Reporting on intrusions or attacks often dwells on the method that the attackers used to breach the defenses of a particular organization. However, the goals of the attacker are the most relevant to how an organization can protect itself. The goals of attackers reflect the perceived value of the critical assets an organization has to the attackers, which is independent from the value these assets have to the organization.

The table below shows a carefully chosen sample of well-documented attacks on what attackers consider to be high-value or critical assets. It is worth noting the following attacks were performed by a mixture of nation states, mercenaries, nation state proxies, cyber criminals and hacktivists, showing a complex ecosystem. We do not aim to provide definitive attribution here, merely state which are the most likely candidates based on assessments from law enforcement or the wider community.

High Value Asset Sector Threat Actor Impact on Target Examples
Corporate IT infrastructure All Cyber criminals, nation-state process, nation states Availability Ransomware attacks like WannaCry or the Sony Pictures Entertainment attack deny access to IT resources in order to extort money from the victims and/or cause embarrassment
All Nation states Confidentiality Russian-affiliated threat groups broke into a Voting software company in order to use their IT infrastructure to send phishing emails to subsequent targets
Customer (WiFi) Networks Hospitality Nation states Confidentiality The Darkhotel APT group used hotel networks to target individuals of interest and deploy malware to customer machines through malicious software updates
Cryptographic material Technology Cyber criminals, nation states Confidentiality DigiNotar’s cryptographic keys were stolen in order to forge certificates for eavesdropping on Internet users in Iran
Database All Cyber criminals Confidentiality, Integrity, Availability The RansomWeb attack encrypted the victim’s database covertly and when the database and backups were fully encrypted, the encryption keys were removed, the database was inaccessible and ransom demands were made to the victim
Financial transaction systems Finance Cyber criminals, nation states Confidentiality, Integrity Attackers breached various banks worldwide to send money to mule accounts via the SWIFT network infrastructure
Finance Nation states Confidentiality Alleged Equation Group leaks detail the compromise of the SWIFT Service Bureau Eastnets to extract transaction information from their database
Industrial process design and development Manufacturing, Aerospace, Defence Freelancers Confidentiality Su-Bin stole component design blueprints and flight test data for sale to competing companies
Network infrastructure Broadcasting Nation states Availability TV5Monde’s routers and switches were corrupted by malicious firmware updates which caused the TV station to cease broadcasting
Non-public information All Nation states Confidentiality Hackers allegedly from PLA Unit 61398 stole “thousands of e-mails and related attachments that provided detailed information about SolarWorld’s financial position, production capabilities, cost structure, and business strategy”
Finance, Legal Cyber criminals Confidentiality Hackers stole non-public press releases about upcoming announcements by public companies concerning earnings, gross margins, revenues, etc. and used this information to conduct trades
Source code Technology Freelancers, nation states Confidentiality Attackers compromised Yahoo in order to find the source code so they could forge cookies to gain persistent, unauthorized access to user accounts
Payment card information Retail Cyber criminals Confidentiality Attackers stole 40 million records of payment card information from Target’s Point of Sale (PoS) systems via breaking into a supplier who had access to the Target network
PHI/PII Healthcare Cyber criminals Confidentiality 80 million customer records were stolen from Anthem, this data may be used for espionage and/or financial crime such as filing fraudulent tax returns and issuing of pre-paid debit cards
SCADA systems Energy Nation states Availability A cyber-attack was performed against a Ukrainian power company’s circuit breakers causing the loss of power to approximately 225,000 customers
Social Media accounts All Cyber criminals Availability Wired reporter Mat Honan had his various cloud service accounts breached and his devices remotely wiped in order to takeover his social media account
All Nation state proxy Integrity The Syrian Electronic Army hijacked the social media accounts of various global companies in order to spread propaganda

A common theme running through the above table is how attackers take the path of least resistance to their goals and in the cases where critical assets were not reachable, used a creative approach to monetize the access that they did have.

Some common themes concerning attacker goals emerge:

  • Attacks are a multi-stage process, each stage helps the attackers get closer to their goal. An organization may be compromised for its own assets or because its assets help an attacker reach its target. Financially-motived cyber criminal actors seek out not only directly monetizable assets like payment card information but also assets which can be sold such as PHI/PII or non-public information.
  • Sectors such as finance and defense are well-known targets for attackers, but following on from the multi-stage theme above, other organizations may find themselves as targets as they are on the “flight path” from the attacker to the intended target, for example, in the case of supply chain compromise.
  • While theft is very common (confidentiality violations), attacks on availability, such as extortion via ransomware, and attacks on integrity, such as source code manipulation, do also occur. Attackers have a diverse set of actions in their portfolio and may use any of them against a particular target.

By understanding the goals of the attackers, defenders can understand which of their assets need to be safeguarded. Any breach investigation or incident response should attempt, where possible, to understand the goals of the attackers in order to gain insight on how attackers are targeting an organization’s assets.

Recent attacks like the Nyetna outbreak highlight the difficulty of certainty around attacker goals as there may be deliberate attempts by the attacker to obscure their true goals, in such cases the different plausible attacker goals must be considered.

We recently wrote a blog on five ways security engineering can help to protect these assets.

 

Photon logo small