The identity of a hacker may be one of the most uncertain questions that faces the cybersecurity industry when reporting on the intent or motivations of an attacker. The motives and character of the hacker are built with conjecture, supposition, and guess-work quite often. Imagination is often left to fill in the gaps left by a lack of concrete evidence, and the imagination of the analyst is influenced by their experiences of past attacks and maybe even pop culture representations of “the hacker.” Rarely is the question of character, that very literary quality, factored into decisions relating to such important issues as intellectual property theft, national defense, criminal money laundering, and disinformation, all of which are occurring on the international stage. Yet pop culture representations of the hacker are beginning to accurately describe this multifaceted reality and may even serve as a model for the defense of online systems.

The hacker character is a cliché to be sure, but the motives and intentions of the hacker also have the potential to shape global affairs. We know some of these hacker crews with familiar Advanced Persistent Threats (APT) identifications. APT crews are used by the United States to collect the markers of particular “threat actors.”³ Working for the Russian Federation’s main intelligence agency known as the GRU (Glavnoye Razvedyvatel’noye Upravleniye), APT 28, otherwise known as “Fancy Bear,” is understood to be responsible for a range of attacks including, but not limited to, those against the German and French elections in 2016 and 2017, and the World Anti-doping Agency hack in 2016.⁴ APT 29, otherwise known as “Cosy Bear,” is also among the more famous APT crews and represents a highly sophisticated cyberespionage group working for the Russian Federation’s foreign intelligence agency known as the SVR (Sluzhba Vneshney Razvedki).⁵ Based on many years of analysis, the US security firm CrowdStrike was able to determine that both Fancy Bear and Cozy Bear were involved in the hack on the Democratic National Committee servers, which were later dumped on WikiLeaks ahead of the 2016 election.⁶ There are similar threat actors working globally in China, North Korea, Iran, and the United States, many of which with an APT identification through laborious reporting and attribution practices. At present, attribution of attackers is an under-theorized and under-researched area in cybersecurity. Florian Egloff suggests that there is a dual process of “sense-making” that then follows closely on “meaning-making” about the nature, scope, and purpose of an attack that emerges from attributing the attacker or attackers.⁷ The attribution of activities is so uncertain because there is often very little actual evidence remaining after a successful attack. Worse still, attackers often intentionally muddy the waters with false attributions or claims on behalf of another country, and there may be many motivations that might only be understood long after an attack. Uncertainty and unreliability are tools for an attacker and leave analysts in a position similar to a reader of fiction, drawing conclusions from glimmers of evidence without direct access to the intentions of an author.

In 2003, Dave Aucsmith, Brendan Dixon, and Robin Martin-Emerson at Microsoft developed threat personas that were designed to capture many of the typical motivations for potential attackers and adds important information to an institutional “threat model.”⁸ Developing a threat model accounts for all users of a system, including hostile users intent on stealing, disrupting, or damaging your systems. A good threat model should help developers build more secure systems by designing software systems with security in mind from the beginning; this integration of development, security, and operation (DevSecOps) will allow for simpler mitigation and recovery steps. At first blush, we might want to start this security-focused design process by “thinking like an attacker,” but it is likely impossible to account for the evolving motivations of all threat actors, regardless of their sophistication.⁹ Thinking like a hacker is a futile speculative exercise, so resources are perhaps best spent actually attacking one’s own system. These “white hat” hackers are condoned by a target in the hopes of improving security by finding weakness by attacking it.¹⁰ A penetration test of this kind can expose more information about potential attackers by reverse engineering their methods in advance. Cybersecurity analysis, like close reading a book, requires the careful description of events that seeks to transform implicit meaning into explicit understanding and insight. It may then be possible to better anticipate vulnerabilities with an integrated understanding of the social, historical, and cultural contexts in which a threat actor operates.

The characters and attitudes defined in the cyberpunk genre can help explain some of the attitudes held by threat actors because the genre represents a shared cultural background regardless of country or even language. The cultures of the communities that support open source tooling, operating systems, and programming languages are another bridge point between opposing APTs. A North Korean hacker will need access to documentation and message boards to steal, for example, cryptocurrency or run a ransomware campaign, which is an important part of their operations at present.¹¹ Could it be possible that the individuals responsible for these attacks are also consuming Western attitudes and ideas as they deploy their attacks? Could a contest of ideologies be occurring through this cultural backdoor of message boards, documentation, and science fiction? The evidence of social engineering to initiate their attack chain suggests that some cultural overlap is possible, even necessary for any hacking to happen.

