{"id":54747,"date":"2022-08-18T09:07:09","date_gmt":"2022-08-18T01:07:09","guid":{"rendered":"https:\/\/version-2.com\/?p=54747"},"modified":"2022-09-29T17:41:20","modified_gmt":"2022-09-29T09:41:20","slug":"countering-hack-for-hire-groups-how-do-they-work-recent-attacks-and-preventive-measures","status":"publish","type":"post","link":"https:\/\/version-2.com\/zh\/2022\/08\/countering-hack-for-hire-groups-how-do-they-work-recent-attacks-and-preventive-measures\/","title":{"rendered":"Countering \u2018Hack-for-hire\u2019 Groups: How Do They Work? Recent Attacks and Preventive Measures"},"content":{"rendered":"\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

\"\"<\/p>\n\n

Just as we have cybersecurity professionals working diligently to secure organizations and prevent the loss of information assets, there are also threat actors that offer offensive services such as commercial cyber surveillance or spyware as a service. Similarly, government-backed actors are acting at the behest of state surveillance agencies. Another breed of cyber threat actors identifying themselves as Hack-for-hire groups is also actively operating in the current cyber ecosystem. Below is more information on who they are, how they work, and what organizations and individuals can do to keep them at bay.<\/p>

Who are the Hack-for-hire Groups?<\/strong><\/h2>

Hackers as a whole need no introduction. As a subgroup, Hack-for-hire groups constitute experts who offer hacking as a service to entities not having the skills or the capability to do so. For instance, police and law enforcement agencies engage hackers to help them get breakthroughs in cybercrime. These kinds of experts are referred to as ethical hackers. On the flip side, different groups are offering hacking services to various entities to also carry out  illegal or illegitimate activities.<\/p>

While ethical hackers offer services to genuine organizations to ward off infiltration from malicious actors, \u2018hackers for hire\u2019 groups generally offer their services to various entities in order to spy on their rivals and steal or corrupt sensitive information. For instance, when there is litigation between two companies, one of them may use the services of a Hack-for-hire group to infiltrate their opponent\u2019s email account or information systems as a way to predict their next moves or learn something they can leverage against their competitors.
<\/p>

The Hack-for-hire entities either offer their services to a limited audience or advertise their services to anyone willing to provide proper remuneration, regardless of the final objective. Google\u2019s Threat Analysis Group<\/u><\/a> (TAG) has identified \u2018Hack-for-hire\u2019 groups from India, the UAE, and Russia to be among the foremost actors in this activity sphere.<\/p>

Some Hack-for-hire groups masquerade as private investigators, whereas some work with the freelancing community to avoid employing their personnel directly. <\/p>

Are the Hack-for-hire Groups Similar to Commercial Surveillance Vendors?<\/strong><\/h2>

Though the activities are similar, commercial surveillance vendors are different from Hack-for-hire groups because these companies sell their product to the user in order to operate and secure their information systems from cyber-attacks. On the other hand, the Hack-for-hire groups conduct cyber-attacks by exploiting security vulnerabilities and taking advantage of known cybersecurity flaws when undertaking their campaigns. As mentioned above, Hack-for-hire services usually help one entity to exfiltrate crucial data of its opponent. Therefore, they are also known as cyber mercenaries. The similarity of both these vendors is that they sell their services to others.
<\/p>

Whom do these Hack-for-hire Groups Target?<\/strong><\/h2>

Hack-for-hire groups generally target high profile individuals, journalists, political activists, human rights activists, and other high-risk users globally, compromising their privacy, safety, and security. Besides, these cyber threat actors conduct cyber espionage and trade secret theft. Hack-for-hire services are not only offered at the corporate  levels but also at the individual level. The below graph shows the typical pricing for various hacking services. It could be hacking social media, changing grades on an educational institution network, or infiltrating personal computer systems to steal information. In essence, anyone can be a target for the Hack-for-hire groups. The following graph<\/u><\/a> shows the average prices threat actors charge for providing hacking services, among which personal attacks, website hacking, and grades change are among the ones with the highest costs (Prices are in USD, converted from Bitcoin). 
<\/p>

