Any well-orchestrated cybercrime operation can be viewed through the prism of the iceberg analogy. The tip of the iceberg combines the campaign’s tactical and strategic levels. The former comprises unorthodox tactics, techniques, and procedures (TTPs) leveraged to gain a foothold in a target network, and the latter mostly boils down to clever, hard-to-trace attack monetization.
The operational tier is hidden underneath the surface, which involves flexible management of a gang’s resources and serves as the glue for the dodgy ecosystem. Albeit less conspicuous than the remaining two, this one is hugely important for achieving strategic goals. Think of it as project management employed by a cybercrime organization.
The ever-evolving techniques in threat actors’ operational style are difficult for information security researchers to analyze, and for good reason. To do it, white hats need some insider knowledge and have to stay consistently zoomed in on subtle tweaks in the dynamic cybersecurity statistics and trends, which is daunting.
The silver lining is that some reports by security professionals shine a light on the project management methods at a cybercriminal’s disposal. For example, insights into the modus operandi of the infamous Russia-linked FIN7 group help better understand how organized cybercrime organizations work, what technologies they use, how they recruit “employees,” and how they keep a record of victims. That said, let’s try to lift the curtain on the operational art of online crime.
Lucrative attacks and technological innovation don’t necessarily overlap
Agile operational practices make a difference in the increasingly competitive cyber threat landscape. These include the ability to breach multiple high-profile targets in a short amount of time, exfiltrate large amounts of proprietary information, offer high salaries to team members, and get the hang of new offensive tools.
It might sound counterintuitive, but tech proficiency isn’t the main hallmark of a successful gang. Garden-variety phishing skills, combined with monetization competence through regular mechanisms such as cryptocurrency mixing services, wire transfers, and the abuse of stolen credit cards, will typically suffice. Nevertheless, their importance is overshadowed by well-polished resource management and team coordination.
Malicious actors’ project management approach
It’s operational proficiency that distinguishes advanced persistent threat (APT) groups from run-of-the-mill cyber malefactors out there. These skills are key to compromising and cashing in on dozens of victims simultaneously without even having to harness the latest top-notch technological advancements.
Judging by the analysis of the above-mentioned FIN7 APT, which has been active since 2013 and is still going strong, this type of competence boils down to a fusion of frictionless business processes and well-thought-out human resource management. The building blocks of this strategy in the repertoire of high-performing gangs are as follows:
- Business processes have to be thoroughly tested and easy to reproduce.
- The role of APT “stakeholders” is to manage people, projects, data, and financial assets.
- Technological innovation isn’t a top-of-mind priority for managers. They are focused more on the permanent enhancement of the TTPs that are already in place.
A multi-pronged business model
Cybercriminals follow the money. To excel in doing so, they have to harness monetization techniques that can be easily adapted to different targets. The most successful gangs use the following algorithm to turn unauthorized network access into financial gain:
- Selecting a target organization.
- Discovering the target’s valuable assets.
- Picking an employee who will be on the receiving end of a social engineering attack. This can be done by researching the person’s pain points through open-source intelligence (OSINT) and other sources, including dark web databases from past breaches. With insider threats gathering momentum today, malicious actors may also look for attack opportunities based on the foul play of double-dealing employees.
- Sending a phishing email to try and dupe the individual into running a remote access Trojan (RAT) or ransomware on their computer.
- Lateral movement inside the infected network aims to identify valuable data such as bank records and authentication details for accessing financial transaction processing systems.
- Post-exploitation transfers funds away from the target’s business accounts and extracts the collected data.
- Selling the proprietary data on the dark web or using it to execute supply chain attacks against the target company’s contractors.
It’s worth emphasizing that perpetrators try to strike a balance between hitting multiple targets and squeezing the most out of the infiltrated organizations, and they hardly ever fully concentrate on monetizing a specific breach. It’s important for these folks to keep the ball rolling, so they maintain a constant flow of new attacks.
Keeping a record of victims
Tracking all the victims along with the exploitation statuses is another important component of crooks’ project management methodology. Each project in their internal system corresponds to a compromised company. It harbors comprehensive information about the victim’s business model, the data stolen, and the resources allocated to transforming unauthorized access into profit. It also includes the list of dedicated “employees.”
To ensure a smooth implementation of this logic, APT groups may leverage reputable project management software. Furthermore, the interoperability between “stakeholders,” developers, operators, and translators is aligned with proper DevOps.
The case of the FIN7 gang illustrates the dark side of such progressive project management. These folks reportedly use turnkey applications to track their victims along with the progress of every breach. They also maintain a secure chat system to manage personnel, conduct interviews with job candidates, and discuss the wages with team members.
To take it up a notch, the criminals are known to mishandle legitimate issue-tracking products like Jira. When an organization is infiltrated, FIN7 operators add an issue ticket and then update this record with new info in the form of comments as the compromise moves on.
This popular tool is also abused to store victims’ authentication data, screenshots, keystroke logs, and other information that serves as a launch pad for expanding the attack surface. By and large, the solution’s inherently benign functionality gets weaponized to retain all breach information in one place and to facilitate the coordination between threat actors.
The HR piece of the puzzle
The human element remains a cornerstone of any high-profile cybercrime organization, eclipsing technologies in terms of importance. APT actors have various job functions that range from managers and operators to translators and programmers.
It’s not uncommon for these groups to hire people via fake security companies under the guise of recruiting penetration testers or developers. The headhunting workflow involves private online chat services to interview candidates.
In this scenario, any ethical hacking professional would easily suspect that they are being manipulated. First off, network penetration testing is fulfilled within a limited time frame, whereas the job functions offered by the rogue front organization presuppose a continuous probing of multiple digital infrastructures for entry points and exploiting them.
Second, pen testers are supposed to communicate with their customers to request and exchange information throughout the security evaluation. Third, white hats never deposit malicious programs for post-exploitation, nor do they harvest credit card information or compromise point-of-sale systems.
The biggest giveaway, however, is that a regular penetration test always culminates with a comprehensive report that outlines each stage of the undercover breach, enumerates the tools used, and provides recommendations to address the discovered vulnerabilities. None of that is the case with real-life cyberattacks.
Sophisticated TTPs alone aren’t enough for a cybercriminal clique to succeed in what it does. Staying afloat in these murky waters is, first and foremost, a matter of operational agility, a kind of project management in the crooks’ offensive genre. This includes clever recruitment, seamless DevOps-style collaboration within teams, clear-cut distribution of roles, attack monetization templates based on industry, and the use of software to track a large number of victims and document all the breach statuses in real time.
At the end of the day, criminal organizations that master these techniques perform exceptionally well. It’s too bad they steer their project management proficiency in the wrong direction.
Disclaimer: The author is completely responsible for the content of this article. The opinions expressed are their own and do not represent IEEE’s position nor that of the Computer Society nor its Leadership.