Most people probably don’t know any hackers. But they probably have an idea about what one looks like. The image of someone sitting alone at a computer, with their face obscured by a hoodie, staring intently at lines of code, has become widely associated with hackers. You can confirm this by simply doing an image search for “hackers” and seeing what you get back.
But after decades of researching hackers, I’ve decided that this picture is distorting how people need to see today’s threats. It makes some very misleading implications about the adversaries that people, businesses, and especially cyber security companies need to focus on. I wrote in a 2014 threat report that we have no hope of defending ourselves if we don’t know who the attackers are. Today I would go even further, and say it’s a huge mistake to take “hacker-in-a-hoodie” stereotypes and apply them to the cyber-crime and advanced persistent threats we face today.
When I see the hacker-in-a-hoodie, I feel like I’m being led to believe that hackers work in isolation. And that hacking is a hobby one indulges in when they’re not working or studying. My takeaway from this image is that hackers are portrayed as pursuing a casual interest rather than working to achieve goals. But the idea that such unprofessional adversaries are responsible for things like Stuxnet or ransomware infections is incredibly naïve. Why don’t we see pictures of hackers wearing a suit and tie? Or a cardigan?
Hacking is now a marketable skill that’s commodified in products and services, and sold to criminals, companies, and even governments. Hackers now have their own networks, both technical and social, that they use to buy, sell, and trade hacking services and malicious software. They pool resources and coordinate efforts, giving threats far greater capabilities than any individual hacker could develop on their own. After all, there wouldn’t be an exploit industry enabling cyber attacks if it weren’t for the networks connecting hackers, companies, governments, and other organizations.
Don’t get me wrong – many hackers probably choose to wear hoodies and spend 12 hours a day sitting in front of a computer in a dark room. My point is that this picture doesn’t represent the threats we need to talk about. It’s become a smokescreen that benefits real threats by directing our attention away from the gangs extorting millions from their victims, and away from the investments being made in weapons for cyber warfare. If I could offer a new image to associate with cyber threats – one designed to communicate what modern cyber defenses are actually up against – I would base it on the case of Rove Digital.
Rove Digital was an Estonian IT company found to be distributing malware through spam campaigns. Or, more precisely, the company was a front used to launder money made from cyber crime. They were taken down by the FBI in 2011/2012. According to a statement, six individuals were convicted of conspiracy to commit wire fraud and conspiracy to commit computer intrusion. Conspiracy is an important point to emphasize here – it was a cooperative effort made by several individuals. It wasn’t someone acting alone or even a group of individuals working independently toward an identical goal. They were a single group trying to achieve a business objective, and like most businesses, that objective was making money. And over the course of 5 years, they were able to infect over four million computers in more than 100 countries with malware, and made over 14 million dollars.
Operations like these show how cyber-crime has basically industrialized hacking. It’s created structures for hackers to operate within, and objectives (often financial) to achieve. And while Rove Digital was taken down about 5 years ago, cyber-crime has scaled up and moved on. According to a report from the Cyber Threat Alliance, Cryptowall, a prominent ransomware family, has inflicted 325 million dollars in damages. And now, with nation-states becoming increasingly active participants in the threat landscape, we’re only going to see more growth and business opportunities in hacking.
In the past year I’ve been speaking about the potential existence of Cyber Crime Unicorns – cyber-crime ventures that could be valued at over one billion dollars. I can admit the comparison is problematic because a criminal enterprise could never be valued in the same way as a legitimate business. But comparing today’s hackers with the stereotypes implied by the hacker-in-a-hoodie is even more problematic. The hacker-in-a-hoodie is a great picture of hobbyist hackers from the past, and it’s still relevant today when discussing hacktivist groups like Anonymous. But the Cyber Crime Unicorn represents the relatively unimpeded growth of cyber-crime, which is a far greater threat. Continuing to perpetuate the hacker-in-a-hoodie stereotype allows the hobbyist hacker threats of history to distract us from the cyber threats of today. Ignoring such misdirection will only enable cyber criminals and other threats to spread in the future.
Cyber Crime Unicorn image courtesy of Erlend Oftedal.