
Computer users would be forgiven if they feel a bit these days like the barbarians are coming over the gate. Every week seems to bring the news of some new major hack bringing trusted systems to their knees and flooding the dark net with personal information (a nomenclature which sounds like it was invented to frighten elderly NCIS viewers).

If neither the power of the IRS nor the resources of Sony are enough to keep data safe, what hope do average users have?

Not a whole lot. In fact, according to CNN and the Ponemon Institute, roughly half of all U.S. adults have had their personal information exposed to identity thieves. If that paints a bleak picture, the truth about how this happens only makes matters worse. Massive data breaches have gotten more common and more ambitious, according to security experts, in part because the hackers themselves are operating on a grander scale.

It’s trite, if true, to observe that cybersecurity has changed in many ways since the Internet outgrew the computer lab. Back in those days the threats suited the size of their environment. IT directors battled low-level threats like malware and “script kiddies,” the derisive name for teenagers who download ready-made hacks and unleash them as a form of digital vandalism.

Today the stakes have gotten bigger and so have the threats. According to cybersecurity expert Steve Barone, founder and CEO of CBI Risk Management, modern hackers aren’t just skilled. They’re organized, well-funded and incorporated, often operating formally or with corporate clients. Interestingly, what their attack looks like depends a lot on where they live.

It turns out there’s a lot to the geography of a hack.

Russia/Former Soviet Union

In the former Eastern Bloc countries, Barone said, hackers operate in daylight, many of them even organized into legitimate corporations. Some of the companies exist to make their money by breaking into computers around the world, while for others this is a side operation. Yet regardless, it’s big business in the former Soviet Union.

Which means the mob is in.

The corporatization of hacks may be the most distinctive thing about Eastern Bloc attacks, and that big money approach suffuses everything that they do. Security experts often note this region for its surgical approach, launching targeted attacks against high profile individuals for big payouts.

A Russian hacking corporation may monitor its target patiently, sometimes for weeks or even months, to establish patterns of Internet usage. This lets them set up far more effective attacks, such as the “watering hole.” In this attack the hacker compromises a website the target is known to visit and plants malware there, which is delivered to visitors’ computers as a drive-by download, often without the site’s owners ever being the wiser.

In some hands, it’s a form of effectively broadcasting a virus, an indiscriminate attack on a user base. For many Eastern Bloc hackers, though, the watering hole is tailored to a single user, one who research has revealed will sooner or later visit that site. Targeting C-level executives, professors and other big-money victims, Eastern Bloc hacking corps take their time and go for the biggest payday possible.
China

Security experts describe China as almost the polar opposite of the former Soviet Union.

“China as an adversary: they’re very loud and clangy when they get into the networks,” said James Scott, a senior fellow with the Institute for Critical Infrastructure Technology. A contributor to the ICIT’s brief Know Your Enemies, a primer on geographic threat vectors in cybersecurity, Scott has studied regional signatures extensively. Much of it has to do, he explained, with local conditions and goals.

While the former Soviet hackers are big money players, and so more surgically pursue larger payouts, attacks from China are generally government orchestrated attempts to consume as much data as possible.

“They’re in panic right now [to catch up technologically],” he said. “They’re throwing sheer number as far as attacks and going after everything and anything from aerospace to academia to hospitals. They’re saying, ‘We’ll figure out a way to use it later, but go after everything before the U.S. and the West starts making cybersecurity and [digital] hygiene a part of their culture.’”

The result is a noisier threat vector, one less concerned with subtle, undetected intrusions than with exfiltrating as much data as possible. These hackers act with a brazenness similar to their Russian counterparts, since they often operate in the open as a branch of the Chinese government.

North Korea

North Korea resembles China in that its attacks are government sponsored, but two distinctions set it apart.

First, North Korean attacks lack the sophistication of those that come out of China. Calling them “script kiddies,” Scott said that the government relies on third parties to do the heavy lifting when it comes to technical sophistication. The country has a dedicated cyberwarfare agency, Bureau 121, but it likely suffers from the same crippled development in both material and human capital as the rest of the country.

Second, North Korean attacks are conducted as acts of warfare rather than as espionage or theft. As ICIT mentioned in their report, “North Korea uses cyber-warfare as a cost effective branch of their military. Many in North Korea see cyber-warfare as the strongest weapon.”

As a result, these attacks have in the past focused on targets with military and political value, including financial and media institutions. There is some dispute, however, about some of the attacks attributed to Pyongyang, most notably the Sony Pictures hack of 2014.

Southeast Asia/India

In Southeast Asia, a band of territory roughly stretching from Vietnam to India, hackers pursue fast capitalization, according to Scott. Lacking the resources or timetable of an Eastern European operation, attacks from this part of the world focus on quick fraud and low-key schemes.

A Southeast Asian hacker is more likely to be operating as a petty criminal than one of the corporate or government agents from elsewhere.

“The criminal element,” Scott said, “is looking for capitalization. That’s why ransomware is going to be big.”

This is a region that produces high-volume, low-stakes attacks such as fake antivirus software and ransomware, which encrypts a victim’s files and withholds the decryption key unless the victim pays, typically in bitcoin. As with much of the rest of the world, the profile here fits the circumstances. This band of countries has neither a malicious state actor nor the kind of cohesive resources that build the infrastructure seen elsewhere. Instead it’s more about individuals working in Internet cafes looking to make a relatively small amount of money.

The U.S.

The most targeted nation in the world, the U.S. has a wide variety of home-grown threats as well. Increasingly, one of the biggest concerns out of America is corporate espionage.

Given the effectiveness of U.S. law enforcement, hacker groups in America remain underground and can’t build the kind of overt institutions they can in other countries. That doesn’t mean they remain disorganized, however. Identifying one such group as “Butterfly Group/Morpho,” the ICIT wrote that they are “organized and efficient.”

“The emergence of the Butterfly group should remind organizations that corporate espionage groups and non-state sponsored APTs [Advanced Persistent Threats] still exist,” the ICIT said. “In fact, in certain aspects, they are more dangerous than state sponsored groups. Mercenary and espionage groups may possess specific knowledge of what information to steal or from what systems to steal data. This information may come from competitors or it may come from insider threats within the organization.”

Many American companies will pay good money for the kind of information that a hacker can steal, Scott said. Patent secrets, insider information stolen from law firms, strategy documents, all of this information is worth billions in the right hands, and it absolutely has a market here in the United States.

This isn’t an exhaustive list by any stretch of the imagination. It’s a series of profiles, and like any profile each is limited in both scope and precision. A hacker can work anywhere he’s got a laptop and a wireless connection, and many hackers in the regions above depart from these patterns. Out of China alone, for example, many private criminal operations have also been identified, such as the Elderwood Platform and the mercenary group Hidden Lynx.

Still, attacks cross borders freely. One of the remarkable things is how much geography seems to matter in the Internet’s borderless world.