The group’s extensive attacks and motivations have been exposed, but it will probably be business-as-usual for legions of malicious wannabes.

A hackers-for-hire group known as “Dark Basin” has reportedly targeted thousands of individuals and hundreds of institutions around the world, including the Rockefeller Family Fund, Climate Investigations Center, Greenpeace, Center for International Environmental Law, Oil Change International, Public Citizen, Conservation Law Foundation and the Union of Concerned Scientists.

The targets seemed to have been specially selected, and almost 28,000 web pages were created for personalized “spear phishing” attacks designed to steal passwords, according to a report by Citizen Lab, part of the University of Toronto.

Citizen Lab said that “Dark Basin’s targeting was widespread and implicated multiple industries,” and that a prominent example was the targeting of “hedge funds, short sellers, journalists and investigators working on topics related to accounting irregularities at German payment processor Wirecard.”

What defenders for hire know

Citizen Lab claims that the campaign involved an India-based company that had previously advertised ‘ethical hacking’ services via its website. The internet watchdog also noted that similar operations had previously been hired via intermediaries such as law firms and private investigators, in order to distance such work from clients.

It therefore seems that cyber defenders, the professionals hired to defend against cyberattacks, implicitly know that it is the attackers who define the rules for their attacks and that cybercriminal activity is fundamentally a business. Hackers for hire, or cyber-mercenaries, are part of that business landscape, one where targeted attacks are likely only to increase.

While Dark Basin is reported to have engaged in spear-phishing attacks, it is important to recognize that organizations engaging in hacking for hire will use whatever combination of techniques is needed to meet the scope of the customer contract. “It is also equally likely that such groups will implant latent command-and-control systems within their victims’ infrastructures to facilitate either long-running intelligence gathering or to reduce the time taken for any future targeted attacks,” said Tim Mackey, Principal Security Strategist at Synopsys Software Integrity Group.

“From a defensive cybersecurity posture, minimizing the threat from implanted control systems starts with a robust inventory of what ‘normal’ looks like for all deployed software within the organization. This includes the mundane—such as software asset inventories—but also a thorough understanding of what data is collected, processed and retained by the business. This is then coupled with a clear understanding of which systems have access to the data and who is authorized to both read and modify it. These are the relationships which all cybercriminals attempt to recognize and exploit. They are also the relationships that governance, risk and compliance teams need to know in order to best protect the business from attack.”