Birds of a feather flock together. An old, yet very true saying. Cybercriminals are stealing a staggering volume of data and money from companies around the world; the damage from cyber-attacks is estimated to cost businesses US$400 billion a year. Cybercrime has become a huge criminal enterprise, and its operators include state-sponsored groups, notably those backed by Russia, China and North Korea.
Cybercrime groups have become more organized and specialized in the past few years. Gone are the days of a single actor planting malware or creating other havoc for an organization on their own. Cybersecurity reports often describe threat actors and their malware or hacking operations as self-standing events. In reality, the cybercrime ecosystem is much smaller and far more interconnected than the layperson might realize.
Cybercriminals often have complex supply chains, similar to legitimate software companies, and they regularly develop relationships within the rest of the e-crime ecosystem to acquire access to essential technology that enables their operations or maximizes their profits. According to cybersecurity researchers, these third-party technologies can be classified into three categories: Services, Distribution, and Monetization.
Services category can include:
- Access Brokers - threat actors who breach corporate networks and sell access into a company's internal network to other gangs.
- DDoS attack tools - also known as DDoS booters or DDoS-for-hire, these groups provide access to web-based panels from where anyone can launch a DDoS attack against a target.
- Anonymity and encryption - threat actors who sell access to private proxy and VPN networks, so hackers can disguise their location and the origin of their attacks.
- Phishing kits - threat actors who create and maintain phishing kits, web-based tools used to automate phishing attacks, and the collection of phished credentials.
- Hardware for Sale - threat actors who sell custom-made hardware, such as ATM skimmers, network sniffing devices, and more.
- Ransomware - also known as Ransomware-as-a-Service, or RaaS, these groups sell access to ransomware strains or a web-based panel where other gangs can build their own custom ransomware.
- Crime-as-a-Service - like RaaS, but these groups provide access to banking trojans or other forms of malware.
- Loaders - also known as "bot installs," these are threat actors who have already infected computers, smartphones, and servers with their own malware and offer to "load/install" another group's malware on the same systems, so that the other group can monetize them through ransomware, banking trojans, info-stealers, etc.
- Counter antivirus service/checkers - these are private web portals where malware devs can upload their samples and have them tested against the engines of modern antivirus systems without the fear of the malware's detection being shared with the AV maker.
- Malware Packing services - these are web-based or desktop-based tools that malware developers use to scramble their malware strain's code and make it harder to detect by antivirus software.
- Credit/debit card testing services - these are tools that hackers use to test if the payment card numbers they acquired are in a valid format and if the card is (still) valid.
- Webinject kits - these are specialized tools, usually used together with banking trojans, to allow a banking trojan gang to insert malicious code inside a victim's browser while they visit an e-banking (or any other) site.
- Hosting & infrastructure - also known as bulletproof hosting providers, their name is self-evident as they provide private web hosting infrastructure specifically tailored for criminal gangs.
- Recruiting for criminal purposes - these are specialized groups that recruit, bribe, or trick normal citizens into participating in a cybercrime operation (e.g., someone who travels to the US to bribe a Tesla employee to run a malicious tool inside the company's internal network).
Distribution category can include:
- Groups that run spam campaigns on social networks or instant messaging apps.
- Groups specialized in email spam distribution.
- Groups who develop and sell exploit kits.
- Groups who purchase traffic from hacked sites and distribute it to malicious web pages that usually host exploit kits, tech support scams, financial scams, phishing kits, and others.
Monetization category can include:
- Money mule services - groups who offer to physically show up and pick up cash from hacked ATMs, or to receive money in their own bank accounts and then redirect it to the hackers or to the hackers' preferred money laundering or reshipping fraud service.
- Money laundering - groups who often operate networks of shell companies through which they move funds from hacked bank accounts, ATM cash-outs, or cryptocurrency heists. Some money laundering services also operate on the dark web as Bitcoin mixing services.
- Reshipping fraud networks - groups that take stolen funds, purchase real products, and ship the products to another country. The products, usually luxury goods such as cars, electronics, or jewelry, are then resold and converted into clean fiat currency that is transferred to the hackers who contracted their services.
- Dump shops - groups that sell data from hacked companies via specialized websites and social media channels.
- Ransom payments & extortion - groups specialized in extorting victims, and which can be contracted by other gangs in possession of stolen data.
- Collection and sale of payment card information - also known as carding shops, these are typically forums where cybercrime groups go to sell stolen payment card data.
- Cryptocurrency services - a form of money laundering, these services offer to "mix" stolen funds and help hackers lose the trail of stolen funds.
- Wire fraud - as the name says, groups that are specialized in performing wire fraud, such as BEC scams.
Tracking all the connections between groups and their suppliers, and who works with whom, is almost impossible today because of the broad use of encrypted communication channels between the parties. In the realm of malware attacks, however, some signs of cooperation can be observed in the way malware moves from attackers to infected hosts. These connections can never be fully verified from telemetry alone, but when Emotet infections are observed downloading TrickBot, it is obvious that the two gangs are cooperating, with the Emotet crew acting as a "loader" service for the TrickBot gang.
In narcotics investigations, law enforcement often targets lower-level individuals in a criminal syndicate and from there works its way up into the higher levels of the trafficking organization. Crime is crime, and similar investigative tactics can be employed here. Law enforcement agencies are likely to achieve better results in disrupting cybercrime operations by targeting these shared service suppliers, since taking one down disrupts the activities of multiple cybercrime groups at once. Higher-level cybercrime gangs often practice effective operational security (OpSec) and reveal few details about their operations, but lower-tier enablers do not always protect their identities, and targeting them could provide law enforcement agencies with data that helps unmask and track down the bigger groups.
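The two paragraphs above describe one inference (a loader repeatedly delivering another crew's malware implies a business relationship) and one way to act on it (rank the shared suppliers that the most groups depend on). The script below is an added example, not code from the article or from Red Sky Alliance, showing how an analyst can build that picture from drop/download telemetry. The events are constructed sample data: Emotet and TrickBot are the families the article names, while FamilyA, FamilyB and FamilyC are hypothetical placeholders, not real malware families. It generalizes the single Emotet-to-TrickBot case to any loader-to-payload pairing seen across hosts.

```python
"""Infer cooperation between malware crews from loader -> payload telemetry.

Added example (not the article's code). Input records say which family was
observed delivering which other family on a given host, and when.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class DropEvent:
    """One observation of `loader` delivering `payload` on `host` at `seen`."""
    host: str
    loader: str
    payload: str
    seen: date


# Constructed sample telemetry. Emotet and TrickBot come from the article;
# FamilyA/FamilyB/FamilyC are hypothetical placeholder names.
SAMPLE_EVENTS = [
    DropEvent("host-01", "Emotet", "TrickBot", date(2020, 9, 1)),
    DropEvent("host-02", "Emotet", "TrickBot", date(2020, 9, 3)),
    DropEvent("host-02", "Emotet", "TrickBot", date(2020, 9, 4)),  # repeat on same host
    DropEvent("host-03", "Emotet", "FamilyA", date(2020, 9, 5)),
    DropEvent("host-04", "TrickBot", "FamilyB", date(2020, 9, 6)),
    DropEvent("host-05", "FamilyC", "FamilyA", date(2020, 9, 7)),  # one-off sighting
    DropEvent("host-06", "Emotet", "FamilyA", date(2020, 9, 9)),
    DropEvent("host-01", "TrickBot", "FamilyB", date(2020, 9, 10)),
    DropEvent("host-07", "Emotet", "TrickBot", date(2020, 9, 12)),
]


def build_delivery_graph(events):
    """Aggregate drop events into directed loader -> payload edges.

    Each edge keeps the set of distinct hosts (a repeat drop on the same host
    counts once) plus the first and last date the pairing was observed.
    """
    edges = {}
    for ev in events:
        key = (ev.loader, ev.payload)
        e = edges.setdefault(
            key, {"hosts": set(), "first_seen": ev.seen, "last_seen": ev.seen}
        )
        e["hosts"].add(ev.host)
        e["first_seen"] = min(e["first_seen"], ev.seen)
        e["last_seen"] = max(e["last_seen"], ev.seen)
    return edges


def cooperation_edges(events, min_hosts=2):
    """Return (loader, payload, host_count) for pairings seen on >= min_hosts hosts.

    A single drop may be a one-off purchase or a mis-attribution, so only a
    pairing repeated across hosts is treated as evidence of an ongoing loader
    arrangement. Sorted strongest first, then by name for a stable order.
    """
    edges = build_delivery_graph(events)
    kept = [
        (loader, payload, len(e["hosts"]))
        for (loader, payload), e in edges.items()
        if len(e["hosts"]) >= min_hosts
    ]
    return sorted(kept, key=lambda t: (-t[2], t[0], t[1]))


def rank_shared_suppliers(events, min_hosts=2):
    """Rank loaders by how many distinct downstream families rely on them.

    This is the 'shared supplier' view: the loader feeding the most crews is
    the node whose disruption affects the most groups at once.
    Returns (loader, customer_count, sorted_customers), most shared first.
    """
    customers = defaultdict(set)
    for loader, payload, _ in cooperation_edges(events, min_hosts):
        customers[loader].add(payload)
    ranked = [(loader, len(c), sorted(c)) for loader, c in customers.items()]
    return sorted(ranked, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    for loader, payload, n in cooperation_edges(SAMPLE_EVENTS):
        print(f"{loader} -> {payload}: seen on {n} distinct hosts")
    for loader, n, custs in rank_shared_suppliers(SAMPLE_EVENTS):
        print(f"{loader} supplies {n} downstream families: {', '.join(custs)}")
```

The host-count threshold is the caveat the article raises: telemetry shows that one family fetched another, not who paid whom, so a single sighting is kept in the graph but excluded from the cooperation list until it repeats. Feeding real sandbox or EDR parent/child records into `SAMPLE_EVENTS` is the only change needed to run this on live data.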
Red Sky Alliance has been analyzing and documenting cyber threats for 9 years and maintains a resource library of malware and cyber actor reports available at https://redskyalliance.org at no charge.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or firstname.lastname@example.org
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941