
The Origin of Threat Groups: Setting the Foundation


Editor’s Note: This is the first of a two-part series on how threat groups originate. This first part focuses on the beginnings of threat groups and how they lay the groundwork for their malicious activities; the second part, coming out next week, will focus on how cybercrime groups further scale their operations.

Human resource representatives. Performance reviews. “Employees of the month.” These are part of the strategies that have shaped some of the behind-the-scenes operations of the Conti ransomware group, which were unearthed after a self-described security researcher set up a Twitter account in late February called “Conti Leaks” and has since been leaking two years’ worth of the group’s internal chat logs, in addition to credentials, email addresses and command-and-control (C2) server details.

The Conti leaks illustrate a never-before-seen picture into the inner workings of sophisticated threat groups, including day-to-day roles, management styles, recruitment and hiring processes and the establishment of compensation models. Researchers previously have been able to glean inklings of how cybercriminal groups operate through methods like scouring underground forums, performing incident response or reading indictments and court filings. Beyond that, the inner workings of threat groups have remained in large part a mystery.

The leaks have revealed how sophisticated threat actors have fine-tuned their operational strategies to mimic those of legitimate businesses. With threat groups forming, and breaking apart, on a quicker scale than ever before, understanding these processes behind how threat groups set the foundations for their operations is paramount, said Sherrod DeGrippo, vice president of threat research and detection at Proofpoint.

“The mixing of threat groups over time shows us that they are much more agile and able to scale more quickly,” said DeGrippo. “They really have the formula figured out now, allowing the scale and speed at which they are coming together to be accelerated.”


Top-level talent is at the heart of cybercriminal groups, and the more established groups are made up of an intricate hierarchical web of members that have been hired through mature recruitment processes. A popular method for recruitment involves posting recruitment ads, both on underground forums and via legitimate recruitment sites.

For Conti, the group’s main recruitment efforts revolve around illegally accessing the resume databases of legitimate Russian-speaking job services like headhunter.ru or superjobs.ru, and contacting candidates by email. Another recruitment tactic is through word of mouth: The group manages an employee referral program, where successful referrals lasting more than a month could earn the referring member a bonus.

“We see really frequently that people in these communities know each other - they maintain a network of contacts in the underground forums for people working in different areas,” said Jeremy Kennelly, senior manager, financial crime analysis with Mandiant Threat Intelligence. “They may go out and reach out to people they worked with before, and attempt to recruit them to their newest schemes. These avenues map closely to the way that people get recruited to legitimate jobs.”

Various groups have launched innovative recruitment campaigns: The REvil ransomware group, for instance, pulled a publicity stunt where they deposited a million dollars in bitcoin into an account, and then posted a recruitment ad on a very active forum thread that was discussing the deposit. The Conti leaks, meanwhile, revealed that the Conti group actually had “recycled” this recruitment drive by extracting high-quality candidates that had added their contact details to the forum thread and spamming them with job offers.

“These underground forums are where threat actors are selling access to organizations, but they’re also selling their own expertise,” said DeGrippo. “If an actor is selling initial access to a place, they almost operate like a value-added reseller, offering consulting services for traditional software development or setup. The reality is, it’s a mature marketplace and industry.”


Some groups have also attempted to reach out to employees at legitimate companies, offering them money to provide forms of access. For instance, recently the Lapsus$ cybercriminal group posted a message to their Telegram channel claiming that they were looking to recruit insiders at companies in the telecommunications, software/gaming, call center or server hosting industries.

Part of the conversation here also includes the motives of the recruits themselves, whether it’s money, ego, curiosity or ideology. When recruiting members, threat actors promise not only high salaries, but also bonuses and opportunities for career growth. The Conti leaks, for instance, show how the group has put in the effort to invest in those it hires, with one member, under the alias “Twin,” providing in-depth training for new recruits, including training manuals and one-on-one interactions that walk through different scenarios they may encounter during a compromise.

“We know that these threat actors have a curiosity to learn, improve their skills, and break things," said Austin Warnick, lead analyst with Flashpoint.

