Know your enemy: Inside the hacker’s mind

Companies rely on technology and outsourcing for critical activities, including storing sensitive client data and intellectual property, communicating and conducting transactions. This leaves them vulnerable to cyberattacks. Whether from company insiders or outside hackers, these attacks can interrupt business operations, result in the theft of proprietary information, or cause the loss of customers’ data — with devastating effects on a company’s reputation and bottom line. The threat of litigation and increased regulatory scrutiny have broadened this risk and escalated potential losses.

The above and below charts created from the Willis Towers Watson Reported Claims Index highlight that organizations need to remain vigilant against threats to their network and information assets. While many organizations experience daily attacks on their networks, events causing significant damage appear to be uncommon.

However, the results from our data suggests that when an attack does succeed, it impacts a disproportionately larger amount of personally identifiable information (PII), which has a greater overall financial impact than other claim categories. While hacking incidents accounted for only 17.28% of the incidents within the Reported Claims Index, they represented 71.9% of the total records compromised. Therefore, as organizations consider how best to protect themselves with technology, tools and procedures, those efforts may be less effective if organizations do not understand who is behind cyberattacks, how the attackers operate and what motivates them.

Who are the hackers? What drives them?

While reports of data breaches at the largest retailers, banks, health care companies and Internet service providers often appear in the news, the hackers behind these cyberattacks are not as well known. Experience teaches that there are at least four broad categories of attackers: financially motivated cybercriminals, “hacktivists,” nation-state-supported actors, and malicious insiders. We often see overlapping motivations among the attackers.

Financially motivated cybercriminals

The driving force behind financially motivated attackers is clear: to steal and monetize information or hold systems hostage to extort ransom payments. This threat is illustrated by a case that was brought by United States federal authorities against an international cybersyndicate based in Russia and Estonia that targeted U.S. financial institutions. Members of the criminal organization had specialized, interlocking skills and tasks that combined to ensure the success of the conspiracy. One set of conspirators broke into an ATM processing network and stole online banking credentials for hundreds of thousands of bank customers. Another set recruited and directed “mules,” accomplices who in turn encoded blank plastic cards with the stolen information and used them to withdraw millions of dollars in cash from ATMs all over the world. Still other conspirators laundered the proceeds, including by converting it into WebMoney, a digital currency popular in the former Soviet bloc that is easily transmitted online and as anonymous as cash. Two conspirators arrested in New York City, both Ukrainian nationals living in the U.S. illegally, were alone found to have fraudulently withdrawn over $2 million from ATMs in just a matter of weeks using stolen account information that they had received from a co-conspirator in Russia.


LulzSec’s hacks resulted in the theft and disclosure of PII of over one million victims

So-called “hacktivists” are cybercriminals who purport to commit cyberattacks in support of an ideology. A well-known example of hacktivism is the sprawling, loosely organized online group known as “Anonymous.” Although many who identify with Anonymous don’t commit crimes to advance their agenda, there are others who do. One such sub-group of criminal hacktivists was known as “LulzSec.” Its members used encrypted, invitation-only online chatrooms to plan attacks and an eponymous website and Twitter account to spread propaganda, seek monetary support in the form of Bitcoin donations, taunt victims and dump stolen information online. United States federal prosecutors charged the core leadership of LulzSec, which comprised individuals living in the United States, the United Kingdom and Ireland and who ranged in age from their late teens to mid-twenties, with a variety of hacking offenses. LulzSec’s leaders and their co-conspirators broke into computer systems used by several media companies and government entities, among hundreds of other victims in the education, financial services, travel and entertainment, technology, media, health care and consumer products sectors. These hacks resulted in the theft and disclosure of PII of over one million victims, not to mention the remediation costs suffered by the organizations whose computer networks were compromised.

