Today, cyberspace is constantly evolving, presenting organisations with new opportunities to adopt cost-effective cloud services and use the internet to open new channels. Unfortunately, the same technologies bring unanticipated risks and consequences to cyber security.
Barely a day passes without news of a major data breach or a new cyber threat. Security experts warn us that current threat actors include international groups with access to powerful, evolving capabilities to identify and attack targets.
What’s more alarming is that cyber criminals now function as an underground economy parallel to the broader economy.
Cyber criminal groups are operating as companies
Cyber crime has become a growth industry where the returns are high and the risks are low. Researchers from Google and IBM described how cyber criminals operate by mimicking the behaviour of companies. Startlingly, cyber crime organisations compete for customers, fight for the best project managers, and even look for C-level executives to ensure they stay organised and operate effectively to steal your money and information.
Cyber crime is currently a multibillion-dollar business. McAfee estimates that the underground economy costs the world economy more than $1 trillion, roughly one percent of the global GDP. Moreover, experts predict that the cost will increase to $10.5 trillion annually by 2025, representing the greatest transfer of economic wealth in history.
Christopher Scott, a security expert and a member of IBM’s X-Force, sheds light on the typical structure of cyber criminal organisations, which includes a leader who oversees the broader group’s goals. Other personnel include project managers who execute different parts of each cyberattack and supervise different functions over the scope of the crime. Cyber criminal organisations also feature specialists in malicious software who buy or tweak a custom product to steal the exact kind of information the group requires. Other specialists might send fraudulent emails to deliver malicious software to the targets.
Criminal groups’ organisational structure is not the only thing copied from companies; they also offer B2B services to one another and sometimes hijack competitors’ progress, much as happens in the corporate world.
This is also the approach taken by threat actors like DarkSide, REvil, and others, who create and franchise ransomware-as-a-service (RaaS), just like legitimate vendors that offer software-as-a-service.
Attackers will penetrate organisations while franchisers provide the attack tools, communications, and ransom collection, all for a percentage of the stolen money. Some of these services even offer an offshore support team to help victims pay the ransom. In many cases, the support team is not even aware they are supporting crime; they simply have technical instructions to help ‘customers’ go through the process and provide technical expertise for any problems along the way.
Much like the importance of corporate reputation, a criminal group’s reputation is crucial to its success—the decision to pay a ransom after an attack can depend on the reputation of the attacking criminal group.
What’s more, criminal groups also have aggressive salespeople working to displace their competitors by stealing territory. This setup is particularly prevalent among groups offering distributed denial-of-service (DDoS)-for-hire services that rely on hundreds of thousands of compromised computers. In this case, criminal organisations with more devices in their botnet are more effective, making it common for one DDoS-for-hire specialist to attack computers targeted by another competitor.
It gets even more interesting when we discover that criminal groups offer social responsibility services, similar to company CSR. For example, DarkSide went to some lengths to portray itself as Robin Hood, claiming that part of its ransomware payments goes to charity. “Some of the money the companies have paid will go to charity,” DarkSide said in a post. “No matter how bad you think our work is, we are pleased to know that we helped change someone’s life.”
The risk of getting too big in cyber crime
As a threat actor becomes big and organised with enterprise-like structures and strategies, they become more visible and attract more attention. Governments, regulators, and security experts are also advancing their technology and capabilities to identify the hallmarks of criminal-business arrangements. This results in some of them being caught and others choosing to shut down their operations voluntarily.
A good example is ‘White House Dark Web Market (WHM)’, one of the largest and most successful dark web markets, which closed with a message from its admin (see the picture below) announcing they are retiring.
“We have reached our goal and now, according to plan, it’s time for us to retire,” the admin shared on their own dark web marketplace as well as on the Dread dark web forum. Interestingly, WHM are still keen on keeping their reputation until the last minute. Part of the group’s statement read, “Effective immediately, user registration and ordering have been disabled, everything else (yes, withdrawals included) is working as usual.” The statement continues, “All market rules are still in effect, so users (both buyers and vendors) should not try to take advantage of the situation and scam, the feedback system is still working and will be shared with Recon and other markets.”
Another instance is the BlackMatter ransomware that was allegedly shut down due to pressure from the authorities. The group announced plans to shut down in a message posted on its RaaS portal, where criminal groups typically register to access the BlackMatter ransomware strain. Also, the DarkSide group that attacked the Colonial Pipeline announced plans to drop from sight online due to the “pressure from the US.” On the other hand, some large groups on the dark web retire their activities after reaching their goals.
How should businesses respond?
Naturally, understanding how malicious hackers structure their business operations is vital so companies can firmly grasp what they are fighting. In addition, with cyber criminals forming larger (and hence more bureaucratic) organisations, companies need to scrutinise them to understand the structures, capabilities, tools, techniques, and practices they use.
Ultimately, when cyber criminals are so organised and working as smart startups, companies’ only chance of standing against them is to work together and invest in reliable cyber security capabilities.
Author: Hani Koshaji