March 29, 2023 By Jonathan Reed 4 min read

Google’s Threat Analysis Group (TAG) recently released a report about growing hack-for-hire activity. In contrast to Malware-as-a-Service (MaaS), hack-for-hire firms conduct sophisticated, hands-on attacks. They target a wide range of users and exploit known security flaws when executing their campaigns.

“We have seen hack-for-hire groups target human rights and political activists, journalists and other high-risk users around the world, putting their privacy, safety and security at risk,” Google TAG says. “They also conduct corporate espionage, handily obscuring their clients’ role.”

The level of detailed information these groups can access is astonishing. Here’s what organizations need to know about this emerging threat to data security.

Hack-for-hire not as-a-Service

The recent rise in Ransomware-as-a-Service has alarmed security experts across the globe. Unlike MaaS, hack-for-hire activity appears to be much more targeted. For example, Reuters recently reported on thousands of email records exposing an Indian hack-for-hire group. These actors were called upon to interfere in lawsuits all over the world. The cyber spies work for litigants seeking to gain an edge.

The Reuters report quoted Anthony Upward, managing director of Cognition Intelligence, a U.K.-based countersurveillance firm saying, “It is an open secret that there are some private investigators who use Indian hacker groups to target opposition in litigation battles.”

Reuters reported that at least 75 U.S. and European companies, three dozen advocacy and media groups and numerous Western business executives were the subjects of the Indian hack-for-hire attempts.

This is a far cry from a MaaS portal that sells online subscriptions for malicious services. MaaS groups increasingly look a lot like SaaS brands. Some MaaS groups have openly accessible websites, monthly newsletters, marketing campaigns, video tutorials, white papers and Twitter accounts.

While hack-for-hire groups may advertise, they aren’t usually helping clients get a cryptocurrency payout. And you can’t sign up for a subscription service. It’s more than likely that hack-for-hire clients have a specific target and goal in mind. And it frequently involves espionage. They even say so right on their websites:

Source: Google TAG

Deathstalker and dead drop resolvers

While hunting for evidence of the hack-for-hire Deathstalker group intrusions, Kaspersky identified a new variant of the Janicab malware. The group used Janicab to target legal entities in the Middle East throughout 2020 and possibly during 2021. The group’s activity may even have extended back to early 2015 and has targeted legal, financial and travel agencies in the Middle East and Europe.

It appears that Deathstalker was using YouTube, Google+ and WordPress web services as dead drop resolvers (DDRs).  Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Actors can post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victim computers will reach out to and be redirected by these resolvers.

Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that network hosts are already communicating with them prior to a compromise. Common services, such as those offered by YouTube, Reddit, GitHub, Google or Twitter, can be used in DDR. This enables adversaries to blend in with normal traffic. What’s more, web service providers commonly use SSL/TLS encryption which gives intruders an added level of protection.

Hack-for-hire motives

Unlike ransomware gangs which typically seek a quick cryptocurrency payout, hack-for-hire groups specialize in espionage or the targeting of individuals. This means they attempt to infect computers, systems and networks while remaining hidden for long periods of time. And they frequently target emails. What could their motives be? Kaspersky offered several hypotheses as to what might be Deathstalker’s motives, such as:

  • Legal disputes involving VIPs
  • Legal disputes involving financial assets
  • Intent to blackmail VIPs
  • Tracking financial assets of/for VIPs
  • Competitive/business intelligence for medium/large companies
  • Intelligence on medium/large mergers and acquisitions.

Meanwhile, Trend Micro reported that cyber mercenaries are being used to attack political opposition, dissidents, journalists and human rights activists. Malicious tools are used to spy on these targets, and the consequences can be devastating. For example, some politicians and journalists that must flee their home countries become the target of aggressive cyberattacks.

As per Trend Micro, one Russian-based hack-for-hire group named Rockethack will steal highly sensitive information from individuals and businesses on demand. But the group also seems to crave data itself. Before a customer even asks for a new service, the hackers may already be thinking about and collecting troves of personal and private data. The Russian-based hack-for-hire group targets key employees of corporations who have access to large amounts of personal data.

A trove of exfiltrated data

What kind of data does Rockethack have up for sale? It sounds like something out of a spy novel. Trend Micro reported that Rockethack can dig up data such as:

  • Information on Russian passports, foreign passports and marriage certificates
  • Information on purchased tickets where a passport is needed (train, bus, airlines and ferries)
  • Border data on individual persons
  • Data on passengers arriving at Russian airports
  • Data on passengers of Russian long-distance train stations
  • Interpol records
  • Criminal records
  • Traffic safety records
  • Migrant permits
  • Traffic camera shots
  • Traffic police data (fines, registration of cars)
  • Weapon registration
  • Federal tax service records
  • Credit history records
  • Bank account balance
  • Bank account statements
  • Phone number(s) associated with bank account
  • Banking card registration data
  • Reason and date for account blocking
  • The phone number and passport information
  • Phone call and SMS records with/without cell tower locations
  • Blocked phone numbers
  • Map where calls were located
  • Location of phone/SIM card
  • Printout of an SMS message.

Exposing the hidden threat

Hack-for-hire groups might go undetected for months, or even years, while highly sensitive and detailed information is exfiltrated. For this reason, more advanced tools are required, especially at the enterprise level.

Solutions such as Security Information and Event Management (SIEM) can correlate hybrid cloud data sources to reveal an attacker’s path. Meanwhile, threat intelligence can be used to validate the source of the attack as a known command and control center.

When threat actors trigger multiple detection analytics, move across the network or change their behaviors, SIEM can track them. More importantly, SIEM can correlate, track and identify related activities throughout a kill chain with built-in automated prioritization.

Hack-for-hire groups don’t seem to get many headlines. Perhaps it’s because they aren’t easily discovered. Maybe, businesses should start looking harder.

More from News

Research finds 56% increase in active ransomware groups

4 min read - Any good news is welcomed when evaluating cyber crime trends year-over-year. Over the last two years, IBM’s Threat Index Reports have provided some minor reprieve in this area by showing a gradual decline in the prevalence of ransomware attacks — now accounting for only 17% of all cybersecurity incidents compared to 21% in 2021. Unfortunately, it’s too early to know if this trendline will continue. A recent report released by Searchlight Cyber shows that there has been a 56% increase in…

Cyberattack on American Water: A warning to critical infrastructure

3 min read - American Water, the largest publicly traded United States water and wastewater utility, recently experienced a cybersecurity incident that forced the company to disconnect key systems, including its customer billing platform. As the company’s investigation continues, there are growing concerns about the vulnerabilities that persist in the water sector, which has increasingly become a target for cyberattacks. The breach is a stark reminder of the critical infrastructure risks that have long plagued the industry. While the water utility has confirmed that…

CISA and FBI release secure by design alert on cross-site scripting 

3 min read - CISA and the FBI are increasingly focusing on proactive cybersecurity and cyber resilience measures. Conjointly, the agencies recently released a new Secure by Design alert aimed at eliminating cross-site Scripting (XSS) vulnerabilities, which have long been exploited to compromise both data and user trust. Cross-site scripting vulnerabilities occur when a web application improperly handles user input, allowing attackers to inject malicious scripts into web pages that are then executed by unsuspecting users. These vulnerabilities are dangerous because they don't attack…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today