Let’s pick an example that is typical of these security reports: In a white paper published by ESET, an internet security company, looking into infiltration of European military contractors on LinkedIn, it is possible to see how the Lazarus group (APT 37 and 38) sought to appear Western by mimicking imagined Western ideology.¹² The attack chain begins with a simple social engineering message in LinkedIn offering a high-paying position in a well-known company from a fake account, impersonating a HR manager. The initial message reads, “Dear Sir, Collins Aerospace is a global aerospace and defense company” and includes a link to the legitimate site; the fake account goes on by saying, “I saw your profile in LinkedIn and then I like your enthusiasm. We welcome elites like you. I want you to work in our company. I should be very grateful if you would accept my request. Contact us.”¹³ After a brief back and forth on LinkedIn’s messaging service, the attacker sends a job offer as a pdf. The pdf, in this attack, was a renamed RAR archive containing a link to the job offer, which is opened by the Command Prompt. The Command Prompt delivers a pdf decoy to the target, while also copying malware on the target machine and scheduling its activation. Because the target employee already works in the aerospace industry, these messages are expected from time to time and allow for high value data gathering, exfiltration of corporate secrets, and lateral movement into corporate networks. Once an attacker has a target’s attention, they can then expand to more sophisticated a custom remote backdoor, a custom version of Powershell, and playload droppers. ESET attributes the attack to North Korean Lazarus Group based on a first-stage malware file called “NukeSped.FX.”¹⁴ The ability to credibly impersonate Westerners—with an understanding of the employment market, social media, and desirable targets—means that an attacker must work to understand their target as completely as possible. An attack begins with empathy and understanding only to weaponize the trust of a target. There is always something inspired about an interesting hack. The initial target has several hallmarks of the cyberpunk hackers, which is surprising considering the attack originated in all likelihood from a state that is distinctly separate from Western influence. The attacker knowingly attacks corporate “elites.” They mock the “enthusiasm” Western employees must demonstrate to climb a corporate ladder, which must surely appear absurd to those working on behalf of dynastic North Korean dictatorship.

Cyberpunk-styled hackers have appeared as equal part counter-culture iconoclast, genius programmer, and cyberspace prophet, which might complement North Korean ideology is strange ways. In Brunner’s The Shockwave Rider, Nick Haflinger escapes from Tarnover corporate re-education, where he is sought for his ability to phreak phone lines with skills akin to a musical prodigy.¹⁵ Brunner was able to warn, Cassandra-like in 1975, “don’t dismiss the computer as a new type of fetters.”¹⁶ Maybe North Korean hackers feel similarly? Case, from Gibson’s Neuromancer, floats on the margins of society working to repair his body. Pat Cadigan’s Gina, in “Rock on” and Synners, is a synthesizer of experience who delivers virtual pornography and peak experiences through her cranial jacks; Gina’s abuse becomes a reflection of those who abuse her, as she struggles to survive. These hackers are victims of societal injustice. They each resist the ways technologies exacerbate problems like the corporate takeover of civil society or government surveillance. The marginalization of individuals by criminal organizations and the indifference of government agencies is surprisingly generalizable, and the exploitation of the mind through cyberspace as a resource is perhaps enticing to many. The hacker-style resistance to power, or the desire to wield it, can be mapped to a North Korean state-sponsored attacker if they are resisting Western technologies, corporations, and democratic society.

These fictional hacker characters share a similar quality with Aucsmith’s threat personas: hacker characters are proud of their unique abilities and revel in their unlauded exploits. The hacker character may be justified in having an inflated ego due to their proficiency. Their lack of compensation further justifies their resentment for their adversaries and the vulnerabilities their adversaries so ignorantly fail to defend against. There is a kind of competitive brinkmanship in just proving it can be done. Paired with this sense of pride is also a sense of righteousness in committing illegal acts. Often, these fictional hackers have legitimate grievances that justify hacking into computer systems that support unjust systems of power. The ha...