(Image Source: <\/em>comparitech.com<\/u><\/em><\/a>)<\/em><\/p>

How do the Hack-for-hire Groups Work?<\/strong><\/h2>

TheHack-for-hire groups work in various ways. Google\u2019s TAG has observed that the Indian Hack-for-hire entities use freelance actors and try to avoid getting involved directly. They also work with third-party investigative services as a way to maintain some form of distance between their work. Below are some examples that would help you understand how they work.
<\/p>

The Indian Hack-for-hire Entity<\/strong><\/h2>

TAG has observed an Indian hand in the recent targeting of an IT business service provider in Cyprus, a Nigerian educational institution, a shopping mall in Israel, and a Balkan fintech company.
<\/p>

TAG has been tailing the Indian Hack-for-hire actors since 2012. It was found that the threat     actors have worked previously for Indian offensive security service providers like Belltrox and Appin. Additionally, a specific group belonging to them has targeted healthcare, government, and telecom sectors in Saudi Arabia, the UAE, and Bahrain with credential phishing campaigns. <\/p>

Sample AWS Phishing Interface<\/em><\/p>

(Image Source: <\/em>Threat Analysis Group | Google<\/u><\/em><\/a>)<\/em>
<\/p>

They have links with Rebsec, an entity that has openly advertised offering corporate espionage on its website. <\/p>

Rebsec\u2019s Offerings<\/em><\/p>

(Image Source: <\/em>Threat Analysis Group | Google<\/u><\/em><\/a>)<\/em><\/p>

The Russian Hack-for-hire Connection<\/strong><\/h2>

Russia is generally considered a major source of cybercrime as many cyber incidents over the past decades have originated there. Google\u2019s TAG has encountered a Russian threat actor targeting journalists, politicians, and various NGOs and non-profit organizations while investigating a 2017 credential phishing campaign. However, investigations revealed that the targets included many people or entities not affiliated with these organizations. This \u2018Hack-for-hire\u2019 actor has been referred to as Void Balaur<\/u><\/a>.<\/p>

The campaigns usually start with a credential phishing email that includes a link to a phishing page. Usually, it consists of notifications and messages spoofing Russian government agencies. Once the user\u2019s system is compromised, the cyber attackers continue to break down security measures by granting an OAuth (Open Authorization) token to themselves on genuine email applications like Thunderbird. They may also link the user\u2019s account to that of an attacker on a third-party provider network. They can then access email contents via IMAP (Internet Message Access Protocol) using a custom tool.<\/p>

Russian Phishing Message<\/em><\/p>

(Image Source: <\/em>Threat Analysis Group | Google<\/u><\/em><\/a>)<\/em>
<\/p>

TAG also observed that the hacker website(s) advertised their capabilities for hacking and claimed it had received positive reviews from Russian underground forums like Probiv.cc<\/a> and Dublikat.<\/p>

Hacker Service Pricing List<\/em><\/p>

(Image Source: <\/em>Threat Analysis Group | Google<\/u><\/em><\/a>)<\/em><\/p>

The United Arab Emirates Hack-for-hire Modus Operandi<\/strong><\/h2>

TAG has found out that the UAE Hack-for-hire group is usually active in the Middle East countries and North Africa (MENA region). Generally, they target government organizations, educational institutions, and political entities. The modus operandi involves using fake Google or OWA (Outlook Web App) password reset emails to filter out credentials from their targets. 
<\/p>

While many Hack-for-hire malicious groups use open-source phishing frameworks, the UAE group uses a dedicated suite of tools, like Selenium, to automate web browsers. Additionally, this group works similar to the Russian entity by presenting OAuth tokens or linking the compromised target\u2019s email account to the adversary-controlled account on a third-party email service provider. 
<\/p>

Investigations revealed that the UAE Hack-for-hire group had connections with the original developers of the H-Worm and njRAT. 
<\/p>

Fake Google Alert for Phishing<\/em><\/p>

(Image Source: <\/em>Threat Analysis Group | Google<\/u><\/em><\/a>)<\/em><\/p>

Preventive Measures to Protect from the Hack-for-hire Actors<\/strong><\/h2>

Here are the preventive measures one can take to protect their information assets from these \u2018Hack-for-hire\u2019 actors.<\/p>