Cybercriminal groups embrace corporate structures to scale, sustain operations
In this Help Net Security interview, Sandy Kronenberg, CEO of Netarx, discusses how cybercriminal groups are adopting corporate structures and employee incentives to scale operations, retain talent, and evade detection. He covers the strategic collaborations behind major attacks, business-like parallels, and the implications of these shifts as these groups grow more sophisticated.
What motivates cybercriminal groups to adopt mainstream corporate structures and employee incentives, and what impact does this have on recruitment and retention?
Loose, freelance hacker groups have had amazing success with notable breaches, but priorities change over time. These groups often start with an ideology that is politically motivated, but after some success, members often want financial gain, causing fractures, schisms, or name changes. These fractures or schisms lead to some of the major players being compromised and eventually hunted down by authorities.
Consider DarkSide, which was responsible for creating the tools used in the Colonial Pipeline ransomware attack in 2020. The group faced intense pressure from law enforcement globally.
In 2022, Russia’s FSB announced they had detained multiple members of the REvil ransomware group following requests from U.S. authorities. Some reports indicated that these arrests may have included individuals connected to DarkSide operations. Following this, the U.S. Department of Justice arrested a Ukrainian national, who was allegedly affiliated with REvil but was also connected to DarkSide operations according to some intelligence sources.
Alternatively, groups with corporate structures can be more effective longer-term. As an example: Conti is a major Russian-speaking ransomware-as-a-service (RaaS) operation that has a clear organizational structure. This organizational structure has allowed it to grow the ranks of loyal hackers who are given above average sustained compensation plus a percentage of any ransom. Furthermore, it is reported that their team is given access to tools, training, vacation and sick-time, and health benefits, similar to employees at traditional corporations. Most importantly, they are offered protection from law enforcement through operational security measures.
How do cybercriminal groups strategically collaborate with one another to amplify the success and impact of cyberattacks? Could you walk us through an example of such collaboration?
We have seen cross-collaboration between groups that specialize in specific activities. For example, one group specializes in social engineering, while another focuses on scaling malware and botnets to uncover open servers that yield database breaches. They, in turn, can sell access to those who focus on ransomware attacks.
Recently, we have seen collaboration with AI/ML developers who scrape public records to build org charts, as well as lists of real estate holdings. This data is then used en masse with situational and location data to populate PDF attachments in emails that look like real invoices, with executives' names in fake prior email responses, as part of the thread. These deceptive fakes are then sent to the proper people in accounting.
Can you provide examples of cybercriminal organizations that operate similarly to traditional businesses? What are some surprising parallels you’ve observed?
Continuing the previous example, when accounting staff reach out to get W-9s or follow up on various questions, the hackers have set up complete corporate facades where individuals answer the phones and have supporting information to act like real companies. These operations work at scale and are one of the reasons that Congress approved the Corporate Transparency Act (CTA). However, despite the best of intentions, the Act does little to stop this type of cybersecurity attack, as criminal enterprises will easily avert the disclosures required by the CTA.
Does the portrayal of cybercriminals as organized business entities alter how we understand their motivations and predict their future targets or methods?
Yes, the recent development of hackers organizing into larger groups has allowed the stakes to get even higher. Look at the Lazarus Group, which pulled off one of the largest heists ever by targeting Bybit and stealing $1.5 billion in Ethereum, as well as subsequently converting $300 million into unrecoverable funds. This group is likely state-sponsored and funding North Korean military programs. Therefore, understanding North Korean national interests will hint at future targets.
The increasing scale of their attacks likely reflects greater resources allocated by North Korea, more sophisticated tooling and capabilities, lessons learned from previous operations, and a growing number of personnel trained in cyber operations.
What shifts do you foresee in cybersecurity tactics, policymaking, or law enforcement strategies if this reframing of cybercriminal organizations (as organized entities instead of fringe gangs) becomes mainstream?
Many governments are ill-equipped to handle the increased pace of multi-pronged attacks from corporate-like hacker organizations that are leveraging AI tools to enhance social engineering attacks. The speed of these advances is now far greater than ever before, and legislators don't understand the complexity. For example, legislators underestimate the need for post-quantum security and effective AI legislation, like the proposed AI Liability Act or the European version called the AI Liability Directive (AILD).
Cybersecurity stakeholders need to employ the new tools that use AI to defeat AI. These tools are now available, and their log files can be given to law enforcement to help build a forensic trail. We can now provide shared awareness, securing corporations and corporate communications, that aggregates a multitude of signals to provide clear recognition of AI-enhanced social engineering attacks. Companies just need to start using them.