The Origin of Threat Groups: Setting the Foundation


“A handful of groups ushered in this new era of a really organized concept around running a cybercrime business that parallels a real business or startup.”

The Conti leaks also shed light on the intricate web of roles and responsibilities needed to carry out various tasks, with Intel 471 researchers estimating that the group had 150 members at one point making up different departments and teams working on various projects. In some cases, members have also met in person: The group has several physical offices, with a head of office operations to boot.

The roles and responsibilities within threat groups vary, with some roles built out in-house and others outsourced, depending on the resources a group has. While Intel 471 researchers said the development team makes up Conti’s core operations, the group also has subdivisions that build malware and test functionality, as well as roles for recruiting and onboarding new employees. Conti leaders have also set up upper and middle management: While in some cases the top-level member, known in the leaked chat messages as “Stern,” would send direct broadcast messages to the group, at other times middle management would be involved. The leaks showed some team leaders even conducting performance reviews, in which they discussed how members had done over the past year, any training opportunities and upcoming Conti plans.

Beyond these responsibilities, ransomware groups are also known to have several specialized roles, including ones that concentrate on understanding the victim’s business – the industry, what type of data is important to them, and what ransom to ask for based on how much money the target has – as well as roles for storing and backing up exfiltrated files, updating ransom victim shaming sites, and managing payments and negotiations. Internally, groups also have roles for members who recruit and vet candidates and who oversee the status of operations, as well as for those who split payments with any affiliates involved and those who manage the entire operation. Within UNC2840, which distributed the Ryuk ransomware, for instance, there were teams whose sole role was ransomware deployment.

“Someone would first open the door with the understanding of this environment, and would then hand off the job to this team, which just deploys the ransomware,” said Kennelly.

The mature cybercriminal underground economy, where both tools and services can be found, has also allowed these roles and processes to “become very easy.” Kennelly said that the core elements of a cybercrime group include the attack infrastructure (the systems from which groups control malware), the communication infrastructure (a covert or encrypted chat medium, like Telegram or Discord) and various malware families and tools – and many of these are available for purchase instead of groups needing to build them from the ground up. Bulletproof hosting services can be found on the underground or even in online messenger platforms like TK and Telegram, researchers have found, including dedicated and virtual hosting providers, service protection like anonymization services, reverse proxy services and VPNs, and additional infrastructure provisions like IoT hosting services or telecom-related services like SMS spamming. So, while the Trickbot group might maintain its own team of developers – including the infrastructure, design documents and internal processes – a smaller operation might decide to go buy something off-the-shelf instead, such as initial access to an environment.

“It’s so easy to set up a Telegram channel and set up low-level attacks,” said Warnick. “Using these platforms, they can share information about cyberattacks, ideas, breach data and more.”
