Pages

7 August 2022

The Cyber Mercenary Business is Booming

Emilio Iasiello

A recent report revealed several private sector Indian companies that have been involved in using corporate cyber espionage tactics against entities involved in litigation in an effort to influence their outcomes. What started off as a hacker-for-hire situation, quickly bloomed into an organized commercial endeavor for the hacker, who recruited and grew a small group of Indian colleagues to be hired out to private investigators employed by clients involved in lawsuits. The reporting focused on three particular companies (BellTroX, CyberRoot, and Appin), though there are several more of these cyber mercenary groups whose customers have ranged from multinationals to individuals with personal grievances they are seeking to satisfy.

Though this reporting focused on Indian companies, there has been an increasing amount of literature exposing the activities of these “cyber mercenaries” – gray hat companies that are also referred to as private sector offensive actors, that advertise their services under the rubric of forensics, pentesting, information security research, or auditing. Ultimately, these capabilities are purchased by customers for more malicious purposes. Per Microsoft, cyber mercenaries employ two types of business models: a access-for-hire approach where the group sells end-to-end hacking tools to the customer who conducts their operations independent of the group’s help; and a for-hire service where the customer provides targeting information and the group does all of the work. In addition to companies involved in litigation, the prime targets of cyber mercenaries have included but are not limited to politicians, political activists, human rights, journalists, among other targets. These cyber mercenaries are found globally, though recent reports have focused on those based in Austria, China, India, Russia, and the United Arab Emirates. Since early July 2022, Google has been aggressively identifying and shutting down the websites of these groups, closing at least 30 domains associated with these actors. These are but minor, temporary wins in a much larger and global effort.

Though deemed as being non-state affiliated, a segment of these groups possess sophisticated hacking capabilities that experts believe to be on par with some advanced persistent threat operations, and using similar attack methodologies used by their state counterparts. In addition to deploying spearphishing and specialized malicious plugins, a recent report revealed that at least one of these cyber mercenary conclaves targeted European and Central American victims by exploiting a zero-day vulnerability in Windows that would facilitate surveillance, a tactic typically employed by state-caliber actors to assure entry into high-value targets. In some instances, cyber mercenary groups have been known to help each other out whether through the sharing of infrastructure, tools and resources, or individuals.

What’s more, this appears to be a booming business, with these groups adapting the established cybercrime-as-a-service model to market cybersecurity services to appear legitimate as evidenced in BellTroX’s advertisement and even legally incorporating their companies. Some like the Israel-based NSO group have gained notoriety over the past several years for these questionable activities. NSO sold its spyware tool Pegasus to governments and law enforcement entities, the fallout from which is still being revealed in news outlets. One Austria-based group listed services on its website consistent with a cybersecurity vendor but was exposed when a data leak disclosed that it also engaged in cyber warfare, biometrical facial recognition, and unmasking foreign information warfare. It’s connection to the previously mentioned Windows zero-day that would deploy malware in surveillance cameras would be extremely useful to law enforcement and intelligence entities and would risk crossing privacy and human rights concerns.

While gray hat companies are pushing the boundaries of illicit for-hire activities, the emergence of a group dubbed Atlantis Intelligence Group (AIG) puts a spin on this growing industry. While not a gray hat company per se, AIG has engaged in recruiting cyber mercenaries – which may be individuals or gray hat groups – who possess specializedskillsets that are used to aid on specific parts of an attack that AIG has been contracted out to perform. By segregating phases to increase operational security practices, AIG has found a way to protect the core group, as well as preserve the integrity of the overall operation. The contracted mercenaries are never given permanent group member status and have no knowledge of the larger operation, thereby limiting their insight into how AIG does its business and insulating the senior AIG individuals from exposure. Many of the ad-hoc positions being sought are consistent with initial access such as spearphishing and social engineering attacks. AIG’s practices further show how these entities continue to refine cyber mercenary activities, perhaps learning from where other groups like the aforementioned Indian companies and the now defunct HackingTeam, and Gamma International, Ltd., mis-stepped resulting in their public exposure of their activities. Based on these security considerations, it certainly appears that AIG is looking to be a longstanding player in the for-hire services industry.

What’s clear is that the offerings provided by cyber mercenaries have value to both public and private sector customers, increasing their value with demonstrated records of success. These groups have proven themselves adaptable and do not focus on any particular industry making them an attractive option to conduct corporate and industrial cyber espionage for the purposes of providing competitive advantage to their clients. Perhaps more importantly, they represent an affordable resource. For states, they provide an instant capability for those lacking the fiscal, material, and human resources required for stealthy cyber operations, or if deployed internally, perform surveillance and help support domestic control. For already cyber-capable states, cyber mercenaries are a natural complement to be leveraged as cut-outs, that if contracted properly, provide plausible deniability should their activities be detected.

The extent with which cyber mercenary companies will be utilized by states remain to be seen. However, they are already proving to be viable options for the private sector. Moreover, the full extent of these operations is not known, though the number of these types of gray hat companies seems to be larger and more global than perhaps previously suspected suggesting the appetite for such services by corporate clientele. This also raises the question if some activities that have been detected by organizations haven’t been misidentified thereby obstructing a more thorough understanding of who is perpetrating the malfeasance and why. Failing to do so risks incorrectly informing organizations of the nature of the threat, impairing victims from adjusting their cybersecurity postures appropriately.

No comments:

Post a Comment