Though Conti human resource representatives and team managers appear to be upfront about the “illegal” projects that members would be tasked with, according to Intel 471 researchers, the Conti leaks reveal that prospective employees view the group as a workplace. Security researchers with Check Point Software pointed to one prospective candidate that claimed to have developer experience going back to 1980, “contrary to the prevailing stereotype of young and reckless cybercriminals, who have an illusion of invincibility and nothing to lose."

“In Eastern Europe or Russia it’s not seen as this shameful or embarrassing thing, it’s just a job in those cultures, a way to make money,” said Proofpoint’s DeGrippo. “They don’t take it as something dangerous.”


The Conti leaks also shed light on the intricate web of roles and responsibilities needed to carry out various tasks, with Intel 471 researchers estimating that the group had 150 members at one point making up different departments and teams working on various projects. In some cases, members have also met in person: The group has several physical offices, with a head of office operations to boot.

The roles and responsibilities for threat groups vary, with some roles built out in-house and others outsourced, depending on the resources a group has. While Intel 471 researchers said the development team makes up Conti’s core operations, the group also has subdivisions that build malware and test functionality, as well as roles for recruiting and onboarding new employees. Conti leaders have also set up upper and middle management: While in some cases the top-level member, known in the leaked chat messages as “Stern,” would send direct broadcast messages to the group, other times middle management would be involved. The leaks showed some team leaders even conducting performance reviews, in which they discussed how members had done over the past year, any training opportunities and upcoming Conti plans.

Beyond these responsibilities, ransomware groups are also known to have several specialized roles, including ones that concentrate on understanding the victim’s business - the industry, what type of data is important to them, what type of ransom to ask for based on how much money the target has - as well as roles for storing and backing up exfiltrated files, updating ransom victim shaming sites, and managing payments and negotiations. Internally, groups also have roles for members who recruit, vet candidates and ensure the status of operations, as well as split payments with the affiliates that are potentially involved and those that manage the entire operation. Within UNC2840, which distributed the Ryuk ransomware, teams existed that exclusively took the role of ransomware deployment, for instance.

“Someone would first open the door with the understanding of this environment, and would then hand off the job to this team, which just deploys the ransomware,” said Kennelly.

The mature cybercriminal underground economy, where both tools and services can be found, has also allowed these roles and processes to “become very easy.” Kennelly said that the core elements of a cybercrime group include the attack infrastructure (the systems from which groups control malware), the communication infrastructure (a covert or encrypted chat medium, like Telegram or Discord) and various malware families and tools - and many of these are available for purchase instead of groups needing to build them from the ground up. Bulletproof hosting services can be found on the underground or even in online messenger platforms like TK and Telegram, researchers have found, including dedicated and virtual hosting providers, service protection like anonymization services, reverse proxy services and VPNs, and additional infrastructure provisions like IoT hosting services or telecom-related services like SMS spamming. So, while the Trickbot group might maintain its own team of developers - including the infrastructure, design documents and internal processes - a smaller operation might decide to go buy something off-the-shelf instead, such as initial access to an environment.

“It’s so easy to set up a Telegram channel and set up low-level attacks,” said Warnick. “Using these platforms, they can share information about cyberattacks, ideas, breach data and more.”


It’s vital for organizations to understand the inner workings of these threat groups, said Jason Passwaters, chief operating officer and co-founder with Intel 471, because it can help security teams better adjust their threat models, which in turn helps protect against cybercriminals’ various tactics. Conti itself has accumulated at least 700 victims since the group’s emergence in 2020, with attacks against health care providers, 911 systems, and many other critical organizations being connected to Conti affiliates in 2021.

“A handful of groups ushered in this new era of a really organized concept around running a cybercrime business that parallels a real business or startup,” said Passwaters. “Once that was built up, it lowered the barrier of entry for lower level threat actors to get involved.”

Micki Boland, cybersecurity architect with Check Point Software, said that most groups when they start out grow substantially on “small successes paid in cryptocurrency,” so businesses need to plan accordingly, in part by understanding that all organizations regardless of industry or size are potential targets.

“At the macro level, the global cybersecurity community needs to understand more about the drivers, origins, growth and sophistication behind these cybercriminal groups,” said Boland. “These groups start small, typically with one or two individuals seeking financial gain through hacking and ransomware attacks… These cybercriminal groups do not need to hit the bank so to speak at startup, they will seek small wins.”