Google’s Threat Analysis Group (TAG) recently released a report about growing hack-for-hire activity. In contrast to Malware-as-a-Service (MaaS), hack-for-hire firms conduct sophisticated, hands-on attacks. They target a wide range of users and exploit known security flaws when executing their campaigns.

“We have seen hack-for-hire groups target human rights and political activists, journalists and other high-risk users around the world, putting their privacy, safety and security at risk,” Google TAG says. “They also conduct corporate espionage, handily obscuring their clients’ role.”

The level of detailed information these groups can access is astonishing. Here’s what organizations need to know about this emerging threat to data security.

Hack-for-Hire Not as-a-Service

The recent rise in Ransomware-as-a-Service has alarmed security experts across the globe. Unlike MaaS, hack-for-hire activity appears to be much more targeted. For example, Reuters recently reported on thousands of email records exposing an Indian hack-for-hire group. These actors were called upon to interfere in lawsuits all over the world. The cyber spies work for litigants seeking to gain an edge.

The Reuters report quoted Anthony Upward, managing director of Cognition Intelligence, a U.K.-based countersurveillance firm, as saying, “It is an open secret that there are some private investigators who use Indian hacker groups to target opposition in litigation battles.”

Reuters reported that at least 75 U.S. and European companies, three dozen advocacy and media groups and numerous Western business executives were the subjects of the Indian hack-for-hire attempts.

This is a far cry from a MaaS portal that sells online subscriptions for malicious services. MaaS groups increasingly look a lot like SaaS brands. Some MaaS groups have openly accessible websites, monthly newsletters, marketing campaigns, video tutorials, white papers and Twitter accounts.

While hack-for-hire groups may advertise, they aren’t usually helping clients get a cryptocurrency payout. And you can’t sign up for a subscription service. It’s more than likely that hack-for-hire clients have a specific target and goal in mind. And it frequently involves espionage. They even say so right on their websites:

[Image: screenshots of hack-for-hire group websites advertising their services. Source: Google TAG]

Deathstalker and Dead Drop Resolvers

While hunting for evidence of the hack-for-hire Deathstalker group intrusions, Kaspersky identified a new variant of the Janicab malware. The group used Janicab to target legal entities in the Middle East throughout 2020 and possibly during 2021. The group’s activity may even have extended back to early 2015 and has targeted legal, financial and travel agencies in the Middle East and Europe.

It appears that Deathstalker was using YouTube, Google+ and WordPress web services as dead drop resolvers (DDRs). Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Actors post content, known as a dead drop resolver, on these Web services with embedded (and often obfuscated or encoded) domains or IP addresses. Once infected, victim computers fetch the resolver content and are redirected by it to the real C2 server, so the malware never has to carry a hard-coded C2 address that defenders could block.

Popular websites and social media acting as a mechanism for C2 give the attacker significant cover, because network hosts were very likely already communicating with those services before the compromise. Common services, such as those offered by YouTube, Reddit, GitHub, Google or Twitter, can be used in DDR. This enables adversaries to blend in with normal traffic. What’s more, web service providers commonly use SSL/TLS encryption, which gives intruders an added level of protection: the resolver content cannot be inspected on the wire without TLS interception.
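Because the resolver fetch itself looks like ordinary browsing, a practical detection has to key on the sequence rather than on the destination: a host fetches a page on one of the commonly abused services and, moments later, makes the fleet's first-ever connection to a bare IP address. The script below is an added example written for this article, not code from Google TAG, Kaspersky or Trend Micro; the proxy log format, host names, IP addresses and the five-minute window are all constructed assumptions.

```python
"""Surface dead-drop-resolver (DDR) style sequences in web proxy logs.

Added example for this article, not code from any vendor named in it.
Pattern flagged: a host fetches content on a legitimate, widely used web
service and within a short window opens the first connection (across the
whole log) to a raw IP address. That sequence alone is not proof of
compromise, but it is the shape of the DDR technique and is worth triage.
"""
from datetime import datetime
import ipaddress

# Services named in the article as commonly abused for DDR (google.com is left
# out here because nearly every host talks to it constantly).
DDR_SERVICES = {"youtube.com", "reddit.com", "github.com", "twitter.com", "wordpress.com"}

# Constructed proxy log lines: "<ISO timestamp> <src_host> <dst_host_or_ip> <url>"
SAMPLE_LOG = """\
2023-05-01T09:00:01 ws-17 github.com https://github.com/someuser/notes/blob/main/README.md
2023-05-01T09:00:05 ws-17 203.0.113.45 https://203.0.113.45/api/check
2023-05-01T09:01:10 ws-22 youtube.com https://youtube.com/watch?v=abc
2023-05-01T09:01:12 ws-22 youtube.com https://youtube.com/watch?v=def
2023-05-01T09:20:00 ws-17 203.0.113.45 https://203.0.113.45/api/check
2023-05-01T10:00:00 ws-31 reddit.com https://reddit.com/r/sysadmin
2023-05-01T11:30:00 ws-31 198.51.100.9 https://198.51.100.9/
"""


def parse_log(text):
    """Turn the constructed log format into (timestamp, host, dst, url) tuples, oldest first."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dst, url = line.split(maxsplit=3)
        records.append((datetime.fromisoformat(ts), host, dst, url))
    records.sort(key=lambda r: r[0])
    return records


def is_raw_ip(dst):
    """True when the destination is a literal IPv4/IPv6 address rather than a hostname."""
    try:
        ipaddress.ip_address(dst)
        return True
    except ValueError:
        return False


def is_ddr_service(dst):
    """Match the service domain itself or any of its subdomains."""
    return dst in DDR_SERVICES or any(dst.endswith("." + s) for s in DDR_SERVICES)


def find_ddr_candidates(log_text, window_seconds=300):
    """Return one alert per (host, destination) that fits the resolver-then-new-IP sequence."""
    last_resolver_fetch = {}   # host -> (timestamp, url) of its most recent DDR-service fetch
    seen_destinations = set()  # non-DDR destinations already contacted by any host
    alerts = []
    for ts, host, dst, url in parse_log(log_text):
        if is_ddr_service(dst):
            last_resolver_fetch[host] = (ts, url)
            continue
        first_contact = dst not in seen_destinations
        seen_destinations.add(dst)
        if host in last_resolver_fetch and is_raw_ip(dst) and first_contact:
            fetch_ts, fetch_url = last_resolver_fetch[host]
            delta = (ts - fetch_ts).total_seconds()
            if 0 <= delta <= window_seconds:
                alerts.append({
                    "host": host,
                    "resolver_url": fetch_url,
                    "destination": dst,
                    "delta_seconds": delta,
                })
    return alerts


if __name__ == "__main__":
    for alert in find_ddr_candidates(SAMPLE_LOG):
        print(f"{alert['host']}: fetched {alert['resolver_url']} then contacted "
              f"{alert['destination']} after {alert['delta_seconds']:.0f}s")
```

On the constructed log only ws-17 is flagged: its GitHub fetch is followed four seconds later by the first connection anyone made to 203.0.113.45. The later repeat connection from ws-17 is not flagged because the address is already known, and ws-31's connection falls far outside the window. In a real deployment the "first contact" set would be seeded from historical proxy data rather than a single log file, and the hit should be enriched with threat intelligence on the destination before anyone acts on it.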

Hack-for-Hire Motives

Unlike ransomware gangs, which typically seek a quick cryptocurrency payout, hack-for-hire groups specialize in espionage or the targeting of individuals. This means they attempt to infect computers, systems and networks while remaining hidden for long periods of time. And they frequently target email. What could their motives be? Kaspersky offered several hypotheses about Deathstalker’s motives, such as:

  • Legal disputes involving VIPs
  • Legal disputes involving financial assets
  • Intent to blackmail VIPs
  • Tracking financial assets of/for VIPs
  • Competitive/business intelligence for medium/large companies
  • Intelligence on medium/large mergers and acquisitions.

Meanwhile, Trend Micro reported that cyber mercenaries are being used to attack political opposition, dissidents, journalists and human rights activists. Malicious tools are used to spy on these targets, and the consequences can be devastating. For example, some politicians and journalists who must flee their home countries become the target of aggressive cyberattacks.

According to Trend Micro, one Russia-based hack-for-hire group named Rockethack will steal highly sensitive information from individuals and businesses on demand. But the group also seems to crave data itself. Before a customer even asks for a new service, the hackers may already be thinking about and collecting troves of personal and private data. The group targets key employees of corporations who have access to large amounts of personal data.

A Trove of Exfiltrated Data

What kind of data does Rockethack have up for sale? It sounds like something out of a spy novel. Trend Micro reported that Rockethack can dig up data such as:

  • Information on Russian passports, foreign passports and marriage certificates
  • Information on purchased tickets where a passport is needed (train, bus, airlines and ferries)
  • Border data on individual persons
  • Data on passengers arriving at Russian airports
  • Data on passengers of Russian long-distance train stations
  • Interpol records
  • Criminal records
  • Traffic safety records
  • Migrant permits
  • Traffic camera shots
  • Traffic police data (fines, registration of cars)
  • Weapon registration
  • Federal tax service records
  • Credit history records
  • Bank account balance
  • Bank account statements
  • Phone number(s) associated with bank account
  • Banking card registration data
  • Reason and date for account blocking
  • The phone number and passport information
  • Phone call and SMS records with/without cell tower locations
  • Blocked phone numbers
  • Map where calls were located
  • Location of phone/SIM card
  • Printout of an SMS message.

Exposing the Hidden Threat

Hack-for-hire groups might go undetected for months, or even years, while highly sensitive and detailed information is exfiltrated. For this reason, more advanced tools are required, especially at the enterprise level.

Solutions such as Security Information and Event Management (SIEM) can correlate hybrid cloud data sources to reveal an attacker’s path. Meanwhile, threat intelligence can be used to confirm that the source of the attack is a known command and control server.

When threat actors trigger multiple detection analytics, move across the network or change their behaviors, SIEM can track them. More importantly, SIEM can correlate, track and identify related activities throughout a kill chain with built-in automated prioritization.
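The correlation the paragraph describes can be illustrated with a small model: every detection is mapped to a kill-chain stage, the detections for each host are arranged on a timeline, and hosts are ranked so that one that has progressed through several stages over weeks outranks one that merely fired the same analytic three times in three minutes. This is an added example written for this article, not the logic of any SIEM product; the analytic names, the stage mapping, the weights and the sample alerts are all constructed.

```python
"""Rank hosts by how far, and for how long, their detections track a kill chain.

Added example for this article; not code from any SIEM vendor. The idea it
models: a single analytic firing is noise, but one host triggering analytics at
several successive kill-chain stages over a long, quiet period is the signature
of a hands-on intrusion and should be prioritised. Analytic names, the mapping
to stages, the weights and the sample alerts are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime

# Kill-chain stages in order; the index is used to detect forward progression.
STAGES = ["delivery", "exploitation", "installation",
          "command_and_control", "actions_on_objectives"]

# Constructed mapping from detection analytic to the stage it evidences.
ANALYTIC_STAGE = {
    "phishing_attachment_opened": "delivery",
    "failed_login_burst": "delivery",
    "office_spawned_script_host": "exploitation",
    "new_scheduled_task": "installation",
    "ddr_resolver_then_new_ip": "command_and_control",
    "mailbox_export_large": "actions_on_objectives",
}

# Constructed alerts: (ISO timestamp, host, analytic). ws-17 shows a slow,
# staged intrusion; ws-40 shows one noisy analytic repeating.
SAMPLE_ALERTS = [
    ("2023-04-03T08:12:00", "ws-17", "phishing_attachment_opened"),
    ("2023-04-03T08:13:30", "ws-17", "office_spawned_script_host"),
    ("2023-04-03T08:15:00", "ws-17", "new_scheduled_task"),
    ("2023-04-20T02:40:00", "ws-17", "ddr_resolver_then_new_ip"),
    ("2023-05-01T03:05:00", "ws-17", "mailbox_export_large"),
    ("2023-05-01T09:00:00", "ws-40", "failed_login_burst"),
    ("2023-05-01T09:01:00", "ws-40", "failed_login_burst"),
    ("2023-05-01T09:02:00", "ws-40", "failed_login_burst"),
]


def build_timelines(alerts):
    """Group alerts per host as (timestamp, stage, analytic), sorted oldest first."""
    per_host = defaultdict(list)
    for ts, host, analytic in alerts:
        stage = ANALYTIC_STAGE.get(analytic)
        if stage is None:
            continue  # unmapped analytic: leave it out rather than guess a stage
        per_host[host].append((datetime.fromisoformat(ts), stage, analytic))
    for host in per_host:
        per_host[host].sort()
    return per_host


def score_host(timeline):
    """Score = distinct stages reached, forward progression between alerts, and dwell time."""
    distinct_stages = {stage for _, stage, _ in timeline}
    stage_score = len(distinct_stages) * 10          # repeats at one stage count once
    indices = [STAGES.index(stage) for _, stage, _ in timeline]
    progression = sum(1 for a, b in zip(indices, indices[1:]) if b > a)
    span_days = (timeline[-1][0] - timeline[0][0]).days
    dwell_score = min(span_days, 30)                 # long dwell favours espionage-style activity
    return stage_score + progression * 5 + dwell_score


def prioritize(alerts):
    """Return [(host, score), ...] with the highest-priority host first."""
    timelines = build_timelines(alerts)
    ranked = sorted(((score_host(tl), host) for host, tl in timelines.items()), reverse=True)
    return [(host, score) for score, host in ranked]


if __name__ == "__main__":
    for host, score in prioritize(SAMPLE_ALERTS):
        print(f"{host}: priority {score}")
```

With the sample alerts, ws-17 scores 97 (five stages, four forward steps, 27 days of dwell) and ws-40 scores 10 despite producing more raw alerts, which is the ordering an analyst wants. Real correlation engines add entity linking across hosts and users and weight each analytic by its false-positive rate, but the ranking principle is the same.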

Hack-for-hire groups don’t seem to get many headlines. Perhaps it’s because they aren’t easily discovered. Maybe businesses should start looking harder.
