The fight between attackers and security researchers often is portrayed as a kind of spy versus spy operation, with each side making moves and countermoves in order to stay undetected and continue operating. But while top-tier attackers pay close attention to the details and are adept at hiding their tracks, that doesn’t necessarily hold true for the rest of the herd.
New research from security firm Digital Shadows into the operational security practices of attacker groups shows that there is a wide variety in the quality and professionalism that attackers display when conducting their operations. For attackers at the top of the pyramid, think intelligence services and APT groups, operational security is of the utmost importance and they take it very seriously. There are operations known to security researchers that have been going on for years and yet the researchers don’t have a clear idea of who is behind them. On the other hand, inexperienced cybercriminals often make simple mistakes early on that lead to them being caught.
“Just as threat actor motivations and capabilities vary from group to group, so does OPSEC tradecraft. Different actors have different requirements for privacy and anonymity. Cyber crime forum operators must balance staying off the radar of law enforcement with the ability to sell and market their products. Nation state espionage actors often possess more mature tradecraft, but this isn’t always the case. Hacktivist OPSEC can range from less mature with teenagers launching DDoS attacks, to more mature groups targeting high profile banks and doing data dumps,” Digital Shadows said in its new report.
Rick Holland, vice president of strategy at Digital Shadows, said that attackers often start at the low end of the spectrum, with credit card fraud and other simple crimes. When they have some success there, they may move up to more complex and risky crimes that require better OpSec, but they’re not always up to the task.
“There’s a lot of immature people and OpSec. A lot of people start in carding and go after consumers. Carding is where you start, and those that are successful will stay around and become more mature,” Holland said in an interview. “Their tenure, as far as how long they’ve been operating, is a factor. The new groups have to mature their OpSec. If someone is a money mule and they have to go into the physical world to cash out, their OpSec is higher, so the roles matter.”
Attackers of various skill levels communicate, recruit, and compare notes on forums, which often are members-only. Researchers monitor these forums for information on attackers’ tactics and potential targets, and Holland said there’s typically a connection between the risk in what the attackers are doing and their level of operational security. As attackers move up the food chain and come up against more professional and skilled defenders, they are forced to step up their game.
“You see different levels of OpSec on different forums. Their OpSec is only going to be as good as it needs to be to stay hidden,” Holland said. “If someone is ideological, they may have less OpSec because they want people to know what they’re doing.”
One of the most common mistakes that cybercriminals make, Holland said, is not separating their real lives from their online criminal enterprises. In an example laid out in the Digital Shadows report, the alleged operator of a notorious botnet known as Dridex made this mistake and it led investigators right to him.
“In October 2015, the U.S. Department of Justice revealed an indictment against a suspected administrator of a Dridex botnet. The Moldovan suspect, Andrey Ghinkul, was also known by his online nickname, Smilex. Ghinkul was alleged to be part of a group that disseminated Dridex – used to automate the theft of confidential personal and financial information, such as online banking credentials, from infected computers through the use of keylogging and web injects,” the report says.
“It was estimated by the Federal Bureau of Investigation (FBI) that at least $10 million USD in direct loss to the United States is attributable to Dridex. A subsequent review of the digital shadow of Smilex revealed a somewhat lax attitude towards operational security, with easily identified traces of the nickname ‘Smilex’ being used alongside the attacker’s real name. From there it was relatively easy to identify a date of birth and a social media presence, including a rather open Facebook profile revealing details of holidays abroad and expensive foreign vehicles.”
Attackers and fraudsters are not just interested in hiding their activities; they also need to hide and launder the money they make from their crimes. This has been made much simpler in recent years with the advent of cryptocurrencies such as Bitcoin. Holland said many cybercrime groups have taken an interest in Bitcoin and use third-party services to launder their currency and break the publicly documented connection between sending and receiving Bitcoin addresses.
“They’re very interested in Bitcoin and digital currency,” he said.