When it comes to cybercrime, the stories are often told in numbers. By 2025, it is expected to cost $10.5 trillion globally. If it were a country, its economy would rank it third globally, behind only the US and Chinese economies. Money raised through online fraud — from phishing to fake websites — has totaled about $1.03 trillion. With the rise of ransomware and financial attacks on large organizations, one might think that cybercrime is only about money.
Nothing could be further from the truth. The motivations for these crimes go beyond the economic component, although this has a significant weight. Some studies put the percentage of attacks on governments motivated mainly by financial reasons at 95% of all security breaches, while others speak of 55% of groups acting in search of income. The fact that the motivation is not financial does not mean that the effect is not equally damaging, although in terms of reputational cost, strategy, or damage to critical infrastructures. Patricia Alonso García, manager of Incibe-CERT, points out that “it is increasingly common to find other types of motivations that seek to cause the greatest possible media impact.” She cites ideological or political reasons in the first place, “aimed at destabilizing an institution, government or company.” In the current international context, their impact is being felt: According to the latest World Economic Forum report on cybersecurity, nearly 60% of organizations say that geopolitical tensions have affected their strategy, while one in three CEOs cite loss of sensitive information and cyberespionage as their top concern.
Incibe. En la imagen, Patricia Alonso García.
“We are very redundant when talking about cybercrime, because we always associate it with economic motivations,” says Hervé Lambert, global consumer operations manager at Panda Security. “But they are not the only reasons out there.” Lambert also refers to political and military cyber espionage, “states or actors linked to different governments” that seek to infiltrate to obtain strategic information. It also includes cyberwarfare, “attacks designed to do damage, disable, render important systems useless. There is no lucrative purpose, but to enhance or win a war or facilitate sabotage.”
Since the Stuxnex worm attacked Iran’s nuclear infrastructure in 2010, cyberattack for strategic or political reasons has frequently been employed as a destabilization tool, as evidenced most recently by cyberattacks launched since the beginning of Russia’s invasion of Ukraine on Ukrainian targets by Russian agents. According to the latest threat report from the European agency ENISA, state-linked actors are generally well-funded and well-resourced and not only target the agencies of power of other nations, but can also direct their threats at other organizations to extract sensitive information or obtain funding for their countries. This could also include disinformation campaigns which, according to Juan José Nombela, director of the Master’s Degree in Cybersecurity at UNIE Universidad, are focused on “demoralizing and demotivating the population or the army.”
Panda. En la imagen, Hervé Lambert, gerente global de operaciones de consumo de Panda Security.
Linked to ideological motivation is hacktivism, “cybercriminals who do not seek an economic end, but rather pursue a cause”, as Nombela explains. This type of actor can attack companies, organizations or even governments for political, social or ethical reasons.
In the early 1970s, an experimental program was developed that spread automatically by copying a message to computers on the existing network, then the ARPANET. The program, Creeper, was the first computer worm and its creators, Bob Thomas and Ray Tomlinson, had no malicious intent, but were simply experimenting in those years when computer science was a nascent discipline. The entire cybercrime industry comes from this idea and, even today, there is a type of hacker who could be considered to inherit this tradition: they do not seek economic ends, nor ideological ones or to do harm. It is what Lambert calls “psychological motivations related to personal challenges” and Nombela attributes to “younger people or those starting out in the world of cybersecurity” who are looking to “gain points or prestige within their community”. Nombela clarifies: “Generally, these are directed against SMEs, because they are the most vulnerable and also serve as a way for them to learn”.
Alonso García distinguishes these motivations, which seek reputation or notoriety through the recognition of a personal achievement, from others that “arise as personal revenge from a disgruntled employee or customer”. Nombela gives examples of internal or external incidents: from undermining the CISO or changing a supplier to taking revenge on a company for disloyal personnel or those who have just been fired. In the education sector, where he works, he adds the theft of information or hacking of systems by students, which, although it does not involve direct economic damage, can lead to serious reputational problems. Also within revenge or personal harm, Lambert alludes to individual cases linked to an emotional and personal relationship, of the cyberbullying type.
“These very different motivations are not mutually exclusive, as they seek different objectives,” adds Alonso García. “We can find them as the sole motivation or they complement each other, making cyberattacks more elaborate and complex to analyze.” In other words, a person or group may have political interests but ask for a ransom to cover up their actions or seek funding; or in a context of turmoil between countries, take advantage to launch attacks that seek to profit.
Cyber defense implications
At the business level, knowing the main motivations that can lead to a cyberattack is interesting for establishing a better defense and incident response strategy. Or, as Alonso García puts it, “to anticipate risks and respond proactively to the incident”.
UNIE. En la imagen, Juan José Nombela, director del Máster en Ciberseguridad en la Universidad.
“In cyberspace, the damage is rarely just the bank account. Solutions have to take all of this into account,” adds Lambert. “It absolutely changes all the paradigms and the whole response and prevention system.” He gives an example: if the strategy focuses only on the technological part, everything related to cyberbullying or hacktivism can be left out. Nombela agrees that knowing the motivations can imply different defense modalities. “It’s very different, from my point of view. We come back to the issue of risk analysis: What are the risks to my organization? Apart from the fact that there is always the possibility of a financial attack — which will generally come by way of ransomware, so user awareness will have to be reinforced — there are more or less common risks, such as the possibility of having disloyal staff.”
But the strategy to be followed will have to be reoriented or reinforced if, for example, we are working in a critical sector from a geopolitical point of view, in which, among other things, disinformation will have to be taken into account. Or if it is a highly competitive environment, where the possibility of corporate sabotage must be taken into account. Here it may be necessary to favor threat intelligence tools or information leakage prevention systems. In essence, it is a matter of “anticipating based on what is going on around you and anticipating. Don’t be reactive, but proactive,” summarizes Nombela.
No Responses