Once upon a time, the most notorious hackers out there were individual actors, and if you didn’t know their true name, at least you had some clever handle that made it easy to identify them when they wanted to take credit for something. A hacker calling themselves Solo or the Iceman is an adversary you can really visualize. Even when hackers teamed up in the past, they would give their group a cool nickname: Lizard Squad, TeslaTeam, or the Cult of the Dead Cow.
These days, most of the really dangerous threats do their best to stay under the radar. They don’t want to give you a handle to work with, and they sure hope you never learn their real name. And few of them work alone: teams of cybercriminals now connect remotely through darknet backchannels, and sometimes even file into unmarked office buildings in the suburbs as if hacking were a 9 to 5 job.
These groups still leave fingerprints on their work, but their interactions are less personal. We haven’t seen intense rivalries of the sort between Cliff Stoll and Markus Hess, or between Kevin Mitnick and Tsutomu Shimomura, in decades. Instead, shadowy traces of common tools, coding habits, and targeting information lead security researchers to label the most sophisticated attackers with a common moniker that is more accurate in its description than it is clever: advanced persistent threats, or APTs.
Identified slowly and hesitantly, APTs are the next frontier for dangerous cybersecurity adversaries. It could be argued that the most dangerous ones are those we have yet to identify.
Here are the top 5 most dangerous cybersecurity adversaries, from yesterday and today… at least the most dangerous that we know of.
Vladimir Levin
Levin’s story is shrouded in mystery despite having occurred more than two decades ago. In one of the first major financial cybercrimes, the St. Petersburg resident cracked the accounts of several major corporate customers at Citibank through their dial-up wire transfer service. Cutting edge for its day, the service had a number of flaws, several of which remain undisclosed even 20 years later.
Levin was able to take advantage of those flaws to obtain credentials for a number of customer accounts, and because the bank did not make use of multi-factor authentication for wire transfers, he could then simply dial into the system and send money anywhere he wanted. That included accounts in Finland, the Netherlands, Germany, and Israel.
To recover the cash from the accounts, Levin used accomplices in Tel Aviv, Rotterdam, and San Francisco, and this is where he was tripped up—Citibank had spotted the bogus transfers and monitored the destination accounts. His accomplices were arrested when they attempted to withdraw the money.
Because Russia refused to extradite him, Levin appeared to escape punishment initially. Then he made the mistake of taking an intercontinental flight that had a stopover in London. Under existing agreements, officers from Scotland Yard apprehended him and extradited him to the United States for trial. He pleaded guilty and was sentenced to three years in jail and had to pay around $240,000 in restitution. Citibank recovered all but $400,000 of the money.
The twist to Levin’s case came almost a decade later, when an anonymous poster on a Russian website claimed that he was the original hacker, and Levin had simply bought credentials off him and made the transfers.
Was Levin really one of the most dangerous hackers of all time, then? Or just a lucky thief with skilled friends? He has never been willing to say. Cybersecurity professionals are still debating the incident.
Gary McKinnon
McKinnon’s place on the list is secured through less nefarious deeds than most of the others. Although there’s no question that the Scottish programmer and system administrator is a gifted and accomplished hacker, his motivations don’t immediately strike anyone as very threatening: most of his exploits were launched in a vain effort to obtain evidence of UFO activity and alien technologies he believed were being hidden by the American government.
But his activities in pursuit of those alleged truths were sobering: McKinnon was able to penetrate security systems on 97 different U.S. military and NASA computers in a 13-month period, in one case deleting critical files that completely shut down the Army’s Washington D.C. network for 24 hours. In the wake of the September 11 attacks, he broke into and deleted weapons logs at the Earle Naval Weapons Station, throwing the Navy’s Atlantic Fleet into confusion even as it was mobilizing defenses.
For all that, McKinnon proved relatively easy to track down. U.K. authorities interviewed him and confiscated his computers on behalf of their U.S. counterparts in March 2002.
But a spat over jurisdiction and punishment led the prime minister to quash a request for McKinnon’s extradition to face charges in the United States, and he remains free today… and a threat cybersecurity professionals have to account for.
Tailored Access Operations
The National Security Agency’s Office of Tailored Access Operations (TAO) is unique among advanced persistent threats since it more or less openly acknowledges itself as such. The head of the group has even given public presentations. And since it is an American agency, most American cybersecurity professionals might not rate the group as much of a threat.
But government interests don’t always align with corporate or private interests, and multinational corporations that happen to be based in America have no guarantees that the shadowy team behind such successful operations as Stuxnet won’t come for their foreign holdings with equally icy precision and effectiveness.
TAO is particularly feared globally because of the significant computing and analytical resources available through the NSA. Since most cybersecurity is rooted in encryption, having the most formidable codebreakers in the world on its team makes TAO an unusually dangerous threat.
PLA Unit 61389
PLA 61389 might look like a random bit of technical gibberish, but in fact it’s a military unit cover designator for a team of hackers thought to be run by China’s People’s Liberation Army (PLA).
PLA 61389 was the group that launched the entire APT labeling scheme, being designated APT-1 long before cybersecurity researchers had identified it with anything more specific than the fact that it was located somewhere in China. But a series of attacks from 2006 onward against American computer manufacturers, defense contractors, and military targets made the geo-strategic nature of the group clear.
There is further evidence that the group may have been operating as early as 2002, seeding targets with malware that reports back to Beijing. The unit is suspected of being behind Operation Shady RAT, a five-year espionage campaign that resulted in successful compromises of American defense contractors, the United Nations, and government agencies in Taiwan and Vietnam. The penchant for using remote access tools (RATs) gave the operation its name and served as a key identifier of the group behind it.
Kevin Mitnick
If there is a name that is synonymous with “hacker,” it is certainly Kevin Mitnick. It seemed like the Van Nuys native was born into the role, getting an early start by hacking the Los Angeles bus system to ride for free at the age of thirteen through a combination of social engineering and dumpster diving. By the age of 16, he was into DEC’s proprietary development computers and the Pacific Bell system, all before the Internet had really gotten off the ground.
He got caught and was sentenced to a year in prison in one of the first major computer hacking prosecutions. But shortly after his release, he was at it again, and when further warrants were issued, he became a fugitive. Hacking cell phone networks and major computer makers while on the road, he escaped justice until FBI agents tracked him down in North Carolina in 1995, after which he served another five years in prison. Eight months of that was spent in solitary confinement because prosecutors convinced the judge that he could potentially start a nuclear war by whistling certain codes into a telephone.
Such superpowers were not within his or anyone’s repertoire, but the thing about Mitnick was that he just never gave up. His technical skills were adequate at best, but his social engineering was second to none. He claims that all of his compromises were the result of exploiting weak passwords or obtaining codes through deception.
Unlike most of the names on this list, Mitnick’s story has a happy ending. Many in today’s cybersecurity community feel that he was punished excessively for no other reason than to make an example of him. His career after prison has been on the white hat side of the cybersecurity fence, consulting with the FBI and Fortune 500 firms to harden their cybersecurity defenses.