Attacks and attackers

Before the Internet, many crimes required physical contact between the victim and the attacker. With the advent of the Internet, technology has extended the attacker’s reach by eliminating the need for physical contact. This has enabled new ways of committing crimes and even waging war.

Online attackers can be classified according to their motives. A motive may be based on financial gain, but it may also be political or personal. Other ways to classify attackers include psychological characteristics or social factors. This module presents various types of attacks and attackers, their methods of operation, and their motives.

Common characteristics of cybercrime

Cyber-enabled crime is crime in which removing the need for physical presence increases the criminal’s ability to reach their victims. Criminals have five main reasons to move their activities online:

  1. It is easy to find potential victims and contact them via the Internet. For example, lists of email addresses are sold on underground marketplaces, and social media search features are used to look for suitable victims.
  2. Using the Internet for criminal purposes is cheap. Sending emails is free, and they can be sent in large volumes with little effort.
  3. The Internet also accelerates criminal activity; for example, phishing messages reach their victims immediately, without having to wait for physical postal delivery.
  4. The Internet facilitates international reach, as victims can be located anywhere. Language differences can be challenging, but machine translation is constantly improving.
  5. When criminals operate via the Internet, the risk of being caught decreases. This is also because cybercrime is international and legislation differs between countries. In addition, cybercrime is underreported, as victims may not know where to report an incident that originated abroad. Moreover, victims often believe that recovering money is unlikely.

Cyber-dependent crime refers to crimes that can be committed only by using computers or technical devices. Although the ultimate goals of this type of crime often resemble those in the physical world (for example extortion, identity theft, or financial fraud), the Internet and technology allow criminals to reshape crimes, for example by making them large-scale and organised. Large scale may mean hundreds of thousands, if not millions, of victims.

What is the key difference between cyber-enabled crimes and cyber-dependent crimes?

Interpersonal offence

Interpersonal offence includes targeted violence and harassment directed either at close relationships (for example family members) or at strangers. These are usually not cases of organised crime. Such crimes have always existed, but the Internet has improved the opportunities of harassers and criminals, as physical contact is no longer necessarily required. These crimes belong to cyber-enabled crimes.

Cyberbullying
Cyberbullying is defined as sending harmful material or other social aggression via the Internet or other digital technology. Although cyberbullying is not always illegal, it exists in a grey area regarding what is considered harmful behaviour or a crime. Especially among young people, bullying has also moved online in addition to occurring in “real” life. The dynamics of bullying have changed, as it previously often occurred at school and during school hours, whereas online bullies can reach their victims continuously. In addition, bullies benefit from the anonymity provided by the Internet. Some platforms also delete messages after a certain time, and evidence of bullying may not remain, which can further encourage the bully.
Doxing
In this form of harassment, a victim’s private information is published online. This is often associated with large-scale harassment, where publishing sensitive information aims to humiliate the victim or escalate harassment. Harassment may also extend into the physical world; for example, information may be disclosed to the victim’s workplace or the victim’s home address may be published. Doxing is a popular way to escalate online debates and can also be used to silence victims. An example of a doxing campaign is GamerGate. Doxing can be used to orchestrate hate campaigns and attacks. It is also a tactic used by some hacktivist groups to keep their targets on edge.
Cyberstalking
The victim is stalked using online means, for example on social media. Stalkers vary: some monitor the victim also offline, while others focus solely on the online environment. Online stalkers can be divided into those who monitor the victim passively and those who attempt interaction, for example by sending messages.
Sextortion
The victim is lured into a sexual act in front of a camera, for example in a chat room; the act is recorded, after which the victim is blackmailed with the material.
Child grooming
Criminals search for child victims in, for example, chat rooms, gaming platforms, and social media. They then befriend the victim, build an emotional bond, and eventually sexual abuse may occur either physically or online. Offenders often pretend to be children or young people themselves to facilitate trust. Solicitation of a child for sexual purposes is a crime under Section 8b of Chapter 20 of the Finnish Criminal Code, punishable by a fine or imprisonment for up to one year. Child grooming may also take the form of indirectly downloading or distributing child sexual abuse material, for example via the Tor network. In such cases, there may be no direct interaction with the victims, but rather consumption of material produced by other abusers.

Cyber-enabled organised crime

Information networks also enhance professional crime. Professional criminals rarely operate alone but rather in groups of varying size, organised to a greater or lesser extent. Examples of cyber-enabled organised crime include advance-fee fraud and drug trafficking.

Advance-fee fraud

The victim is promised a reward (for example money), but in order to receive it must first pay a small advance fee to the scammer. After payment, the victim usually hears nothing further from the scammer, unless the fraud is part of a series in which the victim repeatedly pays advance fees without ever receiving the promised reward. The archetype of these scams is the so-called Nigerian letter (though they originally came from elsewhere). There are many variants. Annually, they generate enormous sums of money for scammers, as the emails are distributed so widely that someone always falls for them. Various romance scams also belong to advance-fee fraud. In these, the victim expects to meet their romantic interest, but there is always some well-explained obstacle preventing the meeting. The victim nonetheless pays various arrangement fees so that their “beloved” might one day meet them.

Advance-fee fraud is characterised by the construction of a narrative that lures the victim into paying. This often involves impersonation; for example, romance scammers typically claim to be soldiers on foreign deployment. The story lends credibility to why the scammer never meets the victim and helps to establish an emotional connection, which is often necessary to persuade the victim to pay. On the other hand, it has been suggested that scammers often deliberately make the first mass-distributed message as absurd as possible. This ensures that only the people most likely to be scammed, and most likely to stay engaged until the end, respond at all. This saves effort for the scammer: although mass sending of initial messages is cheap, building an emotional bond and preparing a victim to pay requires much more work.

Drug trafficking
The Tor network and cryptocurrencies have enabled online marketplaces where customers can purchase drugs and have them delivered, for example to their homes. Studies show that although authorities frequently shut down marketplaces, they re-emerge after some time with equal success. Online drug markets have created an interesting market phenomenon, as they remove the buyer’s need to interact physically with criminals in potentially dangerous environments. This has not, however, affected the global drug trade ecosystem; production and shipment remain in the hands of the same major actors. The change is visible only in how local dealers and their customers conduct transactions.

Cyber-dependent organised crime

In cyber-dependent organised crime, criminals use complex technical systems to achieve their goals, for example botnets. This has led criminals to specialise and cooperate. A complex cybercriminal operation may involve multiple specialisations; for example, some actors may handle malware distribution, while others launder the proceeds.

Spam

Spam is a component of many forms of cybercrime, for example the sale of stolen goods or stolen and/or counterfeit medicines. Email is easy to send and can reach a mass audience, some of whom are potential victims. A successful spam campaign requires 1) collecting addresses, 2) writing a message, 3) mass distribution, 4) handling orders, and 5) responding to law enforcement actions, such as server seizures. Spam distribution today takes place through criminal ecosystems. Spammers may, for example, rent botnets from criminals specialising in malware distribution, buy mailing lists on underground markets, and participate in affiliate programmes where they purchase advertising, payment, and distribution services from other criminals.

Various spam filters have reduced the amount of spam users see. Nevertheless, spam continues to be sent and remains profitable. An investigation published in 2009 showed that around 83 million spam messages sent by the Storm botnet resulted in 10 500 clicks (0.003 %), and 28 recipients ended up “purchasing” (0.000008 %). Such a return of one in a million is sufficient, as distribution is cheap and reaches new customers. The key to success lies in customers who, once they have purchased, return to purchase again.

Phishing
Some spam is related to phishing. Phishing emails typically lure users into disclosing their usernames and passwords with a convincing message that imitates a legitimate service the user actually uses. To this end, criminals need convincing fake websites. Specialised cybercriminals produce and sell phishing kits, which buyers can use to deploy convincing phishing websites. These kits typically also include functionality that facilitates collecting and tracking submitted credentials. Phishing websites are often hosted on compromised servers of other services, so that criminals do not have to pay for hosting. Credentials harvested from phishing sites are either sold on underground markets or exploited immediately by criminals themselves, for example to empty bank accounts.

Costs of online fraud

Despite public awareness campaigns and citizen education, the annual costs caused by online fraud are enormous and continue to grow. In 2025, Finns lost 72.5 million euros to fraudsters, and banks managed to prevent or recover another 75.5 million euros. Phishing accounted for the largest share of the money in motion, over a third of the total (a diagram in Finnish). These figures cover only fraud known to banks. Victims do not always report being defrauded, so the true costs are likely even higher. Reasons for not reporting include shame or the belief that money cannot be recovered.

Financially motivated malware
Ransomware is discussed later. A more traditional way of pursuing financial gain programmatically is to harvest a victim’s credentials, for example for banks or other suitable services. Stolen credentials are sent to the criminals’ servers and used as they see fit. Malware designed for this purpose is sold on underground markets, as are more sophisticated botnet-as-a-service offerings, where a criminal can rent a botnet from another criminal, use it to distribute malware, and share the profits with the botnet owner.
Click fraud
Online advertising is a common way for websites to generate revenue. A site operator displays advertiser content on their site, and whenever visitors click an advertisement, the site receives a small payment. Online advertisements are an easy target for click fraud. Criminals may host advertisements on their own sites and then generate fake clicks, for example using bots. Advertisers must pay even for bot-generated clicks.
Unauthorised cryptomining
Unauthorised cryptomining can be carried out, for example, using botnets, where infected machines are harnessed for mining. Another method is browser-based mining, referred to as cryptojacking. Instead of injecting malware, criminals use scripts on their websites that cause visitors’ browsers to mine cryptocurrency. The activity is not necessarily illegal, as a website operator may choose to add a miner to their site much like online advertisements. Criminals add miners, for example, to websites they have compromised.
Ransomware

Ransomware has long been a growing trend. Criminals infect a victim’s machine or system with malware that encrypts the victim’s files and sends the key to the criminals. The criminals demand a ransom for the key, with payment made using cryptocurrency. However, the victim has no guarantee that the criminals will provide the key after payment.

Ransomware is a goldmine for cybercriminals, as it avoids many traditional problems. There is no need to sell anything to the victim, nor even necessarily to deceive them, if the ransomware can be injected into their system in the first place. Ransomware victims include private individuals, companies, and public sector organisations. In production systems or healthcare systems, ransomware can be devastating and cause enormous losses. If you wish, you can read how LockerGoga encrypted Norsk Hydro’s computers in 2019.

Denial-of-service attacks
An attacker can prevent the use of a system, for example, by generating such large amounts of network traffic towards a server that it can no longer respond to requests. Such a denial of service (DoS) can also happen unintentionally, as a side effect of errors or other attacks. A distributed denial-of-service attack (DDoS), in turn, originates from multiple sources, such as computers or IoT devices. Cybercriminals sell DDoS attacks as a service. Buyers include actors who wish to harm a business partner’s operations or, for example, online gamers who want to knock opponents offline to win a game. DDoS services may advertise themselves as “stress testers” that web administrators can use to test how their web applications perform under load. In reality, these services do not verify whether the customer purchasing a DDoS attack actually owns the targeted website. (See more on DoS later.)

Online scam

You have probably at some point received a phishing message by email or text message claiming to be from Posti, MyKanta, a telecom operator, or a bank. Typically these messages contain an urgent call to log in via an included link, often obscured with a link shortener (such as bit.ly). You likely know to ignore such messages, but may have wondered what lies behind the link and how the process of emptying your account would actually unfold.

For example, after clicking a scam link purporting to be from Kela, the victim is redirected to a fake authentication page that may look entirely genuine and list all the familiar Finnish banks. Even if the victim enters their banking credentials on the attack site, the scammer must still get past two-factor authentication. It is worth noting that phishing attacks typically do not exploit technical security vulnerabilities, but rather user error.

After obtaining the victim’s banking credentials, the scammer logs in to the victim’s bank account. This initiates the usual two-factor authentication process, now most often carried out via the bank’s mobile app. The victim must approve the login, usually by entering a PIN in the mobile app. At this point, the scammer has access to the victim’s bank account, while the victim is kept occupied on the scam site with some pretext, such as a fabricated error message instructing them to log in again.

The scammer still needs the victim to approve outgoing transfers. The most advantageous option for the criminal would be to register a new authentication app for their own device on the victim’s account. Registration can be initiated from online banking, and a code is again sent to the victim’s phone. If the victim is persuaded to enter this registration code on the scam site, the scammer gains full control, enabling them to empty the account and even max out credit lines.
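The takeover sequence just described (a login from a device the account has never used, a new authenticator registered minutes later, then outgoing transfers) is a pattern a bank’s own monitoring can look for. The following is an added illustration of such a check, not code from the course material; the event format, field names, sample events and the 30-minute window are all assumptions made for the example.

```python
"""Flag account sessions matching the phishing-driven takeover sequence:
login from an unknown device -> new authenticator registered within a short
window -> transfers after the registration. Event layout is hypothetical."""
from datetime import datetime, timedelta

# Constructed sample event stream (not real bank logs). Sorted by time below.
EVENTS = [
    {"t": "2025-03-01T10:00:00", "account": "A1", "type": "login", "device": "d-known"},
    {"t": "2025-03-01T10:02:00", "account": "A1", "type": "transfer", "amount": 50},
    {"t": "2025-03-01T12:00:00", "account": "A2", "type": "login", "device": "d-new"},
    {"t": "2025-03-01T12:04:00", "account": "A2", "type": "register_authenticator", "device": "d-new"},
    {"t": "2025-03-01T12:10:00", "account": "A2", "type": "transfer", "amount": 4900},
    {"t": "2025-03-01T12:12:00", "account": "A2", "type": "transfer", "amount": 4800},
]

# Devices each account has previously used (constructed).
KNOWN_DEVICES = {"A1": {"d-known"}, "A2": {"d-phone"}}


def parse(ts):
    return datetime.fromisoformat(ts)


def find_suspicious_sessions(events, known_devices, window=timedelta(minutes=30)):
    """Return one alert per (login from unknown device, authenticator
    registration within `window`) pair, with the sum of transfers that
    followed the registration. Assumes events are per-account timestamped."""
    by_account = {}
    for e in sorted(events, key=lambda e: e["t"]):
        by_account.setdefault(e["account"], []).append(e)

    alerts = []
    for account, evs in by_account.items():
        for i, login in enumerate(evs):
            # Only logins from devices not seen before on this account matter.
            if login["type"] != "login" or login["device"] in known_devices.get(account, set()):
                continue
            login_t = parse(login["t"])
            for reg in evs[i + 1:]:
                if reg["type"] != "register_authenticator":
                    continue
                reg_t = parse(reg["t"])
                if reg_t - login_t > window:
                    break  # events are sorted; later registrations are also outside the window
                transferred = sum(
                    x["amount"] for x in evs
                    if x["type"] == "transfer" and parse(x["t"]) >= reg_t
                )
                alerts.append({
                    "account": account,
                    "login_at": login["t"],
                    "registered_at": reg["t"],
                    "transfers_after": transferred,
                })
                break
    return alerts


if __name__ == "__main__":
    for a in find_suspicious_sessions(EVENTS, KNOWN_DEVICES):
        print(a)
```

A real deployment would hold the transfer for confirmation through a channel the scammer does not control rather than merely log the alert.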

A questionable practice from a security perspective has taken hold in Finland: using bank credentials to log in to all services requiring strong authentication. This enables phishing attempts impersonating entities other than banks. It would be better if bank credentials were used only for banking, and other services relied on alternatives such as mobile certificates. Scam sites can often be identified by the absence of mobile certificate login options, as these offer no financial benefit to the scammer.

Cybercrime is produced and sold on underground markets as various services. What factor facilitates this criminal activity?

Hacktivism

Politically motivated harmful activity is referred to as hacktivism. Hacktivism seeks to draw attention and to influence the functioning of society and may also be a positive form of expressing opinions, for example in support of freedom of speech or human rights. Often, however, hacktivism crosses the boundaries of acceptability and at its worst can adversely affect completely unrelated parties. Hacktivists aim to express their views through changes they cause in information systems, by disclosing confidential information or preventing the use of services. Some of this activity meets the criteria of a crime, and it has been debated whether hacktivism constitutes political activism and civil disobedience or should be considered cyberterrorism. Hacktivists use methods such as denial-of-service attacks to draw attention to their causes, or break into systems to search for information to disclose. One of the best-known hacktivist groups is Anonymous, whose methods include launching DoS attacks against organisations they deem to act wrongly. WikiLeaks, in turn, focuses on information leaks relating, for example, to government surveillance of citizens. Hacktivist methods also include web defacement, where the front page of a target website is altered with politically charged or otherwise provocative messages. From spring 2022 hacktivists also actively participated in information warfare on both sides of the Russian war on Ukraine.

State actors

In recent years, attacks carried out by state actors have been observed to increase. In general, attacks by state actors differ from those by cybercriminals for two reasons:

  • Cybercriminals must reach as many victims as possible to maximise their profits. As a result, their attacks must either be generic or sufficiently flexible to cover a wide range of devices. A state actor’s attack does not need to generate revenue (though there are exceptions; see a BBC article on North Korean hackers), and the victim is usually well defined, for example a specific organisation or individual. The attack can therefore be tailored to the victim, increasing the likelihood of success, as time can be invested in planning. Such targeted attacks are unique and unlikely to be detected by existing security software.
  • Because of the need to generate income, traditional cybercriminals conduct their attacks quickly. This does not apply to state actors. Attacks may take extensive time, as the end result is often more important than how long it takes to achieve.

Broadly speaking, attacks by state actors fall into three categories according to their purpose: sabotage, espionage, and information influence.

Sabotage

Modern critical infrastructure, such as electricity production, water supply, healthcare, logistics, and critical manufacturing facilities, can be disrupted by digital means. Many facilities, such as power plants, have some form of network connection between computers controlling plant equipment and computers connected to the Internet. This is risky, and when the attacker is a state actor, security arrangements protecting the boundary between the two networks may be insufficient, as attacks can be so sophisticated and tailored that off-the-shelf solutions cannot detect them. Once malware gains access to the control network, it can cause malfunctions and potentially destroy equipment. Even when the control network and the Internet are physically separated, attacks remain possible, as state actors possess near-unlimited resources for tailoring and executing attacks. It is also worth noting that the threat of sabotage is not limited to state actors; disgruntled employees acting as insider threats may also be involved.

A well-known example of a state-sponsored attack on critical infrastructure is the Stuxnet worm, which constituted a sophisticated attack on the Natanz nuclear enrichment facility in Iran in 2010. It is claimed that the worm was introduced by first infecting the laptop of a person involved in maintaining the facility’s machines. Once in the correct environment, the worm identified the devices it targeted. It sabotaged enrichment experiments by running centrifuges at varying speeds, thereby breaking them. Stuxnet is a textbook example of how far state attackers are willing to go to achieve their objectives and how specialised such attacks can be. The intelligence gathering and preparation required for Stuxnet were reportedly very lengthy and expensive.

Espionage
State actors also engage in espionage. Studies have shown that state actors feature prominently in targeted phishing attacks, in which victims (for example activists or companies) are lured into installing malware later used for spying. State actors also infect sensitive systems, such as servers of large companies, with the goal of stealing confidential information. These long-term, sophisticated attacks are known as advanced persistent threats (APT).
Information influence
Information influence seeks to affect people’s thoughts, attitudes, decision-making, and behaviour. In modern societies, it takes many forms, such as election interference and fake news. Over the past few years, evidence has emerged that state actors have been involved in spreading disinformation on social media. This has been done through troll accounts aiming to polarise online discussions. Although social media platforms such as Twitter, now X, have released information on accounts linked to state-sponsored information influence, conclusive evidence of how such influence is conducted remains limited. For example, it is unclear to what extent accounts involved in information influence are operated by humans rather than bots.

The text discusses, among others, the following attack types:

  • AT-1 Interpersonal cybercrime
  • AT-2 Organised crime
  • AT-3 Hacktivism
  • AT-4 State actors

Below, some features have been associated with each attack type AT-1,…,AT-4. Select the combinations that are not mentioned in the text, even if expressed in other words.

Below are additional combinations. Select those that the text allows you to infer as possible, even if they are not even indirectly suggested.