Any well-orchestrated cybercrime operation can be viewed through the prism of the iceberg analogy. The tip of the iceberg combines the campaign's tactical and strategic levels. The former comprises the often unorthodox tactics, techniques, and procedures (TTPs) used to gain a foothold in a target network; the latter mostly boils down to clever, hard-to-trace monetization of the attack.
The operational tier sits hidden beneath the surface. It covers the flexible management of a gang's resources and serves as the glue that holds the shady ecosystem together. Although it is less conspicuous than the other two, it is hugely important for achieving strategic goals. Think of it as the project management practiced by a cybercrime organization.
The ever-evolving techniques in threat actors' operational style are hard for security researchers to analyze, and for good reason: doing so requires insider knowledge and a constant watch for subtle shifts in a fast-moving threat landscape, which is a daunting task.
The silver lining is that some reports by security professionals shine a light on the project management methods at cybercriminals' disposal. For example, insights into the modus operandi of the infamous Russia-linked FIN7 group help explain how organized cybercrime groups work, what technologies they use, how they recruit "employees," and how they keep records of their victims. With that in mind, let's try to lift the curtain on the operational art of online crime.
Agile operational practices make a difference in the increasingly competitive cyber threat landscape. They include the ability to breach multiple high-profile targets in a short time, exfiltrate large amounts of proprietary information, pay team members well, and quickly get the hang of new offensive tools.
It might sound counterintuitive, but technical proficiency isn't the main hallmark of a successful gang. Garden-variety phishing skills, combined with the ability to cash out through routine mechanisms such as cryptocurrency mixing services, wire transfers, and the abuse of stolen credit cards, will typically suffice. What matters more than either is well-polished resource management and team coordination.
It's operational proficiency that distinguishes advanced persistent threat (APT) groups from run-of-the-mill cyber malefactors. These skills are what allow a group to compromise and cash in on dozens of victims simultaneously without having to rely on cutting-edge tooling.
Judging by the analysis of the above-mentioned FIN7 group, which has been active since 2013 and is still going strong, this type of competence boils down to a fusion of frictionless business processes and well-thought-out human resource management. The building blocks of this strategy in the repertoire of high-performing gangs are as follows:
Cybercriminals follow the money. To excel at doing so, they need monetization techniques that can be easily adapted to different targets. The most successful gangs use the following playbook to turn unauthorized network access into financial gain:
It's worth emphasizing that perpetrators try to strike a balance between hitting multiple targets and squeezing the most out of the organizations they have already infiltrated; they hardly ever concentrate fully on monetizing a single breach. It's important for them to keep the ball rolling, so they maintain a constant flow of new attacks.
Tracking every victim along with its exploitation status is another important component of the crooks' project management methodology. Each project in their internal system corresponds to a compromised company. It holds comprehensive information about the victim's business model, the data stolen, and the resources allocated to turning unauthorized access into profit, as well as the list of "employees" assigned to it.
To implement this logic smoothly, APT groups may leverage reputable project management software. Furthermore, coordination between "stakeholders," developers, operators, and translators follows a proper DevOps-style workflow.
The case of the FIN7 gang illustrates the dark side of such progressive project management. The group reportedly uses turnkey applications to track its victims along with the progress of every breach. It also maintains a secure chat system to manage personnel, interview job candidates, and discuss wages with team members.
To take it up a notch, the criminals are known to misuse legitimate issue-tracking products such as Jira. When an organization is infiltrated, FIN7 operators open an issue ticket for it and then update the record with new information, in the form of comments, as the compromise progresses.
The same tool is also abused to store victims' authentication data, screenshots, keystroke logs, and other material that serves as a launch pad for expanding the intruders' foothold. By and large, the product's inherently benign functionality gets weaponized to keep all breach information in one place and to facilitate coordination between threat actors.
The human element remains a cornerstone of any high-profile cybercrime organization, eclipsing technology in importance. APT actors fill a variety of job functions ranging from managers and operators to translators and programmers.
It's not uncommon for these groups to hire people through fake security companies under the guise of recruiting penetration testers or developers. The headhunting workflow relies on private online chat services to interview candidates.
In this scenario, any ethical hacking professional should quickly suspect that they are being manipulated. First, a legitimate penetration test is scoped, authorized in writing by the client, and performed within a limited time frame, whereas the job functions offered by the rogue front organization presuppose continuous probing of multiple infrastructures for entry points and exploitation of whatever is found.
Second, pen testers are expected to communicate with their customers to request and exchange information throughout the security evaluation. Third, white hats never deploy malware or persistence beyond the agreed scope of an engagement, nor do they harvest payment card data or tamper with point-of-sale systems.
The biggest giveaway, however, is that a regular penetration test always culminates in a comprehensive report that outlines each stage of the simulated breach, enumerates the tools used, and provides recommendations for fixing the discovered vulnerabilities. None of that happens in a real-life cyberattack.
Sophisticated TTPs alone aren't enough for a cybercriminal clique to succeed. Staying afloat in these murky waters is, first and foremost, a matter of operational agility, a kind of project management in the crooks' offensive genre. This includes clever recruitment, seamless DevOps-style collaboration within teams, a clear-cut distribution of roles, attack monetization templates tailored to the victim's industry, and the use of software to track a large number of victims and document every breach status in real time.
At the end of the day, criminal organizations that master these techniques perform exceptionally well. It’s too bad they steer their project management proficiency in the wrong direction.
Disclaimer: The author is completely responsible for the content of this article. The opinions expressed are their own and do not represent IEEE's position nor that of the Computer Society nor its Leadership.