Public Disclosures: What happens when we shine a light on hackers?

RapidVPN / February 28, 2020 / Blog

It is widely known that cyber-threat activity has become an increasingly common topic of discussion on social media and in society generally. This is mainly because of public disclosures, which help shine a light on the world of malware and hacking on the internet. But the real question is: what impact do the disclosures have on the attackers themselves?

Public disclosures come from a range of sources: government agencies, threat intelligence teams, researchers at human rights groups, and even individuals who prefer to remain anonymous.

As to why all of these people want to disclose, the answer is that motivations vary. Some researchers or companies want to publicly attribute an attack to a particular country, or simply to reveal more information about the attackers, so that their company’s reputation is boosted.

Sometimes the aim of publicly revealing details about a group is primarily to name and shame it, or to “dox” individuals involved in attacks.

There are also quite good reasons why hackers should be publicly disclosed, among them: releasing a security advisory so that users take notice and update their software; contributing educational material to the security community; preventing vulnerabilities from entering the next generation of software; and giving public recognition to the hacker.

Researchers have explained numerous times, in simple terms, exactly how a hacker attacks somebody’s computer.

Usually, hackers send emails convincing people to do one of three things:

  • Open an attachment that contains a virus; it could be any kind of document, or even an Adobe file.
  • Click on a link leading to what looks like a legitimate web page that asks the user to log in. The user clicks the link and enters their credentials without knowing that they have just been tricked.
  • Click on a link leading to a website that infects the computer, mainly through a vulnerability in the web browser. JavaScript on the site makes the computer do something it is not supposed to: download or install malicious code.
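The three lure patterns in the list above can be screened for mechanically before a message reaches an inbox. The following Python is an added example, not RapidVPN’s code: it builds a constructed lure message inline (the addresses, the IP address and the attachment name are all made up), then flags risky attachment types, links whose visible text names one domain while the href points somewhere else, and links to raw IP addresses. The extension deny-list and the crude “last two labels” domain comparison are simplifying assumptions for the demonstration.

```python
"""Screen an e-mail for the three lure patterns described in the post.
Added example (not from RapidVPN): a small MIME message is constructed
inline and checked for (1) risky attachment types, (2) links whose visible
text names one domain while the href goes to another, and (3) links that
point at raw IP addresses or use an unexpected scheme.
"""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from urllib.parse import urlparse

# Attachment types that can carry executable content or macros.
# Assumption: a typical starting deny-list; tune it for your environment.
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".hta",
                    ".docm", ".xlsm", ".jar", ".lnk"}

HREF_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_RE = re.compile(r'\b([a-z0-9.-]+\.[a-z]{2,})\b', re.I)


def registrable(host: str) -> str:
    """Crude 'registrable domain': the last two labels. Enough for a demo;
    a real deployment would use the public suffix list."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def check_attachments(msg) -> list[str]:
    """Flag attachments whose extension is on the deny-list."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"risky attachment: {name}")
    return findings


def check_links(html: str) -> list[str]:
    """Flag anchor tags whose text and target disagree, or whose target
    is a bare IP address or a non-HTTP scheme."""
    findings = []
    for href, text in HREF_RE.findall(html):
        target = urlparse(href)
        host = target.hostname or ""
        visible = DOMAIN_RE.search(re.sub(r"<[^>]+>", "", text))
        if visible and registrable(visible.group(1)) != registrable(host):
            findings.append(
                f"link text '{visible.group(1)}' but href goes to {host}")
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            findings.append(f"link to raw IP address: {href}")
        if target.scheme not in ("http", "https"):
            findings.append(f"unusual link scheme: {href}")
    return findings


def screen(raw: bytes) -> list[str]:
    """Parse a raw RFC 5322 message and return all findings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = check_attachments(msg)
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        findings += check_links(body.get_content())
    return findings


def build_sample() -> bytes:
    """Constructed lure: a 'log in to your bank' link that really points at
    a bare IP address, plus a macro-enabled spreadsheet attachment."""
    msg = EmailMessage()
    msg["From"] = "alerts@example-bank.test"   # constructed sender
    msg["To"] = "user@example.test"            # constructed recipient
    msg["Subject"] = "Action required"
    msg.set_content("Please view this mail in an HTML-capable client.")
    msg.add_alternative(
        '<p>Please <a href="http://203.0.113.7/login">log in at '
        'example-bank.test</a> to confirm your details.</p>',
        subtype="html")
    msg.add_attachment(b"\x00macro", maintype="application",
                       subtype="vnd.ms-excel.sheet.macroEnabled.12",
                       filename="invoice.xlsm")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in screen(build_sample()):
        print("FLAG:", finding)
```

Running the script prints three flags for the constructed message: the macro-enabled attachment, the mismatch between the link text and its destination, and the raw IP address in the link. A message with no HTML body and no attachments produces no findings, which is the point of keeping each check narrow: the screen is meant to surface the lure patterns the post describes, not to replace browser and software patching.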

Then we come to the question: how do attackers respond? What everybody should remember is that no two attackers are the same. Every attacker has distinct motivations, whether they are state-sponsored operatives, hacktivists, private investigators or others. Hackers sometimes even monitor what is being reported about them. Their responses fall into three basic categories: they may “go quiet”, “change up” by altering aspects of their operations, or “get angry”. Finally, some of them simply continue their operations unchanged.

The most natural response is to cease activities. Knowing that governments and researchers are onto them, they would not want to continue being tracked or risk attribution to their agency. However, the public should know that going quiet does not mean it is the last we will hear from those hackers. It may simply mean that they re-emerge under a different guise with changed tactics. This happened, for example, with an East Asian state-backed threat group: after being revealed, the group shifted to new techniques and a new custom tool called RedLeaves, and organised its campaigns around distinct tools, targets and IT infrastructure so that its operation would be difficult to map out.

Indeed, one never knows how attackers are going to react. Public disclosure can have extremely serious consequences, one of which is replication: the moment tools and techniques are publicly known, other threat groups can use them in their own attacks. Hackers may also use copied tools to plant false flags in their operations so that researchers are misled.

It should be noted that, by today’s security standards, there is nothing new or advanced in the techniques and methods used to attack. Hackers also do not attack from their own computers; they “jump” from one computer to another to hide their origin, which makes them harder to track. Likewise, the signatures in the code used for attacking should not mean much on their own, since numerous malicious code samples are freely available on the black market, and an author can forge those signatures to appear to be, for example, Russian.

The main point of revealing the hackers is actually for people to be informed of how they should behave in order to protect themselves online. Users’ information security policies and awareness are a crucial component, sometimes more important than antivirus or a firewall.