Cyber Threats, Cyberwarfare, Cyberstalking & Botnets
This lesson explores the four major threat categories in Unit I's advanced coverage: the broader taxonomy of cyber threats, the emerging domain of cyberwarfare between nation-states, the personal crime of cyberstalking, and the technical infrastructure of botnets used by criminals.
---
Taxonomy of Cyber Threats
A cyber threat is any potential malicious action targeting digital systems, data, or the people who use them. The categories below are the grouping used throughout this unit; note that the NIST Cybersecurity Framework itself organises defensive functions (Identify, Protect, Detect, Respond, Recover, plus Govern in version 2.0) rather than threat types:
| Threat Category | Description | Example Attack | Impact Level | Difficulty to Defend |
|---|---|---|---|---|
| Malware | Malicious software designed to harm | Ransomware, spyware, worms | Very High | Medium |
| Social Engineering | Manipulating humans to reveal information | Phishing, vishing, pretexting | High | High |
| Network Attacks | Exploiting network protocols | Man-in-the-middle, ARP spoofing | High | Medium |
| Denial of Service | Overwhelming systems to cause downtime | DDoS via botnet | High | Medium |
| Advanced Persistent Threat | Long-term, stealthy intrusion campaigns | Nation-state espionage | Critical | Very High |
| Insider Threats | Threats from authorized users | Data theft by employees | Very High | Very High |
| Supply Chain Attacks | Compromising trusted third-party software or a vendor's build pipeline | SolarWinds (poisoned vendor build); vulnerable open-source dependencies (Log4Shell) | Critical | High |
| Zero-Day Exploits | Attacking previously unknown, unpatched vulnerabilities | Stuxnet (four Windows zero-days) | Critical | Extremely High |
---
Cyberwarfare
Cyberwarfare refers to state-sponsored or state-directed cyber operations against other nations. The objective may be espionage, sabotage, disruption of critical infrastructure, disinformation, or financial damage. Unlike conventional war, cyberwarfare is:
- Asymmetric: A small team can cause massive damage to a superpower's infrastructure
- Deniable: Attacks can be attributed to criminal groups, making retaliation politically difficult
- Pervasive: Digital attacks can happen simultaneously across thousands of targets
- Persistent: APT groups maintain access for months or years before executing their primary objective
Key Historical Cyberwarfare Events:
| Event | Year | Attacker | Target | Method | Impact |
|---|---|---|---|---|---|
| Stuxnet | 2010 (discovered; active from at least 2009) | US/Israel (attributed) | Iran's Natanz uranium enrichment centrifuges | Worm targeting Siemens S7 PLCs, spread via Windows zero-days | ~1,000 centrifuges destroyed |
| Sony Pictures Hack | 2014 | Lazarus Group (N. Korea) | Sony Pictures Entertainment | Wiper malware plus theft and leak of internal data | ≈$35M in remediation costs, leaked emails and unreleased films |
| Ukraine Power Grid | 2015–16 | Sandworm (Russia) | Ukrainian distribution utilities | Remote control of SCADA/ICS (BlackEnergy in 2015, Industroyer in 2016) | Outages affecting 230,000+ customers in 2015 |
| NotPetya | 2017 | Sandworm (Russia) | Ukraine (spread globally) | Wiper disguised as ransomware, seeded via a trojanized M.E.Doc software update | ≈$10 billion global damage |
| SolarWinds | 2020 | APT29 / Nobelium (Russia) | ~18,000 Orion customers received the backdoored update; roughly 100 organisations and 9 US federal agencies were actively exploited | Supply chain compromise of the Orion build process | Long-running espionage |
Exam Tip: Stuxnet is widely regarded as the first publicly known cyberweapon. It targeted the Siemens S7-300 PLCs and Step7 engineering software controlling Iran's uranium enrichment centrifuges, and it used four Windows zero-day vulnerabilities (plus stolen code-signing certificates) to spread, which was unprecedented at the time.
---
Cyberstalking
Cyberstalking is the use of digital technology — internet, email, social media, GPS tracking, spyware — to harass, intimidate, surveil, or threaten an individual. Unlike physical stalking, cyberstalking can occur from any location globally and operates 24/7.
How Cyberstalking Works:
- Information gathering — Aggregating public information from social media, data brokers, public records
- Monitoring — Installing spyware/stalkerware on the victim's device; tracking location via GPS apps or shared-account location features
- Contact — Sending threatening emails, messages, fake accounts, impersonation
- Escalation — Publishing private information (doxxing), filing false complaints, contacting victim's employer
Legal Framework:
| Jurisdiction | Law | Section | Offense | Penalty |
|---|---|---|---|---|
| India | IT Act 2000 | Section 66E | Violation of privacy (capturing or publishing images of a person's private area without consent) | Up to 3 years, or fine up to ₹2 lakh, or both |
| India | IPC (since replaced by the Bharatiya Nyaya Sanhita, 2023) | Section 354D | Stalking, including monitoring a woman's use of the internet, email or other electronic communication | Up to 3 years + fine (first conviction); up to 5 years + fine (subsequent) |
| India | IT Act 2000 (as amended 2008) | Sections 67 / 67A | Publishing or transmitting obscene material (67) or sexually explicit material (67A) in electronic form | 67: up to 3 years + fine up to ₹5 lakh (first conviction); 67A: up to 5 years + fine up to ₹10 lakh (first conviction) |
| USA | 18 U.S.C. § 2261A (interstate stalking; extended to electronic communications through VAWA reauthorisations) | Federal law | Cyberstalking that causes fear or substantial emotional distress | Up to 5 years federal prison (higher where injury results) |
| EU | National criminal codes (stalking/harassment offences); GDPR for unlawful processing of personal data | Various | Stalking and harassment; misuse of personal data | Imprisonment under national law; GDPR administrative fines for data misuse |
---
Botnets — The Criminal Infrastructure
A botnet (robot network) is a collection of internet-connected devices (called bots or zombies) that have been infected with malware and are controlled by an attacker (the botmaster) through a Command and Control (C2) server, without the device owners' knowledge.
How a Botnet is Built (Step-by-Step):
- Infection: Attacker distributes malware via phishing emails, malicious downloads, drive-by downloads, or exploiting vulnerabilities
- Persistence: Malware installs itself at startup, hides from antivirus using rootkit techniques
- Registration: Infected device contacts C2 server and registers itself as a bot
- Command Delivery: Botmaster sends commands (via IRC, HTTP, peer-to-peer) to all bots simultaneously
- Execution: Bots execute commands — spam campaign, DDoS attack, crypto mining, credential theft
- Monetization: Botmaster earns through ransomware payments, selling botnet access, crypto profits
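The registration and command-delivery steps above leave a measurable footprint: a bot polls its C2 on a timer, so the gaps between its connections to one destination are far more regular than human browsing. The following Python is an added example of that detection logic (not code from the lesson or from any real botnet); the proxy log lines, hostnames and addresses in it are constructed for illustration, and the thresholds are assumptions to tune per environment.

```python
"""Beacon (C2 check-in) detection over proxy logs.

For each (client, destination) pair we compute the coefficient of
variation (stdev / mean) of the inter-arrival times between connections.
Timer-driven check-ins have a low CV; bursty human browsing does not.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import random
import statistics


def build_sample_log(seed: int = 7) -> list[str]:
    """Constructed sample proxy log, one record per line:
    "ISO-timestamp client destination".

    10.0.0.5 plays an infected host checking in every 60 s with +/-2 s of
    jitter; 10.0.0.9 plays a clean host browsing at random intervals.
    Hostnames and addresses are hypothetical.
    """
    rng = random.Random(seed)
    lines = []
    start = datetime(2024, 1, 1, 9, 0, 0)
    t = start
    for _ in range(12):
        lines.append(f"{t.isoformat()} 10.0.0.5 update-check.example.net")
        t += timedelta(seconds=60 + rng.uniform(-2, 2))
    t = start
    for _ in range(12):
        lines.append(f"{t.isoformat()} 10.0.0.9 news.example.org")
        t += timedelta(seconds=rng.uniform(3, 300))
    lines.sort()  # ISO timestamps sort chronologically as strings
    return lines


def parse_log(lines: list[str]) -> dict[tuple[str, str], list[datetime]]:
    """Group connection timestamps by (client, destination)."""
    flows: dict[tuple[str, str], list[datetime]] = defaultdict(list)
    for line in lines:
        ts, client, dest = line.split()
        flows[(client, dest)].append(datetime.fromisoformat(ts))
    return flows


def find_beacons(lines: list[str], min_hits: int = 8,
                 max_cv: float = 0.1) -> dict[tuple[str, str], dict]:
    """Return flows with at least `min_hits` connections whose inter-arrival
    coefficient of variation is at most `max_cv` (low jitter = timer-driven).
    `min_hits` and `max_cv` are assumed starting thresholds."""
    suspects = {}
    for key, times in parse_log(lines).items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            suspects[key] = {"hits": len(times),
                             "interval_s": round(mean, 1),
                             "cv": round(cv, 3)}
    return suspects


if __name__ == "__main__":
    for (client, dest), stats in find_beacons(build_sample_log()).items():
        print(f"{client} -> {dest}: {stats}")
```

Two caveats a SOC analyst would add: legitimate software updaters, NTP and telemetry agents also beacon on fixed timers, so this needs an allowlist of known destinations or destination reputation alongside it; and some C2 frameworks add deliberate random jitter to each sleep, which raises the CV, so in practice the threshold is widened or supplemented with periodicity tests such as autocorrelation on the gap series.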
Botnet Use Cases:
| Use Case | How Botnets Enable It | Real Example | Revenue Model | Scale |
|---|---|---|---|---|
| DDoS Attack | All bots flood target simultaneously | Mirai botnet (620 Gbps attack on Krebs) | Extortion, competitor sabotage | 100,000s of devices |
| Spam Campaigns | Bots send millions of emails | Cutwail botnet (est. 51 billion spam messages/day in 2009) | Sell spam services | ~1.5M bots |
| Credential Theft | Keyloggers and form grabbers on each bot | Zeus (Zbot) botnet | Sell credentials and bank logins on dark web markets | 3.6M bots in the US at its 2009 peak |
| Crypto Mining | Use victims' CPU/GPU for mining | Smominru (≈524,000 Windows servers, 2018) | Cryptocurrency (Monero) | ~$3.6M mined |
| Click Fraud | Bots simulate ad clicks and impressions | Various botnets | Fraudulent ad revenue | Billions of clicks |
| Ransomware Distribution | Bots deliver the ransomware payload | Emotet → TrickBot → Ryuk delivery chain | Ransom payments | Enterprise targets |
---
Study Deep: Advanced Threat Analysis
- C2 infrastructure has evolved: First-generation botnets used centralized IRC servers, a single point of failure that defenders could sinkhole or shut down. Modern botnets use peer-to-peer C2 (no single point of failure), domain generation algorithms (DGAs, which derive thousands of candidate rendezvous domains from a shared seed such as the current date, so the operator need only register a few of them and sinkholing one domain does not sever the botnet), and fast flux DNS (rapidly rotating the IP addresses behind a domain across compromised hosts).
- Nation-state actors and cybercriminals converge: The line between cybercrime and cyberwarfare is blurring. North Korea's Lazarus Group conducts financial cybercrime (stealing ~$3 billion in crypto since 2017) to fund the state while also conducting espionage operations. Iran and Russia similarly leverage criminal groups as proxies.
- Cyberstalking enablers are everywhere: Commercial "stalkerware" products marketed as parental controls or employee monitoring tools are routinely misused for intimate partner surveillance. The Coalition Against Stalkerware documents thousands of cases annually. Such tools have historically slipped past malware detection because they are sold as "legitimate" commercial software, although many antivirus vendors now flag them as stalkerware or potentially unwanted programs.
- Botnet takedowns require international cooperation: Botnets operate across dozens of countries. Takedown operations (like the FBI/Europol operation against GameOver Zeus in 2014) require multinational law enforcement collaboration, court orders in multiple jurisdictions, and ISP cooperation to sinkhole C2 traffic.
- The Mirai botnet changed IoT security forever: In 2016, Mirai infected roughly 600,000 IoT devices (IP cameras, DVRs, home routers) at its peak by scanning for Telnet services that accepted factory-default usernames and passwords. Its October 2016 DDoS attack on the DNS provider Dyn disrupted major services including Twitter, Netflix, and Reddit. The source code was published online shortly afterwards, spawning many derivative botnets, and the episode accelerated IoT security regulation such as bans on universal default passwords.
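The DGA mechanism in the C2 evolution bullet above is easiest to see from both sides at once: the bot derives its candidate domains from a seed it shares with the botmaster, and a defender looking at DNS logs tries to spot those machine-generated names. The Python below is an added example written for this lesson; its generator is a toy, not any real malware family's algorithm, the 16-letter label length and the `.test` TLD (reserved, so nothing resolves) are assumptions, and the sample hostnames are constructed.

```python
"""Toy date-seeded DGA plus a lexical detector for DGA-like hostnames.

Bot and botmaster both compute generate_dga_domains(today); the botmaster
registers only one of the candidates, so the bots find the C2 without
any hard-coded address and a single sinkholed domain does not matter.
The detector scores the leftmost DNS label on Shannon entropy and vowel
ratio, two features that separate random labels from most human-chosen
ones.
"""
import hashlib
import math
from datetime import date

LABEL_LEN = 16   # assumption: the toy DGA emits 16-letter labels
TLD = "test"     # reserved TLD, so generated names never resolve


def generate_dga_domains(day: str, count: int = 5) -> list[str]:
    """Derive `count` candidate C2 domains for the date string `day`
    (YYYY-MM-DD). Toy DGA: SHA-256(date:index) mapped to letters a-z."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{day}:{i}".encode()).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:LABEL_LEN])
        domains.append(f"{label}.{TLD}")
    return domains


def shannon_entropy(text: str) -> float:
    """Bits per character of the string's empirical character distribution."""
    n = len(text)
    counts = (text.count(ch) for ch in set(text))
    return -sum(c / n * math.log2(c / n) for c in counts)


def vowel_ratio(text: str) -> float:
    """Fraction of characters that are vowels (random labels score low)."""
    return sum(text.count(v) for v in "aeiou") / max(len(text), 1)


def is_dga_like(hostname: str, min_len: int = 10, min_entropy: float = 3.0,
                max_vowels: float = 0.4) -> bool:
    """Lexical heuristic: long, high-entropy, vowel-poor leftmost label.
    The three thresholds are assumed starting values, not tuned figures."""
    label = hostname.lower().split(".")[0]
    return (len(label) >= min_len
            and shannon_entropy(label) >= min_entropy
            and vowel_ratio(label) <= max_vowels)


def triage_dns_log(queries: list[str]) -> list[str]:
    """Return the queried hostnames that look machine-generated."""
    return [q for q in queries if is_dga_like(q)]


if __name__ == "__main__":
    # Constructed sample DNS queries: a few ordinary names mixed with
    # today's toy-DGA candidates. All names are hypothetical.
    legit = ["www.example.com", "mail.example.org", "login.example.net"]
    sample = legit + generate_dga_domains(date.today().isoformat())
    for host in sample:
        print(f"{host:28} dga_like={is_dga_like(host)}")
```

A lexical detector like this is a first filter, not a verdict: long dictionary-word labels can exceed the entropy threshold, and a random label can by chance land on a vowel-heavy string, so production pipelines add the NXDOMAIN rate per client (a bot burns through many unregistered candidates before it hits the live one), domain age, and n-gram models trained on known DGA families.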
Exam Tip: Botmaster controls the botnet; C2 server (Command and Control) sends instructions; Zombies/Bots are infected devices that execute commands. Botnets are used for DDoS, spam, credential theft, and ransomware delivery. The infected machines' owners are unaware their device is part of a botnet.