Over the past few years, a very small number of cybercriminals have become quite sophisticated and are able to cause significant damage. At the same time, a much larger number of actors have found that the decreasing amount of skill and resources necessary to engage in profitable cybercrime is reason enough to pursue low-level operations.
The result is a hollowing middle across many types of cyber attacks, with a small number of sophisticated actors on one side, a growing number of relatively simple operations on the other, and a decreasing percentage of intermediary actors. This trend is apparent in cybercrime, cyberespionage and even vulnerability research.
The number of truly sophisticated cybercriminal actors is small enough that many are known by name. For example, the small group of actors known as Carbanak is among those using techniques more typically associated with nation states to spy on victims, thoroughly penetrate their systems and exfiltrate significant sums. Other actors have ties to multiple cybercriminal operations, such as the group with ties to Dyre, Dridex and even “legitimate” companies and government operations.
Such endeavors require significant expertise and resources, and as such are beyond the reach of most would-be cybercriminals. Fortunately for them, and unfortunately for the rest of us, the barriers to entry for “regular” cybercrime are increasingly low. It is now possible for cybercriminals to make money with relatively simple operations. While there are certainly actors who still steal and monetize data, it is now possible to steal any material from a company, not just valuable, monetizable data, and blackmail that company with the publicity that news of a breach could attract. The Dark Overlord is perhaps the best known such operation, but they are not alone.
Ransomware is another way to monetize basic access to a victim. Ransomware claims to encrypt (although it sometimes destroys) victims’ data and promises to decrypt it in return for a ransom payment (although it sometimes does not). Victims’ data, and their ability to continue using their devices, are valuable to the victims, even if there is nothing immediately useful for traditional cybercriminal means of monetization. Baby pictures matter to a baby’s parents even if no one else would ever pay for them, and the loss of operations can be quite serious: Atlanta learned this the hard way, when that city’s government suffered weeks of downtime after SamSam ransomware infected Atlanta’s administration.
Some of the more capable ransomware groups target organizations that really cannot afford much downtime, such as local governments and hospitals, but that remain relatively easy targets. For those unable even to target vulnerable sectors, there are basic, and even free, versions of ransomware that attackers with limited skills can use against individuals.
Even simpler than ransomware is coin mining. This involves using victims’ resources to mine cryptocurrencies, and offers the advantage of delivering instant money at little risk, as well as the not inconsiderable benefit that miners are easily available, easy to use, and easy to install on one’s own or victims’ websites. While some miners infect devices and run on them, others work in browsers and require only that victims visit the affected sites for their processing power to be used. This is so easy that even otherwise honest actors are running in-browser miners on their employer’s computers or while at work.
While this trend is more visible among cybercriminals, some spies are also getting in on the act. Truly sophisticated cyberespionage efforts worthy of the title Advanced Persistent Threat (APT) are not something that every country can deliver. Although prolific, sophisticated actors still dominate in that sphere, the ease of establishing a basic operation makes it an attractive option for nation states or even political groups that would otherwise have nothing, particularly given the number of easy targets that remain accessible. According to a report from Lookout Security, Pakistan’s intelligence service did just that with the mobile malware that Lookout calls Stealth Mango and Tangelo (for Android and iPhones respectively). According to Lookout, the developers produced two versions of their spyware: one for Pakistan’s military intelligence service and one for private sale to civilians called TheOneSpy, billed to customers as a way to keep track of teens and employees [1]. TheOneSpy is a basic spouseware program that costs between 50 and 200 EUR per year, depending on the package chosen [2]. Despite this simplicity, Stealth Mango and Tangelo did succeed in infecting at least some useful targets, including government and private sector actors in Southeast Asia, the Middle East, the United States and Europe (including Germany).
Governments willing to spend a little more money are also able to purchase espionage capability from companies such as Germany’s Lench IT Solutions, which makes a range of spyware under the names FinFisher and FinSpy, or from Italy’s Hacking Team. The latter lost many customers when hacktivists stole and leaked internal documentation showing that it worked with repressive regimes such as Sudan, Bahrain, Venezuela, and Ethiopia. It was rescued when an investor in Saudi Arabia linked to that country’s government bought a portion of the company, thereby also buying increased cyberespionage capability for the Kingdom.
Even political groups below the nation state level are able to capitalize on existing tools and knowledge to conduct cyberespionage operations. One such group, the Gaza Hackers Team, also known as Gaza Cybergang and Molerats, is believed to be the work of Hamas. The group employed preexisting Trojans to target governments, oil and gas companies, media, activists, politicians, and diplomats. They did so prolifically, but not at a high enough level to rank as a high priority for national counterintelligence efforts or cybersecurity researchers.
Recent months have seen a significant improvement in activity attributed to the Gaza Hackers Team, including the use of relatively new vulnerabilities, but this higher-level activity could be the work of a more sophisticated actor impersonating the Gaza Hackers Team [3] to hide its own tracks and discourage in-depth attribution efforts.
The hollowing pattern is also visible in exploit development. As software vendors improve their own security, the number of vulnerability researchers able to reverse engineer their programs and develop truly sophisticated exploits is shrinking, while the time they require to do their work is growing. This drives many mid-level operators out of that portion of the market. At the same time, the rise of bug bounties and other means of monetizing even low-level bugs (legal and otherwise) is attracting the large and growing number of low-level vulnerability researchers in countries such as India, where even relatively low payouts are enough to live well.
With such low barriers to entry, it is not surprising that many low-skilled actors are entering the cybercriminal and cyberespionage spheres. The problem for defenders is that, as the middle hollows out, a small number of truly sophisticated actors remains, a group that poses such a risk that it attracts a significant share of defenders’ resources. At the same time, the group of low-skilled actors is large and growing. Individually, they may not seem like a big deal. As a whole, however, their numbers are enough that they pose a significant threat, one that will only grow as their numbers do.
Who we are
The Threat Intelligence Team helps clients reduce the threat that adversaries pose to their networks by leveraging the power of collaborative defense in combination with comprehensive analytics and contextualized threat intelligence. DCSO delivers actionable intelligence on all levels, from atomic Indicators of Compromise (IoC) to insights into the political, economic and cultural context of adversaries.
[1] Lookout. “Stealth Mango & Tangelo.” May 2018. https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf
[2] The One Spy. “Kaufe Jetzt.” Accessed May 20, 2018. https://www.theonespy.com/de/
[3] Kovacs, Eduard. “Hamas-Linked ‘Gaza Cybergang’ Has New Tools, Targets.” Security Week, October 20, 2017. https://www.securityweek.com/hamas-linked-gaza-cybergang-has-new-tools-targets