Wages Dominate Cybercriminal Groups’ Operating Expenses

The larger they grow, the more criminal organizations resemble legitimate businesses: small criminal organizations allocate nearly 80% of their operating expenses to wages, while larger organizations mirror their legitimate counterparts with corporate structures.

A Trend Micro study outlined three types of cybercrime organizations based on size, starting with small criminal businesses like counter-antivirus service Scan4You, which typically has one management layer, between one and five staff members and less than $500,000 in annual turnover.

A large criminal enterprise like the ransomware group Conti is likely to boast relatively large numbers of lower management and supervisors, three management layers, a staff of more than 50 and more than $50 million in annual turnover.

Cybercriminals’ Performance Reviews

Large criminal enterprises may have corporate-like departments, including IT and HR, and run performance reviews and other employee programs.

Larger criminal entities may store employee lists, financial statements, company guides/tutorials, M&A documents, employee cryptocurrency wallet details and even shared calendars, offering investigators critical operational insights.

The report also compared various groups to conventional businesses that approximate their respective sizes to gain further insights into criminal organizations.

John Bambenek, principal threat hunter at Netenrich, explained that criminal organizations aren’t that different from for-profit corporations in that they need to organize people and processes to accomplish the mission of making money.

“They simply are willing to use criminal tools to achieve that. But in the end, for complicated attacks, you need several people and their work needs to be organized,” he said. “Criminals adopt organizational principles to limit the risk of law enforcement.”

He pointed out that humans are creatures of habit, and the same organization will use similar techniques and patterns for multiple otherwise-unrelated parts of the attack absent exceptional effort.

“Having different teams or organizations handle different parts [of an attack] will give more diversity of behavior that may make it harder to connect A and B events,” he noted.

Andrew Barratt, vice president at Coalfire, added that smaller groups have consistently been able to get massive leverage and commit huge amounts of fraud or data compromise.

“The all-digital nature of their crime means that some smaller investment in malware and customization has huge potential payoffs downstream,” he said.

He explained that, typically, better organization allows for coordination between multiple jurisdictions, with a blend of overseas and domestic locations that makes law enforcement response incredibly complex and bureaucratic.

“Being more organized typically means they are more likely to be campaigning against targets with the lowest security footprint,” he explained.

Rather than focusing on besting security teams, cybercriminals are more likely to focus on a very broad and diverse target selection: they can target a specific demographic, even buying sponsored ads that focus on those specific targets.

Cybercriminals on a Budget

Zane Bond, head of product at Keeper Security, pointed out that by adopting traditional business models, criminal organizations can operate more efficiently by reducing costs and increasing revenue.

“This is especially true in cybercrime, where organizations may be operating in a typical office setting or with a remote workforce that requires some sort of formal organization,” he said.

He noted that less organized groups or solo threat actors are less likely to have all the resources needed for sophisticated or complicated attacks.

“It has been more difficult in the past for adversaries to organize because local law enforcement could be tapped to shut them down,” Bond said. “However, now, with nation-states sponsoring teams and safe harbor countries intentionally turning a blind eye, many cybercriminal enterprises don’t have to operate in the shadows.”

From Barratt’s perspective, the most important thing a security team needs to be aware of is the tools, tactics and procedures (TTPs) in use by a group.

“Size and scale are often delivered via automation for a high level of return with minimal risk of incursion by state actors such as law enforcement or intelligence,” he said.

He added that larger groups are more likely to have been traditional organized crime syndicates that spread the full spectrum of criminality and have been “cyber-enabling” their existing businesses to take advantage of the leverage and scale that technology can bring.

“The most fascinating trend I am seeing is the speed at which criminal organizations adopt cutting-edge technology,” Barratt noted. “A couple of years ago, we were aware of criminals making use of AI and machine learning to do language processing—all pre-ChatGPT—to mimic the language used in emails used by their targets.”

Image Source: Viacheslav Bublyk (Unsplash license)

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.
