March 29, 2023 By Jonathan Reed 4 min read

Google’s Threat Analysis Group (TAG) recently released a report about growing hack-for-hire activity. In contrast to Malware-as-a-Service (MaaS), hack-for-hire firms conduct sophisticated, hands-on attacks. They target a wide range of users and exploit known security flaws when executing their campaigns.

“We have seen hack-for-hire groups target human rights and political activists, journalists and other high-risk users around the world, putting their privacy, safety and security at risk,” Google TAG says. “They also conduct corporate espionage, handily obscuring their clients’ role.”

The level of detailed information these groups can access is astonishing. Here’s what organizations need to know about this emerging threat to data security.

Hack-for-hire not as-a-Service

The recent rise of Ransomware-as-a-Service, the best-known form of MaaS, has alarmed security experts across the globe. Hack-for-hire activity is far more targeted. For example, Reuters recently reported on thousands of email records exposing an Indian hack-for-hire group whose operators were hired to interfere in lawsuits around the world, working for litigants seeking an edge.

The Reuters report quoted Anthony Upward, managing director of Cognition Intelligence, a U.K.-based countersurveillance firm: “It is an open secret that there are some private investigators who use Indian hacker groups to target opposition in litigation battles.”

Reuters reported that at least 75 U.S. and European companies, three dozen advocacy and media groups and numerous Western business executives were the subjects of the Indian hack-for-hire attempts.

This is a far cry from a MaaS portal that sells online subscriptions for malicious services. MaaS groups increasingly look a lot like SaaS brands. Some MaaS groups have openly accessible websites, monthly newsletters, marketing campaigns, video tutorials, white papers and Twitter accounts.

While hack-for-hire groups may advertise, they aren’t usually helping clients get a cryptocurrency payout, and you can’t sign up for a subscription. Hack-for-hire clients almost always have a specific target and goal in mind, and that goal frequently involves espionage. The groups even say so on their own websites, as the advertising screenshots in Google TAG’s report show:

[Image: hack-for-hire group advertising its services on its website. Source: Google TAG]

Deathstalker and dead drop resolvers

While hunting for intrusions by the hack-for-hire group Deathstalker, Kaspersky identified a new variant of the Janicab malware. The group used Janicab against legal entities in the Middle East throughout 2020 and possibly into 2021. Its activity may extend back to early 2015 and has targeted legal, financial and travel agencies in the Middle East and Europe.

Deathstalker appears to have used YouTube, Google+ and WordPress as dead drop resolvers (DDRs), a technique MITRE ATT&CK catalogs as T1102.001. Rather than hard-coding command and control (C2) addresses into the malware, the adversary posts content on a legitimate external web service that contains (usually obfuscated or encoded) domains or IP addresses pointing to the real C2 infrastructure. Infected machines fetch that public post, decode the pointer and connect to wherever it currently says. The operator can rotate C2 servers simply by editing the post, without touching the implants.

Popular websites and social media services make good cover for C2 because most hosts on a network were already talking to them before any compromise. A request to YouTube, Reddit, GitHub, Google or Twitter blends into normal traffic and is rarely blocked. And because these services are served over TLS, a boundary device without interception sees only a connection to a trusted domain, not the encoded pointer inside the response.
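To make the mechanism concrete, here is an added example (not code from the article, Kaspersky or Deathstalker) that walks both sides of a dead drop resolver. The "page" is a constructed stand-in for a comment on a legitimate web service, and the obfuscation scheme (single-byte XOR, then base64, behind a `ref=` marker) is an assumption chosen for illustration, not the real Janicab encoding. The implant side finds the marker and decodes the C2 address with a known key; the hunting side does what a defender can do with harvested page text or decrypted proxy content: try every single-byte key on every base64-looking token and keep the ones that decode to something shaped like host:port.

```python
"""Dead drop resolver (DDR): the implant side and the hunting side.

Constructed example. The page text below stands in for a public post on a
legitimate web service; the XOR-then-base64 scheme behind 'ref=' is an
assumption for illustration, not Deathstalker's actual encoding.
"""
from __future__ import annotations

import base64
import ipaddress
import re

HOST_RE = re.compile(r"^(?P<host>[A-Za-z0-9.-]{1,253})(?::(?P<port>\d{1,5}))?$")
MARKER_RE = re.compile(r"ref=([A-Za-z0-9+/]+={0,2})")      # what the implant looks for
B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")       # what the hunter looks for


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def looks_like_c2(candidate: str) -> bool:
    """True if candidate is host[:port] with a valid IP address or a dotted domain."""
    m = HOST_RE.match(candidate)
    if not m:
        return False
    host, port = m.group("host"), m.group("port")
    if port is not None and not 1 <= int(port) <= 65535:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        labels = host.split(".")
        return len(labels) >= 2 and all(labels) and labels[-1].isalpha() and len(labels[-1]) >= 2


# ---- implant side -------------------------------------------------------------

def encode_pointer(c2: str, key: int) -> str:
    """Obfuscate host:port the way the constructed dead drop post carries it."""
    return base64.b64encode(xor_bytes(c2.encode("ascii"), key)).decode("ascii")


def resolve_c2(page_text: str, key: int) -> str | None:
    """Return the C2 address hidden in fetched page text, or None if no marker decodes."""
    for m in MARKER_RE.finditer(page_text):
        try:
            decoded = xor_bytes(base64.b64decode(m.group(1), validate=True), key).decode("ascii")
        except ValueError:      # covers binascii.Error (bad base64) and UnicodeDecodeError
            continue
        if looks_like_c2(decoded):
            return decoded
    return None


# ---- hunting side -------------------------------------------------------------

def hunt_ddr_candidates(text: str) -> list[tuple[str, int, str]]:
    """Every base64-looking token that, under some single-byte XOR key (0 = plain
    base64), decodes to host[:port]. Returns (token, key, decoded) triples."""
    hits = []
    for tok in B64_TOKEN_RE.finditer(text):
        try:
            raw = base64.b64decode(tok.group(0), validate=True)
        except ValueError:
            continue
        for key in range(256):
            try:
                decoded = xor_bytes(raw, key).decode("ascii")
            except UnicodeDecodeError:
                continue
            if looks_like_c2(decoded):
                hits.append((tok.group(0), key, decoded))
    return hits


KEY = 0x5A                          # assumed shared secret between implant and operator
C2 = "198.51.100.23:8443"           # constructed; TEST-NET-2 range, not a real host
SAMPLE_PAGE = (                     # constructed comment thread on a video page
    "Great walkthrough, subscribed!\n"
    "Team greeting: SGVsbG8gd29ybGQ=\n"          # base64('Hello world'), benign decoy
    f"Thanks for sharing, ref={encode_pointer(C2, KEY)} <3\n"
)

if __name__ == "__main__":
    print("implant resolves:", resolve_c2(SAMPLE_PAGE, KEY))
    for token, key, decoded in hunt_ddr_candidates(SAMPLE_PAGE):
        print(f"hunter: token={token} key=0x{key:02x} -> {decoded}")
```

The decoy token decodes to plain text under every key, so the host-shape filter is what keeps the hunter's output short; in practice you would feed `hunt_ddr_candidates` the bodies of posts a suspect host fetched, then pivot on the decoded addresses.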

Hack-for-hire motives

Unlike ransomware gangs, which typically seek a quick cryptocurrency payout, hack-for-hire groups specialize in espionage or the targeting of individuals. This means they try to infect computers, systems and networks while remaining hidden for long periods of time, and they frequently target email. What could their motives be? Kaspersky offered several hypotheses about Deathstalker’s motives, such as:

  • Legal disputes involving VIPs
  • Legal disputes involving financial assets
  • Intent to blackmail VIPs
  • Tracking financial assets of/for VIPs
  • Competitive/business intelligence for medium/large companies
  • Intelligence on medium/large mergers and acquisitions.

Meanwhile, Trend Micro reported that cyber mercenaries are being used to attack political opposition, dissidents, journalists and human rights activists. Malicious tools are used to spy on these targets, and the consequences can be devastating. For example, some politicians and journalists who must flee their home countries become the target of aggressive cyberattacks.

According to Trend Micro, one Russia-based hack-for-hire group named Rockethack steals highly sensitive information from individuals and businesses on demand. But the group also seems to crave data for its own sake: before a customer even asks for a new service, the hackers may already be collecting troves of personal and private data. To do so, the group targets key employees of corporations who have access to large amounts of personal data.

A trove of exfiltrated data

What kind of data does Rockethack have up for sale? It sounds like something out of a spy novel. Trend Micro reported that Rockethack can dig up data such as:

  • Information on Russian passports, foreign passports and marriage certificates
  • Information on purchased tickets where a passport is needed (train, bus, airlines and ferries)
  • Border data on individual persons
  • Data on passengers arriving at Russian airports
  • Data on passengers of Russian long-distance train stations
  • Interpol records
  • Criminal records
  • Traffic safety records
  • Migrant permits
  • Traffic camera shots
  • Traffic police data (fines, registration of cars)
  • Weapon registration
  • Federal tax service records
  • Credit history records
  • Bank account balance
  • Bank account statements
  • Phone number(s) associated with bank account
  • Banking card registration data
  • Reason and date for account blocking
  • The phone number and passport information
  • Phone call and SMS records with/without cell tower locations
  • Blocked phone numbers
  • Map where calls were located
  • Location of phone/SIM card
  • Printout of an SMS message.

Exposing the hidden threat

Hack-for-hire groups might go undetected for months, or even years, while highly sensitive and detailed information is exfiltrated. Detecting them therefore means correlating low-signal events over long periods rather than waiting for a single loud alert, which at enterprise scale requires tooling rather than manual log review.

Solutions such as Security Information and Event Management (SIEM) correlate on-premises and cloud data sources to reveal an attacker’s path, while threat intelligence feeds confirm that a destination a host keeps contacting is known command and control infrastructure.

When threat actors trigger multiple detection analytics, move across the network or change their behaviors, a SIEM can link those events to the same host or identity. More importantly, it can group related activity along the kill chain and prioritize the resulting case automatically.
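The two correlation rules described above, as an added example that is not code from the article or from any SIEM product: a threat-intelligence match on the destination of each request, and a beaconing check that looks at how regular the gaps are between one host's requests to one destination (the kind of low-and-slow pattern a dead drop fetch or a C2 check-in produces). The proxy log lines, their field layout and the indicator list are all constructed for this example; a real SIEM would pull the same fields from proxy, DNS and cloud audit logs and run the logic over days, not ten lines.

```python
"""Two SIEM-style correlation rules over proxy logs: a threat-intel match on the
destination, and a beaconing check on the interval pattern of a host->destination
pair. Both are grouped per source host, the way a SIEM builds a case.

Constructed example: log format, addresses and indicator list are invented.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log, one event per line: "<iso-ts> <src-host> <dst> <method> <url> <status>"
PROXY_LOG = """\
2023-03-01T09:00:00Z wks-17 203.0.113.9 GET https://203.0.113.9/api/ping 200
2023-03-01T09:02:11Z wks-22 www.example.org GET https://www.example.org/ 200
2023-03-01T09:10:03Z wks-17 203.0.113.9 GET https://203.0.113.9/api/ping 200
2023-03-01T09:14:40Z wks-04 198.51.100.23 POST https://198.51.100.23/upload 200
2023-03-01T09:19:58Z wks-17 203.0.113.9 GET https://203.0.113.9/api/ping 200
2023-03-01T09:21:30Z wks-22 www.example.org GET https://www.example.org/news 200
2023-03-01T09:30:01Z wks-17 203.0.113.9 GET https://203.0.113.9/api/ping 200
2023-03-01T09:40:02Z wks-17 203.0.113.9 GET https://203.0.113.9/api/ping 200
2023-03-01T09:47:12Z wks-22 www.example.org GET https://www.example.org/about 200
2023-03-01T09:49:59Z wks-17 203.0.113.9 GET https://203.0.113.9/api/ping 200
"""

KNOWN_C2 = {"198.51.100.23"}        # constructed threat-intel feed entry (TEST-NET-2 range)


def parse_proxy_log(text: str) -> list[dict]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, method, url, status = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src, "dst": dst, "method": method, "url": url, "status": int(status),
        })
    return events


def ti_matches(events: list[dict], indicators: set[str]) -> list[dict]:
    """Rule 1: any request whose destination is on the known-C2 list."""
    return [e for e in events if e["dst"] in indicators]


def beacon_pairs(events: list[dict], min_events: int = 5, max_jitter: float = 0.1) -> dict:
    """Rule 2: (src, dst) pairs with at least min_events requests whose inter-arrival
    times are regular (relative standard deviation <= max_jitter)."""
    by_pair: dict[tuple[str, str], list[datetime]] = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append(e["ts"])
    findings = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg > 0 else float("inf")
        if jitter <= max_jitter:
            findings[pair] = {"count": len(stamps), "period_s": round(avg), "jitter": round(jitter, 3)}
    return findings


def correlate(events: list[dict], indicators: set[str]) -> dict[str, list[str]]:
    """Merge both rules' output per source host, as a SIEM would into one case."""
    case: dict[str, list[str]] = defaultdict(list)
    for e in ti_matches(events, indicators):
        case[e["src"]].append(f"known C2 {e['dst']} ({e['method']} {e['url']})")
    for (src, dst), info in beacon_pairs(events).items():
        case[src].append(f"beaconing to {dst}: {info['count']} requests every ~{info['period_s']}s")
    return dict(case)


if __name__ == "__main__":
    for host, reasons in correlate(parse_proxy_log(PROXY_LOG), KNOWN_C2).items():
        print(host, "->", "; ".join(reasons))
```

Here wks-04 surfaces through the indicator match alone, while wks-17 surfaces only through the timing rule: its destination is on no list, but six requests spaced almost exactly ten minutes apart is not how a person browses. The beaconing rule is the one that matters against a dead drop resolver, since the destination there is a service you cannot blocklist.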

Hack-for-hire groups don’t seem to get many headlines. Perhaps it’s because they aren’t easily discovered. Maybe, businesses should start looking harder.
