Cybercriminals: Not Just Guys in the Basement Anymore
I am not so old that I can say I remember a time when cybercriminals were not a credible threat to a healthy network, but I can say that I remember a time when they were not as GOOD as they appear to be today. Several key developments have led to the increase in the depth and breadth of the world of cybercrime.
1. Money, Money, Money…….MONEY
Make no mistake: cybercrime is a lucrative market. According to open source research, cybercrime is a $1.5 trillion market. It is a common joke among network defenders that we are in the wrong line of work. However, the fact of the matter is, conducting, assisting, or orchestrating malicious cyber operations pays well and, with the rise and ease of use of cryptocurrency, these operations are easier to monetize in near complete anonymity. (Yes, I said near. Don’t @ me.)
2. Everyone carries a computer now and is a potential target
I am pretty sure my nephew has had a smartphone since he was, like, eight. I have seen jihadists in the caves of the Middle East with the latest version of the iPhone. I saw a documentary about how certain African governments are arming indigenous, nomadic tribes with GPS smartwatches to help track endangered animal movement. Each of these devices, phones, or watches is a computer with Internet access and each of them is a potential target. They can be bricked with ransomware, loaded up with cryptominers, or compromised to be part of a botnet and each of these operations can be monetized by cybercriminals.
3. Being a cybercriminal is now easier than ever!
I would argue that there was a time when you had to be a true hacker to run a hacking operation: access a network, arrange a sale, and then launder the payment. In the current threat environment, more and more operations rely on tools to do the majority of the “heavy lifting” of actual operations, not to mention the creation and adoption of cryptocurrency for payment. Using readily available tools, low-level individuals with as little computer experience as the average user can now conduct a successful cybercrime operation.
4. IoST (Internet of Stupid Things)
Speaking of things being connected to the Internet…….everything is connected these days, and a good portion of it is not developed with security in mind. Medical devices, HVAC systems, vehicles, critical infrastructure assets, security systems, fire control systems, pet food dispensers, in addition to the myriad of applications and software that are used to manage them, are all potential infection vectors. Hell, my coworkers just told me about a coffee cup at Best Buy that has Bluetooth capability.
I think we can all agree that the threat landscape is broader than ever, it is easier than ever to be a cybercriminal, and we are becoming more and more connected via the Internet. As an analyst, one of my primary concerns is that while people accept that cybercrime is on the rise, no one is really considering cybercriminals an increasingly sophisticated threat.
Let me be clear: cybercriminals can be dangerous. Amidst all the low-level “noise” of unsophisticated cybercriminals exist highly capable malicious actors who can execute highly complex, highly lucrative operations. A trend that is causing further concern is how these highly capable cyber actors are being used for nation state missions. There is evidence to suggest that nation states like Iran, China and Russia seek out the services of cybercriminals to conduct cyber operations for government-sponsored missions. So what are the advantages of finding a “hacker for hire?”
1. It wasn’t me
One of the more useful benefits of using cybercriminals as contractors is being able to deny any association with the operations, should the mission go awry. Russia and China especially are consistently working on their global image and how they are perceived on the international stage, so using cybercriminals to conduct operations gives them a distance that lets them maintain that image while continuing to enjoy the advantages of adversarial cyber operations.
2. Outsourcing and crowdsourcing
I have the unpopular opinion that some cybercriminals are more capable than the majority of nation state actors. In some cases, I believe that countries rely on cybercriminal contractors to execute missions that are outside the scope of their own capabilities. (Looking at you, Iran.) This makes sense when you stop to consider it, as cybercriminals are constantly looking for an edge to better conduct successful operations, while government workers may suffer from mission burnout, boredom, or lack of up-to-date training. Additionally, cybercriminal contractors have the ability to outsource and crowdsource their work. I could write an entire paper on the fascinating nature of the cybercriminal professional network. Should a cybercriminal need access, a custom tool, or some other resource, they are likely to find a solution faster than a government-run operation. Which brings us to…..
3. Honor among thieves
Cybercriminals exist in a world where reputation is everything. Should a nation state representative reach out to a reputable cybercriminal contractor, that cybercriminal is motivated to do the work for the price, content and time agreed upon in order to protect their reputation. If a nation state reaches out to a cybercriminal, they are more likely than not to deliver as promised.
4. Better hobby than most
If you happen to be a capable computer network specialist, there is a good chance that you have similar hobbies at home. There is evidence to suggest that some individuals log off their government computer, go home, log on to the dark market, and continue to do similar work. Familiarity with government missions makes for exceptionally well-informed cybercriminals.
5. Snitches get……. jobs
Russia especially has been accused of having tacit tasking authority over the Russian cybercriminal world. However, Russia is not the only country that may or may not arrest cybercriminals, only to turn them loose with a government-backed mission. Having a cybercriminal, no matter how capable, gives nation states the advantage of access to the criminal networks.
6. Vengeance is sweet and the Internet is everywhere
According to Internet World Stats, 55% of the global population has access to the Internet, which roughly shakes out to about 4.2 billion users. As discussed above, the introduction of mobile devices has given more and more people Internet access, and each of them is a potential victim, but what should also be considered is that those same people can now use that access for adversarial purposes. As the Iranian contractors showed in 2013, distributed denial-of-service (DDoS) operations can significantly disrupt U.S. networks. Politically motivated cybercriminals can harness these resources to conduct these types of operations. In fact, I predict that the U.S. will see more low-level cybercriminal activities originating from countries other than the typical adversaries (Iran, China, North Korea, and Russia).
I have the privilege of having many people who are current or former U.S. Navy in my life and, as such, I get a lot of maritime analogies. (Life is like the sea, I get it.) However, one I actually like is how boats and ships can be compared to how large organizations versus small organizations conduct cyber operations. Ships (our nation state actors) are large, powerful, capable entities but have difficulty changing course or quickly adapting to changes in the landscape. Boats (cybercriminals), on the other hand, are light, quick, and adaptive but lack the resources to be the “heavy hitters” sometimes needed for combat. So to be most effective, you deploy BOTH for the best of both, right? That is what nation state cyber organizations are doing. Combining their government resources with cybercriminal capabilities has given nation states a significant advantage in the new cyber threat landscape.
As a cyber threat intelligence analyst, I would argue that our community tends to consider nation state actors to be the source of the most sophisticated and capable cyber threat operations. However, we need to widen that scope to include the cybercriminals, or cyber contractors, in how we are assessing the threats posed by nation state actors.
So it might still be a guy in a basement……he is now just working part-time for Russia.