Cybersecurity

Cybercrime organizations work just like any other business: Here's what they do each day

Key Points
  • Researchers from IBM and Google described how cybercriminal groups operate, and often mimic the behavior of companies, including the one you might work for. 
  • Cybercriminal organizations compete with each other for customers, fight for the best project managers and even look for "CEOs" to help them stay organized and on the task of stealing your money. 
Mediaphotos | Vetta | Getty Images

Cybercriminal organizations compete with each other for customers, fight for the best project managers and even look for leaders who serve in a CEO-like role to help them stay organized and on the task of stealing your money.

Researchers from IBM and Google described how cybercriminal groups operate, and often mimic the behavior of companies, including the one you might work for.

"We can see the discipline they have, we can see that they are active during office hours, they take the weekends off, they work regular hours, they take holidays," said Caleb Barlow, head of threat intelligence for IBM Security.

"It varies by groups. In organized crime, there is certainly a boss, much like you would hire a home contractor. That person doesn't necessarily do all the work. They hire the subcontractors, like the plumber and the electrician, that is typically how you do the work, you have lots of subcontractors."

Understanding how malicious hackers are able to structure their business operations is important, he said, so companies can better grasp what they're fighting, as the underground economy often functions in parallel with the broader economy.

They set and achieve quarterly goals

Cybercriminal organizations aren't all the same, but a typical structure looks like this: a leader, like a CEO, oversees the broader goals of the organization. He or she helps hire and lead a series of "project managers," who execute different parts of each cyberattack, explains Christopher Scott, who leads the response to security incidents as part of IBM's X-Force business.

If the goal of the group is to get money by hacking a company and stealing its information, a series of project managers will oversee different functions over the scope of the crime that play to their specializations.

Specialists in malicious software might start by buying or tweaking a custom product to steal the exact kind of information the group requires. Another specialist might work to send fraudulent emails to deliver the malicious software to targeted companies. Once the software is successfully delivered, a third specialist might work to expand the group's access within the targeted corporation, and seek the specific information the group hopes to sell on the black market.

IBM provided a graphic representation of how one real, 120-day targeted hacking campaign against a Fortune 500 company looks from the point of view of the criminal group executing it. (Click to enlarge.)

In this case, an attack against a Fortune 500 company meant to steal and destroy data, the different colors roughly represent different job functions, Scott explained.

On the left of the graphic, attackers who specialized in compromising corporate networks worked their way into the business to gain a foothold. Other "project managers" compromised various employee accounts by stealing their credentials, and used those accounts to execute different tasks in the scheme, from gaining access to sensitive areas or gathering information.

Gaps across the timeline represent periods where the hackers stopped doing some of their activities so they wouldn't trip sensors the company used to detect criminal activity.

At the end of the 120-day cycle, other specialists, represented in bright red, came in to finish the job, using different malicious code to destroy their tracks as well as the company's data.

They collaborate and compete with each other

Criminal groups don't exist in a vacuum. The offer what essentially are B2B services to one another and also hijack one another's progress -- just like the corporate world, explained Juan Andres Guerrero-Saade, who heads research at Chronicle, the Alphabet "Other Bet" company focused on cybersecurity.

"If I'm a good developer, then I will create the ransomware and sell it, or sell it as a service," just like legitimate companies that offer software-as-a-service, said Guerrero-Saade. "I will then maintain the malware and if you find victims and get them infected and get them to pay, I will take 10% or 20%."

Some of these service providers have seen their earnings cut back in recent years. In the first half of this decade, a type of malicious software known as banking trojans, which steal a person's credentials to take money from their bank account, became popular. Specialists who offered money-laundering services were in high demand. That demand has waned in recent years as ransomware grew more popular and criminals were able to get money directly.

"It created kind of a different dynamic. You didn't need money mules, you didn't anger the banks, folks [who were targeted] didn't know who to turn to, so that came into vogue," he said.

Criminal groups also have aggressive salespeople work to displace their competitors by stealing territory, explained Guerrero-Saade.

This is common among specialists who offer distributed denial of service (DDoS) attacks, which work to overwhelm a victim company's computers with so much information that they shut down.

Some criminal groups offer DDoS-for-hire services, and these services rely on each group having compromised tens or hundreds of thousands of computers. These hacked computers work together as a "botnet" to launch the DDoS attack.

Guerrero-Saade said it is common for one DDoS-for-hire service to attack only computers already compromised by a competitor, then take that botnet over for its own purposes. Criminals with more computers in their botnet are more effective, he explained. This way, the DDoS-for-hire service can undercut the competition and say "see, I have 100,000 computers while he only has 20,000 or so."

They get too big and fail

Companies are getting better at identifying the hallmarks of many of these different types of criminal-business structures said Scott.

But sometimes, they grow so big and so organized that they become too easy to identify -- and thus, go out of business.

"When you are dealing with these more bureaucratic type organizations, the activities are very predictable," he said. One group called Dyre, which specialized in banking trojans, became so large around 2015 that the group became one of the easiest to thwart, he said.

Understanding these trends is important for companies hoping to fight cybercriminals, Scott said.

"If you are chasing a particular adversary, you may actually get to understand how many of the same tools, techniques and practices they use. [Companies] don't have unlimited funds, but if you know the tactics properly, you can really focus the security spend."

IBM study: 77% of firms don't have cyber resiliency plans
VIDEO2:4602:46
IBM study: 77% of firms don't have cyber resiliency plans