Mind Games

It's not all about money

Date: July 1, 2022
When a cybercriminal breaches an organization’s data and financial systems, management automatically begins investigating the culprit’s financial motives. But often hackers are just curious to see if they can invade mainframes. Or they’re bored and want to have some fun. Here’s how to investigate cybercriminals’ minds, understand their nuanced purposes and then prevent more breaches.

Ian Bing, a database administrator for Lianjia, a Chinese real estate brokerage, was frustrated. He’d reported that the security of the company’s financial system was lax, but apparently his bosses had dismissed his concerns. Perhaps he wanted to prove them wrong, so on June 4, 2018, he invaded and destroyed four of Lianjia’s servers and made sure nothing could be recovered. He was sentenced to seven years in prison for his IT devastation.

Bing wasn’t looking to get rich. He wasn’t sabotaging his company because he worked for a competing organization. He was mad and disgruntled, and felt Lianjia had ignored him. Perhaps the company could’ve prevented this disaster if it had just taken Bing’s worries seriously or if his supervisors had taken a bit of time to understand his psychological motivations? (See “IT admin gets 7 years for wiping his company’s servers to prove a point,” by Dave James, PC GAMER, May 16, 2022.)

Cybercrimes, undeniably a significant global risk, require a different mitigation approach. We can’t meet cybercrime challenges just by building higher and stronger digital walls around everything. We need to look inside cybercriminals’ minds to understand the reasons and motivations for their crimes and then devise preventive countermeasures.

The Verizon “2021 Data Breach Investigations Report” (DBI) says that insiders could abuse their positions or hack an organization’s system to steal organizational and customer data for financial gain, espionage, fun, revenge, convenience and ideology. DBI also reported that external cybercriminals could attack organizations for financial or nonfinancial reasons, including espionage, revenge/grudge or fun. Here are some examples of cybercriminals’ motivations.

Financial need or gain

The Verizon 2021 DBI unsurprisingly shows that financial gain remains the key driver for cybercrime. The report points out that cybercrimes for financial gain could be committed internally by insiders in an organization or externally.

On Nov. 8, 2021, Robinhood, the American stock trading platform, disclosed a data breach that exposed personally identifiable information of about 7 million customers. (See “Robinhood Announces Data Security Incident,” Nov. 16, 2021.) On December 2 of that year, cyberattackers hit decentralized finance (DeFi) protocol BadgerDAO and stole $120.3 million in cryptocurrency.

Two days later, hackers breached Bitmart, a crypto-trading platform, and walked away with almost $200 million in assets. (See “Timeline of Cyber Incidents Involving Financial Institutions,” Carnegie Endowment for International Peace.)

Espionage

On February 20, the U.K. home secretary warned against Vladimir Putin’s cyberattack on British interests and urged companies and public services to take “preemptive measures” to defend themselves against cyberattacks. (See “Britain warns of Russian cyberattacks as companies urged to take defensive action,” by Edward Malnick, The Telegraph, February 20, 2022.)

In the second half of 2020, CrowdStrike discovered a targeted cyberespionage intrusion against an academic institution that was involved in developing COVID-19 testing capabilities. Once the bad actors, found to be Chinese hackers, were inside the victim environment, they compiled and launched a web shell to perform various malicious activities primarily focused on information gathering and collection.

The Russia-based attacker FANCY BEAR (also known as APT28 and Sofacy) uses phishing messages and spoofed websites that closely resemble legitimate ones to access conventional computers and mobile devices. Since at least 2008, they’ve targeted U.S. political organizations, European military organizations and victims in multiple sectors across the globe. (See “What is Cyber Espionage,” by Kurt Baker, CrowdStrike, June 1, 2022.)

This year, an attack on a satellite broadband service run by the American company Viasat disrupted internet services across Europe, including Ukrainian military communications, at the start of the Russian invasion. The attackers hacked satellite modems belonging to thousands of Europeans to disrupt the company’s service. (See “Significant Cyber Incidents,” Center for Strategic & International Studies.)

Some businesses have committed cybercrimes to gain competitive advantages over their business rivals by stealing trade secrets, intellectual properties or increasing their products’ market shares and sales. In January, a Chinese hacking group breached several German pharma and tech firms. According to the German government, the hackers primarily wanted to steal intellectual property. (See “Significant Cyber Incidents.”)

