Oftentimes, priority no. 1 for a hacker preparing to launch a cyberattack is finding a suitable launchpad. The goal: to obfuscate the origin of an attack.
To mask themselves, attackers generally compromise computer servers and networks operated by other organizations. These nodes then serve as unwitting springboards for further electronic assaults.
“The important thing is to recognize how an attacker works,” Oren Falkowitz, co-founder and CEO of Area 1 Security, a cybersecurity startup based in Redwood City, Calif., tells Fortune. “Consistently, what they’re doing is setting up shadow infrastructure—what we describe as relays or proxies.”
Get Data Sheet, Fortune’s technology newsletter.
The vast majority of cyberattacks use spoofed email messages or bogus websites to try to dupe unsuspecting employees into downloading malicious software or giving up login credentials. Such ploys are designed to trick their victims—but they don’t go very far when the booby-trapped messages arrive from addresses handled by known bad actors. That tends to raise an alarm.
So the attackers disguise themselves, burrowing into seemingly innocuous networks. Computer security experts call this approach a “stepping stone attack,” given all the intermediary hops involved.
“They want to have a mechanism to hide their activity, and to make their attacks and traffic blend with general network behavior,” Falkowitz, an NSA alum, says.
That’s where Area 1 comes in. The company installs sensors on compromised machines—with their owners’ permission—in order to surveil adversaries’ traffic, gather intelligence, and funnel that information to cybersecurity companies that can then better preempt attacks.
Area 1 shared a copy of a new report with Fortune that describes several incidents drawn from real-life experiences demonstrating hackers’ tactics. Below are four archetypal ways that attackers attempt to conceal their digital tracks, according to the report.
- Through small businesses
In one illustrative example, foreign nation state-backed hackers took over outdated Windows 2003 servers run by a saddle-maker, moved laterally onto other servers, and used those to send spear-phishing emails to more than a hundred targets, including contractors of the U.S. Department of Defense.
(By the way, here’s a good example of a welding shop used as an attack intermediary in this New York Times story about Area 1 from earlier this year.)
2. Through public schools
Earlier this year, attackers exploited a vulnerable web application on public school servers and broke into them. After bouncing around the networks and installing backdoors, the gang used the school’s computers to launch even more attacks. “Just another example of machines that are typically unprotected and appear innocuous,” Falkowitz says.
3. Through social clubs
In this case, frequenters of a certain watering hole got hit with, well, a “watering hole attack.” Having breached the network, the attackers were able to distribute malware to anyone who connected to the club’s Wi-Fi.
“They lured users into a space where they’re prone to go to for social reasons,” Falkowitz says. Hackers then piggybacked into their corporate networks later on. Falkowitz says Area 1 has seen less than a dozen of these kinds of attacks in the wild, so to speak.
4. Through SCADA facilities
Earlier this year, an unnamed industrial equipment manufacturer fell victim to a hacking. After absconding with oodles of data, the attackers recycled their access into the network as part of a “supply chain attack,” sending emails to targets at other companies since people are likelier to open emails from supposedly trusted sources, like their business relations.
Falkowitz says Area 1 has seen “somewhere between 50 and 80 machines at different organizations” targeted this way.
The upshot? Attackers will use whatever computing resources they can lay their hands on, so long as it will cloak their activities and offer a staging ground for their next attack.