In my previous post, Evolution of the Modern Hacker, I briefly discussed the path that hackers have charted to become sophisticated, mature, and keen business people. Their growth from adolescence to maturity has culminated in a traditional model for running a business, with all of the infrastructure and support organizations that we would commonly expect to find in a modern IT industry organization.
"Executives" sit on top of the hacker organization. They are the business people who determine the overall business strategy, establish relationships with other hacking-support organizations to which they may outsource services, and establish revenue objectives. Unlike traditional mob bosses, who simply skim off the top of the revenue stream, they establish a pay-for-performance hacking network while also diversifying the revenue streams.
"Profilers" specialize in finding actionable information. We can view them as the business developers who identify and pursue targets for revenue generation. They cull these targets from corporate web sites and social networks such as LinkedIn, looking for key executives, financial managers, human resources professionals, or anyone else who may have access to an organization's banking and payroll systems.
In some cases, "Profilers" may leverage a "Call Center" to conduct targeted social engineering activities to gain more information or gather intelligence that will improve their access to the targeted organization or individual. These "Call Centers" typically operate on a "per target" or "target demographic" basis.
"Product Developers" then design and develop the tools for conducting hacking activities. Hacking software development runs exactly the same way as a legitimate development organization, with periodic releases, upgrades, and patches. Some organizations even develop product licensing models for selling the product to the hacker public, often on a per-server and per-user basis, and then provide premium support services to maintain the product over some period of time. This advanced development structure has resulted in a great leap in rootkit sophistication, allowing a rootkit to propagate with little to no detection, to gain advanced command and control capabilities, and even to forge communications with targets.
"Attackers" represent the organization's primary revenue generators, specializing in using their tools to conduct attacks against a set of targets. Similar to sales engineers and consultants, this community approaches the targets employing various tactics to gain access to an organization's cash reserves or information. In some cases, "Attackers" leverage external "Leads Generators" that have control of vast networks of "time-shared" hacked computer systems to attack multiple targets that share desirable characteristics. Once engaged, the "Attackers" proceed to pilfer organizational assets and transfer them back into the organizational collective.
"Human Resources" then recruits and manages a network of distributors for moving assets from the target to the hacker organization, especially for financial transfers. This team maintains web sites for dummy corporations that provide standard access to corporate resources, including email and payroll services, and then leverages job-seeking sites, such as Monster and CareerBuilder, to hire "Financial Consultants." For a percentage of all money transfers, these money mules follow instructions for receiving funds from targets and transferring those funds via wire transfer services such as Western Union to hacker organization agents, under the guise of paying "independent consultants."
Defending against these organizations depends on accepting that they exist and that they pose a threat. Legitimate organizations have been lulled into a sense of complacency based on the premise that they will fly "under the radar" and that no one has any reason to target them. They're wrong. We're seeing reports every day of how these hacker organizations are taking down small businesses, public utilities, local governments, and school districts: anyone who might have money in their accounts at the end of the month.
Active defense is the answer. We're helping organizations identify where their business or mission objectives are most at risk and to determine how to leverage what they already do well to protect themselves from harm. I'll follow up soon with a description of a common attack and how to keep from becoming a victim.
We founded InfusionPoints to be our clients' first choice for an independent trusted partner to build secure systems that protect their employees', partners', and customers' data.