
Countering ‘Hack-for-hire’ Groups: How Do They Work? Recent Attacks and Preventive Measures

Just as we have cybersecurity professionals working diligently to secure organizations and prevent the loss of information assets, there are also threat actors that offer offensive services such as commercial cyber surveillance or spyware as a service. Similarly, government-backed actors are acting at the behest of state surveillance agencies. Another breed of cyber threat actors identifying themselves as Hack-for-hire groups is also actively operating in the current cyber ecosystem. Below is more information on who they are, how they work, and what organizations and individuals can do to keep them at bay.

Who are the Hack-for-hire Groups?

Hackers as a whole need no introduction. As a subgroup, Hack-for-hire groups consist of experts who offer hacking as a service to entities that lack the skills or capability to do it themselves. For instance, police and law enforcement agencies engage hackers to help them achieve breakthroughs in cybercrime cases; such experts are referred to as ethical hackers. On the flip side, other groups offer hacking services to various entities in order to carry out illegal or illegitimate activities.

While ethical hackers offer services to genuine organizations to ward off infiltration from malicious actors, ‘hackers for hire’ groups generally offer their services to various entities in order to spy on their rivals and steal or corrupt sensitive information. For instance, when there is litigation between two companies, one of them may use the services of a Hack-for-hire group to infiltrate their opponent’s email account or information systems as a way to predict their next moves or learn something they can leverage against their competitors.

The Hack-for-hire entities either offer their services to a limited audience or advertise their services to anyone willing to provide proper remuneration, regardless of the final objective. Google’s Threat Analysis Group (TAG) has identified ‘Hack-for-hire’ groups from India, the UAE, and Russia to be among the foremost actors in this activity sphere.

Some Hack-for-hire groups masquerade as private investigators, while others work with the freelancing community to avoid employing personnel directly.

Are the Hack-for-hire Groups Similar to Commercial Surveillance Vendors?

Though their activities overlap, commercial surveillance vendors differ from Hack-for-hire groups in that they sell their product to the customer, who operates it to secure their own information systems against cyber-attacks. Hack-for-hire groups, on the other hand, conduct the cyber-attacks themselves, exploiting security vulnerabilities and known cybersecurity flaws in their campaigns. As mentioned above, Hack-for-hire services usually help one entity exfiltrate crucial data from its opponent, which is why they are also known as cyber mercenaries. What both have in common is that they sell their services to others.

Whom do these Hack-for-hire Groups Target?

Hack-for-hire groups generally target high-profile individuals, journalists, political activists, human rights activists, and other high-risk users globally, compromising their privacy, safety, and security. These threat actors also conduct cyber espionage and trade secret theft. Hack-for-hire services are offered not only at the corporate level but also to individuals: hacking a social media account, changing grades on an educational institution's network, or infiltrating a personal computer to steal information. In essence, anyone can be a target of a Hack-for-hire group. The graph below shows the average prices threat actors charge for various hacking services; personal attacks, website hacking, and grade changes are among the most expensive (prices are in USD, converted from Bitcoin).

(Image Source: comparitech.com)

How do the Hack-for-hire Groups Work?

Hack-for-hire groups work in various ways. Google's TAG has observed that Indian Hack-for-hire entities use freelance actors and try to avoid direct involvement. They also work through third-party investigative services to keep some distance between themselves and the work. Below are some examples that help explain how they operate.

The Indian Hack-for-hire Entity

TAG has observed an Indian hand in the recent targeting of an IT business service provider in Cyprus, a Nigerian educational institution, a shopping mall in Israel, and a Balkan fintech company.

TAG has been tracking Indian Hack-for-hire actors since 2012. The threat actors were found to have previously worked for Indian offensive security service providers such as Belltrox and Appin. Additionally, one group among them has targeted the healthcare, government, and telecom sectors in Saudi Arabia, the UAE, and Bahrain with credential phishing campaigns.

Sample AWS Phishing Interface

(Image Source: Threat Analysis Group | Google)

They have links with Rebsec, an entity that has openly advertised offering corporate espionage on its website. 

Rebsec’s Offerings

(Image Source: Threat Analysis Group | Google)

The Russian Hack-for-hire Connection

Russia is generally considered a major source of cybercrime, as many cyber incidents over the past decades have originated there. While investigating a 2017 credential phishing campaign, Google's TAG encountered a Russian threat actor targeting journalists, politicians, and various NGOs and non-profit organizations. However, the investigation revealed that the targets also included many people and entities not affiliated with these organizations. This 'Hack-for-hire' actor has been referred to as Void Balaur.

The campaigns usually start with a credential phishing email that links to a phishing page, typically styled as a notification or message spoofing a Russian government agency. Once the user's credentials are compromised, the attackers entrench themselves by granting an OAuth (Open Authorization) token to themselves for a legitimate email application such as Thunderbird, or by linking the user's account to an attacker-controlled account at a third-party provider. They can then read the mailbox contents over IMAP (Internet Message Access Protocol) using a custom tool.

Russian Phishing Message

(Image Source: Threat Analysis Group | Google)

TAG also observed that the group's website advertised its hacking capabilities and claimed positive reviews from Russian underground forums such as Probiv.cc and Dublikat.

Hacker Service Pricing List

(Image Source: Threat Analysis Group | Google)

The United Arab Emirates Hack-for-hire Modus Operandi

TAG has found that the UAE Hack-for-hire group is mostly active in the Middle East and North Africa (MENA) region. It generally targets government organizations, educational institutions, and political entities. Its modus operandi involves fake Google or OWA (Outlook Web App) password reset emails used to harvest credentials from targets.

While many Hack-for-hire groups use open-source phishing frameworks, the UAE group uses a dedicated suite of tools, including Selenium, to automate web browsers. Additionally, this group operates similarly to the Russian entity, granting itself OAuth tokens or linking the compromised target's email account to an adversary-controlled account at a third-party email provider.
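The OAuth-grant and mailbox-linking steps described for both the Russian and the UAE groups leave traces in account audit logs, which is where a defender can catch them. The Python script below is an added example, not code from the article or from Google TAG: it runs a small audit over constructed account-activity events and flags a fresh mail-scope OAuth grant to an app the user never authorised before, an IMAP login from an unfamiliar address within a day of such a grant, and a mailbox linked to an address outside the organisation. The `Event` and `Baseline` types, the `audit` function, the organisation domain `example.test`, the scope set and all sample values are assumptions made for the example.

```python
# Added example (not from the article or Google TAG): audit constructed
# account-activity events for the post-compromise steps the article describes.
# Event, Baseline, audit(), the scope set and all sample values are assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timedelta

ORG_DOMAIN = "example.test"  # hypothetical organisation domain

# OAuth scopes that grant full mailbox read access. The strings are real
# Google / Microsoft scope names; treating exactly this set as "mail scope"
# is an assumption for the example.
MAIL_SCOPES = {"https://mail.google.com/", "IMAP.AccessAsUser.All", "Mail.Read"}


@dataclass
class Event:
    ts: datetime
    user: str
    kind: str       # "oauth_consent" | "imap_login" | "account_linked"
    detail: str     # app name, source IP, or the linked address
    scopes: frozenset = field(default_factory=frozenset)


@dataclass
class Baseline:
    """What is normal for a user: apps authorised before, IPs they log in from."""
    known_apps: set
    known_ips: set


def audit(events, baselines, window=timedelta(hours=24)):
    """Return (rule, user, detail) findings in timestamp order."""
    findings = []
    last_mail_grant = {}  # user -> timestamp of the most recent mail-scope grant
    for e in sorted(events, key=lambda x: x.ts):
        base = baselines.get(e.user, Baseline(set(), set()))
        if e.kind == "oauth_consent" and e.scopes & MAIL_SCOPES:
            last_mail_grant[e.user] = e.ts
            if e.detail not in base.known_apps:
                findings.append(("mail_scope_grant_new_app", e.user, e.detail))
        elif e.kind == "imap_login":
            granted = last_mail_grant.get(e.user)
            if granted is not None and e.ts - granted <= window and e.detail not in base.known_ips:
                findings.append(("imap_login_new_ip_after_grant", e.user, e.detail))
        elif e.kind == "account_linked":
            if e.detail.rsplit("@", 1)[-1].lower() != ORG_DOMAIN:
                findings.append(("linked_to_external_account", e.user, e.detail))
    return findings


# Constructed sample data (documentation IP ranges, placeholder domains).
T0 = datetime(2022, 7, 1, 9, 0)
BASELINES = {
    "alice": Baseline({"Outlook"}, {"198.51.100.10"}),
    "bob": Baseline({"Thunderbird"}, {"198.51.100.11"}),
    "carol": Baseline(set(), {"198.51.100.12"}),
}
EVENTS = [
    # alice: new Thunderbird grant, then IMAP from an address she never used
    Event(T0, "alice", "oauth_consent", "Thunderbird", frozenset({"https://mail.google.com/"})),
    Event(T0 + timedelta(minutes=10), "alice", "imap_login", "203.0.113.45"),
    # bob: re-authorises a client he already uses, logs in from his usual IP
    Event(T0 + timedelta(hours=1), "bob", "oauth_consent", "Thunderbird", frozenset({"Mail.Read"})),
    Event(T0 + timedelta(hours=1, minutes=5), "bob", "imap_login", "198.51.100.11"),
    # carol: mailbox linked to an address outside the organisation
    Event(T0 + timedelta(hours=2), "carol", "account_linked", "carol.backup@mail-provider.test"),
    Event(T0 + timedelta(hours=3), "carol", "imap_login", "198.51.100.12"),
]


def run_sample():
    return audit(EVENTS, BASELINES)


if __name__ == "__main__":
    for rule, user, detail in run_sample():
        print(f"{rule:32} {user:8} {detail}")
```

The point of the per-user baseline is that an allowlist of "good" clients is not enough here: the article notes the attackers grant tokens to genuine applications like Thunderbird, so the signal is a grant that is new for that user, followed closely by mailbox access from somewhere that user has never logged in from.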

Investigations revealed that the UAE Hack-for-hire group had connections with the original developers of the H-Worm and njRAT. 

Fake Google Alert for Phishing

(Image Source: Threat Analysis Group | Google)

Preventive Measures to Protect from the Hack-for-hire Actors

Here are the preventive measures one can take to protect their information assets from these ‘Hack-for-hire’ actors.

  • Phishing protection: A pattern emerges if you watch the modus operandi of these Hack-for-hire actors: the attacks usually begin with a phishing email. A key preventive measure is therefore raising awareness of phishing and similar fraudulent activity.
  • Multi-factor authentication: Users can enable 2FA (two-factor authentication) or multi-factor authentication (MFA) as an additional layer of security against these threat actors.
  • Updates and advanced protection: Google TAG recommends that high-risk users keep their devices updated and enable Advanced Protection on their accounts. It also advises turning on account-level Enhanced Safe Browsing.
  • Spoofing precaution: Email spoofing is another crucial area of concern. Be careful when reaching a website via a search engine or any other source that cannot authenticate the site's genuineness, for example a link in an unexpected email from an unknown sender.
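Because both the Russian and the UAE campaigns hinge on a spoofed notification or password-reset email, part of the spoofing precaution above can be automated at the mail gateway or in an analyst's triage tool. The Python script below is an added example, not code from the article: it parses a message with the standard library and compares the From domain, the Reply-To, the Authentication-Results header and every link target against the domains a genuine reset mail for the claimed brand would use. The `BRAND_DOMAINS` table, the `triage` function and both sample messages are constructed assumptions, and the `.test` addresses are placeholders.

```python
# Added example (not from the article): triage a suspected password-reset
# phishing email. BRAND_DOMAINS, triage() and the sample messages are constructed.
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist: domains a genuine reset mail for each brand would use.
BRAND_DOMAINS = {
    "google": {"google.com"},
    "outlook": {"microsoft.com", "office.com", "outlook.com"},
}
URL_RE = re.compile(r"https?://[^\s<>\"']+")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from anchor tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_matches(host, domains):
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def triage(raw, brand):
    """Return the reasons a message looks like a spoofed reset mail for `brand`."""
    msg = message_from_string(raw, policy=policy.default)
    allowed = BRAND_DOMAINS[brand]
    reasons = []
    sender = msg["From"]
    if sender is None or not sender.addresses:
        reasons.append("missing From address")
    else:
        addr = sender.addresses[0]
        if not host_matches(addr.domain, allowed):
            reasons.append(f"From domain {addr.domain} is not a {brand} domain")
        reply_to = msg["Reply-To"]
        if reply_to and reply_to.addresses and reply_to.addresses[0].domain.lower() != addr.domain.lower():
            reasons.append(f"Reply-To domain {reply_to.addresses[0].domain} differs from From")
    # Gateway verdicts recorded upstream; a failed SPF/DKIM/DMARC check is a strong signal.
    auth = (msg["Authentication-Results"] or "").lower()
    for check in ("spf", "dkim", "dmarc"):
        if f"{check}=fail" in auth:
            reasons.append(f"{check} failed")
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body else ""
    if body and body.get_content_type() == "text/html":
        collector = LinkCollector()
        collector.feed(content)
        links = collector.links
    else:
        links = [(u, "") for u in URL_RE.findall(content)]
    for href, text in links:
        host = urlparse(href).hostname
        if not host_matches(host, allowed):
            reasons.append(f"link to {host} is not a {brand} domain")
            if any(d in text for d in allowed):
                reasons.append(f"link text claims {text} but points to {host}")
    return reasons


# Constructed sample: look-alike sender, foreign Reply-To, failed SPF, deceptive link.
PHISH = """\
From: "Google Accounts" <no-reply@accounts-google-security.test>
Reply-To: recover@mailbox-provider.test
To: victim@example.test
Subject: Password reset required
Authentication-Results: mx.example.test; spf=fail smtp.mailfrom=accounts-google-security.test; dkim=none
Content-Type: text/html; charset="utf-8"
MIME-Version: 1.0

<html><body><p>Someone tried to sign in. Reset your password now:</p>
<a href="https://accounts-google-security.test/reset?id=1">https://accounts.google.com/reset</a>
</body></html>
"""

# Constructed sample of a message that passes every check.
LEGIT = """\
From: Google <no-reply@accounts.google.com>
To: user@example.test
Subject: Security alert
Authentication-Results: mx.example.test; spf=pass; dkim=pass header.d=google.com; dmarc=pass
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0

A new sign-in was detected. Review activity: https://myaccount.google.com/notifications
"""

if __name__ == "__main__":
    for reason in triage(PHISH, "google"):
        print("PHISH:", reason)
    print("LEGIT:", triage(LEGIT, "google") or "no findings")
```

The brand is taken from whatever the message claims to be (the display name or the subject), never from the sender address, since the sender address is exactly what is being spoofed; the check then asks whether the rest of the message is consistent with that claim.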

Generally, Hack-for-hire actors do not go further than compromising the email inbox and exfiltrating data; they concentrate on social engineering rather than deploying malware. However, you should remain cautious, as more severe actions by malicious actors cannot be ruled out.

Final Words

Hack-for-hire groups are not a new phenomenon. As long as the objective is honorable with good intentions, such as fighting cybercrime, there should not be a problem with the Hack-for-hire actors as it falls within the ambit of ethical hacking. However, if their intentions are malicious, these groups have the potential to cause harm, as seen in various examples in the article. Thus, the need of the hour for organizations and even the general public is to take necessary countermeasures to prevent becoming targets of such malicious groups.

References

  1. Huntley, S. (2022, June 30). Countering hack-for-hire groups. Threat Analysis Group. https://blog.google/threat-analysis-group/countering-hack-for-hire-groups/
  2. Glover, C. (2022, June 30). Investigation reveals network of Indian ‘hack-for-hire’ groups who steal data for paying clients. TechMonitor. https://techmonitor.ai/technology/cybersecurity/hack-for-hire-indian-cyber-mercenary
  3. Pernet, C. (2022, July 1). The business of hackers-for-hire threat actors. TechRepublic. https://www.techrepublic.com/article/what-are-hackers-for-hire/ 

#Google #phishing #threats #hacking #vicarius_blog

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About VRX
VRX is a consolidated vulnerability management platform that protects assets in real time. Its rich, integrated features efficiently pinpoint and remediate the largest risks to your cyber infrastructure. Resolve the most pressing threats with efficient automation features and precise contextual analysis.
