Attacker Motivations Matter: Use Threat Intelligence to Stay One Step Ahead

By PRODAFT Team on October 24, 2023

Understanding the cybercrime industry is key to mounting a successful defense.


There are many insightful statistics in the 2023 Verizon Data Breach Investigations Report (DBIR), but one stands out more than the rest:

Nearly 19 out of every 20 breaches analyzed in the report are financially motivated.

According to the same report, organized crime groups are behind nearly two-thirds of data breaches. These organizations have successfully extracted enormous amounts of wealth from companies, government agencies, and individuals around the world.

Cybercrime may cost as much as $8 trillion USD by the end of 2023. For comparison, that’s larger than the market capitalization of Apple, Microsoft, and Google combined. If cybercriminals had their own country, it would be the world’s third-largest economy after the United States and China.

This is a transfer of wealth of unprecedented size, and a significant part of it is being re-invested into new cybercrime capabilities. Cybersecurity leaders can’t afford to ignore how this money is being spent. Paying close attention to attacker motivations can provide valuable insight into the types of threats to watch out for.

What Does “Financial Motivation” Really Mean?

At first glance, the term is easy to understand. Financially motivated cybercrime groups want to steal money using deception, coercion, or other illicit means.

But for cybersecurity professionals who dig deeper, this term can reveal a lot more. It can show how organized cybercrime groups actually work, and what kinds of targets they find appealing.

For example, financially motivated groups face the same economic constraints as any business. Across the industry there is an incentive to hire top talent, specialize in niche services, and sell excess capacity to other groups. That incentive frequently conflicts with the pressure to maximize profit by executing attacks as cheaply as possible.

Cybercrime actors have come up with many ways to address this need. As with any rapidly growing industry, different organizations have taken different approaches. These details deeply impact the way those cybercrime groups operate, and the degree of risk they are willing to tolerate.

How the Cybercrime Business Works

One of the most widely reported cybercrime developments of the last few years is the cybercrime-as-a-service model. In this model, developers build individual tools and license them to other threat actors to use against victims. The user-friendly ransomware-as-a-service affiliate platforms run by GandCrab, REvil, and LockBit are just a few examples.


This approach rewards cybercriminal groups for working together, and makes them more resilient against sudden setbacks. The operators of the RIG Exploit Kit relied on a credential-stealing trojan called Raccoon Stealer for years. After Raccoon Stealer's lead developer was reportedly killed in the Russia-Ukraine conflict and the service went offline, RIG operators replaced it with Dridex, which gives attackers additional capabilities.


Dridex is a popular, tried-and-true tool found in many different campaigns and contexts. Raccoon Stealer was likely the cheaper option, which let RIG Exploit Kit users extract more profit from their highly automated approach to initial access, built mostly on malvertising and automated JavaScript injections.


As in any industry, larger and more consolidated groups command resources that others can't afford. Wizard Spider is one of the most profitable cybercrime groups in the industry because of its centrally managed, vertically integrated business structure. It built its own panel-hosted cracking application and even hired a team of telephone operators to pressure non-responsive victims into paying.

How Cybercrime Organizations' Business Structures Impact Their Tactics, Techniques, and Procedures (TTPs)

The size and scope of a cybercrime group directly influence the way it operates and the financial calculations it makes when choosing and attacking victims. The leaders of cybercrime groups are as keenly aware of potential risks as any business leader.

Two examples from our published research effectively demonstrate how these differences impact the way threat actors behave:

  • RIG Exploit Kit users may not be willing to expend much time or energy on targets they don't expect to breach. During a late-2022 campaign they successfully exploited between 20,000 and 25,000 devices per day; the hundreds of thousands of unsuccessful attempts made over the same period cost them nothing worth worrying about.

  • Wizard Spider can afford to take on much riskier targets and expend considerable resources overcoming security controls. Its vertically integrated capabilities and extensive, software-specific sub-teams let it manage attacks from start to finish, and it can deploy hundreds of millions of dollars to expand its capabilities if needed.

A well-prepared organization with robust security policies will need incident response playbooks that take these differences into account. The degree to which attackers are willing to expend resources targeting individual victims can make a significant difference in the overall risk their attacks present. Without this knowledge, it’s impossible to predict how far threat actors are willing to go.

Threat Intelligence Data is Crucial for Early, Effective Detection

Knowing how financially motivated cybercrime groups actually drive profits is key to mounting a successful defense against them. It allows security leaders to deploy limited resources more effectively against high-priority threats.

For example, one cybercrime group may use automation to cast a wide net with tools like the RIG Exploit Kit. Blocking unauthorized processes and isolating infected devices might be enough to thwart an active attack, at least in the short term; the group will eventually change its tactics and find new ways to exploit targets.

A well-equipped, highly coordinated team of threat actors like Wizard Spider requires a much more robust response. Our team discovered Wizard Spider threat actors manually using 16 different tools to exploit victims. If your incident response team only blocks one or two of these tools, hackers will simply switch to another.

If you are a cybersecurity leader facing an active attack by an unknown threat actor, there is no way to tell which response playbook will be most effective. Responding to cyberattacks without this kind of data is a gamble, and the odds are stacked heavily against decision-makers who lack actionable, up-to-date intelligence.
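As an added example (not PRODAFT's tooling or data), the following Python sketch shows what attribution-driven playbook selection looks like in practice: ATT&CK technique IDs are extracted from constructed alert lines, compared against hypothetical actor profiles by set overlap, and the playbook is chosen from the best match. The actor profiles, alert lines, playbook names and confidence threshold are all assumptions made for illustration; real profiles would come from a threat-intelligence feed. When no profile matches confidently, the code defaults to the most expensive response, because an unattributed intrusion has to be treated as the well-resourced case.

```python
"""Attribution-driven playbook selection from observed ATT&CK techniques.

Constructed illustration only: the profiles, alerts and playbooks below are
hypothetical and do not describe any real group's actual tooling.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ActorProfile:
    name: str
    techniques: frozenset   # MITRE ATT&CK technique IDs the actor is known to use
    resource_level: str     # "opportunistic" or "well-resourced"


# Hypothetical actor profiles (assumption; not PRODAFT's data).
PROFILES = (
    ActorProfile("exploit-kit operator",
                 frozenset({"T1189", "T1203", "T1204.001", "T1555"}),
                 "opportunistic"),
    ActorProfile("vertically integrated ransomware group",
                 frozenset({"T1566.001", "T1059.001", "T1003.001", "T1021.001",
                            "T1078", "T1055", "T1486"}),
                 "well-resourced"),
    ActorProfile("credential-phishing crew",
                 frozenset({"T1566.002", "T1078", "T1114.002"}),
                 "opportunistic"),
)

# Playbook per resource level (assumed names): a cheap, automated intrusion is
# contained and blocked; a well-resourced actor gets full-scope incident response.
PLAYBOOKS = {"opportunistic": "contain-and-block",
             "well-resourced": "full-scope-ir"}

# Alert lines are assumed to carry a tag of the form attack.technique=T1189 or T1003.001.
TECHNIQUE_RE = re.compile(r"attack\.technique=(T\d{4}(?:\.\d{3})?)")


def techniques_from_alerts(lines):
    """Extract the set of ATT&CK technique IDs tagged in the alert lines."""
    found = set()
    for line in lines:
        m = TECHNIQUE_RE.search(line)
        if m:
            found.add(m.group(1))
    return frozenset(found)


def similarity(observed, profile):
    """Jaccard overlap between observed techniques and an actor's known set."""
    union = observed | profile.techniques
    if not union:
        return 0.0
    return len(observed & profile.techniques) / len(union)


def rank_actors(observed, profiles=PROFILES):
    """Return (score, profile) pairs, best match first; ties broken by name."""
    scored = [(similarity(observed, p), p) for p in profiles]
    return sorted(scored, key=lambda t: (-t[0], t[1].name))


def choose_playbook(observed, profiles=PROFILES, min_confidence=0.2):
    """Pick a playbook from the best-matching actor.

    Returns (playbook, actor_name, score). Below min_confidence the actor is
    treated as unknown and the most expensive playbook is chosen.
    """
    score, best = rank_actors(observed, profiles)[0]
    if score < min_confidence:
        return PLAYBOOKS["well-resourced"], None, score
    return PLAYBOOKS[best.resource_level], best.name, score


# Constructed alert lines (not real telemetry) for a drive-by infection.
SAMPLE_ALERTS = [
    "2023-10-24T08:12:03Z host=ws-17 edr=block msg='drive-by download' attack.technique=T1189",
    "2023-10-24T08:12:09Z host=ws-17 edr=alert msg='browser exploit' attack.technique=T1203",
    "2023-10-24T08:13:41Z host=ws-17 edr=alert msg='browser credential store read' attack.technique=T1555",
    "2023-10-24T08:13:42Z host=ws-17 edr=info msg='heartbeat'",
]

if __name__ == "__main__":
    seen = techniques_from_alerts(SAMPLE_ALERTS)
    print(sorted(seen))
    print(choose_playbook(seen))
```

The threshold is the important knob: a single shared technique such as valid-account use (T1078) appears in many profiles and should not drive attribution on its own, so a low-overlap match falls through to the conservative playbook rather than to a cheap one.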

PRODAFT exposes the inner workings of the world’s most notorious cybercrime groups. It allows cybersecurity leaders to match observed indicators of compromise with specific threat actors, providing valuable insight that can guide incident response workflows when organizations need it most.
