Understanding the Threat Actor’s Motive to Better Detect the Breach

Corporate SecurityInformation Protection

According to Carbon Black’s Global Threat Report, 88% of global businesses reported suffering a data breach in the past 12 months. Among these businesses, 81% believe that these attacks have grown more sophisticated. With the increased complexity in cyberattacks and the various motivations that exist across different industries, security teams need to take a more comprehensive approach rather than relying on a one size fits all strategy. In order to detect a breach and uncover where the data is being exposed or sold online more efficiently, security teams need to better understand the threat actor’s motivation behind the attack.

Understanding the Motive

In 2018, 71% of data breaches were financially motivated and 25% were motivated by espionage. Although this gives security teams a high-level overview of what to expect, it is important to be aware of the variety of motives that typically exist across different verticals. The motivation of the hacker is often dependent on the industry as hackers can exploit different vulnerabilities, gather unique data, and sell or expose the information across different mediums.

Figure 1: Threat actor motives by industry according to Verizon’s 2019 Data Breach Investigations Report

Financial Motivation

While it is a common misconception that financially motivated attacks exist primarily within the financial and insurance industry, this type of motivation is not exclusive to this vertical. In fact, 100% of breaches in the accommodation and food services industry and 97% in the retail industry were financially motivated, compared to 88% within the financial and insurance sectors.

When a data breach is financially motivated, the hacker is generally after the PII of customers and employees, with the main focus being financial information. Once this data is accessed, the hacker will use stolen credit cards to make purchases, sell the data online, or demand a ransom be paid from the company. Regardless of their strategy, hackers that are financially motivated are after one thing and one thing only – money.

In order to detect breaches that are financially motivated, security teams should have the tools in place to safely and anonymously search the Dark Web. Dark Web marketplaces are often where stolen information, such as credit card numbers end up for sale. With additional safeguards in place, security teams will be able to search these marketplaces without the associated risks of being on the Dark Web.

Cyber Espionage

Cyber espionage, also known as cyber spying, involves the theft of classified, sensitive, or intellectual property to gain a competitive advantage. While many espionage cases are concerned with government entities and political motivations, espionage attacks also exist in the corporate world.

According to Figure 1, espionage was found most prominently in the manufacturing sector, with 27% of data breaches being motivated by espionage. Espionage attacks date as far back as when commerce was first created and still exist in today’s threat landscape.

One of the most notable corporate espionage cases involved the popular razor company, Gillette. In 1997, Gillette insider Steven Louis Davis faxed the drawings of a new design to Gillette’s competitors Warner-Lambert, Bic, and American Safety Razor. Although Davis admitted he was maliciously motivated and was convicted and sentenced to 27 months in prison, there were still irreversible damages done. Not only would Gillette lose their competitive advantage over the release of their new design, they would also suffer monetary losses and damage to their brand reputation as their competitors could use their new design and try to convert consumers to their brand’s product.


On the other end of the spectrum, there are some hackers who perform data breaches simply for their own entertainment. While these threat actors might still benefit from financial gain and a competitive advantage through espionage, their main motivation is the satisfaction of successfully hacking into the system.

Incorporating a more enhanced threat intelligence strategy into your security framework will better help your security team detect hackers who are performing breaches for fun. These hackers will often seek out support and praise from their online communities, making forums and social media platforms the best place to locate the information you need.

An example of this is the Capital One data breach that occurred on March 22-23, affecting more than 100 million people in the U.S. and 6 million people in Canada. Paige Thompson, using the online alias “erratic” hacked into the system and later posted about the breach on Meetup, an online app to connect people for activities and events. As shown in Figure 2, Thompson had successfully accessed the system and was looking to get rid of the data, stating “I just don’t want it around.” This implies that her primary goal was to hack into the system, rather than to benefit from financial gain or espionage.

Figure 2: Capital One hacker, Paige Thompson (erratic), posting about breach on Meetup, online app to connect people for activities and events.

The security team was then able to investigate Paige Thompson further to make connections between her online alias. The investigators were able to discover Thompson’s Twitter account under the same alias that was used on Meetup. This allowed the security team to paint a more clear picture of Thompson and understand her motivations further. Figure 3 displays one of Thompson’s tweets stating that she was, “going to check into the mental hospital for an indefinite amount of time” once this was over. This helped to create a more enhanced psychographic profile to aid in the investigation and provide further evidence to prove Thomspon was behind the hack.

Figure 3: Tweet from Capital One hacker allowing security team to paint a more accurate picture.

Better Threat Intelligence with Media Sonar

Media Sonar allows security teams to safely search the Surface, Deep, and Dark Web to better detect threats from internal, external, and partner threat actors. With safe and anonymous coverage of the Dark Web, security teams can search Dark Web marketplaces where intentions of attacks are shared and stolen data is exposed or sold.
Media Sonar also offers extensive coverage of discussion sites that facilitate conversations between hackers and their online communities as well as social networking sites where threat actors will go to share their actions and intentions.

See Media Sonar in Action

Harness the unique insights only available from Web Intelligence & Investigation to better protect your corporate brand and assets.
Previous Post
Impact of Brand Impersonation Attacks on Your Brand
Next Post
Bad Actors on Discord

Become a Media Sonar Insider

Become a Media Sonar Insider

Please fill in a few details & we'll add you to our communications list.

Looking For More Content?