An analysis of the evolution of cybercrime from its beginnings in the 1990s to its billion-dollar presence today has one overriding theme: the development of cybercrime as a business closely mimics the evolution of legitimate business, and will continue to evolve to improve its own ROI.
In the early days, hacking was more about personal prestige and kudos than about making money – but the dotcom made people realize there’s money to be made on the internet. This first phase of cybercrime loosely fits the period from 1990 to 2006.
From this simple realization, HP Wolf Security’s study of The Evolution of Cybercrime (PDF report) shows an underground business that follows and mimics the overground business ecosystem – digital transformation included. “Digital transformation has supercharged both sides of the attack-defense divide – shown, for instance, by the increasing popularity of ‘as a service’ offerings,” said Alex Holland, senior malware analyst and author of the report. “This has democratized malicious activity to the point where complex attacks requiring high levels of knowledge and resources – once the preserve of advanced persistent threat (APT) groups – are now far more accessible to a wider group of threat actors.”
Malware has become commoditized – typified perhaps during the era Zeus. Zeus originally cost $8,000, but competition with the lower priced SpyEye brought the price down to around $500. In 2011 the source code was leaked, and it effectively became free.
At the same time, criminal gangs were consolidating and moving towards an ‘as a service’ operation. Specific kits became available so that inexperienced wannabe criminals could hire everything necessary to deliver different types of attack. This has become so widespread and diversified that it is best thought of as the criminal underground now operating a malware-as-a-service ecosystem. To handle this, the gangs themselves developed a role-specific model – with different specialists handling the different components of running a criminal business.
This ecosystem has adopted the same hierarchical structure as the overground, with just a few top criminals effectively controlling cybercrime syndicates rather than individual separate criminal gangs.
ADVANCED SYNDICATES
This is the state of the criminal underground today – a few advanced ‘syndicates’ capable of sustained long-term attacks against major targets, supplemented by a vast number of non-technical ‘small time’ criminals buying readymade kits or low-cost vulnerabilities.
Wolf Security found that 91% of advertised exploits cost under $10 – sucking in large numbers of non-technical wannabes. This compares to the far smaller number of custom exploits ranging in cost from $1,000 to $4,000 sold to the elites.
In times of economic uncertainty and duress, it is easy to understand the attraction of making a few dollars on the side. While accessing the dark web can hardly be done by accident, it is still not difficult. Holland gave SecurityWeek an example taken from the gaming world.
“Many people come into cybercrime through breaking cheats for video games,” he said. “The skill set for finding cheats in video games is very close to reverse engineering, vulnerability finding, and bug hunting. So, the potential criminal might think, ‘Okay, I’ve managed to bypass this popular video game’s cheat engine; maybe I can make some more money on the side, since it turns out that my skills are in very high demand by cyber criminals’.”
This is a subtly attractive argument: cheating at games is considered a legitimate part of playing games. It’s not a big stretch from justifying cheating at games to cheating the internet. But it’s still only the start of the journey into the underground ecosystem – you don’t cheat a game and suddenly get offered exploits. You must find and join a forum, but you will only get access to relatively innocuous public forums. Here, though, you can start to build a reputation, prove your worth and demonstrate you don’t work for law enforcement. It is here that you can hope to meet the sponsors who might invite you into the deeper and darker forums, and this feeds the base of the cybercrime pyramid.
The pointy end of the pyramid is altogether different. This comprises a relatively small number of syndicate leaders directly ‘controlling’ the elite gangs. Interestingly, it is getting difficult to distinguish between the cybercrime gangs and nation states. Many, certainly not all, of the major syndicates operate out of geopolitically adversarial nations: Russia, China, Iran and North Korea.
NATION STATE THREAT ACTORS
Nation states and elite criminals now use the same tactics and procedures, often share similar targets and even share personnel. The old difference of surveillance for nation states and financial for criminal gangs has been eroded by growing global sanctions, so that even nation-state hackers are not averse to hacking for national financial gain.
As a result, it is becoming difficult to determine whether criminals or certain governments are the ultimate controllers of the cybercrime underground. Holland suggests we need a new term for where it is difficult to determine between straight criminality and state-sponsored attacks: state-permitted.
The real purpose of Wolf Security’s analysis of the evolution of cybercrime is to set the baseline for a ‘horizon scanning’ exercise: ‘this is what and why we have the current state of cybercrime, but based on this, what should we expect in the future?’. The report’s researchers have four predictions.
Firstly, we can expect destructive data denial attacks will become more destructive. Sectors depending on IoT-delivered time-sensitive data will be targeted. “We are also seeing a resurgence in destructive attacks on critical infrastructure,” says the report, “such as the wiper attacks in late 2021 and 2022, following in the footsteps of Shamoon (2012) and Michelangelo (1991), with malware that wipes data and disables systems without demanding a ransom.”
Secondly, nation-state APT techniques will be increasingly adopted to drive more targeted attacks against manufacturing and other sectors. This will, in effect, be a consolidation of the already blurred line between criminal and nation state activities. North Korea’s Lazarus group is a good example – is it a criminal or nation group? The answer is ‘both’. “North Korea has undoubtedly shown a way forward for impoverished nations to not only boost their economies, but to also potentially get around sanctions. The horse has bolted, this is happening and that has been a definitive change over the past four years,” said Mike McGuire, a senior lecturer in criminology and one of the report’s authors.
ARTIFICIAL INTELLIGENCE
Thirdly, there will be increasing criminal adoption of new technologies. Artificial intelligence will be used against the defenders rather than just by the defenders. Deepfake BEC operations will increase, and AI model poisoning will grow. Web3 might make access to users’ PII more difficult, but could also provide new opportunities for reputation systems that support cybercrime by easily transferring reputations across multiple marketplaces and forums. ‘Cloud cracking’ will increase; that is, the use of public cloud compute power to increase the speed of brute-force attacks. And then there’s the coming of quantum computing, which will undoubtedly be harnessed by nation states and elite gangs.
Fourthly, the cybercrime ecosystem will continue to drive greater efficiency to improve its own return on investment. The top three exploits isolated by HP Wolf Security in early 2022 are all at least four years old. “When the window of opportunity to exploit old vulnerabilities is so large,” says the report “the return on investment to weaponize new vulnerabilities is poor. Instead, cybercriminals are more likely to focus on increasing the speed and efficiency of their intrusions.”
In effect, many of these developments will combine to ensure the threat from cybercrime will continue to grow: “We are likely to see attackers using AI and machine learning techniques to enable targeted spear-phishing attacks at scale. Attackers could deploy offensive tools that utilize AI capabilities to tailor phishing emails to key individuals at an organization and speed up their post-exploitation activities after gaining an initial foothold into a network.”
Related: Cyber Insights 2022: Improving Criminal Sophistication
Related: Cyber Insights 2022: Nation-States
Related: Cyber Insights 2022: Adversarial AI
Related: Securing the Metaverse and Web3
