Recognizing Motivation and Predictive Factors of Cyberattacker Behavior

Thomas J. Holt, Professor
School of Criminal Justice, Michigan State University
[email protected] 517-353-9563
@spartandevilshn; @IIRCC1

Recognizing Motivation and Predictive Factors of Cyberattacker … · 2018. 9. 25. · Self Control and Cybercrime • The General Theory of Crime is well supported in research on


Computer Hackers

Hacking is a skill that has multiple applications

Theft

Terror

Espionage

Fraud

Hacking


Hacker Skills

• Hackers vary significantly in terms of knowledge, skill, and technical ability
• How do we explain participation in hacking?

• Skilled hackers: Innovator and game changer
• Semi-skilled attacker/hacker: Applied skills
• Unskilled attacker/hacker: Feeds off the top tiers to learn and attack


Motivations

• There are several recognized motives within the hacker community
  • Money
  • Entertainment
  • Ego
  • Cause
  • Entrance to a social group
  • Status

• These motives are mutable, regionally influenced and impacted by macro and micro social trends


The Hacker Subculture

• The hacker subculture is driven by three key norms which structure behavior
  • Structures both malicious and ethical hacker activities

• Technology

• Knowledge

• Secrecy


Self Control and Cybercrime

• The General Theory of Crime is well supported in research on real world and cybercrimes
  • Online harassment, digital piracy, and economic crimes
  • Those with low self control are impulsive and gain gratification through these activities

• This theory is complex when accounting for computer hacking
  • Low self control accounts for simple hacking
  • Complex hacks require a social learning process to successfully complete


Personality and Hacking

• There is some evidence of personality characteristics that are associated with computer hacking and forms of cyberattack
  • Exploitative manipulative amoral dishonesty
  • Interpersonal antagonism
  • Disinhibition
  • Low internal moral values
  • Low extraversion
  • Low agreeableness
  • Some substance abuse
  • Unclear ties to ASD


Motivations: Cause


Ideological Cyberattacks

M. As-Salim, 39 Ways to Serve and Participate in Jihad, 2003

Principle 34 (Electronic Jihad) on media operations and cyber attacks

Hacking “... is truly deserving of the term ‘electronic Jihad’ since the term carries the meaning of force; to strike and to attack. So whoever is given knowledge in this field, then he should not be stingy with it in regards to using it to serve the Jihad. He should concentrate his efforts on destroying any American websites, as well as any sites that are Anti-Jihad and Mujahidin, Jewish websites, modernist and secular websites.”


Ideological Cyberattacks


• To the owners of "The twisted pine fur and leather company" you have no excuse to sale the flesh, skin and fur of another creature. Your website lacks security. To the customers, you have no right to buy the flesh, skin or fur of another creature. You deserve this. You're lucky this is the only data we dumped. Exploiters, you've been warned. Expect us.

•
| custFirst | custLast | custCity | custState | custZip |
| --- | --- | --- | --- | --- |
| MIKE | WALLUP | peyton | CO | 80831 |
| chris | mccave | peyton | CO | 80831 |
| Kent | Smith | peyton | CO | 80831 |

• These were just some of the vulnerable columns in the "customers" table of the "twistedp_db" database: "custFirst" "custLast" "custAdd1" "custAdd2" "custCity" "custState" "custZip" "custCountry" "custEMail" "custPhone" "cardType" "cardName" "cardExp" "cardCVS" "cardNumber"

• Can you really put that much faith into the security of a company that sales the fur, skin and flesh of dead animals to make a profit?

• We are Anonymous. We are Legion. We do not forgive. We do not forget. We are antisec. We are operation liberate. Expect us.


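Far Left Oriented Cyber and Physical Attacks

Attack method by year (Data Breach, Defacement, DOS, DOX and their Total) alongside Physical Attack counts:

| Year | Data Breach | Defacement | DOS | DOX | Total | Physical Attack |
| --- | --- | --- | --- | --- | --- | --- |
| 2000 | 0 | 0 | 0 | 0 | 0 | 18 |
| 2001 | 0 | 0 | 0 | 0 | 0 | 22 |
| 2002 | 0 | 0 | 0 | 0 | 0 | 9 |
| 2003 | 0 | 0 | 0 | 0 | 0 | 27 |
| 2004 | 0 | 0 | 0 | 0 | 0 | 17 |
| 2005 | 0 | 0 | 0 | 0 | 0 | 18 |
| 2006 | 0 | 0 | 0 | 0 | 0 | 4 |
| 2007 | 1 | 1 | 0 | 0 | 2 | 10 |
| 2008 | 0 | 0 | 0 | 0 | 0 | 18 |
| 2009 | 0 | 0 | 2 | 0 | 2 | 3 |
| 2010 | 0 | 1 | 0 | 0 | 1 | 10 |
| 2011 | 3 | 1 | 1 | 1 | 6 | 2 |
| 2012 | 4 | 1 | 0 | 2 | 7 | 2 |
| 2013 | 3 | 1 | 0 | 1 | 5 | 0 |
| 2014 | 2 | 2 | 1 | 2 | 7 | 0 |
| 2015 | 3 | 3 | 2 | 1 | 9 | 1 |
| Totals | 16 | 10 | 6 | 7 | 39 | 161 |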


Attacks in Action- Defacements

Hacked by Animal Liberation Front

Stop Animal Testing

You carry centuries torturing, maiming,

killing animals for the good of, what?

From science? Of humanity? No.

You do it to fatten your pockets.

The money is who has corrupted and has made you sadists murderers.

And think… You managed to improve the conditions of people or animals?

Answer is NO!

You have not achieved anything.

Getting scholarships and leaving your names in scientific journals.

But all this is going to end soon.

We will not let you continue your crimes unpunished.

Do not let it.

Vivisection is a scientific fraud and moral !!!

We are approaching !!


Attacks In Action- Breach and Defacement

There is a section of the website with a number of pdf files for visitors to download. We replaced all of this big pharma funded propaganda with pdfs from the Physicians Committee for Responsible Medicine (PCRM) explaining the scientific flaws with animal testing. These have now been on the website for quite some time. Until UAR fix the several security holes we found in their website you can see the replacement pdfs by visiting http://www.animalrightsextremism.info/resources/documents and clicking any of the links. We did a few other even less obvious things to the site besides replacing the pdfs but it will be amusing to let UAR try to find everything for themselves without being told what to look for. The login details to the sites mysql database are included here. database: animalextremism username: animalextremism password: f1ght4rights Thanks to codegent of london england for their fantastic work coding insecure web sites for the vivisection lobbyists.


Attacks in Action- DDoS

• DDoS is one of the least “noisy” attack methods from an ideological perspective

• Unless the attackers directly call you out as a target prior to the incident it may not be clear why it is occurring

• The lack of broadcasting makes DDoS a potentially hidden form of attack from an ideological standpoint


Conclusions

• Scan your organization for potential ideological threats

• What is your industry sector, environmental impact, public positions, contracting space?

• Scan the Internet, esp. social media for potential threats

• We need to better understand the motives and actions of the ideological actor
  • Is the ideological attacker a hacker first, believer second, or the other way around

• What can account for differences in jihadi, far left, and far right attacks and targeting preferences?
  • The far left corresponds to what we can find about physical action, but more data is needed to understand other beliefs


Discussion

• Though many hacks appear to be economically motivated, we cannot underestimate the ideological offender
  • Appear tied to changes in ideological activity offline
  • Any organization or sector could be targeted
  • Target selection does not appear to be driven by convenience

• They may differ from the economic in terms of how they attack and what they do
  • When breaching, they release data online rather than sell
  • Unclear what the economic impact is for victims
  • Defacements appear coupled with breaches for maximum impact

• The attackers criticize security as well as highlight ideological beliefs


Questions?

• Thank you for having me! If you have any questions: • Please feel free to call: 517-353-9563

• Email: [email protected]

• Follow us on Twitter: @IIRCC1