instance, would be one example. Let's talk specifically about their
motives. In some cases, hacktivists will engage in hacking activity out of social justice concerns.
Maybe there's a particular issue that's affecting a particular community and they're upset by it.
They'll engage in hacking activity, defacements, denial-of-service attacks, to emphasize their
displeasure at that particular issue. They may also take action concerning political actions taken
by specific governments, ones that are specifically counter to the hacktivist agenda. One
example might be something along the lines of governments who are engaging in free trade
agreements. There might be a hacktivist organization who thinks that that's a terrible idea as it
leads to exploitation of labor. Therefore, they engage in a hacking campaign to voice their
displeasure. But it could also include things like environmental concerns. If there are concerns
that specific corporations are not taking the issue of climate change seriously and are
concerned about their carbon footprint. You might actually see hacktivists engaging in hacking
activity. This is a different set of motives than what we've seen with criminal actors and
hobbyists. Let's talk a little bit about their tools. Just like with hobbyists, hacktivists tend to use a
lot of the standard tool set that we find in the Kali Linux build. They use a lot of standard tools for
reconnaissance as well as for exploitation of those devices. Even further, basic tactics and tools
for delivery. They're using standard capabilities. That's an important differentiator from criminal
organizations or even nation-states. What attacks do we normally see with hacktivists? Well, we
oftentimes see available information disclosed and oftentimes that information is actually
publicly available. They'll do research, for instance, on particular individuals and publish things
like their address, or their phone number, or maybe pictures that are found on their social media
account. Nothing that's really terribly sophisticated. Sometimes they will gain access to specific
accounts and also publish information that is not publicly available. We oftentimes see
hacktivists engaged in defacements, graffiti on a website and we also see denial-of-service
attacks. These three broad level of effects are typically what we see with hacktivists' campaigns,
exposure of information, defacement of websites, and denial-of-service attacks. Let's take one
example of a hacktivist collective, Anonymous. Anonymous is a hacktivist collective, basically
comprising of individual hackers that are loosely aligned around a particular worldview.
Remember, these are not individuals that work for a government or a criminal organization.
They are individuals who believe very strongly in a particular set of issues, it could be a social
justice issue, it could be economic issue or environmental issue. They focused their hacking
activity by loosely surrounding it around something like a campaign. They focus on a particular
issue like countering the terrorist narrative. They organize their activity around campaigns. An
example might be a hacktivist organization that wants to counter a terrorist narrative. They
would organize themselves and their activities around countering that narrative. They primarily
focus on things like identity exposure, website defacements, and denial-of-service attacks. If
anonymous, for instance, had concerns around, let's say, a terrorist organization like ISIS, they
may focus on trying to identify ISIS members and publicizing their identities. That would be an
example of an effect that anonymous would have. It is so very specific examples of these
campaigns would be things like operation KKK, which was focused around exposing members
of the Ku Klux Klan. They also focus their aims in some occasions against specific
governments. In this particular case, OP Saudi was a set of operations specifically targeting the
Saudi government and engaged in website defacements and in denial-of-service attacks.


Some examples of infamous hacktivist groups would include, of course, Anonymous, Chaos Computer Club, Legion of Doom, Masters of Deception, and Lizard Squad. They really like these names; hacking organizations tend to like creative names.


When we take a look at the broad set of effects that hacktivists are having, they're primarily looking to make a statement. We see attacks going primarily against things like government websites and organizations, but it also includes professional and scientific organizations and even the finance and insurance community. Hacktivists are primarily interested in a broad set of social issues that include things like social justice, but also include issues like the environment or economics. It's difficult to group all hacktivists into the same set of individuals.

What are the takeaways? Hacktivists have a range of skills, but they primarily focus on these low-level capabilities: website defacements, denial-of-service attacks, and exposure of identities. They are motivated by political, social, and environmental issues. They tend to focus on relatively easy things to execute. They primarily focus on exposing information, defacing websites, and denial-of-service attacks. They're really not bound by any single ideology. In our next episode, we're going to talk about advanced persistent threats and the real challenge that they present to broader society. I hope to see you next time.

Threat Actors: Advanced Persistent Threats


Hi, welcome back to cyber security for everyone. I'm Dr. Charles Harry. In our last episode we talked about hacktivists. In this episode, I want to talk about a different type of threat actor: the advanced persistent threat. Now recall that threat actors take advantage of specific vulnerabilities in systems. They leverage their skill and resources to achieve very specific end effects, and they are motivated by different things.

