CrimeOps: The Operational Art of Cyber Crime
sec.okta.com
I don't understand how they can keep people in line. It takes one to talk, and the whole organization is at risk.
Online "reputation management" is easy work, it's a very grey area, and it would take a lot of investigation to reveal that someone has actually been targeted and attacked.
But take medication sellers, the covers are great, but it only takes one customer to brag about it and then it's a matter of time until you're done. Anything said online will come under the review of authorities sooner or later.
If we are to delve deeper, real world hits are even riskier. And they don't pay enough! Sure, I guess the people at the top of these organizations make serious dough, but the ones doing the work are paid peanuts.
I guess it takes a special kind of person to do that, someone with a death wish, nothing to lose, and probably a massive hate boner for something.
I've always been fascinated by the criminal "underworld", even though I would never participate in anything, too much risk for too little reward.
Depends on where they operate, and who they're paying off.
In the case of Russia, they might be doing informant work for SVR or GRU. In which case, they can pretty much operate with impunity, as long as they don't attack the wrong oligarch's operations.
Being state-sponsored is a whole different league, though.
Definitely. As the author wrote, there are some similarities in organizational structure, but:
>An APT is literally the instantiation of a nation state’s will. It is not a toolchain.
At that point you can't really think in terms of cybercrime or law enforcement. You're basically up against one or more of a nation's military units (whether or not the particular actors are technically civilian or military personnel).
By "reputation management", what do you mean exactly? Black hat SEO / framing competitors for black hat SEO?
Negative SEO, planting illegal content and fake evidence, blackmail, smear campaigns, fake reports to the authorities, cutting off income from advertisers by said means, etc.
It's only too much risk if you live in a country that investigates, arrests, and prosecutes the cyber criminal. If you live in a country that does not, there's no risk.
Fascinating take on a different, darker side of tech innovation. Makes complete sense that criminal gangs use the same agile approaches to innovation that a start-up would use. Of course this is thegrugq writing here, so I expected nothing less. It somehow makes criminal activity seem so much more mundane when I imagine guys at desks writing code against support tickets and user stories.
Meta: It's nice to see an opsec company get smart and publish some of the better thinkers/communicators (like thegrugq) over writing product-tailored in-house content. Maybe security is an easier field to do this for, as being scared (justifiably or otherwise) is generally good for business.
EDIT: expanded comment
Thank you, I appreciate it.
It is very unlikely that FIN7 are aware of their successful exploitation of the golden triangle. They almost certainly just pursued what worked best for them, creating a lean mean cybercriming machine along the way. (And isn’t that the real treasure?)
Financially motivated crimes are essentially businesses, and so sometimes it can be useful to use business frameworks to understand the criminal enterprise. Fortunately FIN7 happen to be particularly well documented, making such analysis possible.
I don’t really know what to say re: your meta comment. I wrote some posts for them under contract. I had complete editorial control. I have no idea if it is easier than in other fields. None of the other posts (not posted yet) are about “scary” topics, so I’m not sure if the observation is correct.
Off-topic nitpick: is the way to get people interested in what your software company is doing about %thing% to slap the suffix -"Ops" to whatever %thing% is? I've noticed it in some curious and interesting uses lately. CrimeOps being the most recent one via this very post.
Maybe not a nitpick, I don't mean to dismiss Okta's endeavors; but it's certainly something that's caused a flutter of the eyebrow and an almost automatic reaching of the hand to ponderously scratch the beard.
I think "CrimeOps" is somewhat tongue-in-cheek here and is making fun of the trend you're referring to. But, yes, it's started becoming a meme and marketing term since "DevOps".
Author here, and yes, that is correct.
I saw the title on the homepage, and immediately my first thought was "Well, perhaps this article is a business whitepaper and it's not as good as those hacker opsec articles by the grugq, a true expert on this topic..."
And guess who is the author here... Glad to meet you here, the grugq!
hi.
Damn, didn't know the grugq was reading Hacker News, mind you, even has an account here! :-)
yup. I've been here for years. Only comment when it is relevant, so maybe once every couple years.
Subtle! Well done, hah
Out of curiosity: if FIN7 was using JIRA's cloud version, can Atlassian be held responsible for FIN7's activities (or in general for ensuring compliance on their platform)?
JIRA! I suppose that's why they call it "organized crime".
Hopefully JIRA can be placed on a list of banned software now.
I’d call it dual use, but I’m not actually aware of a benign use case for JIRA! ;)