There's an old quote mis-attributed to the famous bank robber Willie Sutton that claims when asked "Why do you rob banks?" he replied "Because that is where the money is!" When we ask "Why do hackers hack?" there is a temptation in this age of organised crime-driven malware to give the same answer. However this truly only accounts for a small percentage of what the term hacking encompasses.
In many ways, the term Hacker is burdened: The hacker community—a community that started as early as 1878 in the telephone switchboards of New York and became popularized in 1950s and 1960s by some Universities like MIT – tends to be populated by technophiles who love to take software apart to see what they can make it do.
Some write tools and applications such as ad blockers, vulnerability scanners, and anonymity tools, and make them freely available on the Internet to improve the online experience of the average user. Others, however, devote long hours to uncovering flaws in software, creating more advanced malware and engaging in any number of online practices designed to seize other people’s money.
While "big malware" has definitely gone in that direction, there are still hundreds of thousands of websites defaced each week that have no relation at all to money-making. Many of these cyber-attacks are youthful offenders who fall into three main camps – glory hounds, political/world-view hacktivism, or anarchists. The same tradecraft developed by these mass website defacers often leads to data breaches, sometimes including user IDs and passwords, sometimes containing credit card information, and sometimes containing sensitive healthcare information or intellectual property.
At some point, even the most "cause-oriented" hackers tend to go astray and admit, they hack because of the feeling of power and prestige that it gives them to take control of an adversary – one they may never meet or know. Many of these have a mix of impulse control, anger management, and Aspergers in their make-up that means they can be unpredictable and very dangerous. While Nation State Actors are a serious concern on the hacking landscape, their psychology and motives could fill another article, so it won’t be covered here at this stage.
For those who don't get caught, often their hacking acts continue to escalate until law enforcement has no choice but to intervene. For many, the success of small hacking activities and the lack of punishment for each, serves as an incentive to move on to bigger and bolder things. In this way, hacking is like an addiction and people under the spell can display some of the same traits and manipulative tendencies that addicts are known for.
Another tactic in the hackers’ arsenal is "social engineering" — posing as a trusted figure to con someone out of important information. The intellectual challenge, whether it’s beating the coders who designed a program or convincing a company insider to hand over sensitive information, can drive people far more than the money to be gained as a result. Additional high profile examples of hackers who have taken this to the extreme include:
- "Trick", a hacker with Team Poison, allowed his hacking exploits to escalate until he was hacking the Prime Minister’s email. He fled to join ISIS, many believe, in part to avoid the punishment after being outed as the hacker of many high profile email accounts. Junaid Hussain was ultimately killed by a Hellfire missile in a drone strike after leading many successful high profile hacks against DoD computers.
- Mir Islam's hacking of public officials and celebrities led to cyber stalking, and eventually shutting down a University with bomb threats and engaging in SWATting, causing SWAT teams to respond to the homes of high profile figures like Congressmen and US Attorney Prosecutors. His escalation reached a level where he could no longer be ignored.
- The JP Morgan Chase hackers started off hacking while fraternity brothers at Florida State. The rumor is that "no one in their fraternity had to pay tuition" because their online scams were generating enough income to cover their members. Again, no punishment, no disincentive, leading to a feeling of invincibility even after there was a warrant out for their arrest. Especially when Mr. Aaron moved to Russia, believing that this made him immune from extradition. But, eventually, Russian authorities arrested Mr. Aaron and it is believed that he may be "traded" for one or more Russian hackers in US custody.
There is, of course, one other End Game for hackers. They can keep their head down, try and not fall victim to escalating ambitions, and quietly make money for the rest of their careers. These "Silent but Deadly" hackers are the ones who succeed in satisfying a personal financial goal and quietly retiring before drawing too much fire on themselves. How many are there? We may never know.
Gary Warner, Chief Threat Scientist, PhishMe