Report: Mercenaries Behind APT Attacks

'Espionage as a Service' Offers Governments Deniability

By Mathew J. Schwartz, January 16, 2015.

An increasing number of sophisticated cyber-attacks are not being launched by governments - or their intelligence services - but rather by opportunistic mercenaries who sell whatever they can steal to the highest bidder, according to a new report. While their customers might include governments, they might just as well include a victim's business competitor.

The report from information security consultancy Taia Global examines the growth of "espionage-as-a-service" being offered by for-hire hacking groups. "These mercenary hacker groups range from small groups with little funding to specialty shops run by ex-government [employees], to highly financed criminal groups who use similar, if not identical, tactics to nation state actors," the report says. "That they are rarely discovered is due in part to their skill level and in part to being misidentified as a state actor instead of a non-state actor if they are discovered."

The practice of attribution - identifying the who, what, where, when, and why of an online attack - has made headlines in recent weeks, as a result of the FBI and National Security Agency both publicly stating that North Korea was behind the hack of Sony Pictures Entertainment, which involved devastating wiper malware being unleashed against the business on Nov. 24, 2014. Based on the scant evidence that has been published by the FBI, however, many information security experts continue to question that attribution.

Mercenary Backers: Sometimes Oligarchs

Attacks targeting financial data have often been ascribed to criminal groups, while attacks that target intellectual property have typically been classified as APT attacks and ascribed to a government, Jeffrey Carr, CEO of Taia Global, tells Information Security Media Group. But the time has come to acknowledge the rise in mercenary attacks, he says. "Their existence should force us to re-examine how we place the blame on a government, or how we place the blame on a hacker group, and if we can't, then we really need to question what we think we know, and how much of that is valid."

Carr says the likely backers - or at least clients - for mercenary groups may include Russian and Ukrainian oligarchs, Chinese millionaires - and billionaires - as well as Mexican cartels engaged in counter-espionage activity.

From a political standpoint, getting attack attribution right - or wrong - can have profound geopolitical implications. "What we're saying is that these hackers-for-hire have probably been misread and identified as government activities, versus mercenary activities," Carr says. "How much of what we have blamed on China, Russia, Israel or whoever, on their governments, is actually wrong? Who are we missing? Who are we misidentifying, amongst these groups, which in turn is driving really horrible government policy?"

Evidence Cited

The Taia Global report cites two cases as evidence of increased mercenary activity.

One case involves Su Bin, a Chinese businessman with residency in Canada. Bin, who is currently incarcerated while the Canadian government moves to strip him of his residency, was charged in an FBI complaint in June 2014 and indicted in August by a U.S. grand jury on five felony charges. Those include conspiracy to steal trade secrets and to illegally export defense articles related to the F-22 and F-35 fighter jets, as well as the C-17 transport aircraft.

According to Taia's report, Bin ran a mercenary group in which he acted as the subject matter expert and data broker, while two of his China-based co-conspirators - also indicted, but not named - handled network penetration and data theft. Bin's attack campaign began in 2010, the indictment says, and included his team stealing 630,000 digital files - totaling 65 gigabytes of data - on the C-17 alone.

Taia Global also cites a July 2014 report from the cybersecurity team at Airbus Defense and Space about an APT-style campaign run by a group of attackers, who appeared to be Chinese, that it dubbed Pitty Tiger. It said the group had attacked four targets, mostly based in Europe, which it declined to name, although it said there was one target from each of the defense, energy, telecommunications and Web development sectors.