Malicious insiders in companies steal even more frequently. Organizations will plant employee moles inside competing companies who secretly gather intelligence. Alternatively, companies will pay (or blackmail) competitors’ employees for trade secrets and other valuable information. According to cybersecurity software vendor Ekran, in November 2018, Tesla filed a lawsuit against Martin Tripp, whom Tesla said stole confidential photos and videos of the company’s manufacturing systems. Later, Tripp tweeted photos of batteries he claimed were produced at Tesla’s Gigafactory in Nevada that were damaged but still intended for use. An internal Tesla investigation found Tripp responsible for the leak of data to the publication Business Insider that besmirched Tesla. (See “How to Detect and Prevent Industrial Espionage,” Ekran, Data Breaches, June 1, 2022 and “Internal documents reveal Tesla is blowing through an insane amount of raw material and cash to make Model 3s, and production is still a nightmare,” by Linette Lopez, Business Insider, June 4, 2018.)

Fun, curiosity or the desire to beat the system

In the massive cyberattack against HBO in 2017, the hackers’ motive might have been fun more than financial gain. (See “HBO Cyberattack Driven By Mysterious Motives,” by Peter Suciu, TechNewsWorld, Cybersecurity, Aug. 3, 2017.)

The creator of the 1999 Melissa computer virus said he’d constructed the virus out of curiosity to evade antivirus software and to infect computers that used the Windows 95, Windows 98 and Windows NT operating systems, and Microsoft Word 97 and Word 2000 word-processing programs. (See “How the Melissa Virus changed the internet,” by Rebecca Gibian, InsideHook, March 26, 2019.)

Stealing academic research or changing academic results

In 2012, a university student in Dublin was caught hacking academic records to change his grade. (See “How do students use tech to cheat?,” by Charlie Osborne, ZDNet, Feb. 17, 2012.) A U.S. student similarly was arrested for hacking university systems to change his marks. (See “Jail time for university hacker who changed his grades to straight As,” by John Hawes, naked security by SOPHOS, Feb. 28, 2014.)

Destroying legal evidence

Some cybercriminals destroy legal evidence within information systems, usually for various civil, criminal and administrative cases, before or during search and seizure by law-enforcement agencies. (See “A Review of Motivations of Illegal Cyber Activities,” by Xingan Li, Kriminologija & Socijalna Integracija, 25(1):110-126, in ResearchGate, February 2017.)

Assassination, anger, hate crimes, terrorism and revenge

Cyberattackers, seeking revenge or expressing anger, may be spurned lovers or spouses or ex-spouses, disgruntled or fired employees, dissatisfied customers, feuding neighbors or students angry about a bad grade. Even a losing online gamer might launch a cyberattack.

Dissidents, hacktivists, anarchists and terrorists launch attacks against countries’ critical infrastructures and other targets. In 2005, the Chinese Ministry of Public Security investigated 1,000 assassination cases; the potential illegal attackers found many of their intended potential victims through the internet. (See “A Review of Motivations of Illegal Cyber Activities.”)

In 2020, the northeastern state of Assam in India recorded 654 cybercrimes motivated by personal revenge, the highest number in the country. Overall, India recorded approximately 1,470 cases of various cybercrimes with revenge as a motive that year. Recent research shows that revenge increases the likelihood of insider cyber-sabotage. (See “An Analysis of Motive and Observable Behavioral Indicators Associated with Insider Cyber-Sabotage and Other Attacks,” by Michele Maasberg, Xiao Zhang, Myung S. Ko, Stewart Miller and Nicole Beebe, IEEE Engineering Management Review in Semantic Scholar, June 1, 2020.)

Helping the poor and needy

Other cybercriminals engage as “cyber Robin Hoods” who say they hack to help the poor or disadvantaged. A hacker in China initially wanted to test the security level of mobile communications networks. After he found he could make money by selling credit cards with revised passwords, he opened a bank account, separate from his personal account, to deposit the money. He said he didn’t hack for himself but for the well-being of others. He donated 200 Renminbi Yuan (about 20 euros) to a patient. (See “A Review of Motivations of Illegal Cyber Activities.”)

In 2020, a hacking group claimed to have extorted millions of dollars via ransomware attacks from large, profitable companies to donate to charity to “make the world a better place.” The gang posted receipts on the darknet for $10,000 in bitcoin donations to two charities. One of them, Children International, says it won’t be keeping the money. “We think that it’s fair that some of the money the companies have paid will go to charity,” gang members said. (See “Mysterious ‘Robin Hood’ hackers donating stolen money,” Joe Tidy, BBC News, Oct. 20, 2020.)

