Digital Criminal Ontology; Trading Pistols for Programmers

By James Allman Talbot, Head of Incident Response & Threat Intelligence, Quorum Cyber

Since computers were first connected with Ethernet cables, Hollywood started romanticizing hackers. In 1983, WarGames was released. The movie was a science fiction thriller starring Matthew Broderick and Ally Sheedy as high school students who accidentally hacked a military supercomputer using an acoustic coupler, a device that connects phone lines with computers to send and receive data.

Shortly after WarGames came Sneakers in 1992. In Sneakers, a group of hackers steal a “black box” decoder that exploits a flaw in the encryption algorithm and uses it to hack into the air traffic control systems and the U.S. power grid.

The fascination with hacking continues today as Hollywood scriptwriters poured out pages of epic hacker-related entertainment from The Matrix in 1999 to Mr. Robot in 2019. However, as fictional as these stories may be—real life holds even stranger, true hacker tails.

Hackers; The Reality

The damage from hackers can result in the bizarre to the devastating. In July 2017, the BBC reported how two individuals could hack into a Laserwash (automated car wash) to make it attack vehicles once inside. “…at the Black Hat conference in Las Vegas, Billy Rios of security firm Whitescope and Jonathan Butts from the International Federation for Information Processing showed how easily the system could be hijacked.” Hacking in via a weak password and an outdated Windows Control System, they wrote “an exploit to cause a car wash system to physically attack…” and “make the roller arms come down much lower and crush the roof of a car…” The carwash hacking was more of a publicity stunt, but it proved how vulnerable our connected world has become. There were far more nefarious incidents to follow.

Also, in 2017, Equifax experienced the most significant recorded data breach. Equifax let several security areas lapse and allow attackers access to sensitive Personally Identifiable Information (PII), including date of birth, social security numbers, addresses, driver’s license numbers, etc., of over 143 million customers. The hack went undetected for 76 days, and in the end, according to the Federal Trade Commission, “The company has agreed to a global settlement with the Federal Trade Commission, the Consumer Financial Protection Bureau, and 50 U.S. states and territories. The settlement includes up to $425 million to help people affected by the data breach.”

In a bizarre example of reality following the fictional WarGames movie, in 2021, the Colonial Pipeline, an American fueling company, was the target of hackers who unleashed the DarkSide (named after the hacking group) ransomware via a legacy Virtual Private Network (VPN) system that did not have multi-factor authentication. Darkside stole 100GB of data and caused a fuel shortage along the east coast.

More recently, in 2022, the Red Cross disclosed that a state-backed hacking group gained access to the personal information (names, locations, and contact information) of over 515,000 people in the “Restoring Family Links” program that helps reunite families separated by war, disaster, and migration.

Rise Of The Hive 

Today, hackers have organized into well-structured businesses that compete for top talent, from CEOs and HR to project managers and coders. CNBC writes that these organizations have “a leader, like a CEO, who oversees the broader goals of the organization. He or she helps hire and lead a series of project managers, who execute different parts of each cyberattack.” The news article explains that “Criminal groups also have aggressive salespeople work to displace their competitors by stealing territory,” and that some groups “offer DDoS-for-hire services.”

Several hacking groups are more prolific than others, and a few have become infamous in the last few years—the Hive group is one such gang. Active since 2021, the Hive made its name by successfully targeting several healthcare providers in the U.S., then moved to schools and colleges, government agencies, real estate companies, and even police departments across the country. Not shy about boasting about its crimes, the group even posts details of some of them on its dark web blog.

Instead of stopping solely conducting attacks, Hive realized it could make even more money by selling its software to other groups or individuals, creating the Ransomware-as-a-Service (RaaS) model. This model allows the group to concentrate on just one stage of the cyber-attack chain rather than trying to manage every step, selling access and tools to other groups who want to take advantage of it. This model made it easier for researchers to obtain malicious code to understand how it works. But it sometimes makes it harder for them to identify which group has conducted which crime because multiple groups use Hive’s code.

In just a few years, Hive has undoubtedly become one of the most dangerous cybercrime gangs on the planet. One cyber security firm ranked it the second most successful in 2022 after LockBit. Known for its aggressiveness and frequent attacks, its members work hard to evolve their tactics, techniques and procedures (TTPs) to keep security experts from blocking its objectives.

Naturally, few crime groups declare how much money they make, and most organizations that have suffered from ransomware attacks don’t like to state how much they have paid out. The FBI believes the Hive has already targeted more than 1,300 companies around the globe, helping it to bring in approximately US$100 million in ransom payments to date.

Conclusion

Magnetic tape was first used for data storage in 1951, and the first gigabyte capacity hard disk drive was introduced in 1980. Along the transition from tape to digital storage, criminals began to trade in their pistols for programmers as a less physical method for stealing money. In 1988, a 23-year-old Cornell University graduate student named Robert Tappan Morris unleashed the first documented denial of service hack dubbed the “Morris Worm.” According to FBI.gov, “At around 8:30 p.m. on November 2, 1988, a maliciously clever program was unleashed on the Internet from a computer at the Massachusetts Institute of Technology (MIT).” Before the invention of the World Wide Web, the Morris Worm targeted connected computers across the U.S., including Harvard, Princeton, Stanford, Johns Hopkins, NASA, and the Lawrence Livermore National Laboratory.

The business of stealing your business has leaped from the pages of fiction to the frightening reality of every corporation and educational institution worldwide. Routine cyber security protection is no match for today’s well-organized and funded bad actors. These shadow organizations will continue to exploit the code and even patches used in every part of the business.

Hacker organizations are growing too quickly and too smart, outpacing many IT staff in knowledge, technique, and passion. Companies need to augment their in-house cybersecurity skills with expert Virtual CISOs, cloud security services, and incident response preparedness. Third-party cybersecurity experts have unique insights into the latest hacking techniques and are prepared to identify and respond accordingly. Invest in expert cybersecurity help—because hacking organizations are outpacing your budget, knowledge, and desire.

About the Author

21James Allman-Talbot is the Head of Incident Response and Threat Intelligence at Quorum Cyber. James has over 14 years of experience working in cybersecurity and has worked in a variety of industries including aerospace and defense, law enforcement, and professional services. Over the years he has built and developed incident response and threat intelligence capabilities for government bodies and multinational organizations, and has worked closely with board level executives during incidents to advise on recovery and cyber risk management. James can be reached online at [email protected] and at https://www.quorumcyber.com/.