When we talk about malware and cyber attacks, we usually treat cybercrime as a single, faceless, uniform entity. Cybersecurity specialists, such as buguroo’s team, are nevertheless mindful not only of the code used to build the malware, but also of the processes adopted to run campaigns and the targets they were aimed at. It is these three elements that provide most of the clues as to who may be behind them.
However strange it may seem to people, we can draw parallels between malware and works of art, which have their own style and author’s signature. In the same way as we refer to art forms, such as pop art, impressionism, cubism, surrealism, etc., some distinctive styles can also be recognized in the malware produced by hacker schools in different countries.
These schools have developed their own way of launching attacks, mainly in the wake of the broad spectrum of security measures that have gradually been implemented in the same geographical areas they hack.
This ongoing environmental adaptation is one of the reasons why they are so dangerous, since, as we already know, they invest large amounts of time and funds into discovering how to steal citizens’ money and they never give up until they succeed, taking advantage of the slightest technological or human weakness.
Although it is true that nowadays cybercrime lurks in almost every country across the globe, we can pinpoint a series of countries that have undoubtedly produced the main schools and have been the most inventive at any given time.
Getting to know who they are enables us to predict how they will evolve and what we can expect from them. In fact, some of the hackers most wanted by the FBI come from these countries.
These cybercriminals’ favourite victims are located mainly in Europe and the US, so they have had to adapt to the security measures in use there. These measures mainly comprise banking credentials plus two-factor authentication, whether via SMS, coordinate cards, etc.
In order to bypass these types of protection measures, the cybercriminals resort to WebInject techniques: malware on the victim’s machine alters what the browser displays, so that users see and fill in what the attacker wants rather than what the bank actually sent.
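Because a WebInject changes the page in the victim’s browser, the bank’s own page script is well placed to notice the change: it knows which form fields it rendered and can flag any field it did not. The following is an added example of such a defender-side integrity check, not code from the original post or from buguroo; the field names, the allowlist and the two page snapshots are constructed for illustration, and the snapshot shape is an assumption about what a browser script would collect from `form.elements`.

```javascript
// Added example (not from the buguroo post): a defender-side integrity check for a
// bank's own login page. Inject malware typically adds fields the genuine page never
// renders (for example asking for the full coordinate card or an SMS code at login).
// All field names and the sample snapshots below are constructed for illustration.

// Fields the genuine login page renders (constructed allowlist).
const EXPECTED_LOGIN_FIELDS = new Set(['username', 'password', 'csrf_token']);

// Name patterns that, when they appear as unexpected fields, suggest 2FA harvesting.
const SENSITIVE_PATTERNS = [/otp/i, /sms/i, /coord/i, /token/i, /pin/i, /card/i];

/**
 * Compare a snapshot of the rendered form against the allowlist.
 * `snapshot` is an array of { name, type } objects, the shape you would get from
 * Array.from(form.elements).map(e => ({ name: e.name, type: e.type })) in a browser
 * (assumed collection method). Returns a verdict object that can be logged locally
 * or reported to the bank's fraud back end.
 */
function checkLoginForm(snapshot) {
  const unexpected = snapshot
    .map(f => f.name)
    .filter(name => name && !EXPECTED_LOGIN_FIELDS.has(name));
  const missing = [...EXPECTED_LOGIN_FIELDS].filter(
    name => !snapshot.some(f => f.name === name));
  // Unexpected fields whose names hint at one-time codes or coordinate cards.
  const suspicious = unexpected.filter(
    name => SENSITIVE_PATTERNS.some(re => re.test(name)));
  let severity = 'none';
  if (suspicious.length > 0) {
    severity = 'high';      // 2FA material requested on the login step
  } else if (unexpected.length > 0 || missing.length > 0) {
    severity = 'medium';    // page structure differs from what the bank rendered
  }
  return {
    tampered: unexpected.length > 0 || missing.length > 0,
    unexpected,
    missing,
    suspicious,
    severity,
  };
}

// Constructed snapshots standing in for the rendered DOM.
const CLEAN_SNAPSHOT = [
  { name: 'username', type: 'text' },
  { name: 'password', type: 'password' },
  { name: 'csrf_token', type: 'hidden' },
];
const INJECTED_SNAPSHOT = [
  ...CLEAN_SNAPSHOT,
  { name: 'sms_code', type: 'text' },          // not rendered by the bank
  { name: 'coord_card_full', type: 'text' },   // not rendered by the bank
];

console.log(checkLoginForm(CLEAN_SNAPSHOT));
console.log(checkLoginForm(INJECTED_SNAPSHOT));
```

The check is deliberately simple: an allowlist of rendered fields and a verdict object. In practice the verdict would be sent to the server together with the session, where it becomes one more signal about whether the session is being manipulated, rather than a reason to block on the client alone.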
The school of Russian hackers is one of the most well known thanks to the hard-hitting cyberattacks they usually carry out, several of them politically motivated, which are more typical of a cyberwar than of cybercrime in the proper sense of the word.
One of the foremost Russian cybercriminal groups to be profiled is APT28, which has been involved in numerous incidents where cyber attacks have been used as a weapon of war and has had a good deal of literature written about it.
Without a shadow of a doubt, the fact that they have ranked at the top of the list for years makes researchers wonder what the keys to this “success” are.
One of the most widely debated factors is related to the country’s educational system, which, since Soviet Union times, has been driving the study of science and mathematics as well as inquisitiveness with respect to scientific knowledge.
This same education system currently awakens the curiosity of small children through subjects closely related to IT and programming, and this knowledge gains traction through participation programs in governmental projects that recruit young people in order to build up a talent reserve.
Others decide to support sporadic steps in the cybercriminal value chain, helping with basic tasks in exchange for money, sometimes without even knowing what they are contributing to.
Be that as it may, young Russians make inroads into the market boasting skills and know-how that are light years ahead of young people from other countries, as is acknowledged by two of the most well-known hackers across the globe in the Russian newspaper RT (Russia Today).
As regards personality, the sophisticated, creative intensity of the attacks also has a lot to do with restless minds and an unremitting zeal to overcome apparently impossible challenges.
Every time a new security system is built or vulnerabilities are corrected, they seek new ways around it, even if that means resorting to new technology trends, such as Artificial Intelligence, to commit crimes.
Incidentally, it is worth mentioning that a kind of hacker’s “code of conduct” seems to have been in existence among individuals engaged in this business for some time now.
The code contains three basic principles, which may continue to define these cybercriminals’ personality:
Cybercrime feeds on itself: the cybercriminals who steal banking credentials but do not use them will sell them on to other cybercriminals in their geographical areas.
The Brazilian hacker school is climbing the global ranks in terms of the impact of its actions, which makes it a player that is equally as dangerous and important as Russian cybercriminals.
Once again, the school’s style changes according to the protection measures that organizations install.
In this respect, aside from credentials, the banks in Latin America have developed protection systems that focus on device identity verification systems, which customers use to log on to their online banking websites.
This protection philosophy forces cybercriminals to develop remote access techniques, such as RATs (Remote Access Trojans), so that the theft is carried out from the user’s own, already verified device. This is something that the Brazilian school has been developing with great success and spreading across the whole of Latin America; the most recent example being CannibalRAT (February 2018).
On the whole, Brazilian cybercriminals, who usually take their inspiration from the Russians and turn to the black market in search of new trends and fresh developments ripe for the picking, are the instructors of other cybercriminals in Latin America.
Furthermore, although Latin America’s digital leap is relatively recent, it is also very fast, forcing organizations to develop strategic anti-cybercrime plans much more dynamically. They are, therefore, under greater pressure, which, on occasion, facilitates the work of cybercriminals who continue to exploit old vulnerabilities.
So, in this respect, the criminals from this school generally seek to prepare theft formulas that are easy-to-use and offer little exposure to risk.
On the other hand, investigators believe that other measures more closely related to politics and governmental strategies on rules and regulations, the criminal code, felony processing, etc. are necessary to order the criminal ecosystem and manage it more effectively.
The Chinese school’s favourite victims are mainly located in Asia, the Pacific and Australia. The banks in these geographical areas implement security measures that are very similar to Europe’s; hence, Chinese cybercriminals have successfully incorporated the techniques used by the Russians, which run along similar lines.
The most typical thefts entail the mass mailing of fraudulent SMS messages to victims to get them to make fraudulent bank transfers.
Ironically, one of the aspects that can be regarded as the most eye-catching is that a large share of Chinese cybercriminal infrastructures are located outside the country. This may be closely related to the tough legislation in the country, where communications are intercepted and the intelligence services are high profile.
We must not let ourselves be duped by the fact that, at the beginning of the century, its cyberattacks were unsophisticated and frequently based on off-the-shelf malware and phishing kits that could be bought on the black market.
The rapid adoption of technology undertaken by the Chinese has also impacted cybercrime, which, year on year, has become increasingly sophisticated, to the point where they were able, for example, to steal millions of dollars thanks to highly effective social engineering tactics.
It is worth highlighting a pattern that they share with the Russians insofar as their investment in creating an official pool of budding hackers among young people is very much present and forms part of a well-established strategy for the next 10 years. This shows that the country believes that digital progress is unstoppable, giving rise to fresh threats.
As is to be expected, other schools are cropping up that take their inspiration from these three, combining them and creating new threats. In this way, they raise the risk level of new threats appearing more frequently, threats that the old solutions are unable to detect.
Here, at buguroo, we believe that the only way to face the threats and risks of now and the future is by implementing a holistic protection approach, one which protects users over the course of their sessions and assesses their behavior using all the information those sessions supply.