What Is a Malicious Hacker?


Malicious hacker is a term used to describe an individual or group that uses an understanding of systems, networking, and programming to illegally access systems, cause damage, or steal information. Understanding the motivation that drives a malicious hacker can help an organization implement the proper security controls to reduce the likelihood of a system breach. Malicious hackers are a broad category of adversarial threats that can be broken out into smaller categories depending on the specific actions or intent of the malicious hacker. Some of the subcategories, adapted from NIST SP 800-82, Guide to Industrial Control Systems (ICS) Security, include:

• Attackers. Attackers break into networks for the thrill and challenge or for bragging rights in the attacker community. While remote hacking once required considerable skills or computer knowledge, attackers can now download attack scripts and protocols from the Internet and launch them against victim sites. These attack tools have become both more sophisticated and easier to use. In some cases, attackers do not have the requisite expertise to threaten difficult targets such as critical government networks. Nevertheless, the worldwide population of attackers poses a relatively high threat of isolated or brief disruptions that could cause serious damage to business or infrastructure. 

• Bot-Network Operators. Bot-network operators assume control of multiple systems to coordinate attacks and distribute phishing schemes, spam, and malicious code. The services of compromised systems and networks can be found in underground markets online (e.g., purchasing a denial of service attack, using servers to relay spam or phishing attacks). 

• Criminal Groups. Criminal groups seek to attack systems for monetary gain. Specifically, organized crime groups use spam, phishing, and spyware/malicious code to commit identity theft and online fraud. International corporate spies and organized crime organizations also pose threats to the Nation based on their ability to conduct industrial espionage, large-scale monetary theft, and the recruitment of new attackers. Some criminal groups may try to extort money from an organization by threatening a cyber-attack or by encrypting and disrupting its systems for ransom. Extortion or ransom attacks have disrupted numerous businesses and cost significant resources and planning to mitigate. Without effective backup plans and restoration procedures, many businesses have resorted to paying costly ransoms to restore their encrypted systems. 

• Foreign Intelligence Services. Foreign intelligence services use cyber tools as part of their information gathering and espionage activities. In addition, several nations are aggressively working to develop information warfare doctrines, programs, and capabilities. Such capabilities enable a single entity to have a significant and serious impact by disrupting the supply, communications, and economic infrastructures that support military power – impacts that could affect the daily lives of U.S. citizens. In some instances, threats posed by foreign government intelligence services may be present. In addition to possible economic espionage, foreign intelligence services may target unclassified systems to further their intelligence missions. Some unclassified information that may be of interest includes travel plans of senior officials, civil defense and emergency preparedness, manufacturing technologies, satellite data, personnel and payroll data, and law enforcement, investigative, and security files. 

• Phishers. Phishers are individuals or small groups that execute phishing schemes to steal identities or information for monetary gain. Phishers may also use spam and spyware/malicious code to accomplish their objectives. 

• Spammers. Spammers are individuals or organizations that distribute unsolicited e-mail with hidden or false information to sell products, conduct phishing schemes, distribute spyware/malicious code, or attack organizations (e.g., DoS).

• Spyware/Malicious Code Authors. Spyware/malicious code authors are individuals or organizations who maliciously carry out attacks against users by producing and distributing spyware and malicious code. Destructive computer viruses and worms that have harmed files and hard drives include the Melissa Macro Virus, the Explore.Zip worm, the CIH (Chernobyl) Virus, Nimda, Code Red, Slammer, and Blaster.

• Terrorists. Terrorists seek to destroy, incapacitate, or exploit critical infrastructures to threaten national security, cause mass casualties, weaken the U.S. economy, and damage public morale and confidence. Terrorists may use phishing schemes or spyware/malicious code to generate funds or gather sensitive information. They may also attack one target to divert attention or resources from other targets. 

• Industrial Spies. Industrial espionage seeks to acquire intellectual property and know-how using clandestine methods.
