What Would a Collaborative Hackers’ Discussion Look Like?

By Gilad Israeli

Cyber-threat actors may plot against their targets by using secure, instant-messaging platforms and anonymous deep and dark web forums. By focusing on hacking-oriented forums and channels, actors can find  affiliates to help them successfully execute their attacks or perhaps to gain useful advice. But how would a conversation between plotting hackers look like? Would they openly say exactly what they wish to attack and how they plan on doing so? To answer these questions, one would need accessibility to such discussions likely taking place in underground forums.

Just like in the movies, the cybercriminal is usually not foolish enough to expose his/her intentions. Intuitively, one can assume that an attacker would never unnecessarily openly state when and where the attack will take place so that he/she can take advantage of the victim’s surprise and lack of preparation. Thus, it is likely the hacker wishing to attack organization X at a certain point in time using attack vector Y, would avoid mentioning the exact names of the victim and the intended attack vector or tool. Rather, it is more likely that the attacker will make use of code names and abbreviations, wishing to expose as little as possible, and share only information absolutely necessary in order to collaborate with fellow threat actors who can help in the execution of the attack.

Yet, the cyber threat dimension is not so simple, and the real world isn’t cinema, and sometimes reality forces the attacker to demonstrate skills and create an impression on fellow threat actors in order to gain their trust and cooperation. A good example of this is the sale of confidential databases. A cyber-criminal who is new to the underground or whose reputation is not that high will generally have to share a sample of the ‘loot’ when trying to sell what he/she claims to be an organization’s secret files. In such a case, the hacker or vendor is actually forced by the common practices of the underground community, to share some of their  exploits and secrets, if they wish to attract potential buyers.

In some cases, the hacker may actually state the exact target and attack vector. Hiding behind a username, some threat actors may not mind about revealing their hacking activity. For example, an attacker from a country which is less-cooperative in global law enforcement terms, would be much less hesitant to share such information when trying to recruit partners for a joint cyber-attack. Just several months ago, Sixgill’s deep and dark web threat intelligence platform detected a threat actor seeking collaborators prior to executing a cyber-attack against a web-based crypto-wallet.

A standard practice for a cyber threat discourse is hard to define due to its many potential faces. Nevertheless, it is clear that in the era of web, cloud and IoT, the importance of the need to comprehend the dialogue of cyber threat actors is unprecedented. As such, the ability of organizations to analyze real-time threat intelligence efficiently by having access to these underground discussions may be the number one cause for successfully preventing a devastating cyber-attack.