A hackers-for-hire group dubbed “Dark Basin” has targeted thousands of individuals and hundreds of institutions around the world, including advocacy groups, journalists, elected officials, lawyers, hedge funds and companies, according to the internet watchdog Citizen Lab. In a report published yesterday, its researchers say they discovered almost 28,000 web pages created by the hackers for personalised “spear phishing” attacks designed to steal passwords.
Cyber is fertile ground for entrepreneurs, on the light side and the dark. With the amount of money to be made hacking and the means to ensure anonymity, it was only a matter of time until mercenaries emerged. This might not be all that new, but it is now the big time for Hacking Inc. (my term for commercial, for-hire mercenary hacking). This is organised crime for the cloud era, and there’s a perfect storm right now: people with skills, not much gainful employment for many of them, a rich target environment and money to be made. It’s another reminder that everything we build can be targeted, and that good cyber hygiene, like good health, requires a mindset and ongoing work. It’s also time to remind ourselves that we should share a collective mission: make the risk and cost of offensive hacking so high that other job options look better by comparison. It’s time to take the boom out of Hacking Inc. and make ourselves more robust and hardened against their techniques. Nothing in the toolkit of this group, or of most of the rest of Hacking Inc., is particularly brilliant, so let’s not let them have their way.
Cyber defenders know, at least implicitly, that attackers set the rules of engagement for their own attacks and that cyber-criminal activity is fundamentally a business. Hacking for hire, or cyber-mercenaries, is part of that business landscape, and one where targeted attacks are likely only to increase. While Dark Basin is reported to have relied on spear-phishing, it’s important to recognise that a hack-for-hire organisation will use whatever combination of techniques meets the scope of the customer’s contract. It is equally likely that such groups will implant dormant command-and-control footholds within their victims, either to support long-running intelligence gathering or to shorten the lead time for any future targeted attack.
From a defensive cybersecurity posture, minimising the threat from implanted control systems starts with a robust inventory of what “normal” looks like for all software deployed within the organisation. This includes the mundane, such as software asset inventories, but also a thorough understanding of what data the business collects, processes and retains, coupled with a clear picture of which systems have access to that data and who is authorised to read and to modify it. These are the relationships that cyber-criminals of all stripes attempt to identify and exploit. They are also the relationships that governance, risk and compliance teams need to know in order to best protect the business from attack.
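As an added example of what that “inventory of normal” looks like in practice (this is illustrative code written for this post, not anything from Citizen Lab or the Dark Basin report): the script below keeps a baseline of executables per host, diffs a fresh snapshot against it to surface new or replaced binaries (the footprint a dormant implant tends to leave), and then checks observed data-access events against a map of which systems and principals are authorised to read or write each class of data. All hosts, paths, file contents, principals and events are constructed in-line so it runs offline; in practice the snapshots would come from an asset-management export or a package/file-integrity tool, and the events from access logs.

```python
"""Baseline inventory diff plus data-access policy check (illustrative example).

Hosts, paths, file contents, principals and access events below are all
constructed for this example and do not describe any real environment.
"""
import hashlib


def digest(content: bytes) -> str:
    """SHA-256 of file content; stands in for a file-integrity tool's hash."""
    return hashlib.sha256(content).hexdigest()


# Constructed baseline: what "normal" looked like when the inventory was taken.
BASELINE_INVENTORY = [
    {"host": "web-01", "path": "/usr/sbin/nginx", "sha256": digest(b"nginx-1.18")},
    {"host": "web-01", "path": "/usr/bin/ssh", "sha256": digest(b"openssh-8.2")},
    {"host": "db-01", "path": "/usr/bin/ssh", "sha256": digest(b"openssh-8.2")},
    {"host": "db-01", "path": "/usr/sbin/postgres", "sha256": digest(b"postgres-12")},
]

# Constructed current snapshot: one new executable and one replaced binary.
CURRENT_INVENTORY = [
    {"host": "web-01", "path": "/usr/sbin/nginx", "sha256": digest(b"nginx-1.18")},
    {"host": "web-01", "path": "/usr/bin/ssh", "sha256": digest(b"openssh-8.2")},
    {"host": "web-01", "path": "/opt/.cache/updater", "sha256": digest(b"unknown-binary")},
    {"host": "db-01", "path": "/usr/bin/ssh", "sha256": digest(b"openssh-8.2-replaced")},
    {"host": "db-01", "path": "/usr/sbin/postgres", "sha256": digest(b"postgres-12")},
]


def snapshot(records):
    """Index an inventory as {(host, path): sha256} for cheap set arithmetic."""
    return {(r["host"], r["path"]): r["sha256"] for r in records}


def diff_inventory(baseline, current):
    """Return (host, path) keys that were added, removed or changed hash."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys if baseline[k] != current[k]),
    }


# Constructed access policy: per data class, which systems may hold it and
# which principals may read or write it. Everything not listed is unauthorised.
ACCESS_POLICY = {
    "customer_pii": {
        "systems": {"crm-app", "db-01"},
        "read": {"svc-crm", "analyst-ro"},
        "write": {"svc-crm"},
    },
}

# Constructed access events as they might be distilled from application logs.
ACCESS_EVENTS = [
    {"system": "crm-app", "principal": "svc-crm", "data": "customer_pii", "op": "read"},
    {"system": "db-01", "principal": "analyst-ro", "data": "customer_pii", "op": "write"},
    {"system": "web-01", "principal": "www-data", "data": "customer_pii", "op": "read"},
]


def unauthorized_accesses(policy, events):
    """Flag events whose system or principal is outside the policy for that data."""
    findings = []
    for ev in events:
        rule = policy.get(ev["data"])
        reasons = []
        if rule is None:
            reasons.append("data class not covered by policy")
        else:
            if ev["system"] not in rule["systems"]:
                reasons.append("system not authorised to hold this data")
            if ev["principal"] not in rule.get(ev["op"], set()):
                reasons.append(f"principal not authorised to {ev['op']} this data")
        if reasons:
            findings.append({"event": ev, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for kind, keys in diff_inventory(snapshot(BASELINE_INVENTORY), snapshot(CURRENT_INVENTORY)).items():
        for host, path in keys:
            print(f"[inventory] {kind}: {host}:{path}")
    for f in unauthorized_accesses(ACCESS_POLICY, ACCESS_EVENTS):
        ev = f["event"]
        print(f"[access] {ev['principal']}@{ev['system']} {ev['op']} {ev['data']}: {'; '.join(f['reasons'])}")
```

The inventory diff is deliberately dumb: it does not try to decide whether `/opt/.cache/updater` is malicious, only that it was not there when the baseline was taken, which is the question an incident responder wants answered first. The access check is the second half of the same idea, expressed as data: once the system-to-data and principal-to-data relationships are written down, an analyst account writing where it should only read, or a web host touching data it was never meant to hold, becomes a one-line comparison rather than a judgement call.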