By Orpheus Analysts
In this blogpost, the Orpheus analyst team unpacks the threat from hack-for-hire groups operating on behalf of corporate clients.
When we consider cyber ‘threat actors’ we generally think about nation-states, cyber-criminals, hacktivists and insiders. In our experience very little consideration is given to competitor organisations. I suspect that there may be an element of an interesting cognitive bias at play here – ‘mirror imaging’. We assume that, because the companies we work for adhere to a set of ethical standards, everyone else will too. Unfortunately, there is growing evidence to suggest that the cyber-threat from competitor organisations is growing rapidly.
We reassure ourselves that corporate cyber-espionage is comparatively rare, because in well-regulated environments, the cost-benefit or risk-to-reward profile for engaging in such activity makes it largely unattractive.
Yet in recent years researchers and journalists have uncovered a number of ‘hack-for-hire’ groups providing corporate espionage services, and we assess that these services are probably being hired by governments as well. Incidents involving these groups include:
- The targeting of Financial Times’ journalists covering the Wirecard accounting scandal.
- Numerous operations carried out by the hack-for-hire group Dark Basin, which is believed to be an Indian technology company called BellTroX InfoTech Services. The group has targeted journalists, environmental groups and financial services providers on behalf of corporate clients and was likely involved in the Wirecard case mentioned above.
- The Russian group RedCurl, which we believe likely operates on a ‘for-hire’ basis. The group uses carefully crafted spear phishing emails that mimic its victim’s email templates and has stolen corporate documents and business emails from 26 victims in a number of sectors.
- The DeathStalker hack-for-hire group, which has been linked to corporate espionage operations in a range of geographies.
- A wide-ranging campaign by the hack-for-hire group CostaRicto, which has pursued targets across several continents but appears to focus on South and Southeast Asia. The group is likely another India-based operation and uses custom tools and above-average operational security.
What has changed? We generally think of threat as being a function of capability, intent and opportunity, and it appears likely that all of these variables have changed in relation to corporate cybercrime. Let’s have a look at each of these factors.
- Capability: The key factor increasing capability is the evolution of groups such as those outlined above, which provide their services on a commercial basis. Not only does this give corporate entities the technical ability they require, it also provides a safety cut-out and a degree of plausible deniability. In the case of BellTroX InfoTech Services, the company offers a range of legitimate business services (including penetration testing) alongside whatever other activities it was engaged in. Crucially, groups of this kind are also able to develop and operate their services in more permissive law enforcement environments, in part because in some cases their services may have been developed to support their own government’s requirements. For instance, the hack-for-hire group Patchwork is believed to operate on behalf of the Indian government, and most of the groups outlined above likely serve both corporate and government needs.
- Intent: The only evidence of intent to conduct such operations is anecdotal, based on examples like those given above. Some operations appear to be driven by a desire to collect evidence on individuals or groups deemed to be a threat to the client company – for instance, Dark Basin has been linked to espionage operations against environmental organisations challenging ExxonMobil. Others may have a simpler motivation: the commercial intellectual property or business data of rivals. With the world economy in uncharted territory, and many businesses looking increasingly precarious, it would perhaps be surprising if this were not reflected in increased risk-taking by companies fighting to stay afloat.
- Opportunity: Physical surveillance of an individual now seems anachronistic to the point of quaintness. It is easier, more deniable and more scalable to find out what someone is up to by deploying malware on their mobile phone and/or laptop, intercepting their messages and reading their documents. The fact that we all now carry around potentially huge volumes of information on our phones and laptops, and that many organisations completely fail to protect these vital assets – which also double as gateways to entire corporate networks – means that the opportunity has increased massively.
In conclusion, it is beyond doubt that the capability of corporate entities to engage in cyber-enabled corporate espionage has increased significantly in recent months, as has the opportunity. Although the intent of corporate entities to engage in such activity is less clear-cut, there are good reasons to assess that this has also increased. Orpheus Cyber encourages you to factor corporate espionage by competitor organisations into your threat assessments, and to take commensurate defensive measures. Many ‘hack-for-hire’ organisations are exploiting commonplace, unpatched vulnerabilities on their targets’ public-facing infrastructure – effectively walking in through an open door.