New research appears to raise questions over the conventional wisdom that pure nation-state cyberspies rarely, if ever, dabble in traditional financial cybercrime. – “Cybercriminal By Day, Cyber Spy By Night?” in Dark Reading on 1 March 2012
Dark Reading (@darkreading) wrote from the RSA 2012 conference of an intriguing analytic correlation made by the Dell SecureWorks Counter Threat Unit between the RSA attackers and cyber financial crimes.
The article is interesting in two ways. First, it showcases some good analytic tradecraft correlating seemingly independent activities through adversary personas and infrastructure (in this case domain name registration). Second, it asks the question: can a hacker be both a spy and cyber criminal?
The fact that an adversary would use their skills for two purposes supposedly challenges “conventional wisdom.” Normally, intrusion analysts work towards identifying the motivation of the hacker/attacker to gauge the best response (hopefully) and potentially offer clues to attribution. There are many “conventional” terms we use to describe “hacker motivations”: script kiddies, espionage, hacktivism, black/white hat, etc. (see McAfee’s 7 Types of Hacker Motivations).
However, we often look too much towards our technical understanding and fail to acknowledge basic human motivations: safety, physiological needs (water, shelter, food, etc.), love, esteem, and self-actualization [see “A Theory of Human Motivation” by Abraham Maslow or a summary of Motivations on Wikipedia].
Hackers, like all humans, are not above the basic motivations, which include greed. This offers a very simple hypothesis for why a cyber espionage actor would turn to cyber crime: financial gain. Maybe they were not being paid enough in their espionage job and “honeymoon” as cyber criminals, or they were simply contractors to multiple customers (a state vs. a criminal organization). Money is a highly motivating factor.
I use the case of the “Wily Hacker” by Cliff Stoll (on the Reading List) while teaching to highlight that a hacker working day-in and day-out needs to eat, live, and provide for the most basic human motivations. Therefore, it is perfectly reasonable to ask: if they are hacking all day, every day, how are they providing for these motivations? Is somebody paying them to hack? Are they living in their parents’ basement? Do they have a trust fund? All of these are perfectly reasonable hypotheses with varying degrees of likelihood. But they all lead to other questions of attribution and higher motivation.
If, in fact, “conventional wisdom” holds that espionage actors are not motivated by money to use their skills in other endeavors, then an even more fundamental understanding of human motivation contradicts that wisdom. “Conventional wisdom” is simply another term for analytic assumption, and this case again highlights how easily analytic assumptions cloud judgment.