Deciphering the Hacker Underground: First Quantitative Insights
The recent attacks on Estonia’s computer and network infrastructures were an event of such unprecedented magnitude that it sent shockwaves throughout the world. In April, 2007, pro-Russian hackers launched a month-long retaliation campaign for the removal of a World War II statue—a campaign that has become known as the first war in cyberspace. Using a technique known as Distributed Denial-of-Service (DDoS) attacks on a hitherto-unprecedented scale, the attackers managed to effectively shut down vital parts of Estonia’s digital infrastructures. In a coordinated effort, an estimated one million remote-controlled computers from 178 countries were used to bombard with requests the Web sites of the president, the prime minister, Parliament and other government agencies, Estonia’s biggest bank, and several national newspapers (Landler & Markoff, 2007). Members of the Kremlin-backed youth movement ‘Nashe’ later claimed responsibility for the attacks, which they described as an ‘adequate response’ intended to ‘teach the Estonian regime a lesson’ (Clover, 2009). The group of young Russians also emphasized that they acted on their own initiative, not on government orders.
While the description as the first cyber war remains controversial because nobody died or was wounded, the events in Estonia, nevertheless, demonstrate the devastating consequences of Internet-borne attacks. In reference to the events in Estonia, Suleyman Anil, the head of NATO’s incident response center, later warned attendees of the 2008 E-Crime Congress in London that “cyber defense is now mentioned at the highest level along with missile defense and energy security.” According to Anil, “we have seen more of these attacks and we don’t think this problem will disappear soon. Unless globally supported measures are taken, it can become a global problem” (Johnson, 2008, p. 1).
Today, the Internet has developed into a mission-critical entity for almost all parts of modern societies. Although warnings of the societal threat posed by cyber attacks on critical network infrastructures have been heralded since the 1980s, it is only in recent years that the problem has made it onto the radar of governments. Partly due to the experiences of Estonia and later in the conflict between Russia and Georgia, countries around the globe are now reassessing the security situation of their key information systems. They are enacting new security measures to better protect their critical network infrastructures, and they are increasing their readiness to respond to large-scale computer incidents (NCIRC, 2008). In the United States, security experts went as far as to warn against an ‘electronic Pearl Harbor,’ a ‘digital September 11,’ or a ‘cybergeddon’ (Stohl, 2006).
The implementation of effective countermeasures against hacking attacks is facilitated by the vast amount of knowledge already accumulated in numerous computer science research projects (cf. Chirillo, 2001; Curran, Morrisey, Fagan, Murphy, O'Donnell, & Firzpatrick, 2005; Erickson, 2008). Several studies conducted by computer scientists and computer engineers have closely examined the technical details of the various attack methods and have produced a significant body of information that can now be applied to help protect network infrastructures (Casey, 2004). Unfortunately, the guidance provided by these studies is limited to only the technical aspects of hacking attacks and, sharply contrasting from the substantial amount of knowledge already gathered about how the attacks are performed, answers to the questions of who the attackers are and why they engage in malicious hacking activities continue to remain largely speculative. Today, the persons committing the attacks remain mysterious, for the most part, and scientific information about them continues to be only fragmentary.
The present lack of information concerning the socio-demographic characteristics and the motives of cybercrime offenders can be attributed to a number of causes. One of the main reasons can be traced back to the unfortunate circumstance that, until recently, mainstream criminology has underestimated the potentially devastating societal impacts of cybercrimes and has diverted only limited attention to this relatively new type of criminal behavior (Jaishankar, 2007; Jewkes, 2006; Mann & Sutton, 1998). Cyber criminology is only now beginning to evolve as a distinct field of criminological research, and it has yet to overcome many methodological and theoretical problems that other areas of criminological research have already solved (Nhan & Bachmann, 2009; Yar, 2005, 2006).
A particular challenge for researchers in this young field of study arises from the various methodological obstacles entailed in the sampling of cyber criminals. As a result of these difficulties, available data sources are scarce, and quantitative studies are limited to surveys of cybercrime victims. At this point, only a few studies (Holt, 2007; Holt & Kilger, 2008; Mitnick & Simon, 2005; Schell, Dodge, with Moutsatsos, 2002; Taylor, 1999, 2000) and biographies (e.g. Mitnick, Simon, & Wozniak, 2002; Nuwere & Chanoff, 2003) exist that mostly examine individuals or smaller groups of hackers, their motivations, their preferences, and their hacking careers. While such studies are well suited to provide in-depth insights into the lives of a few individuals, many of them are less fit for generating generalizable information about the population of hackers, at large. Yet, just “like in traditional crimes, it’s important to try to understand what motivates these people to get involved in computer crimes in the first place, how they choose their targets and what keeps them in this deviant behavior after the first initial thrill” (Bednarz, 2004, p. 1). This comment, stated by Marcus Rogers, an associate professor at Purdue University and head of the cyber forensics research in the department of computer technology, accurately describes the task cyber criminologists have to accomplish.
The aim of the study presented in this chapter was to undertake this task and to begin filling the remaining gap in the criminological literature on hackers and the hacking community by providing quantifiable insights into the hacking underground. Such insights are needed to create a more profound understanding of the nature of the threat and a more complete assessment of the problem and its solutions. The identification of the reasons and motives for an attack helps to better identify the actors’ behaviors, to develop better countermeasures, and to foster investigative efforts to identify the individuals responsible for the attacks.