The fact that state actors are forced to use criminal, mercenary hackers in their cyber espionage and attack campaigns is a silver lining to law enforcement looking to identify and catch the perpetrators, according to Adam Hickey, deputy assistant attorney general for national asset protection at the Department of Justice.
“It’s an advantage to us because those are individuals who are more likely to travel, they are more likely to be less OPSEC [operations security] savvy in certain respects than intelligence officers,” said Hickey. “And that matters because apprehending them […] can give us that human intelligence into the state-sponsored hacking that can be very, very valuable.”
Hickey described a case in which Chinese People’s Liberation Army hackers relied on aerospace expert Su Bin to tell them which files would be useful to steal from foreign aerospace companies. Su then traveled abroad and was arrested in Canada for his participation in the hacks.
Hickey also said that the criminal motivations of the mercenary hackers can leave traces for law enforcement agencies to follow, as was the case in the allegedly Russian-sponsored hack of Yahoo emails.
The Department of Justice recently indicted two Russian Federal Security Service agents in the case, along with criminal hackers Alexsey Belan and Karim Baratov, one of whom was arrested in his native Canada.
“It appeared that the group was targeting information that would be of predictable interest to the FSB, but at the same time, Belan was using his access to Yahoo email accounts, allegedly, to search for gift card numbers and credit card numbers and redirecting Web traffic to try to earn commission on hits,” said Hickey. “So that’s an example of a state actor, with its predictable interests, using someone who has his own agenda, apparently, to make money on the side.”
Hickey said that a lack of “purity” in motivation and methods means that those responsible are vulnerable to a wider range of attribution tools than they would otherwise be.
“For an adversary to remain obscure all throughout the life of the operation, they have to be perfect every time. And that standard of perfection to stay undetected is as difficult for an attacker as it is for defenders to be perfect all the time,” said Toni Gidwani, director of research operations at ThreatConnect.
Juan Andres Guerrero-Saade, a senior security researcher at Kaspersky Lab, said that criminal hackers for hire can also muddy the waters when it comes to discovering who is actually responsible for a hack, because their motivations can change depending on who has hired them at the time.
“There’s an issue of multiple actors on a network, but then there’s also an issue of multiple organizations acting through a single actor. So this is not a simple space,” said Guerrero-Saade.
However, Guerrero-Saade also said that a seasoned security researcher’s gut instincts about an attack and who is behind it often lead to valuable investigation avenues that the pure data doesn’t provide.
“You get a feel for your attacker,” Guerrero-Saade said, characterizing the attribution of these cases as sometimes more of an art than a science.
“I still come out believing that you leave yourself more vulnerable working with criminal actors than not,” said Hickey.