Let’s talk about embarrassment, especially embarrassment as a tactic. A tactic, although not necessarily a new one, that seems to be cropping up in the news more frequently.
When we consider an attacker’s motives, we often think about money, opportunity, disruption, and/or power. Last year, Paige Mullen, Product Manager and Criminologist at ACDS, wrote about this in detail for Teiss. I recommend that you read it! Ultimately, cybercriminals’ motives have shifted, and the lines of motive are often blurred. To understand a hacker’s motive, we first must get into the hacker’s mind. Take, for example, the Paris Olympics.
We’re less than a month away from the Olympics, and the eyes of the world are on Paris. But with so many eyeballs on the city, an opportunity has presented itself to cybercriminals, especially those from nation-states, to make officials look like fools. Fools on the world stage, in front of allies, leaders, and the public. And so, an alternative motive presents itself: embarrassment. But why? Why opt for faux pas rather than all-out chaos and disruption?
In March, the French Prime Minister, Gabriel Attal, spoke at the Ministry of General Affairs in The Hague about French government bodies being hit with cyberattacks of “unprecedented intensity” whilst also stating that the government had been able to contain the impact. Additionally, it was confirmed that a “crisis cell” had been activated to “deploy countermeasures” until the attacks stopped. Notably, the government was being targeted by Anonymous Sudan, who confirmed that they were behind distributed denial of service (DDoS) attacks targeting government infrastructure. Perhaps unsurprisingly, despite the name, Anonymous Sudan is a Russian-aligned hacktivist group.
The thing about embarrassment is that it’s rarely a big enough trigger for retaliation. Opting to leave victims red-faced in front of the world is a clever motive if you want to cause a scene, even if the attacks were unsuccessful. Without speculating, that may very much have been the aim. With so much investment in the capital ahead of the Olympics (an estimated $9.7bn has been spent by the government on preparing for the games, with the hopes of 15 million visitors between July and September) and sponsors pouring money into the games, looking ‘weak’ cybersecurity-wise, especially after so much investment, is less than optimal.
I await the day when we see ‘embarrassment-as-a-service’ as an offshoot of advanced persistent threat (APT) groups and their accompanying ‘as-a-service’ ecosystems.
But this isn’t an issue that just affects governments and big organisations; cybersecurity is an issue that affects all. Earlier this week, ACDS released a report on ‘Cybersecurity Challenges in 2024: Data Breaches, Open Source Risk and Network Vulnerabilities’ based on research we conducted recently. Our research found that over two-thirds of organisations have experienced three or more data breaches in the past 24 months. Whilst these sorts of attacks are usually less intentionally embarrassment-motivated (and more financially or power-motivated), being hit repeatedly is likely to turn some faces red.
I write often about vulnerability in cyber, but being vulnerable is not about burying your head. It’s about emotional openness and a willingness to collaborate and ask for help. Specifically, we need a new approach to how cybersecurity professionals advise organisations to protect themselves against cyber threats. Businesses must be more open about when they are vulnerable to attack, which often starts with admitting they will be attacked. Being targeted by cybercriminals time and time again is unfortunate, but the risk of a successful attack can be significantly reduced if good tools are proactively implemented before disaster strikes.
Cliché, but cybersecurity isn’t a 100m sprint; it’s more like a marathon.