Do some firms “deserve” to get hacked?

COVID-19 has had a significant impact on a great many of that which we hold dear. The fractious nature of events during 2020 has also significantly raised the prospect of organizations doing wrong by us in some way shape or form. We may be an employee who has been unfairly laid off or a customer who has not received the service (or refund) that we feel we deserve. Maybe we’re simply a general observer who feels an organization has behaved incorrectly towards society in some way.

This potential for having people who feel scorned by us in some way is important, as researchers have shown that we respond differently when we feel we’ve been wronged in some way. A study from a few years ago explored what the researchers refer to as the “immutable law of the ex.” The research, which was conducted in a sporting context, found that players would often reserve their best performances for when they played former teams.

The analysis of several hundred football matches from the English Premier League found that players were especially motivated to perform well against former teams when they were angry at a perceived slight against them.

When the players were determined to punish their former team, their performance levels rose significantly.

The researchers highlight how in a commercial setting, such revenge could take many forms, from bad-mouthing your former employer to revealing trade secrets. So what might this have to do with cybersecurity, you ask? New research from the University of Kent shows that when people are unhappy with an organization, they tend to legitimize cyberattacks against that organization.

Justifying attacks

The research highlights how people were likely to experience anger when an organization ignored the pursuit of justice on their behalf. Indeed, anger would also rise if people felt that their demands were being ignored. While these people would not actively participate in cybercrime against this organization themselves, they would nonetheless justify the attacks as a manifestation of their anger towards that organization.

The researchers argue that their findings are crucial given the heightened risk of cyberattacks on organizations throughout the COVID-19 crisis. Especially so given the increased potential for organizations to do wrong by people during such an uncertain time and unpredictable time.

Participants in the research were given a number of fictional scenarios, each of which contained some form of unfair treatment from authorities whereby complaints were either pursued or dismissed. They were then told that hackers had broken into the websites of each offending organization and defaced them. Last, but not least, the participants were asked to say how much they supported the actions of the hackers.

The results reveal that people overwhelmingly supported the hackers’ actions when they were regarded as a way to get back at organizations and systems that people felt were not responsive to their own demands or concerns.

Suffice to say, the “hacking” in question was something as relatively harmless as the defacement of an organization’s website, so there are perhaps different levels of “redemption” that people are happy for organizations to suffer or not suffer as a result of their supposedly poor behavior. It’s not clear, for instance, whether people would be happy for organizations who have slighted them in some way to suffer from a ransomware attack.

“When individuals perceive a system as unjust, they are motivated to participate in political protest and collective action to promote social change,” the researchers nonetheless explain. “However, if they believe they will not have a voice, they will legitimize groups and individuals who disrupt the system on their behalf.”

Revenge hacks

The potential for such “revenge attacks” was emphasized all too clearly earlier this year when hackers broke into the servers of a cybersecurity firm and stole data from over 8,000 databases. The attack was made against the data leak monitoring firm DataViper, with the attacker believed to have spent a few months inside the company’s servers pilfering data.

As the saga unfolded, it was suggested that the alleged attack on Night Lion Security, who runs DataViper, was a revenge attack on Vinny Troia, the noted cybersecurity researcher who runs the company.

Troia alleged that the attack was timed to undermine his reputation prior to a talk he gave at the SecureWorld conference, where he outlined not only the activities of the attackers but also their supposed real-world identities.

"When people think they are above the law, they get sloppy,” Troia said. “So much so they forget to look at their own historical mistakes. I literally detailed an entire scenario in my book where I allowed them to gain access to my web server in order to get their IPs.”

While this alleged attack has more than an element of soap opera about it, the potential not only for COVID-19 to produce a large number of “slighted” individuals willing to do our organizations harm, but also a public that may be less willing to sympathize with those attacked should be cause for concern for cybersecurity staff the world over.