Nation state actors

Nation state actors can be classed as foreign government agents or cybercriminals working on their behalf and whose agenda can range from stealing economic information to launching disruptive or destructive attacks. In the case of the United States v. Wang Dong, et al., federal authorities charged five members of the Chinese military with hacking into computer systems owned by six American victims in the U.S. nuclear power, metals and solar products industries with the purpose of stealing information useful to competitors in China, including state-owned enterprises. In the United States v. Amad Fathi et al., seven hackers who were sponsored by the Iranian government were charged with disabling the websites of 46 major companies in the United States, primarily in the financial sector, which cost the victim organizations tens of millions of dollars in remediation costs.

Rogue employees

A scheme involving a trader at a large bank illustrates a rogue employee attack

Malicious insiders, often disgruntled employees, seek to take advantage of their privileged access to steal valuable information or disrupt or destroy computer systems. A scheme involving a trader at a large bank illustrates this type of attacker. Recruited by a competitor to build a high-frequency securities trading platform, the employee, who was unable to do the work on his own, stole the necessary computer code worth millions of dollars from his employer. Indeed, rather than use any sophisticated means of attack, the employee took advantage of his insider status simply to print out the computer code on hundreds of sheets of paper, which he took home and analyzed. Charged with economic espionage, the employee was found guilty in federal court following a two-week trial.

How do hackers infiltrate victim computer networks?

The means by which outside attackers gain unauthorized access to computer systems varies widely, from the low-tech to the most sophisticated manipulations. Simple attacks, like phishing emails which carry a malware payload, are often surprisingly effective and can permit a hacker deep access to a target network. On the other end of the scale are hacks which rely on the exploitation of known, but unpatched vulnerabilities in computer systems, or even so-called “zero days,” undetected flaws that are known only to the attacker. A basic rule of thumb is that no matter the means, a determined hacker will eventually be successful. Time is on the attacker’s side, whereas a computer network administrator needs to prevent attacks 100% of the time.

How can clients lower the likelihood of a hack?

Engagement by senior management coupled with regular training may help defend against low-tech attacks and promote cyberdefense

There is no one-size-fits-all approach to cybersecurity — every organization is different. There are, however, some basic elements that companies may wish to consider as a means of reducing their cyberrisk. A starting point is the development and implementation of a comprehensive information security plan. Once applied, such a plan should be reviewed and updated regularly in light of the often dynamic nature of computer networks and the threat environment. A comprehensive information security plan may include, among other things, a cyberrisk assessment, involving external penetration testing (sometimes called ethical hacking, in which external cyberdefenses are tested), as well as an internal evaluation. For example, are software patches applied in a timely fashion? Is the network adequately segmented? Are network logs appropriately detailed and maintained?

The two questions above are commonly asked by insurers on applications for cyberinsurance. The latter question may be especially relevant to investigating a hack. Logs may provide valuable forensic data, potentially permitting an investigator to look back and determine how a hack occurred, whether a system is still compromised, and what data, if any, was exfiltrated. In addition, a comprehensive information security plan may also include an incident response blueprint. Speed is often important in dealing with a cyberattack, and a “break glass” incidence response plan may increase the efficiency of a response and help with the preservation of data important to a forensic assessment. Finally, organizations may wish to consider their culture of security. Engagement by senior management coupled with regular training, which raises awareness among employees, may help defend against low-tech attacks like phishing emails and promote an overall emphasis on cyberdefense.

Taking these steps will help prevent or reduce the frequency of hacking claims and the associated financial loss and reputation damage.

Click here to learn more about comprehensive cybersecurity from Willis Towers Watson.


Emily Lowe joined Willis Towers Watson in 2014 and is a specialist within Willis Towers Watson’s FINEX team. She provides risk management solutions in the privacy/network security, professional liability, media, and technology disciplines.

This post was co-written with Tom Brown. Tom is the Global Leader of Cyber Security and Investigations for the Berkeley Research Group, LLC.

Categories: Cyber Risk, Financial Services | Tags: , , ,

Leave a Reply

Your email address will not be published. Required fields are marked *