A cyber criminal is a cyber criminal. Any person or group of people who use legitimate programs or malicious code for nefarious purposes is a hacker, and is breaking any number of laws.
However, beyond this commonality, there are different calibers of cyber crime. To an extent, this is obvious in the implications of certain attacks over others. For instance, the breach of the Office of Personnel Management is far more severe than, say, a phishing scam against a Facebook user that posts advertisements to his or her page without permission. Much as in the physical world, it's important to classify cyber attacks based on their severity.
But at what point does cyber crime become cyber terrorism? This is the question that Trend Micro posed in its recent report, "Dark Motives Online: An Analysis of Overlapping Technologies Used by Cybercriminals and Terrorist Organizations."
Let's start with the overlap
There are very clear differences in how cyber criminals and terrorists behave, but first, let's take a look at some of the similarities between the two. According to Trend Micro, cyber criminals and terrorists both have the need to maintain anonymity on the Web for obvious reasons. This isn't surprising, seeing as both of these parties are law breakers. As a result, they will tend to abuse tools that have been developed for legitimate purposes.
"Both groups are known to abuse tools and services that have been developed to help those who have a legitimate reason to hide their identities (such as journalists, whistleblowers, and activists)," Trend Micro wrote. "Some examples of these tools include anonymizing programs such as TOR, and certain encryption tools found in the Deep Web."
It's important to understand that these tools were made for real-life use cases. Misusing them would be in the same vein as using cameras on smartphones to stealthily take pictures of a person's credit card at a restaurant. It's not the camera that's the problem – it's the dark motives of the thief.
Another example of a useful tool that is abused by cyber criminals and terrorists alike is secure email services, which both use in an attempt to communicate via secure channels. Social media is another common communication tool used by both parties. Trend Micro noted that in Brazil, where law enforcement is only recently being taken to task in their fight against cyber crime, some hackers will actually brag about their exploits on social media.
Also on the list of tools that cyber criminals and terrorists will use are file-sharing and hosting services, instant messaging and, interestingly, distributed denial-of-service (DDoS) attack mitigation tools. Legitimate organizations in a wide variety of industries rely on DDoS mitigation tools to create "a working mirror for websites that are either experiencing heavy traffic or being subjected to denial of service attacks," according to Trend Micro. Criminals abuse this tool to mask the actual hosted IP address of a certain website.
Same tools, different motives
Just because cyber criminals and terrorists use many of the same legitimate tools for their dark bidding doesn't mean that cyber security experts and law enforcement can't tell them apart.
Trend Micro noted that the nature of communication that occurs over these portals is a dead giveaway. Even if, for example, the parties communicating were using code words, if the purpose of the digital liaison appears to be haggling on prices, or sharing of malicious code, it's more likely to be the work of cyber criminals. However, if the communication is more abundant, has more parties involved and appears to be geared toward planning events, meetups or getting messages out to the public, there's a stronger chance that the communication is part of a terrorist organization.
Another case-in-point example is the aforementioned DDoS mitigation tools. Hackers might use these tools to hide the source of websites used to buy and sell exploit kits, stolen data and other cyber-crime related contraband. Terrorists, on the other hand, would use this tool as a way to launch propaganda websites and blogs, and subsequently hide the hosted IP.
Propaganda: The tell-tale marker of terrorists
This is a perfect lead-in to one of the most glaring differences between terrorists and the garden-variety hacker: The former is typically trying to spread propaganda, whereas the latter is usually on a quest to make money through any number of cyber schemes.
There are cases where the profiles of the black hat hacker and the terrorist become blurred. For example, larger-scale, organized hacking groups might demand a greater level of coordination in their use of messaging tools. However, with the rare exception of high-profile, self-proclaimed hacktivist groups like Anonymous, hackers have virtually nothing to gain from open propaganda. That's the territory of terrorists.
An example of how terrorists use the Dark Web occurred only hours after the attacks in Paris late last year. According to Security Affairs contributor Pierluigi Paganini, a massive ISIS propaganda hub sprang up in the Dark Web shortly after the attacks. Paganini noted that applications buried deep in the Web include social media, forums, gaming platforms, instant messaging apps and more, all of which were being utilized with a single purpose, which was to spread terrorist propaganda. This is the sort of activity that hackers who are trying to steal software licenses, purchase login credentials or sell stolen personally identifiable information (PII) would have no reason to partake in.
Beyond propaganda, Trend Micro researchers noted that many terrorist organizations have created their own applications for encrypting data, widely dispersing information and enabling secure instant communication, as well as DDoS tools and more. Many of these tools have been identified by name, and chances are, anyone using them will be assumed to be in some way affiliated with a terrorist organization.
The reason highlighting these differences is so important is that it helps law enforcement agencies and counter-terrorism task forces home in on their targets. At the end of the day hackers are criminals, but they're criminals of a different caliber than terrorists. They might go to jail if they are caught, but they are rarely, if ever, as far-reaching or as threatening to public safety. The ability to distinguish between the two is therefore essential.
While cyber criminals and terrorists do share certain tendencies in their online misdeeds, there are very clear distinctions between how the two behave. Knowing the difference can help experts determine which cyber threats are cause for concern to the privacy and financial security of Internet users, and which are a danger to national security.