Week 9 - Hacktivism, targeted attacks, data leaks Flashcards
(10 cards)
What is hacktivism and how does it differ from other forms of cybercrime? (6 marks)
Hacktivism involves politically or socially motivated cyberattacks. Common tactics include DDoS, website defacement and data leaks. The motivation is usually ideological rather than financial (e.g., Anonymous targeting oppressive regimes). It differs from profit-driven cybercrime (e.g., ransomware). It may overlap with cyberwarfare, such as the attacks on Estonia in 2007. A lack of clear attribution or legal status is sometimes what distinguishes it from other forms of cybercrime.
Explain how a targeted cyberattack differs from a traditional cybercrime attack. (7 marks)
A targeted attack usually selects a specific victim and uses customised tools and social engineering. A traditional cyberattack is more like a mass campaign relying on economies of scale (e.g., exploit kits).
Targeted attacks may use 0-days, lateral movement and stealth. The motivations are usually espionage, sabotage and surveillance. The actors are often state-sponsored or advanced persistent threats (APTs).
The resources available for targeted attacks are virtually unlimited. They are usually harder to detect due to their specificity and sophistication.
What is an Advanced Persistent Threat (APT) and what are its key characteristics? (6 marks)
An APT is a long-term, stealthy cyberattack aimed at specific targets. The attacker gains and maintains access, often undetected. They use lateral movement to escalate privileges.
APTs gather intelligence or await trigger conditions. Examples include Regin (GCHQ) and Operation Aurora (China). They are often linked to state actors and are not easily mitigated.
Describe the methodology and goals behind spearphishing in targeted attacks. (6 marks)
- Emails are tailored to individual targets to trick them into clicking malicious links or attachments.
- Often written in native language, referencing familiar topics/events.
- This may spoof known contacts (or compromise their accounts).
- The first step in most APTs and NGO-targeted attacks is spearphishing (as seen in the Uyghur group case).
- The goal is to deliver malware and gain system access. It is effective because it exploits social trust and is customised to the target.
Discuss at least two mitigation strategies for targeted cyberattacks and their limitations. (6 marks)
Behavioural modelling for email accounts – detects anomalies in tone/phrasing. Limitations: high false positives, user fatigue.
Air-gapping sensitive systems – physical disconnection from networks. Limitations: doesn’t prevent USB-based attacks (e.g., Stuxnet).
These methods help but require layered defences for best results.
Compare and contrast cybercriminals, hacktivists, and state-sponsored actors. (6 marks)
Cybercriminals: Motivated by profit (e.g., ransomware, carding).
Hacktivists: Ideologically or politically motivated; seek social change (e.g., Anonymous).
State-sponsored actors: Work for national interest; focus on espionage, sabotage (e.g., APT28).
Differences lie in motivation, targets, resources, and legal/political ramifications.
What were the key features and consequences of the Sony Pictures hack in 2014? (6 marks)
Attributed to North Korea (APT38) in retaliation for The Interview film.
Attackers used wiper malware (Destover) to destroy data.
Leaked emails, unreleased films, and employee information.
Caused major financial and reputational damage.
Prompted industry-wide reviews of incident response to nation-state threats.
What are the main phases of an APT operation? (7 marks)
1) Reconnaissance – Identify target vulnerabilities.
2) Initial intrusion – Exploit entry (e.g., spearphishing).
3) Establish foothold – Install malware/backdoors.
4) Privilege escalation – Gain admin rights.
5) Lateral movement – Spread across systems.
6) Data exfiltration or sabotage.
7) Maintain presence – For future exploitation.
What are the implications of data leaks from targeted attacks for individuals and organisations? [6 marks]
Individuals: Identity theft, blackmail, loss of privacy. Implications: can facilitate further cyberattacks using reused credentials.
Organisations: Intellectual property theft, financial loss, brand damage.
Implications: possible regulatory fines under laws like GDPR; long-term reputational harm and customer distrust; can facilitate further cyberattacks using reused credentials.
How did the Stuxnet worm change the perception of cyberwarfare and industrial sabotage? (7 marks)
Targeted Iranian nuclear centrifuges via air-gapped SCADA systems.
Used four zero-days and a payload for Siemens PLCs.
Believed to be developed by the US and Israel.
First cyberattack to cause real-world physical damage.
Proved cyberweapons can rival traditional warfare.
Sparked global focus on critical infrastructure and industrial control system (ICS) security.