I hacked You

Two professional blackhats open up about how they work, who hires them and how they get paid.

By Paul Furber, ITWeb contributor
Johannesburg, 21 Oct 2015

Clifford Stoll's classic 1980s tale of computer security, The Cuckoo's Egg, tells how he stalked a hacker across the internet for ten months and watched him breaking into research institutions and military sites, looking for sensitive information. The hacker used default passwords, security holes in operating systems and old-fashioned persistence to access systems and download classified material that he would then sell to the KGB. Stoll's story has little technical material in it. It's far more about how he nagged and cajoled the FBI, CIA and military into seeing what the hacker was doing as a threat to US national security.

But that was then. In 1986, an internet connection was an exclusive club limited mainly to the military and universities. Today, much of the world is connected to the internet, often using more than one device. And instead of lone programmers making money breaking into systems and networks for shadowy foreign government agencies, there are now armies of them.

Two of these individuals spoke to Brainstorm anonymously about their work. One is from somewhere in South America - we'll call him Roberto - the other is from Eastern Europe and calls himself Nikolai. Who have they hacked and why? Is it for financial gain? Is it ever personal?

"I've hacked into too many large corporates and governments to count," says Roberto. "There are different reasons why we do what we do as a group; sometimes it's financial, sometimes it's political and sometimes it's ethical - we find something that doesn't sit well with us or our values. It sounds hypocritical, but as an example, if we find a CEO browsing child porn, we don't agree with it."

Do hackers work in teams?

"Yes, quite often," Roberto admits. "There are well-known blackhats in the security industry who we've worked with, and sometimes we need a specific security exploit that another group or individual has and we give them our 'business' too."

Nikolai is a loner, but admits that's actually unusual.

"I'm a 'rare bird' because I work alone. Today, the blackhat community consists of many big teams. Many of them work for governments like the US, China and Korea and they pay well. The Duqu malware was probably done by one of these teams. I don't write advanced exploits for OSs, but I know how to use them to get on your company network and watch what you're doing."

Both expressed the need to be very careful of the authorities.

"A few people we know of have been caught, sometimes due to greed or stupidity," says Roberto. "If you are very careful, there's no need to worry."

Nikolai says he is ultra-cautious.

"Not one of my friends knows that I do this work. My girlfriend knows I do programming, but she thinks it's legal. If a foreign country was looking at me, they might ask my friends whether I'm a hacker. But I'm not on the radar. I also take a lot of care to be anonymous. If I make a mistake, I could be caught. The Pirate Roberts (Ross Ulbricht, founder of the underground website Silk Road) was caught because he made a mistake. The Romanian hacker who read Bush and Colin Powell's e-mail was not a very good hacker, but all he did was keep trying until he found a way in. He was stupid by not covering his tracks and got caught by his own government."

Online vulnerabilities rapidly progressed from annoyances and the defacing of web pages in the late 1990s to a highly competitive underground market trading in security vulnerabilities, stolen credit card details and sensitive information as more of those commodities moved online. Roberto says the environment is competitive from a market point of view, but issues of ego, such as hackers hacking other hackers, are rare.

Code of conduct

"It all depends on whether the other hackers are professional or not. Ego shouldn't be a part of what you do, especially if there is an end goal. For example, if someone pays us EUR1 million or $1 million, egos should be left behind. There's not really a code of conduct these days: maybe in the '90s there was, but if someone offers the right amount of money, they will always find someone to do the job."

Thanks to Wikileaks and Edward Snowden, the security industry now knows for sure what it long suspected: the richest and most active customers are nation states and their intelligence agencies. Roberto confirms this is the case.

"We are hired by anyone, from government departments themselves in various countries to individuals looking for competitive information or databases, etc. The rates depend on the value of the data. It's not unusual to do certain jobs or create customised exploits for a few hundred thousand dollars upwards. In fact, we know of very prominent people in the security industry (some who even work for large security companies) who have been paid exorbitant amounts for mobile exploits in various countries, and in cash too."

Nikolai says he only gets paid in cash, not bank transfers and definitely not Bitcoin.

"Bitcoin is traceable if you have enough resources. The people looking for me have resources. I get paid in cash the old-fashioned way, like a 1970s' spy story. I don't know who my clients are most of the time. I get a task, and if I can do it, then I say yes. If the client is happy, then I get paid. If they're not, then I don't."

In some senses, it's a job like any other.

Catching the bad guys

Those who are tasked with protecting today's organisation against attackers could be forgiven for thinking they're in the same position as Scrat from Ice Age, hanging off the cliff desperately plugging leaks with whatever limb is available. Johann Van der Merwe is a security architect at Telic Consulting and has considerable experience in defending both his own and other people's security.

"I've worked for a global resources company and in the world of the high-value goods they needed to protect, it's a combination of physical and information security," he says. "Attackers use not only physical means to get to the products, but also electronic means. People have an inherent trust in physical and surveillance systems, but those can be manipulated and if they are, then your security falls apart. I was tasked with establishing an information security capability, integrating it with the physical security and also establishing physical security frameworks and functions." His opponents were organised crime.

"The mechanisms that organised crime used against us weren't advanced at all. They had a combination of external and internal access. They're not sitting there and doing an SQL injection on some vulnerable interface because they didn't have to. Some plant control systems, for instance, have completely broken systems, running old operating system versions. They can't upgrade because then they lose their support with the vendor. You could take control of the entire environment and run it remotely from the internet. And from then on, you can drive truckloads of stuff out of the place. The problem with organised crime is that you can think you're stepping up your game, but the next day, they will know what improvements you've made. If you do training, your manual will be out in the field the next day."

And like any business, Van der Merwe's opponents have an eye on the viability of their operations at all times.

"Organised crime runs a business and the key metric of a business is sustainability. So if they set up shop in your organisation through breaking controls, they won't disrupt operations or make themselves visible. They will deliberately take less so their revenue is sustainable."

Van der Merwe's colleague at Telic, Marinus Van Aswegen, says the methods of attack are much more low-tech than most realise.

"It's more using open WiFi or interfering with existing controls and equipment. You can go and drive around a major retailer here and find they have staff running scanners for doing stocktakes. Then you discover they're running such old equipment that they cannot upgrade it to secure protocols. And an attacker can piggyback on that to the CRM system or the procurement system."

And then there's the largest attack surface, the end-user.

"Many attacks target the end-user: compromising their end-points through social engineering and sending them e-mails," says Van der Merwe. "It's surprisingly effective. There's a massive asymmetry there. In a company of 30 000 people, you won't get people not to click on links. A previous boss of mine argued with me that this sort of attack wasn't a problem. I went out of that meeting, walked straight to my desk and immediately forged an e-mail from his boss. When he opened it, the message was, 'I told you so'."

The anonymity of the internet makes things a lot harder for the information security professional.

"In information security, how do you catch the bad guy?" asks Van der Merwe. "He operates across borders and hides behind multiple layers."

This article was first published in Brainstorm magazine.