It’s Not New To Us

A Turkish hacking group is reportedly attempting to extort Apple over a compromised cache of iCloud account data.

This activity comes on the heels of last week's Turkey-related hijacking of Twitter accounts through a third-party service called Twitter Counter.

And that brings to mind this article (by Andy)…


OVER THE PAST FEW YEARS, you've probably heard phrases such as "the tactics, techniques, and procedures crafted by highly resourced threat actors are falling into the hands of less skilled adversaries". That's a long-winded way of saying "expect a lot more script kiddies to start pwning your systems". As Dr. Ian Levy from GCHQ recently pointed out, a lot of the attacks we're seeing nowadays aren't "Advanced Persistent Threats", they're simple hacks performed by "Adequate Pernicious Toerags".

Nothing illustrates this phenomenon better than the group we’ve dubbed “The Romanian Underground”. This is a group that our Cyber Security Services colleagues have had first-hand experience with on a number of occasions while performing incident response and forensics work.

The Romanian Underground are, simply put, a bunch of IRC chatroom buddies who decided it would be cool to take up the hobby of “hacking”. Most of these kids, upon joining the collective, have little to no Unix skills to speak of. They probably know about five commands in total. Newcomers are taken under the wing of a mentor who provides them with simple tools and training to get them started on their new hobby. These mentors are almost as unskilled as the newcomers – they probably know about five more Unix commands than their apprentices. But they’ve been in the game for a few weeks already, and have a wealth of experience.

As newcomers learn the ropes (which usually means they've learned to configure the tools they've been provided), they're promoted to mentors and take on their own set of apprentices. This hierarchical model closely resembles the pyramid selling schemes you might have had the misfortune to come across. Of course, the guys involved in The Romanian Underground aren't looking to become millionaires by selling soap; here the pyramid is a form of gamification, where the goal is to collect as many owned systems as possible and move up the ranks.

It's the guys at the top of the pyramid who truly benefit from all of this. They're the ones providing the tools, and by pushing all the manual work downstream, they get access to thousands of compromised systems. Meanwhile, the newcomers are happy to proudly identify themselves as "hackers" on their Facebook pages (alongside other random hobbies such as windsurfing or snowboarding).

The toolkits pushed down the pyramid are usually designed to exploit or brute-force common services such as SSH and webmail servers. What might surprise you (or not) is that these toolkits, in the hands of completely unskilled noobs, are being used to compromise even PCI-DSS compliant organizations across the globe.
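The SSH brute-forcing described above leaves an obvious trail in sshd's auth log, and the signal that matters for an incident responder is not the failed attempts but a successful login from the same source after a burst of them. The following is an added example, not code from the original article or from the group's toolkits: it parses constructed sshd syslog lines (hostnames, users and RFC 5737 documentation addresses are made up) and flags sources that hit a failure threshold inside a sliding time window, and those that then logged in. The threshold, window and the year (syslog timestamps carry none) are assumptions chosen for the example.

```python
"""Flag SSH brute-force bursts, and password guesses that succeeded, in sshd auth log lines."""
import re
from datetime import datetime

# Constructed sample lines in the syslog format sshd writes to /var/log/auth.log.
# Host "web1", the users and the 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24
# addresses are documentation values made up for this example.
SAMPLE_LOG = """\
Mar 21 10:00:01 web1 sshd[2001]: Failed password for root from 203.0.113.7 port 51822 ssh2
Mar 21 10:00:03 web1 sshd[2002]: Failed password for invalid user admin from 203.0.113.7 port 51830 ssh2
Mar 21 10:00:04 web1 sshd[2003]: Failed password for invalid user oracle from 203.0.113.7 port 51841 ssh2
Mar 21 10:00:06 web1 sshd[2004]: Failed password for root from 203.0.113.7 port 51850 ssh2
Mar 21 10:00:08 web1 sshd[2005]: Failed password for invalid user test from 203.0.113.7 port 51861 ssh2
Mar 21 10:00:09 web1 sshd[2006]: Accepted password for root from 203.0.113.7 port 51870 ssh2
Mar 21 10:05:00 web1 sshd[2010]: Failed password for alice from 198.51.100.4 port 40001 ssh2
Mar 21 10:05:30 web1 sshd[2011]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2
Mar 21 11:00:00 web1 sshd[2020]: Failed password for root from 192.0.2.9 port 33001 ssh2
Mar 21 11:30:00 web1 sshd[2021]: Failed password for root from 192.0.2.9 port 33002 ssh2
Mar 21 12:00:00 web1 sshd[2022]: Failed password for root from 192.0.2.9 port 33003 ssh2
"""

# Matches the "Failed/Accepted <method> for [invalid user] <user> from <ip> port <n>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_line(line, year):
    """Return (timestamp, result, user, source) for an auth line, or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year, so the caller supplies one (assumed here).
    ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]


def first_burst_time(times, threshold, window_seconds):
    """Return the timestamp at which `threshold` failures first fall inside a
    sliding window of `window_seconds`, or None if that never happens."""
    times = sorted(times)
    lo = 0
    for hi, t in enumerate(times):
        while (t - times[lo]).total_seconds() > window_seconds:
            lo += 1  # drop failures that fell out of the window
        if hi - lo + 1 >= threshold:
            return t
    return None


def detect_bruteforce(lines, threshold=5, window_seconds=60, year=2017):
    """Summarise per-source SSH login activity.

    Returns {source_ip: {"failures", "usernames", "burst", "success_after_burst"}}.
    "success_after_burst" is the finding worth paging on: a password was guessed."""
    failures, successes, usernames = {}, {}, {}
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, result, user, src = parsed
        usernames.setdefault(src, set()).add(user)
        bucket = failures if result == "Failed" else successes
        bucket.setdefault(src, []).append(ts)

    report = {}
    for src in usernames:
        fails = failures.get(src, [])
        burst_at = first_burst_time(fails, threshold, window_seconds)
        report[src] = {
            "failures": len(fails),
            "usernames": sorted(usernames[src]),
            "burst": burst_at is not None,
            # A login from the same source after the burst completed: treat the box as owned.
            "success_after_burst": burst_at is not None
            and any(t > burst_at for t in successes.get(src, [])),
        }
    return report


if __name__ == "__main__":
    for src, info in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(src, info)
```

Two caveats a practitioner would add: a per-source window misses "low and slow" guessing (the 192.0.2.9 entries above only trip the check if the window is widened to an hour), and it misses distributed attacks where each compromised box in the pyramid tries once. The durable fix is on the server side: disable password authentication for SSH and keep the service patched, so the toolkit has nothing to guess against.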

While this hierarchical method of operations is new to Romania, it’s not new to us. We’ve been aware of Turkish website defacement groups such as Akıncılar (who surfaced in 1999 and appear to have still been active in 2016) for quite some time. Those guys also operate under a hierarchy, albeit a more military-style one. In fact, one of our own web sites was defaced by a Turkish group back in 2007. It turns out they abused a vacation notification plugin to perform the attack (pro-tip: plugins will burn you!). Funnily enough, the popularity of our forums actually increased after the attack due to the publicity we received. Go figure.

These structured groups differ from the also rather prevalent “herd of cats” approach to hacking collectives such as anon or 4chan, where members scratch and claw their way up the pile only to get pulled back down the next day.

Gamification seems to be a growing trend amongst unskilled hacker groups. In 2016, Turkish hackers set up a DDoS-for-points game designed to be played by noobs. Players were provided with a custom tool designed to carry out DDoS attacks against specific, mostly politically motivated targets. Participants earned points for every 10 minutes' worth of DDoS achieved. Those points could be redeemed to purchase various clickfraud tools. The grand prize was an "unlocked" version of the DDoS tool that allowed its owner to target any site of their choosing.

At the end of the day, we feel that boxes being owned is a lot scarier than website defacements and DDoS attacks, especially since this is the first time we've encountered it being done on such a large scale, and by script kiddies.

We’re not surprised that the majority of cyber attacks that happened during 2016, from the San Francisco MUNI to the Dyn outage, were carried out using simple, scriptable techniques against badly maintained infrastructure. The fact that folks with very little skill or know-how can carry out successful attacks against PCI-DSS compliant organizations paints a grim picture of the state of our global computing infrastructure going into 2017.


This article was originally published in our State of Cyber Security 2017 report.

A stand-alone version is also available: The Romanian Underground.


