The goal of this two-part blog is to advance knowledge about how threat actors operate by examining social patterns and psychological traits of these highly-effective cybercriminals, who continuously adapt their capabilities to maintain their stronghold within this ecosystem. By pinpointing the common behaviors in significant financially-motivated cybercriminals, organizations can develop mitigation efforts by anticipating threat actors’ specific characteristics and how their successful maneuvers will influence similar schemes and strategies in the future.
We will share insights into how the Intel 471 Intelligence Team has tracked and analyzed activity from 2010 to 2022 across the cybercrime underground, where most of these schemes proliferate under a highly organized business model operating across forums and marketplaces. Our focus is on some of the most effective actors in the underground — Ransomware-as-a-Service (RaaS) operators, network access brokers (NABs) and prolific carders.
You can read Part I here.
4. No face, no case
Similar to how effective cybercriminals adapt in the face of a challenge, they know how to take advantage of an opportunity. One of the most impactful ways cybercriminals have done so is by exploiting the layers of anonymity the internet provides to those who want to hide their true identity.
Anonymity is not a zero-sum game for threat actors. The better a cybercriminal can deter anyone from determining who they really are, the better chance they have of not getting caught. However, those who wish to succeed must achieve the right balance of being known enough to establish credibility. Those throughout the underground who have balanced this typically implement better OPSEC practices, such as using email addresses and handles unaffiliated with personal accounts so as not to be connected to their real identities. They also are careful to avoid revealing personal information when conversing on forums.
Threat actors use a variety of tools such as bulletproof hosting (BPH) services, Tor browsers and VPNs to protect their infrastructure and identities. Actors also make their funds and transactions anonymous with cryptocurrency mixing services. By attempting to make cryptocurrency funds and transactions untraceable, a threat actor’s profits are less likely to be tracked by security researchers or law enforcement.
Yet, these strategies and tools are not always enough to allow actors to maintain a low profile. Highly successful cybercriminals monitor how much attention they receive and know when to lie low, and they usually return with a new alias and an improved strategy to stay under the security industry’s radar. If they do not return, they sometimes simply end their operations and sit on their money.
In February 2021, the founder of one of the most popular carding marketplaces, Joker’s Stash, retired after having amassed an alleged fortune of more than US $2 billion. While sales peaked at US $139 million in 2018, they dropped afterward as carding activity lost popularity, likely due to anti-fraud technologies becoming more sophisticated, as well as the rise of ransomware.
Additionally, when the GandCrab RaaS affiliate program was terminated, the actor stated, “all the best things eventually come to an end. In one year, people who worked with us have earned over US $2 billion…This money has been successfully cashed out and invested in various legal projects, both online and offline ones.” The actor appeared to have met GandCrab’s ultimate goal, ceased operations after receiving a significant amount of public attention and disappeared before any arrests could be made.
5. Easy does it
Malicious actors of all skill levels skew toward the easiest possible path to earn money. Sure, there is a possibility that cybercriminals could daisy-chain multiple zero-days together for the purpose of stealing data from an organization, but the overwhelming majority of attackers cast an extremely wide net with the understanding that they may only score access to a handful of organizations. However, the most effective cybercriminals derive as much value as possible from that small return.
Intel 471 observed that effective threat actors engage in active scanning—a process that is extremely easy to set up and automate—to efficiently attack organizations by exploiting entities with unpatched vulnerabilities. That was then followed up with or accompanied by brute-force and credential-stuffing attacks on downstream systems to gain access to networks.
This process was the bedrock for many of the actors known as the best network access brokers in the cybercrime underground. Their business strategy is to sell high volumes of access to global organizations in different sectors to appeal to numerous buyers. This tactic has been adopted by many other actors, who appear to attack any organization they can easily gain initial access to rather than spending time and effort targeting particular organizations. Some of the most successful actors employed these strategies and outsourced the ways they obtained the access, even going so far as hiring penetration testers to gather access for their own schemes.
The Intel 471 Intelligence Team monitors one particular access broker that has demonstrated consistent involvement in brute-force attacks and offered RDP access credentials to organizations all over the world, including entities based in Africa, Asia, Central America, Europe, North America and South America. Since 2017, the actor has not specifically targeted one region or industry, which allowed for a wider breadth of offers to sell to a generalized audience.
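The scanning, brute-force and credential-stuffing pattern described above leaves a recognizable trace in authentication logs. The following is an added defender-side example (not Intel 471 code) that classifies failed-logon bursts per source into brute-force (one account, many passwords) versus credential stuffing (many accounts, one try each) and flags a success that follows a burst; the log format, threshold and IP addresses are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample of RDP logon events (not real data), one per line:
# "timestamp source_ip username outcome"
SAMPLE_LOG = """\
2022-03-01T10:00:01 198.51.100.7 administrator FAIL
2022-03-01T10:00:02 198.51.100.7 administrator FAIL
2022-03-01T10:00:03 198.51.100.7 administrator FAIL
2022-03-01T10:00:04 198.51.100.7 administrator FAIL
2022-03-01T10:00:05 198.51.100.7 administrator FAIL
2022-03-01T10:00:06 198.51.100.7 administrator SUCCESS
2022-03-01T10:05:00 203.0.113.9 alice FAIL
2022-03-01T10:05:01 203.0.113.9 bob FAIL
2022-03-01T10:05:02 203.0.113.9 carol FAIL
2022-03-01T10:05:03 203.0.113.9 dave FAIL
2022-03-01T10:05:04 203.0.113.9 erin FAIL
2022-03-01T11:00:00 192.0.2.4 alice FAIL
2022-03-01T11:00:30 192.0.2.4 alice SUCCESS
"""

FAIL_THRESHOLD = 5  # assumed tuning value: failures per source before flagging


def parse(log_text):
    """Split each line into (timestamp, source_ip, username, outcome)."""
    return [tuple(line.split()) for line in log_text.splitlines() if line.strip()]


def classify_sources(events, threshold=FAIL_THRESHOLD):
    """Return {source_ip: (kind, success_after_burst)} for noisy sources.

    kind is "brute-force" when all failures hit one account,
    "credential-stuffing" when nearly every failure is a distinct account,
    and "password-spray/mixed" otherwise. Events must be in time order.
    """
    fails = defaultdict(list)          # ip -> usernames that failed
    success_after = defaultdict(bool)  # ip -> success seen after failures
    for _ts, ip, user, outcome in events:
        if outcome == "FAIL":
            fails[ip].append(user)
        elif outcome == "SUCCESS" and fails.get(ip):
            success_after[ip] = True
    verdicts = {}
    for ip, users in fails.items():
        if len(users) < threshold:
            continue  # below the noise floor; an ordinary typo is not flagged
        distinct = len(set(users))
        if distinct == 1:
            kind = "brute-force"
        elif distinct >= 0.8 * len(users):
            kind = "credential-stuffing"
        else:
            kind = "password-spray/mixed"
        verdicts[ip] = (kind, success_after[ip])
    return verdicts
```

A flagged source whose burst is followed by a success is the case the text describes, where the actor has obtained access it can then resell.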
6. Knowledge is power
High-achieving threat actors often possess inquisitive qualities and engage in lifelong learning. They are adept with technology, sometimes having been exposed to it in their education and early life. They continue to seek out mentors, enroll in legitimate and illegitimate courses, follow tech media, attend lectures and maintain awareness of new areas of learning. Training courses, step-by-step guides, manuals and video demonstrations enable underground threat actors to increase their skill level or sophistication. Whether it’s purely technical or rooted in social engineering, the constant drive for knowledge helps effective threat actors achieve their goals.
A prominent initial access merchant observed by Intel 471 said in an “interview” that he allegedly first attempted hacking at school by “pranking” classmates’ computers with a remote access trojan (RAT). The actor revealed in the “interview” that he viewed successful ransomware operators as role models and allegedly planned to open a RaaS program and assemble a powerful hacking team within five years. At the time of the “interview,” the actor allegedly had already assembled a small hacking team that included some real-life friends and a few people found on a cybercrime forum.
7. Putting the ‘organized’ in ‘organized crime’
Over time, cybercriminal networks have become more organized, collaborative and well-funded. As highly-skilled threat actors have developed their business, they’ve reinvested some of their earnings back into their enterprises. Similar to other professional business ventures, threat actors reinvest profits into their illicit enterprise to improve their capabilities, infrastructure, platforms and offers. This widens their ability to hone their technical skills and enables them to conduct more sophisticated attacks.
There has been a pronounced shift in the way cybercriminals treat their operations in the last decade. By and large, threat actor groups view negotiations and attack methodologies with a business mindset, particularly with regard to professionalizing their services and the way they communicate. Rather than reacting based on emotion, they approach interactions with standard operating procedures and clarify the expectations of affiliates early and often throughout the relationship. Additionally, strong leaders provide the structure necessary to organize resources in the right direction.
For example, one RaaS operator stated to a victim in a ransomware chat log observed by Intel 471: “our goal is money, we are not interested in causing harm. We tell you the amount we want to receive for unblocking the network and deleting all the files that we have downloaded from you. We come to an agreement, and after receiving the money, you receive a decryptor and proof of file deletion.”
The language in these logs mimics typical IT support communications, which encourages cooperation to solve a problem (despite the fact that the group conducting the “support” operations probably launched the attack). Most RaaS operators also claimed additional losses could be avoided if the victim cooperated with the ransomware program negotiator’s terms. Ransomware operators also clearly state their objectives and engage in effective communication strategies when uploading ransom notes. Using professional language in ransom notes and negotiations demonstrates how cybercrime continues to progress toward a more advanced business model. These practices likely increase financial gain over the long term: when these cybercriminals determine what is successful, they repeat it continuously.
A systemic pattern moving forward
Habits determine an actor’s long-term effectiveness, and we observed that sound decision-making and behaviors contribute to actors’ success. Once an actor’s perceived gains outweigh the perceived risk, they mobilize to harness favorable situations or conditions, increasing their opportunities and bolstering their security posture. We observed actors get ahead by developing and obtaining capabilities, demonstrating their leadership skills and nurturing both underground partnerships and insider relationships. Actors successfully evade detainment while making large profits by engaging with trusted affiliates, corporate insiders and network access brokers, and by developing and using the right tools and tactics at the most appropriate times to maximize benefits and decrease risk.
Actors who have been successful for years likely will continue to be in the short term. Yet, these attributes alone do not guarantee a thriving criminal career. Cybercrime thrives in places where threat actors can operate with less fear of negative consequences. Therefore, understanding a country’s infrastructure, economic situation and level of corruption is vital to discerning environments where cybercrime can flourish. For instance, we observe many attacks originating from Russia. Russia likely will continue to foster an environment for successful cybercrime operations following its war in Ukraine and demonstrated corruption of power from top leaders.
All of these traits point back to cybercriminals’ primary motive: making money. No matter the scheme or the technical adjustments made to enhance profit, the judgment and decision-making strategies and common traits of effective actors are likely to remain constant over time.