Cybercrime is all about money… except when it isn’t.
Outside a small subset of criminal espionage and hacktivism cases, there are two main examples of non-financially motivated cybercrime.
This article is the sixth in a series summarizing the findings of our new report:
Today, we’re examining the two most common forms of non-financially motivated cybercrime: DDoS and state-sponsored cyber activity.
What’s the Purpose of DDoS?
There’s a lot of talk about DDoS extortion attacks. These are similar in principle to ransomware. Criminal groups launch volumetric attacks at an organization and say: “pay up, or we’ll keep disrupting your services.” Targets tend to be those that stand to suffer financially from downtime (e.g., ecommerce and financial organizations), and attacks often coincide with peak business periods like Black Friday.
These attacks make a lot of sense when you consider the typical cybercriminal group’s motivations. DDoS attacks are cheap and easy to conduct (often even more so than ransomware), and the approach has a built-in monetization strategy.
However, research by Cloudflare finds that over the last five quarters, extortion-style attacks account for only 9-19% of DDoS incidents. Since there’s no other obvious way to monetize a DDoS attack, it’s safe to conclude, then, that the vast majority of DDoS attacks aren’t financially motivated.
So, what’s the point? And why—when all other cyberattack vectors are overwhelmingly designed to deliver a profit—do cybercriminals bother with DDoS if not to make money?
Common wisdom has it that there are at least four non-financial motivations for DDoS attacks:
- Ideology — hacktivism and revenge
- Political — cyber warfare, disruption/sabotage, etc.
- Obscuration — cover for other cyber activities
- Personal — enjoyment, intellectual challenge, “because they can”
The trouble is, unless a group goes out of its way to explain why an attack took place (as hacktivist groups often do), it’s not always easy to determine the motive behind a DDoS attack. This leaves security teams scratching their heads over the real motive behind almost a third of all cybersecurity incidents.*
* Based on figures from the 2022 Data Breach Investigations Report (DDoS accounts for 40% of incidents) and Cloudflare (up to 19% of DDoS attacks are financially motivated).
We can, however, draw some conclusions based on observable factors. For instance:
- DDoS is the attack vector most prone to personal/ideological attacks (i.e., doing it simply because they can) because the infrastructure and tools are readily available at low or zero cost.
- Obscuration attacks are most likely to come from higher-level criminal and state-sponsored groups, and many of the resulting attacks likely go undiscovered or unreported.
- Unlike other vectors, ideological DDoS attacks are still common due to their effectiveness at disrupting operations. For example, the current Russian-Ukrainian conflict has inspired a huge spike in patriotic hacktivism on both sides, often using DDoS.
Ultimately, the tendency of DDoS attacks to be non-financially motivated is likely a function of the vector itself. It’s called Distributed Denial of Service for a reason. These attacks are effective at causing disruption but are (for various reasons) less suitable for extortion compared to ransomware.
State Sponsored Attacks: When Cybercrime ISN’T Cybercrime
Another cyberattack vector that runs counter to financial motivation is destructive malware. This malware family employs a range of tactics (most often “wiping,” or deleting critical system files) to render affected systems inoperable. Since it’s hard to imagine a financial incentive for pure destruction—at least, outside of movies—it’s reasonable to conclude that destructive malware is primarily the domain of groups that specialize in disruption.
While destructive malware and DDoS attacks are close in their desired effect, the similarities end there. To maximize impact, groups using destructive malware are typically slow and methodical in their approach, often dwelling inside a target network for some time before launching their attack. This places destructive malware far outside the abilities of most hacktivist and hobbyist groups and firmly in the domain of state-sponsored actors.
Almost everything we’ve said so far ceases to be true for state-sponsored hackers. These groups will go to any lengths necessary to achieve their objectives, often combining cyber and physical vectors—not to mention supply chain attacks and the use of proprietary tools and techniques—to compromise a target network. Unlike cybercriminals, there’s usually no financial calculation involved, and the most advanced groups sometimes spend years working to achieve their objectives with no hope of a monetary return.
While there is minimal data to conclusively prove the why behind state-sponsored attacks, some of the most common motives include:
- Espionage — often targeting government entities and research-heavy industries such as pharmaceuticals and technology.
- Disruption — this is particularly common between long-term enemies (e.g., Israel and Iran).
- Warfare — nations at war frequently accompany physical operations with cyber activity.
Interestingly, even state-sponsored attacks can be financially motivated. Chinese state-sponsored hacking groups have been documented conducting economic cyber espionage since at least 2006 and probably much longer. These operations support China’s economic objectives, particularly by helping Chinese organizations gain an economic advantage in key areas such as the South China Sea.
While accounting for a small portion of malicious cyber activity, state-sponsored attacks are a growing concern. Given the sophistication of tactics and tools, these attacks are heavily underreported, and it’s practically certain that organizations worldwide have already been infiltrated by state actors—and simply don’t know it.
Get the Full Cybercrime Story
A cybercrime report could be anything from one page to a hundred pages long. It could be as simple as saying, “Cybercriminals go where the money is,” or as complicated as digital forensics and malware analysis.
In our new report, we’ve striven for a happy medium that gives insight into current, past, and possible future cybercrime trends without getting bogged down in unnecessary details. We’ve also included the most important steps to protect against cybercrime over the next decade.
Download the report to learn:
- Why cybercriminals have moved away from payment card data and towards credentials and PII.
- The four most common attack vectors and what they reveal about threat actors’ motivations.
- Why statistics don’t tell the whole story regarding internal vs. external attacks—and why that matters when designing a risk-based cybersecurity program.
- Where cybercrime will definitely go over the next few years—plus longer-term predictions from industry veterans Dr. Zero Trust (Chase Cunningham) and Dan Schaupner.
June 6, 2023