Scams, astronomical profits… How hackers created a crime industry


Mango updates his boss, Stern. In this month of July 2021, their organization has a total of 87 employees, not to mention the three new developers being recruited. “How much should we pay them?” he asks during a chat session. This conversation would be commonplace in any company, but Mango and Stern belong to a particularly shady world, cybercrime, and their confidential exchange ended up in the public square. Specialized in ransomware, the Conti group is suspected of having extorted at least 180 million dollars in ransoms in 2021, before imploding the following year after declaring its support for Russia at the start of the invasion of Ukraine: an insider organized a massive data leak by publishing 60,000 internal messages, allowing an unprecedented dive behind the scenes of a cybergang. “What surprised us was the number of developers employed and the ability they had to move from one project to another like in a traditional company,” observes François Lexis, an engineer at the national police’s sub-directorate for the fight against cybercrime.

In a few years, the activity of malicious hackers has turned into a real industry. Gangs like Conti have gone after everything. In 2022, following attacks that hit France, the Paris prosecutor’s office opened 420 investigations into these malicious programs that encrypt your data in order to extort a ransom from you, against… 17 in 2019! Today, the cyberpolice are following more than 1,200 such cases. This is the consequence of a new modus operandi, “Big Game Hunting”: this hunt for big fish comes with ransoms that can reach several million euros. Chainalysis, a firm specializing in the analysis of blockchain transaction flows, thus counted 457 million dollars in ransoms paid in 2022, against around 765 million for each of 2020 and 2021, the two years when the phenomenon exploded. For industry experts, there is no reason for the trend to reverse. “Forced digitization has created a technical debt that no one wants to pay,” says Laurent Oudot, co-founder of cybersecurity vendor Tehtris. Bringing poorly secured systems to market benefits cybercriminals. Most computer attacks rely on known but unpatched vulnerabilities, which hackers track down automatically.

Large defense groups affected

These astronomical profits have allowed cybercriminals to build a complex ecosystem. “Everyone does their job, with real service offers,” summarizes Jean-Jacques Latour, head of expertise at the Cybermalveillance public interest group. Some computer specialists develop stealers, stealthy spyware that others distribute, for example through phishing, a technique to get you to click on a link or enter sensitive information. Those who have managed to gain fraudulent access to a network will then resell it, for example to an affiliate of a ransomware gang, who in turn is granted access to the gang’s infrastructure in exchange for a commission on their earnings. This kind of mishap also happens to large groups, like Thales, victim of a data leak in November. Afterwards, the defense electronics manufacturer thus understood that this computer attack had started in mid-August with the sale of three user accounts on a black market. One of them allowed hackers to steal data, which was later sold to the LockBit ransomware gang, which tried to extort money from Thales. In vain.

While the most effective ransomware groups are of Russian origin, they need relays beyond their borders. A lucrative business that was in the background of the trial of a computer specialist given a six-month suspended prison sentence in December in Paris. His employer, a pension organization, had caught him installing the classic toolkit of the perfect hacker on the network. Was he acting on orders? Criminal associations are ready to pay the price for this kind of skill. By sifting through 200,000 advertisements on underground forums, the Russian vendor Kaspersky observed monthly salaries of 1,300 to 4,000 dollars, sometimes reaching 20,000 dollars. Cybercrime still has a bright future ahead of it.

The main targets

Critical infrastructure. As a series of attacks that brought Costa Rica to its knees in 2022 showed, cybercrime is so thriving that it no longer hesitates to jeopardize the national security of certain countries. This threat must be put in perspective. In France, critical infrastructure operators are subject to a number of obligations that make them tougher targets, and therefore less profitable ones. “On the other hand, attacking a service provider, such as the canteen, can prove to be simpler and provide an entry point: there will necessarily be digital gateways between the two entities,” explains François Deruty, the former director of operations of the National Agency for the Security of Information Systems (Anssi), currently working at Sekoia.io. Adding a state administration or a hospital to their trophy wall also allows cybercriminals to create buzz if they do not receive a ransom. “This kind of target puts pressure and, indirectly, can push other victims to pay,” adds François Deruty.

Companies and local authorities. According to the latest Anssi report, the cyber threat remains at a high level and tends to shift towards the least well-protected organizations. Behind the large groups and the more solid central administrations, mid-sized companies, SMEs and local authorities are subject to an incessant flood of attacks. At Orange Cyberdefense, one of the market leaders, there is approximately one major intervention per week to assist customers who can no longer carry on their normal activities. In November, the company, for example, came to the aid of the Alpes-Maritimes department, victim of a large data leak of 282 gigabytes. A modus operandi that reveals the transformation of ransomware gangs, which are abandoning their former core business, encryption. “We are seeing more and more attacks by exfiltration of data: it is both simpler and a stronger blackmail lever,” analyzes Laurent Célérier, one of the executives of Orange Cyberdefense.

Individuals. Unlike with the first ransomware of the 2010s, Internet users are no longer directly targeted in this way. Which does not mean that they are spared, far from it. “False invoice scams, which affected businesses two or three years ago, now affect individuals,” notes Jean-Jacques Latour. The French are primarily targeted by phishing attacks, for example fake parcel delivery or Carte Vitale scams, or are victims of data leaks or account hacking. These methods are not reserved for experts: it is enough to buy the malicious service from the hackers who offer it. With consequences that can be dramatic: a 77-year-old retiree reported to Cybermalveillance that he had lost 17,000 euros. He had received a message explaining to him that he had to update his Carte Vitale. The septuagenarian had not seen through the scam and had handed over his credit card number, before then being called by a fake bank adviser who emptied his accounts.