Trap marketing

Some antivirus software companies illegally plant viruses and other destructive programs through email links or fake software to force users to purchase upgraded versions the companies compile or sell. And some websites infect users’ computers with harmful embedded codes and instruct users to visit their websites to pay for cleaning their computers. Website owners also frequently use legal trap marketing via cookies. (See “A Review of Motivations of Illegal Cyber Activities.”)

How can understanding cybercriminals’ motives help?

To mitigate risk, we must, of course, understand cybercriminals’ motives to narrow their profiles and potentially make cases against them. In criminal law, the motive is an essential consideration in any case because it can prove plausibility in favor of the accused of the intent to commit a crime. Besides, motive precedes opportunity as insiders perpetrate crimes because their desires supersede their efficacies. (See “Spy the Lie: Detecting Malicious Insiders,” by CF Noonan, Pacific Northwest National Laboratory, March 2018.)

Insiders and outsiders can commit cybercrimes, but insider cybersaboteurs predominantly devastate organizations because they’re the enemies within who have access privilege — as we see in the opening case.

While organizations may have less control over outsiders, they can help prevent insiders from committing cybercrimes by reducing emotional arousal or excuses that could motivate them. For example:

  • Organizations should have fair pay and financial compensation systems to discourage financially motivated insiders.
  • Treating employees with fairness and respect and instituting an open-door policy to support employees emotionally and financially could also reduce the risk of insiders’ revenge-motivated cybercrimes.
  • Education and awareness are crucial in reducing the risks of motive and rationalization to commit cybercrimes. Some employees may not know that data breaches and hacking are crimes for insiders who have access privileges. Education could also help those for whom fun and curiosity could be motivations by challenging their thinking and consciences. The message should focus on the consequences of committing cybercrimes and that satisfying their curiosity or having some fun isn’t worth risking their reputations and freedom.
  • Organizations need to identify their trade secrets and other valuable data and ascertain those who may want it. Once you identify possible threats and potential attackers, you can detect vulnerabilities in your defenses. (See “How to Prevent Industrial Espionage: Definition & Best Practices,” Ekran.)

Fight external cybercriminals by increasing the cost of committing their crimes versus the benefits (their motives) they seek, which could make the crime worthless to them. For example, financially motivated cybercriminals will seek to sell stolen data or assets. Therefore, make it difficult for criminals to monetize their stolen assets by:

  • Authorities shutting down black markets where stolen goods are sold. (See “2 Leading Online Black Markets Are Shut Down by Authorities,” by Nathaniel Popper and Rebecca R. Ruiz, The New York Times, July 20, 2017.)
  • Authorities imposing financial penalties on cybercriminals and those who purchase illegal goods.
  • Taking down botnets through collaboration between law enforcement and businesses such as cybersecurity firms and banks. Botnets are networks of “individual computers, each running software that allows communication among those computers and allows centralized or decentralized communication with other computers providing control instructions. The individual computers in a botnet often belong to individual users who have unknowingly downloaded or been infected by malware, assimilating computers into the botnet.” [See “Microsoft Corp. v. John Does 1-8 Controlling a Computer Botnet Thereby Injuring Microsoft and its Customers,” No. A 13-CV-1014 (W.D. Tx. 2013) as quoted in “Economic Espionage: Deterring Financially Motivated Cybercrime,” by Zachary K. Goldman and Damon McCoy, Journal of National Security Law & Policy, Vol. 8:595, 2016.]
  • Working with banks to ensure that merchants provide services that don’t process illegal transactions or undertake illegal activities. If merchants that sell fraudulent goods through cybercrime lack access to banking services, they’ll be unable to realize a profit through criminal activity and will be less likely to engage in it. (See “Economic Espionage: Deterring Financially Motivated Cybercrime.”)

Understand cybercriminals’ motives

We can’t address cybercrime with technical solutions alone — no matter how stringent our security measures. We need to seriously consider the human factors that are precursors to cybercrime. Understanding the motives of cybercriminals could help in disrupting cybercriminals’ activities. It’s time to proactively fight cybercrimes.

Rasha Kassem, Ph.D., CFE, is a senior lecturer in accounting and financial management at The Open University, School of Business and Law in the U.K. Contact her at Rasha.Kassem@open.ac.uk.
