How are cyber criminals evolving their business models?
We often talk about cyber criminals in our insight articles, but who are they and what are they up to? Are they really as innovative as their ethical and legal counterparts?
What do we mean by cyber criminals?
Cyber criminals are the threat actors behind organised crime, which is responsible for 80% of all data breaches. In this article we focus on one organised cybercrime group, FIN7, and cover some of its business models and tactics.
FIN7 is an international cybercrime group leading the organised crime scene. According to the Department of Justice, FIN7 has been linked to financial losses in excess of $3 billion.
The group began in the USA by breaking into companies and stealing payment card information, which it then put up for sale on the dark web. The significant returns from this activity started to decline when banks introduced new technology to increase the security of their credit cards, specifically the chip. The reduced returns meant FIN7 needed a new business model.
Ransomware for sale?
FIN7 rebranded itself as a Software as a Service (SaaS) provider, developing and selling ransomware to other cyber criminal groups. (Ransomware is software which encrypts a firm's data and demands a payment of anything from a few hundred to millions of dollars before releasing a decryption key to unlock the files.)
The ransomware market quickly turned into a highly lucrative industry where a single ransomware attack could offer returns in excess of 8 figures.
Offering the ransomware to other hackers, FIN7 marketed its own product, called DarkSide. The product was first observed in the market in August 2020.
DarkSide was the ransomware behind the Colonial Pipeline cyber attack in May 2021, the largest cyber attack on an oil infrastructure target in the history of the United States. Colonial Pipeline paid the requested ransom (75 bitcoin, or $4.4 million) and, with help, was eventually able to recover approximately $2.3 million of the ransom payment.
By becoming an intermediary, FIN7 were able to limit their risk as other groups would be responsible for compromising organisations, deploying the ransomware and communicating with victims for payment. FIN7 would typically get commission on each successful ransomware payment.
“DarkSide was very profitable for FIN7, earning almost US$7 million. The economies of scale achieved from the ransomware product were a major turning point in FIN7’s evolution as a leading cybercriminal
The returns opened up new cyber crime opportunities; however, before these could be pursued, FIN7 had a new challenge to overcome: recruiting skilled people.
New tactics: “hiring” tech talent using an alias
To remain a market leader in ransomware and evolve its illegal products, FIN7 needed to recruit new tech-savvy people. The typical recruiting ground, the dark web, was littered with undercover authorities posing as potential hackers seeking employment with criminal organisations.
FIN7 decided to innovate. In order to recruit from the same talent pool as legitimate tech companies, FIN7 created a fake security firm called Bastion Secure. Using a copied website and the details of the genuine UK-based firm Bastion Security, FIN7 set itself up to start recruiting tech professionals.
Advertising on the open internet, “Bastion Secure” posted generic IT positions on real job boards in Russia and Ukraine. It offered a 9-5, Monday to Friday role in an effort to appear legitimate, and it worked.
The plan was simple. Knowing the recruitment process used by genuine tech companies, Bastion Secure moved potential candidates through a two-stage interview process before tasking them with a technical skills assignment, which in reality was a genuine cyber attack on an unsuspecting business. The candidates had no idea they were actually taking part in an illegal hack.
A candidate’s story
One candidate who was lured by the fake site and tech role described how the website and job description appeared unremarkable: nothing about them would alert you to one of the world’s most notorious cybercriminal organisations being behind the ruse.
He stated that the hiring process was somewhat unorthodox and eventually raised his suspicions that something wasn’t quite right.
Bastion Secure conducted the process without any face-to-face meetings, not even a phone call. All correspondence was through encrypted messaging using the applications Telegram and Talkz.
For the final assignment, Bastion Secure instructed him to connect to a client (an unsuspecting business) and run software on the client’s network. The candidate realised the software he was deploying was ransomware, and that he was therefore being drawn into illegal hacking. He shared the software with researchers, who were able to link it to FIN7.
This story shows that our perception of cyber criminals hiding in dark corners of the internet is being challenged. They are creating novel methods and tactics to continue their criminal activities, often replicating the models used by traditional businesses and, in some cases, being more innovative.
Your business's digital footprint is increasingly exposed to highly sophisticated and motivated cyber criminals. Are you prepared to deal with the cyber threats of today?
Kloudwerk works with you to help keep the cyber criminals out. We offer affordable cyber security consultancy packages for business customers. Visit our Cyber Consultancy page for more information.