It’s not uncommon to see a hacker in a movie or a television show sitting in a dark basement, frantically typing as he or she simultaneously transfers money from the largest bank in the world, changes traffic lights from green to red to stop the good guys, raises the temperature on a nuclear core and turns off life support for a key character’s beloved family member — all in a 10-minute span. That’s quite a lot of skills for one person to possess and execute in such a short period.

What If I Told You Hoodies Are Passé?

Let’s put a pin in the potential time dilation and address the fact that the movie hacker is probably wearing a hoodie. In more extreme movies, hackers wear badass leather trench coats, don dark shades and have hip handles like “Cho$3n0ne.”

Recent reports show that 80 percent of cyberattacks are driven by organized crime. While there are still mischievous lone wolves, the evolution of malware into toolkits or even ransomware-as-a-service, as reported in the latest “IBM X-Force Threat Intelligence Quarterly,” means that collaboration is the new modus operandi for attacks on corporate networks. And although these groups are meeting online in the Dark Web, they are also showing up to an office, working on projects and maybe even sitting in a drab gray cubicle.

There Is No Spoon

Let’s get back to that time dilation point. There is every chance that attackers have spent their lives developing skills that enable them to write code that penetrates networks in all sorts of creative ways. Of course, attacks could also be executed by script kiddies with an exploit kit purchased off the Dark Web. What television and movies often get wrong, however, is the amount of time it takes to execute a complicated attack and get results.

On a good day, I can boot up my computer and log into all my corporate systems in the time it takes to brew a pot of coffee, doctor my cup with cream and sugar and wash the spoon. In that light, being able to affect a multitude of disconnected systems ranging from banking software to elderly SCADA systems in a 10-minute span is about as realistic as learning kung fu by uploading the skills directly to your brain.

Even if systems could be affected in near-instant time, the more successful attackers take their time to be stealthy and tiptoe through networks, leaving malware in place and undiscovered for up to 225 days, according to some sources. Imagine how many spoons you could wash while the malware lies dormant in your network!

The more data they can siphon out over that longer period, the more hackers maximize their return on investment in developing or buying the malware toolkit. As cybercrime rings are organizing and operating like businesses, the long game makes better business sense.

Download the Q3 2015 IBM X-Force Threat Intelligence Quarterly

Free Your Mind From Hacker Tropes

My favorite part about movies and television that use these “omnipotent hacker” tropes is that the hacker will often meet his downfall because he made a dumb mistake, like not obfuscating his IP address, either because he didn’t know how or simply forgot to do it. Perhaps his shades and coat are too tight and cut off circulation to his brain?

It’s time we stop focusing on “The One” and recognize “The Multitude.” The evolution of collaborative cybercrime necessitates collaborative defense, and as security practitioners and vendors, our skills and defenses can grow through tools like a threat intelligence sharing platform. Organizing and collaborating on threat intelligence akin to the collective hive mind that attackers use can help us dodge the bullet of targeted attacks.

More from Threat Research

Kronos Malware Reemerges with Increased Functionality

The Evolution of Kronos Malware The Kronos malware is believed to have originated from the leaked source code of the Zeus malware, which was sold on the Russian underground in 2011. Kronos continued to evolve and a new variant of Kronos emerged in 2014 and was reportedly sold on the darknet for approximately $7,000. Kronos is typically used to download other malware and has historically been used by threat actors to deliver different types of malware to victims. After remaining…

An IBM Hacker Breaks Down High-Profile Attacks

On September 19, 2022, an 18-year-old cyberattacker known as "teapotuberhacker" (aka TeaPot) allegedly breached the Slack messages of game developer Rockstar Games. Using this access, they pilfered over 90 videos of the upcoming Grand Theft Auto VI game. They then posted those videos on the fan website Gamers got an unsanctioned sneak peek of game footage, characters, plot points and other critical details. It was a game developer's worst nightmare. In addition, the malicious actor claimed responsibility for a…

Dissecting and Exploiting TCP/IP RCE Vulnerability “EvilESP”

September’s Patch Tuesday unveiled a critical remote vulnerability in tcpip.sys, CVE-2022-34718. The advisory from Microsoft reads: “An unauthenticated attacker could send a specially crafted IPv6 packet to a Windows node where IPsec is enabled, which could enable a remote code execution exploitation on that machine.” Pure remote vulnerabilities usually yield a lot of interest, but even over a month after the patch, no additional information outside of Microsoft’s advisory had been publicly published. From my side, it had been a…

Self-Checkout This Discord C2

This post was made possible through the contributions of James Kainth, Joseph Lozowski, and Philip Pedersen. In November 2022, during an incident investigation involving a self-checkout point-of-sale (POS) system in Europe, IBM Security X-Force identified a novel technique employed by an attacker to introduce a command and control (C2) channel built upon Discord channel messages. Discord is a chat, voice, and video service enabling users to join and create communities associated with their interests. While Discord and its related software…