Incident Response with Threat Intelligence

By: Roberto Martinez

Overview of this book

With constantly evolving cyber threats, developing a cybersecurity incident response capability to identify and contain threats is indispensable for any organization, regardless of its size. This book covers theoretical concepts and a variety of real-life scenarios that will help you apply these concepts within your organization. Starting with the basics of incident response, the book introduces you to professional practices and advanced concepts for integrating threat hunting and threat intelligence procedures into the identification, containment, and eradication stages of the incident response cycle. As you progress through the chapters, you'll cover the different aspects of developing an incident response program. You'll learn to implement and use platforms such as TheHive and ELK, and evidence collection tools such as Velociraptor and KAPE, before getting to grips with the integration of frameworks such as the Cyber Kill Chain and MITRE ATT&CK for analysis and investigation. You'll also explore methodologies and tools for cyber threat hunting with Sigma and YARA rules. By the end of this book, you'll have learned everything you need to respond to cybersecurity incidents using threat intelligence.
Table of Contents (20 chapters)

Section 1: The Fundamentals of Incident Response
Section 2: Getting to Know the Adversaries
Section 3: Designing and Implementing Incident Response in Organizations
Section 4: Improving Threat Detection in Incident Response

Understanding the motivation behind cyber attacks

Each action taken by a threat actor has a motivation behind it, since launching offensive activities against a target requires time, planning, and resources.

This motivation is often financial when it comes to cybercriminal groups. Still, there are scenarios in which state-sponsored threat actors or industry competitors look to gain a position of power or a competitive advantage over an adversary by spying on it and stealing its information.

There are also groups of cyber-mercenaries who sell their services to the highest bidder and use their resources and skills to perform offensive actions. In this case, the motivation is again mainly financial.

The ransomware that was not

In May 2017, the world was shocked when news broke that ransomware had disrupted the operations of several major companies in Spain, as well as the British National Health Service (NHS). In a single day, more than 140,000 computers were affected. It was the first time ransomware had spread across networks as a self-replicating worm on that scale, with no human interaction required:

Figure 1.2 – Ransom note left on an infected system (source: Wikipedia)

This malware, WannaCry, spread using the EternalBlue exploit, which targets a flaw in Microsoft's implementation of the Server Message Block version 1 (SMBv1) protocol, tracked as CVE-2017-0144 and fixed in security bulletin MS17-010. Because the flaw is reachable over the network without authentication, the malware could propagate from one unpatched Windows host to the next with no human interaction at all.

Over the following days, this ransomware replicated around the world, becoming one of the most significant threats of recent years. The irony is that by the time it appeared, the patch that would have prevented infection had already been available for two months: Microsoft had released it in March 2017.

The world had not yet recovered from the impact of WannaCry when, the following month, a new ransomware variant appeared. It exploited the same vulnerability but behaved differently, and parts of its code resembled the ransomware known as Petya, which had appeared about a year earlier:

Figure 1.3 – The ID shown in the ransom screen is only plain random data (source: Securelist.com)

A peculiarity of this ransomware, discovered by my fellow researchers in Kaspersky's GReAT team, who named it Petya/ExPetr, lay in its encryption routine: the installation ID displayed in the ransom note was plain random data rather than an encoding of the victim's encryption key, so the creators of the ransomware themselves could not recover the victims' data, even if the ransom was paid.

This is completely unconventional, because the reason a threat actor develops ransomware is to collect a ransom payment in exchange for the key that lets the victim recover the encrypted information. Without that key, no payment could ever restore the data, so the motivation behind this campaign was not financial; it was aimed at interrupting the business operations of the affected companies.
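To make the distinction concrete, the following Python model, added here as an illustration and not taken from the book, from Petya/ExPetr, or from Kaspersky's analysis, shows why an installation ID made of random data leaves even the operator unable to help. In the "Petya-style" path the per-victim key is wrapped and carried inside the ID, so the operator can unwrap it when a payment arrives; in the "ExPetr-style" path the ID is random bytes and the key is simply discarded. Everything about the construction is assumed for the sake of the example: the HMAC-based toy stream cipher (used only so the code runs with the standard library), the shared operator secret standing in for the public key the real Petya used, and the ID layout of nonce, wrapped key, and integrity tag.

```python
import hashlib
import hmac
import secrets


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: HMAC-SHA256 in counter mode. Illustration only,
    chosen so the example needs nothing outside the standard library."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


# Assumed operator-side secret. Real Petya wrapped the victim key under the
# operator's public key; a shared secret stands in for that here.
OPERATOR_SECRET = hashlib.sha256(b"operator-secret-for-illustration").digest()

ID_LEN = 16 + 32 + 8  # nonce + wrapped key + tag


def make_installation_id(victim_key: bytes, operator_secret: bytes) -> str:
    """Petya-style ID: the victim key wrapped so only the operator can unwrap it, plus a tag."""
    nonce = secrets.token_bytes(16)
    wrap_key = hmac.new(operator_secret, nonce, hashlib.sha256).digest()
    wrapped = xor_stream(wrap_key, victim_key)
    tag = hmac.new(wrap_key, wrapped, hashlib.sha256).digest()[:8]
    return (nonce + wrapped + tag).hex().upper()


def make_random_id() -> str:
    """ExPetr-style ID: random bytes of the same length, carrying no key material at all."""
    return secrets.token_bytes(ID_LEN).hex().upper()


def operator_unwrap(installation_id: str, operator_secret: bytes):
    """What the operator would do with a paying victim's ID: return the victim key,
    or None when the ID carries no recoverable key."""
    raw = bytes.fromhex(installation_id)
    if len(raw) != ID_LEN:
        return None
    nonce, wrapped, tag = raw[:16], raw[16:48], raw[48:]
    wrap_key = hmac.new(operator_secret, nonce, hashlib.sha256).digest()
    expected = hmac.new(wrap_key, wrapped, hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(tag, expected):
        return None
    return xor_stream(wrap_key, wrapped)


def simulate(plaintext: bytes, recoverable: bool):
    """Encrypt a sample buffer as the victim, then try to recover it as the operator.
    Returns (installation_id, recovered_plaintext_or_None)."""
    victim_key = secrets.token_bytes(32)
    ciphertext = xor_stream(victim_key, plaintext)
    note_id = make_installation_id(victim_key, OPERATOR_SECRET) if recoverable else make_random_id()
    key = operator_unwrap(note_id, OPERATOR_SECRET)
    recovered = xor_stream(key, ciphertext) if key is not None else None
    return note_id, recovered


if __name__ == "__main__":
    sample = b"constructed sample document contents"  # constructed input
    _, ok = simulate(sample, recoverable=True)
    _, lost = simulate(sample, recoverable=False)
    print("Petya-style ID  ->", "recovered" if ok == sample else "failed")
    print("ExPetr-style ID ->", "recovered" if lost == sample else "no key: unrecoverable even after payment")
```

The integrity tag is what gives the operator-side check a definite answer: a genuine ID verifies and unwraps, while a random ID of the right length fails verification. That is the same conclusion an analyst reaches when the displayed ID turns out to contain no key material.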

Another interesting fact about this campaign is that, according to detection telemetry, the most affected victims were companies in Ukraine, Russia, and Eastern Europe:

Figure 1.4 – Petya/ExPetr infections by country (source: Securelist.com)

As the preceding graph shows, victim distribution of this kind is especially useful for identifying the specific targets at which a cyber attack was directed, and it supplies some of the elements needed to understand the possible motivations behind it.

Trick-or-treat

In May 2018, unknown threat actors, later linked to the Lazarus group, attacked a South American financial institution. The attack destroyed data on 9,000 computers and 500 servers across several of its branches.

In their initial findings, investigators discovered that the malware had overwritten the Master Boot Record (MBR) of the hard drive, preventing the system from booting and leaving the following message on the screen: Non-System disk or disk error, replace and strike any key when ready.

Trend Micro analyzed the malware and identified it as a variant of KillDisk, a family of disk-wiping malware.
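An MBR overwritten by a wiper is quick to confirm from a disk image or a forensic copy of the first sector. The following Python triage check is an added example written for this edition, not code from the book or from Trend Micro's analysis: it takes the 512-byte sector, verifies the 0x55 0xAA boot signature at offsets 510 and 511, decodes the four partition table entries, and flags boot code that has been replaced by a constant fill. The two sample sectors are constructed inline (a minimal intact MBR with one NTFS partition, and a copy zeroed out by a wiper) and are not taken from the incident.

```python
import struct

SECTOR_SIZE = 512
BOOTSTRAP_LEN = 446            # bytes 0..445: boot code
PARTITION_TABLE_OFFSET = 446   # four 16-byte entries follow the boot code
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511

# Partition type bytes commonly seen on Windows hosts (small subset, not exhaustive)
PARTITION_TYPES = {0x07: "NTFS/exFAT", 0x0C: "FAT32 LBA", 0x0F: "Extended LBA", 0xEE: "GPT protective"}


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte partition table entry; the two 3-byte CHS fields are skipped."""
    status, ptype, lba_start, sector_count = struct.unpack("<B3xB3xII", entry)
    return {
        "bootable": status == 0x80,
        "type": ptype,
        "type_name": PARTITION_TYPES.get(ptype, "unknown"),
        "lba_start": lba_start,
        "sector_count": sector_count,
    }


def analyze_mbr(sector: bytes) -> dict:
    """Triage the first sector of a disk: is it a usable MBR or has it been overwritten?"""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    signature_ok = sector[510:512] == BOOT_SIGNATURE
    bootstrap = sector[:BOOTSTRAP_LEN]
    # A wiper that leaves the signature in place still shows constant-fill boot code.
    bootstrap_constant = len(set(bootstrap)) == 1
    partitions = []
    for i in range(4):
        offset = PARTITION_TABLE_OFFSET + 16 * i
        entry = parse_partition_entry(sector[offset:offset + 16])
        if entry["type"] != 0x00:  # type 0x00 marks an unused slot
            partitions.append(entry)
    if not signature_ok:
        verdict = "no boot signature: sector overwritten, firmware will not boot from it"
    elif bootstrap_constant:
        verdict = "signature present but boot code is a constant fill: likely wiped"
    elif not partitions:
        verdict = "signature present but partition table empty: likely wiped"
    else:
        verdict = "intact"
    return {"signature_ok": signature_ok, "bootstrap_constant": bootstrap_constant,
            "partitions": partitions, "verdict": verdict}


def build_sample_mbr() -> bytes:
    """Constructed minimal MBR: a short boot-code stub, one active NTFS partition, valid signature."""
    stub = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C, 0xFB])  # xor ax,ax; mov ss,ax; mov sp,7C00h; sti
    bootstrap = stub.ljust(BOOTSTRAP_LEN, b"\x90")                   # pad with NOPs
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 204800)
    table = entry + b"\x00" * 48                                     # three unused slots
    return bootstrap + table + BOOT_SIGNATURE


SAMPLE_INTACT = build_sample_mbr()
SAMPLE_WIPED = b"\x00" * SECTOR_SIZE  # constructed: first sector after a wiper zeroed it


if __name__ == "__main__":
    for name, sector in (("intact", SAMPLE_INTACT), ("wiped", SAMPLE_WIPED)):
        result = analyze_mbr(sector)
        print(f"{name}: {result['verdict']}")
        for p in result["partitions"]:
            print(f"  {p['type_name']} start={p['lba_start']} sectors={p['sector_count']} bootable={p['bootable']}")
```

On a real case the sector comes from `dd if=/dev/sdX bs=512 count=1` against a write-blocked copy or from offset 0 of a raw image; the check is deliberately conservative and only tells you the sector is no longer a bootable MBR, not which malware family overwrote it.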

Within hours, the real motive behind the attack emerged: suspicious financial transactions began to be detected. The attackers had not set out to disrupt the company's operations or to wipe its computers for their own sake. Their goal was to compromise the bank's access to the SWIFT international transfer system, which allowed them to make fraudulent transfers of about $10 million to multiple accounts in Hong Kong.

Nothing is what it seems

So what do these cyber attacks have in common? Attribution points to different threat actors, and the two operations were carried out in different contexts and places. The key elements they share are distraction and deception.

In the first case, the threat actors used ransomware as a front, leading the affected companies to believe they were facing an extortion attack, when the real goal was to render the information on their computers permanently unrecoverable. What the attackers were looking for was an interruption of the companies' services and operations.

In the second case, the goal was the opposite. The threat actors had a purely financial interest: they used malware that stopped thousands of computers from functioning in order to keep the response teams busy, while making money transfers, undetected, from other systems.

What were the threat actors looking for in both cases? To mask their real activity long enough to achieve their goals, while confusing investigators so that the response to the incident took longer.

But why is it so important for an incident response professional to try to find the true intent behind a cyber attack? The answer is simple. As we will see later, when an incident occurs, the nature of the attack must be identified from its context, the likely motivation, and its key indicators, in order to establish the type of attack, its characteristics, and its scope. This leads to several working hypotheses, which in turn define the actions to take to contain the offensive activity and minimize the impact of the attack.