So who are the advanced persistent threats? And specifically we may want to ask ourselves, why do we call it an advanced persistent threat? On a very high level, they are advanced. These are the pros; these are the big leagues of hacking. They're persistent in the sense that they persistently engage with their targets. They're relentless. If there is an objective to be had, they're going to persistently engage against that target, and of course they remain a threat.

These are highly skilled hacking organizations. These are not run-of-the-mill basement hackers. These are folks with deep training and resources. They mostly are tied to nation states or aligned with their geopolitical goals. So these are folks who are aligned with specific governments and who have their training and backing. They leverage highly customized tools, tradecraft and infrastructure.

So let's talk a little bit about their motives. Well, as you might imagine, there are a variety. Their first motive may be espionage. They may want to engage in stealing trade secrets or classified information, or even highly relevant policy information in the lead-up to a very large international conference. They may engage in industrial espionage. There might be a real interest in stealing very specific corporations' trade secrets, things like a secret formula for producing steel. They may also be interested in sabotaging competitors' operations.

Additionally, there may be a general interest in engaging in sabotage: the ability for one country to engage in a low-intensity conflict against another, all designed to be a set of operations to achieve a broader set of national objectives. And finally, there may be general support to military operations. So advanced persistent threats may help amplify kinetic military operations. So in addition to flying those bombers and dropping munitions, we may also engage in hacking activity to do things like take down an electrical grid.

We can also see APTs utilizing their capabilities to become what we call an asymmetric form of attack in response to a stronger power. And so if one country has a more dominant military, another country who may want to respond in a kinetic way may not be very successful. However, in cyberspace, they may be more effective. So they do what's called an asymmetric attack.

So let's talk a little more about the tools that APTs use. So we see a lot of custom tools. So unlike the hobbyists, who are primarily using Kali Linux, or even the hacktivists, who use a lot of Kali Linux utilities, custom tools are the name of the game here in APTs. Standard and custom tools for reconnaissance are used. Standard and custom exploitation techniques. This is important. When we see a lot of custom techniques used, it's not like APTs have forgotten a lot of the standard capabilities, and in some cases standard capabilities may work just fine. But we also see a lot of custom tactics for delivery, to additionally supplement standard techniques. So the idea here is that APTs will use everything at their disposal. Not simply the standard tools that everyone else is using, but they will develop their own, and they develop their own tradecraft.

So what kind of attacks do we expect to see from an APT? Well, we see deep penetrations into sensitive government and corporate networks and even their phone systems. We see large-scale disruptive campaigns to cripple critical infrastructure, to do things like take down a power grid. In fact, in the case of Ukraine we've seen two power events where an APT operation took down power on two separate occasions. That's a pretty significant end effect. Finally, we may see acquired information being used as part of a broader disinformation campaign. A lot of the concerns surrounding the 2016 election in the United States centered around the use of information that was acquired from the Democratic National Committee systems. It was seeded with information that was false and then eventually distributed in a disinformation campaign.

So who are some of these groups? Fancy Bear, Energetic Bear, Rocket Kitten, Comment Crew, and Lazarus Group are all examples of APT organizations that are aligned with different nation states. In the case of Fancy Bear and Energetic Bear, they tend to be aligned with the Russian Federation. Rocket Kitten is associated with the Iranians. Comment Crew is a Chinese organization, and Lazarus Group is affiliated with the North Koreans.

So one example: APT29. It goes by several different aliases, Cozy Bear, the Dukes, Grizzly Steppe, and several more. The attributed country of origin here is Russia, the Russian Federation, and it mostly conducts espionage on behalf of that Russian Federation. The targets mostly include Western governments and related NGOs, non-governmental organizations. And they tend to focus initially on kind of a smash and grab: get initial access into the organization and steal as much information as possible. However, if the organization is sensitive enough or important enough, they have the ability to switch over and become very stealthy and maintain persistent access in that organization for quite some time.

So some of the national goals that we see APTs achieving are primarily focused around a couple of key industries. Certainly public administration. We see a lot of APT attacks against governments. It makes sense. There's sensitive government information that those APTs may want to obtain. However, in this case, we also see APTs interested in other types of targets. Telecommunications and utilities are all really, really important targets for APTs, especially if they're interested in fighting some sort of asymmetric war.

