Editorial type: Feature. Date: 2020-11-17. Tags: Security, Xcina Consulting, Citizen Lab, Gigamon, Mimecast, Ivanti
Hacker-for-hire groups are on the rampage globally, leaving a trail of destruction in their wake. The right cyber resilience strategies must be put in place to counteract this growing threat.

According to a new report published by internet-watching Citizen Lab, hacker-for-hire groups are targeting hundreds of thousands of institutions around the world, including advocacy groups, journalists, elected officials, lawyers, hedge funds and companies.

“We give the name ‘Dark Basin’ to a hack-for-hire organisation that has targeted thousands of individuals and organisations on six continents, including senior politicians, government prosecutors, CEOs, journalists and human rights defenders,” states Citizen Lab. “Over the course of our multi-year investigation, we found that Dark Basin likely conducted commercial espionage on behalf of their clients against opponents involved in high-profile public events, criminal cases, financial transactions, news stories and advocacy.”

In 2017, Citizen Lab was contacted by a journalist who had been targeted with phishing attempts and asked if it would investigate. “We linked the phishing attempts to a custom URL shortener, which the operators used to disguise the phishing links. We subsequently discovered that this shortener was part of a larger network of custom URL shorteners operated by a single group [Dark Basin]. Because the shorteners created URLs with sequential shortcodes, we were able to enumerate them and identify almost 28,000 additional URLs containing email addresses of targets. We used open source intelligence techniques to identify hundreds of targeted individuals and organisations. We later contacted a substantial fraction of them, assembling a global picture of Dark Basin’s targeting.”

Citizen Lab’s investigation yielded several clusters of interest, including two clusters of advocacy organisations in the United States working on climate change and net neutrality. “While we initially thought that Dark Basin might be state-sponsored, the range of targets soon made it clear that Dark Basin was likely a hack-for-hire operation. Dark Basin’s targets were often on only one side of a contested legal proceeding, advocacy issue or business deal.”

What this all too clearly demonstrates is that cybercrime has evolved and cybercrime-as-a-service (CAAS) is now a commonplace activity. “Not so long ago, if one wanted to launch a distributed denial of service [DDoS] attack, then one would need to develop the required malware, push the malware out into the web, infect enough computers to create a sufficiently large attack force and then launch the attack against the desired target domain,” says Kev Brear, director of consulting – Technology Risk – Xcina Consulting. “This was a time-consuming and labour-intensive process, and it required a fair degree of technical expertise to develop the malware and manage the DDoS attack process.”

However, the world of technology has ‘progressed’ and it is entirely possible to purchase a DDoS attack from the ‘Dark web’. “One simply has to make contact with one of the numerous vendors of the services and specify the target, the magnitude and duration of the attack, pay the required fee (usually in crypto-currency) and then one sits back and observes as the crime unfolds,” he adds. “The DDoS attack will have an associated service level agreement, but quite how the SLA is enforced in the event of a disagreement is currently an opaque area!”

This “commoditisation of cybercrime” now extends beyond DDoS attacks, states Brear, and it is possible to purchase ransomware attacks, targeted hacks, bespoke malware, phishing email templates, industrial espionage services, and lists of potential targets for frauds and extortion attempts. “The other consequence of the commoditisation of cybercrime is that traditional criminals can purchase the required technical solutions to combine with their criminal prowess, and produce ever more inventive methods to defraud and attack people and organisations.”

Action Fraud, the UK’s dedicated resource for reporting fraud and cybercrime, has estimated that UK citizens have already lost some £16 million from online scams and frauds perpetrated since the UK lockdown began. “Also, the illegal takeover, or compromise, of cloud-based email accounts is approaching epidemic proportions and shows no signs of abating anytime soon,” Brear warns.

“Despite the focus on disruption to business operations created by the Covid-19 crisis, the traditional challenges created by cybercrime have not diminished and organisations need to have in place appropriate protective measures, security response plans and business continuity arrangements to maintain their critical services and functions.”

What is clear from these findings is that the range of threats that face organisations is increasing and now, more than ever, it’s essential that companies have the right cyber resilience strategies in place to counteract this growing threat – which has only been amplified by the coronavirus pandemic and remote working. This is supported by another recent report published by cyber security specialist firm Mimecast, titled ‘State of Email Security’, which details some of the threats facing businesses today. The report surveyed 1,025 global IT decision makers. Some of the key findings include:

  • 60% of IT professionals surveyed believe it’s inevitable or likely they will suffer from an email-borne attack in the coming year
  • 72% of respondents reported an increase in phishing on their organisations and, due to the global pandemic, threat actors are broadly using impersonation and business email compromise (BEC) to steal from unsuspecting users. Mimecast has found that impersonation fraud attempts jumped by a staggering 30% from January to April 2020
  • 47% of IT professionals surveyed in the UK say the volume of email-based spoofing of customers, vendors or business partners, using their brand to trick an organisation into giving cybercriminals money, sensitive intellectual property or login credentials, has increased over the past year
  • 51% of IT professionals surveyed in the UK say the volume of email-based spoofing of well-known internet brands (Microsoft, PayPal etc), asking employees for money, sensitive intellectual property or login credentials has increased over the last year.

