Oct 14, 2020 23:00:00

How are cybercriminal organizations operated?

Security researchers are discussing how cybercriminal organizations are operated, taking as an example the cybercriminal organization

FIN7 , which is said to have earned more than $ 1 billion (about 105 billion yen).

CrimeOps: The Operational Art of Cyber Crime | Okta Security
https://sec.okta.com/articles/2020/08/crimeops-operational-art-cyber-crime

FIN7 is an international cybercriminal organization that appears to be based in Russia. In 2018, the members issued multiple arrests, but as of 2020, it still remains a large force.

According to security researcher Grugq, FIN7 is an organization that shouldn't be seen from a technical point of view. For example, attacks rely on classic phishing , and the tools used for attacks are also common malware reuse.

FIN7, which does not have advanced technology, was so successful that it earned more than 100 billion yen because of the groundbreaking project management that Mr. Grugq describes as 'innovation.' In particular, sophisticated talent management and business processes are spectacular, Grugq points out.

FIN7 talent was recruited through a fake front company. The core members of FIN7 recruited members under the guise of a fake security company, and even conducted interviews with prospective personnel using HipChat , a chat tool for business.

The talent gathered in this way has benefited organizations through effective cybercrime processes and monetization templates that can be applied by a variety of companies and organizations. The workflow is as follows:

-Selection of target organization.
・ Search for personnel that are potential weaknesses of the target organization.
-Send an email to the person to open the Trojan.
-Build a monitoring network.
-Identify financial processing such as access to the target business account or retailer.
-Withdraw funds from your account and obtain the collected data via the network.
・ Sell the obtained financial data.

'A reliable criminal process makes it possible to derive value from any victim, so FIN7 builds a portfolio of exploitable victims,' Grugq said of FIN7's series of criminal processes. I managed it. '

FIN7 managed the portfolio in units of 'projects' that linked the victim companies with the human resources who attacked the companies. Each project contained information about the victim, the assignment of personnel, and data extracted from the victim. The portfolio built in this way was always informed of progress through JIRA , a project management software.

According to Grugq, the fact that FIN7's technical capabilities are not high is also an advantage that FIN7's profits do not depend on the technical skills of its members.

Based on these findings, Grugq summarized the innovations of FIN7 as follows.

・ Transition from technology-based innovation to business-based innovation.
-Reproducible and adaptable criminal process.
-Portfolio management to scale the process.
-Use of project management software that can manage a large number of victims.
-Capacity building for running projects in parallel.
・ Skillful division of roles, structuring, and securing human resources.
-Development environment that incorporates DevOps and agile .