So what are some of the takeaways? Well, first of all, APTs are highly skilled threat actors. These are the pros. These are the best of the best. They are motivated by geopolitical concerns. They are tightly aligned with nation states and their agendas. They're able to conduct complex cyber attacks that can persist for a long period of time. They focus on stealing information from governments as well as corporations, but can also engage in sabotage and support to military operations. And we find APT hacking groups all over the world.

In our next module, we're going to explore the process of hacking. We're going to disentangle this term that is oftentimes thrown around in popular media. I hope to see you next time.

Lillian Ablon, Martin C. Libicki, Andrea A. Golay, Markets for Cybercrime Tools and Stolen Data, RAND Corporation

Criminal activities in cyberspace are increasingly facilitated by burgeoning black
markets for both tools (e.g., exploit kits) and take (e.g., credit card information). This
report, part of a multiphase study on the future security environment, describes the
fundamental characteristics of these markets and how they have grown into their
current state to explain how their existence can harm the information security
environment. Understanding the current and predicted landscape for these markets lays
the groundwork for follow-on exploration of options to minimize the potentially harmful
influence these markets impart. Experts agree that the coming years will bring more
activity in darknets, more use of crypto-currencies, greater anonymity capabilities in
malware, and more attention to encrypting and protecting communications and
transactions; that the ability to stage cyberattacks will likely outpace the ability to defend
against them; that crime will increasingly have a networked or cyber component,
creating a wider range of opportunities for black markets; and that there will be more
hacking for hire, as-a-service offerings, and brokers. Experts disagree, however, on who
will be most affected by the growth of the black market (e.g., small or large businesses,
individuals), what products will be on the rise (e.g., fungible goods, such as data records
and credit card information; non-fungible goods, such as intellectual property), or which
types of attacks will be most prevalent (e.g., persistent, targeted attacks; opportunistic,
mass "smash-and-grab" attacks).

Key Findings

The Hacking Community and Cyber Black Markets Are Growing and Maturing

• The cyber black market has evolved from a varied landscape of discrete, ad hoc individuals into a network of highly organized groups, often connected with traditional crime groups (e.g., drug cartels, mafias, terrorist cells) and nation-states.
• The cyber black market does not differ much from a traditional market or other typical criminal enterprises; participants communicate through various channels, place their orders, and get products.
• Its evolution mirrors the normal evolution of markets with both innovation and growth.
• For many, the cyber black market can be more profitable than the illegal drug trade.

These Cyber Black Markets Respond to Outside Forces

• As suspicion and "paranoia" spike because of an increase in recent takedowns, more transactions move to darknets; stronger vetting takes place; and greater encryption, obfuscation, and anonymization techniques are employed, restricting access to the most sophisticated parts of the black market.
• The proliferation of as-a-service and point-and-click interfaces lowers the cost to enter the market.
• Law enforcement efforts are improving as more individuals are technologically savvy; suspects are going after bigger targets, and thus are attracting more attention; and more crimes involve a digital component, giving law enforcement more opportunities to encounter crime in cyberspace.
• Still, the cyber black market remains resilient and is growing at an accelerated pace, continually getting more creative and innovative as defenses get stronger, law enforcement gets more sophisticated, and new exploitable technologies and connections appear in the world.
• Products can be highly customized, and players tend to be extremely specialized.

Recommendations

• Explore how computer security and defense companies could shift their approaches to thwarting attackers and attacks.
• Explore how bug bounty programs or better pay and incentives from legitimate companies might shift transactions and talent off the illicit markets into legitimate business operations.
• Explore the costs and benefits of establishing fake credit card shops, fake forums, and sites to increase the number and quality of arrests, and otherwise tarnish the reputation of black markets.
• Explore the ramifications of hacking back, or including an offensive component within law enforcement that denies, degrades, or disrupts black-market business operations.
• Explore the options for banks or merchants to buy back their customers' stolen data.
• Explore whether implementing mandates for encryption on point-of-sale terminals, safer and stronger storage of passwords and user credentials, worldwide implementation of chips and PINs, and regular checks of websites to prevent common vulnerabilities would put a dent in the black market, or enforce significant changes to how the market operates.
• Explore how to apply lessons learned from the black market for drugs or arms merchants to the black market for cybercrime.
• Determine whether it is more effective for law enforcement to go after the small number of top-tier operators or the lower- or open-tier participants.
• Examine whether governments and law enforcement worldwide could work together to prosecute and extradite when appropriate, and coordinate for physical arrests and indictments.