This research comes at a time when organisations across the globe have been forced to adopt remote work policies for employees in response to the coronavirus pandemic. Threat actors have seized this opportunity and evolved the ways they are targeting their victims. Domain spoofing and email spoofing have become mainstream attack vectors, according to the report. Nearly half of organisations (49%) surveyed report anticipating an increase in web or email spoofing and brand exploitation in the next 12 months, and it is a rising concern. In fact, 84% of respondents feel concerned about an email domain, web domain, brand exploitation or site spoofing attack. It is critical for organisations to look beyond their email perimeters to determine how cyber threat actors may be using and damaging their brands online.

Similar to years past, impersonation attacks, phishing attempts and ransomware continue to be a major problem, according to the research. Seventy-two per cent of report participants said phishing attacks remained flat or increased in the last 12 months and 74% report the same of impersonation attacks. This indicates that phishing is potentially becoming more difficult to stop or prevent due to more advanced tactics like spear-phishing.

Ransomware also continues to wreak havoc, as just over half of respondents (51%) said ransomware attacks impacted their organisation, citing data loss, downtime, financial loss and loss of reputation or trust among customers.

The State of Email Security 2020 report also shines a light on the urgent need for a more cyber-aware workforce. Encouragingly, 97% of the respondents’ organisations offer security awareness training at varying frequencies and formats. However, 60% of those surveyed reported having been hit by malicious activity spread from employee to employee, pointing to the fact that the format or frequency of this training could be the problem. With frequent, consistent, engaging content that humanises security, security awareness training is an effective way to reduce risk inside the network and organisation.

While threat actors are gaining in sophistication and evolving, their tactics in many ways remain the same, points out Chris Goettl, director of security solutions, Ivanti. “This means businesses can cut through this sophistication and prioritise measures to maximise their cybersecurity strategies. For this reason, they should look to cybersecurity frameworks such as the CIS Critical Security Controls.

“By following the top five CIS guidelines and adhering to basic cyber hygiene measures, it’s possible to eliminate 85% of modern cyber threats. Take vulnerability management, for example: if IT and security teams don’t treat vulnerability management as an ongoing process, business infrastructure will be exposed, as hackers can find and weaponise vulnerabilities faster than these teams can patch. Automating this process can further protect the organisation by minimising the gap between the onset of new knowledge and remediation, reducing the period in which cybercriminals can strike.”

Goettl also recognises how businesses have faced an entirely new security challenge over recent months due to the added risks of a remote workforce. “For companies that weren’t prepared to support remote workers, this was a drastic change. It’s important that IT and security teams implement tailored measures to counter this drastic shift in attack surface, as remote working looks set to continue in some capacity for the foreseeable future.

“For example, patching a remote or fluid workforce may require the implementation of a hybrid or cloud-based patch management solution that can implement patches to company-owned devices and BYOD, and that won’t take up valuable VPN bandwidth with update traffic.”

With workers undefended away from their offices and targeted by malicious actors, companies must keep security front of mind as they familiarise themselves with the ‘new normal’, says Adrian Rowley, senior director, Sales Engineering EMEA at Gigamon. “As flexible working becomes the go-to, employees will be shifting between on-premise and remote working, combining user-owned and company devices (not to mention personal WiFi connections). This will make network perimeters even harder to define and to protect.

“Traffic flows will also be impacted, with users switching from LAN to WAN and back – so inspecting encrypted and unencrypted data will be critical for IT and security teams to keep abreast of potential threats. Ultimately, the only way to drive security in these difficult circumstances is minimising blind spots and ensuring unclouded visibility throughout the network.”

To create security resilience in times of uncertainty, companies must move away from the idea that any asset or user within the network perimeter can be trusted, and a much stricter privilege regulation policy is needed – in other words, a Zero Trust (ZT) architecture, he continues. “This security strategy consists of scrutinising asset behaviour and only granting access based on this information, rather than based on pre-existing credentials. Because it’s impossible to monitor what you can’t see, companies need a clear view of everything that happens on their network to enable a ZT approach.

“What many businesses haven’t grasped yet is that ZT isn’t a product they can buy, deploy and use to dispel their security woes,” states Rowley. “It’s a mindset which must be applied to every IT and security decision. Shifting to a ZT model is no easy feat, but it’s imperative to ensure fool-proof protection at a time when IT environments are complicated by a fluid workforce and cyberattacks are fiercer than ever.”