Motivations Behind Cyber Attacks (Part 3) (Domain 2)
In this episode, we are wrapping up our series on threat actor motivations by focusing on three powerful and often destructive drivers behind cyberattacks: revenge, disruption and chaos, and cyber warfare. These motivations may be less predictable than profit or ideology, but they are no less dangerous. Each one brings a different set of risks, tactics, and responses that security professionals must understand and prepare for.
We begin with revenge. Revenge-motivated attacks are personal. These incidents are often driven by former employees, disgruntled contractors, or individuals who feel wronged by an organization. Their goal is not always to steal data or make money. Instead, they want to damage reputations, disrupt operations, or cause embarrassment as payback for a perceived injustice.
These attacks may involve insider knowledge, since the attacker often knows the systems and processes of the target. They may delete critical files, tamper with backups, expose internal documents, or use administrative access to sabotage services.
Indicators of revenge-motivated behavior include sudden changes in employee attitude, unusual access patterns before resignation, or attempts to bypass normal approval processes. Preventive measures include disabling accounts immediately after termination, reviewing logs for suspicious behavior, and limiting access to sensitive systems based on role and need.
One real-world example involved a system administrator who was fired but retained access credentials. In retaliation, he remotely accessed the network days later and deleted hundreds of virtual servers, causing widespread outages. The company was forced to rebuild its infrastructure from backups, and the attacker was later prosecuted. This case highlights how personal motivation can lead to large-scale damage, especially when access control is not enforced promptly.
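The log review described above can be automated by comparing an HR offboarding feed against authentication and audit events. The following is an added example, not part of the original episode; the account names, log format, and action names such as vm.delete are constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone

# Constructed HR offboarding feed: account -> termination time (UTC).
TERMINATIONS = {
    "jdoe": datetime(2024, 3, 1, 17, 0, tzinfo=timezone.utc),
    "asmith": datetime(2024, 3, 4, 12, 0, tzinfo=timezone.utc),
}

# Constructed audit log, one event per line: timestamp,user,source,action,result
AUDIT_LOG = """\
2024-03-01T09:12:00Z,jdoe,10.0.4.21,login,success
2024-03-01T16:40:00Z,jdoe,10.0.4.21,backup.export,success
2024-03-04T23:05:00Z,jdoe,vpn,login,success
2024-03-04T23:09:00Z,jdoe,vpn,vm.delete,success
2024-03-04T23:10:00Z,jdoe,vpn,vm.delete,success
2024-03-05T08:00:00Z,asmith,vpn,login,failure
2024-03-05T08:30:00Z,bnguyen,10.0.4.30,login,success
"""

def parse_events(text):
    """Yield (timestamp, user, source, action, result) from the CSV log."""
    for ts, user, source, action, result in csv.reader(io.StringIO(text)):
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield when, user, source, action, result

def post_termination_findings(terminations, log_text):
    """Summarise, per terminated account, any activity after termination."""
    findings = defaultdict(lambda: {"events": 0, "successes": 0, "first_seen": None})
    for when, user, _source, _action, result in parse_events(log_text):
        cutoff = terminations.get(user)
        if cutoff is None or when <= cutoff:
            continue  # active employee, or activity before offboarding
        f = findings[user]
        f["events"] += 1
        f["successes"] += result == "success"
        f["first_seen"] = min(f["first_seen"] or when, when)
    for user, f in findings.items():
        f["days_after"] = (f["first_seen"] - terminations[user]).days
        # A success means the account was never disabled; a failure means
        # someone is still trying a credential that should be dead.
        f["severity"] = "critical" if f["successes"] else "review"
    return dict(findings)
```

Against the constructed log, the jdoe account is flagged as critical because it authenticated successfully three days after termination, while asmith is flagged for review because only a failed attempt was seen.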
Next, let’s look at disruption and chaos. These motivations are less about personal revenge and more about creating disorder. The goal is to interrupt normal operations, cause confusion, or overwhelm a target’s resources. These attacks are often random, politically neutral, and launched by actors who are interested in making a point or causing general instability.
Tactics used in disruption-focused attacks include mass defacements, distributed denial of service campaigns, destructive malware, or coordinated botnets that attack multiple targets at once. These attacks may not steal data or demand ransom. Instead, they create noise, confusion, and public visibility.
Targets are often chosen for symbolic reasons or because they represent a large user base. Government websites, public utilities, news agencies, and corporate brands are common victims. Disruptive attacks may be triggered by world events, cultural controversies, or coordinated campaigns on social media.
Historical examples include attacks that took down entire sections of the internet through domain name service providers. In one such case, attackers used a massive botnet made up of Internet of Things devices to launch a distributed denial of service attack against a major provider. The result was that major websites became unreachable for hours, including retailers, streaming services, and social platforms. Though no data was stolen, the financial and operational impact was significant.
Finally, we turn to one of the most serious motivations: war. Cyber warfare involves attacks carried out by or on behalf of nations to achieve military or political objectives. These attacks often target critical infrastructure such as power grids, water systems, transportation networks, or communication services.
Cyber warfare is different from other forms of cybercrime in that it is usually part of a broader strategy. It may be used to weaken an enemy’s defenses, disable their capabilities, or cause public panic during a conflict. These attacks may also serve as reconnaissance missions, identifying vulnerabilities in case they need to be exploited later.
Examples of cyber warfare include large-scale attacks on energy sectors, election systems, or defense contractors. In one highly publicized case, malware was used to physically damage equipment at a nuclear facility, slowing down a nation’s development efforts. In another case, coordinated attacks on a country’s power grid caused widespread blackouts, affecting millions of people and disrupting daily life.
The impact of cyber warfare is not limited to military operations. Hospitals, financial systems, and supply chains may also be affected. The consequences can be both immediate and long-term, affecting national security, economic stability, and public trust.
Defensive responses to cyber warfare include international cooperation, threat intelligence sharing, and investment in national cyber defense capabilities. Countries now have dedicated cyber commands, incident response teams, and legal frameworks to guide operations in cyberspace. In addition to technical defenses, there is a growing emphasis on public awareness and private sector involvement, since many infrastructure systems are owned and operated by commercial entities.
As you prepare for the Security+ exam, remember that threat actors are driven by more than just profit. Some are motivated by personal revenge. Others by a desire to cause chaos. And some are engaged in full-scale cyber conflict as a form of warfare. You should be able to recognize the signs of each motivation, understand their methods, and recommend appropriate responses. The exam may give you a scenario involving unusual activity, and your job will be to determine the likely motivation and threat level behind the incident.
