CYBERSECURITY | From loyal employees to cybercriminals

A leading provider of cyber security solutions globally warns that it is not only hacking tools and threats or weapons, drugs and stolen personal information and login credentials that are traded in the dark corners of the internet, but also where various insiders and hacker groups are continuously offering their services and cybercriminals looking for collaborators to help them attack organizations from the inside.

The Darknet is attractive to cybercriminals, according to Check Point Research (CPR), the Threat Intelligence arm of Check Point Software Technologies Ltd., and because of its near-perfect anonymity, making it an ideal space for finding collaborators and offering illegal employment opportunities. Many offers are targeted at insiders, those with knowledge of and access to sensitive systems who can help cybercriminals penetrate protected networks. While we can imagine that with the advancement of cyber tools, insider business will diminish – we observe that during the last two years it continues to flourish in the darknet.

Job offers on the darknet

“Cybercriminals often use specialized forums and marketplaces on the darknet to post job offers,” said says Sergey Shykevich, Threat Intelligence group manager, Check Point Research. “These can attract tech-savvy users who are disenchanted with the traditional job market or are willing to go beyond the law for financial reward. Offers can range from hacking and data theft to malware deployment and ransomware campaigns. Hacker groups expect insiders to provide access to target systems, assist in overcoming security measures, and provide useful information for a successful attack. Or even attempt physical sabotage.”

Finding insiders

Insiders are valuable to cybercriminals because they have access to critical information and can weaken security measures from the inside. Cybercriminals often offer high financial rewards for cooperation and may even provide special training to maximize damage. For example, how to install malware or otherwise sabotage employers’ security systems. There are dozens of similar ads on the darknet. Often these are advertisements from Russia or the Commonwealth of Independent States (CIS).

Hiring an insider is expensive and dangerous, which is why cybercriminals target lucrative industries and large companies in these cases. For example, the financial, telecommunications or technology sectors are popular targets.

But it’s not just cybercriminals looking for collaborators on the darknet, insiders are also proactively offering their services. For example, an employee of a major mobile operator in Russia offered SIM card swapping and other illegal services. There are many similar advertisements also for the US telecommunication operators.

Insider service offers from the financial sector and the world of cryptocurrencies are also popular. And the technology sector has traditionally faced the threat of insiders.

But no sector is exempt from risk, as the advert relating to the shoe and fashion trade shows.
There are cybercrime organizations in Russia and Eastern Europe that monitor insider networks in various organizations. But some of them also offer their own insiders who provide illegal or at least dubious services in other countries. One such insider is a hacker with the nickname Videntis.

Videntis has a catalog of over 11 pages offering insider-related services. Some of the services are very common, such as finding a mobile number for 2,500 rubles within 48 hours, listing all calls and SMS within 72 hours for 25,000 rubles, or forwarding all calls from a specific number for 19,000 rubles.

Other services involve specific Russian banks. For 8,000 rubles it is possible to find out a secret word within 72 hours or get a statement from any account for 9,000 rubles. For US$900, a hacker promises to use his contacts to block any user’s WhatsApp, block a SIM card with any operator, or for US$850, block any personal Instagram or TikTok account within 7-30 days. Some services are more versatile, such as confirming vaccinations abroad or creating health documents for travel.

A profitable deal for both parties

For insiders, working with cybercriminals is high-risk; they can face criminal prosecution and loss of professional reputation. And there are rewards to match. Although for some, the main motivation may be revenge.

The reward may be in the form of a direct payment or a share of the profits from the stolen data. In some cases, rewards may be contingent on the success of the attack or the amount of data recovered.

The infamous hacker group LAPSUS$, for example, sought an insider inside telco companies and offered a reward and low risk for both the insider and the hackers. Another group, in turn, offered US$2,000 – US$5,000 to employees who had access to drivers at various food delivery services. But higher amounts, such as up to US$100,000 to insiders at technology companies, are no exception. The impact of attacks involving insiders can be devastating. The Ponemon Institute’s “Cost of Insider Threats Global Report” reports that in 2021, the average cost per incident associated with insider activity will climb to US$15.38 million.

Insiders can be employees, suppliers or employees of partner companies. In addition, their motives can vary from financial gain to revenge to political or ideological reasons.
Collaboration between cybercriminals and insiders on the darknet poses a serious threat to companies’ data security and infrastructure. This phenomenon requires the utmost attention and a proactive approach to security, including employee training, implementation of appropriate security policies, detection of suspicious behavior, monitoring of the entire environment and regular audits. It is important to understand that prevention is key in the fight against cybercrime.

WATCH: TECHSABADO and ‘TODAY IS TUESDAY’ LIVESTREAM on YOUTUBE