Mercenary hackers: an elusive, challenging foe
For-hire criminal hackers are a plentiful resource for nation-states and militant groups to carry out digital attacks. They are also expert at covering up their tracks, making it difficult to pinpoint true culprits.
Illustration by Erick Montes
The soldier of fortune has been a constant in most conflicts throughout history, known for being willing to travel long distances to fight for a paycheck.
But as nations and militant groups increasingly battle over networks and via the Internet, today's most valuable mercenaries fight battles from behind a keyboard.
The modern mercenary is now a criminal hacker willing to sell technical skills to the highest bidder looking to attack rival nations or infect a global corporation with malware. In fact, a growing and competitive marketplace has emerged over the past few years that involves hackers from around the globe offering services to aid everything from stealing confidential data to taking down rivals' networks.
One reason it's so difficult to attribute breaches such as the Office of Personnel Management or the Anthem hacks to a particular country – China being suspect in both of those cases – is because freelance hackers are skilled at carrying out attacks that leave behind little direct evidence connecting them to their sponsors.
It's gotten to the point where the talent is so plentiful online that many nation-states, militant groups, and organized crime syndicates don't actually need to train or develop their own teams of skilled hackers. The "talent" can be outsourced from around the world.
"North Korea doesn't need to use hackers that even set foot in North Korea," says Fred Cate, director of the Center for Applied Cybersecurity Research at Indiana University. "Bright young talent can be contracted online, and this attack vector can be fully conducted remotely and paid by the operation."
Criminal hacking remains a low-cost way for today's so-called rogue nation-states – such as Iran or North Korea – or even non-nation state players such as Islamic State to target American and other interests around the globe. What makes these types of attacks so worrisome is that it further increases the chances of not knowing who is actually responsible when an attack occurs.
"The barrier to entry continues to be low," adds Ben FitzGerald, director of the technology and national security program at the Center for a New American Security. "More actors will likely get into this space, and conditions are thus ripe for more activity. There is a lot of talent out there and nations can source a ... hacker from criminal groups as easily as training their own cyberwarriors. You can easily contract groups located anywhere in the world."
Thanks to the Dark Web, the portion of the Internet not indexed by standard search engines, hackers can further hone their skills and even trade in the software that can be commonly used in a cyberattack.
"It isn't that hard to obtain software that can be used in a rootkit attack online," Mr. Cate explains. "These can be purchased and easily modified by a hacker with rudimentary skills."
One thing that does set these high-tech mercenaries apart from their historical counterparts is that these groups don't exist as entities – certainly not like No. 5 Commando ANC, the mercenary force led by Major Mike Hoare in the Congo crisis of the 1960s, which eventually became a force reporting directly to Congolese military forces.
"Mercenary hacker groups are out there, and have been for many years, but at the same time these aren't actually organized in the traditional ways," says Jeffrey Carr, chief executive officer of the security firm Taia Global.
Unlike No. 5 or the newer Executive Outcomes, the South African private military company founded in 1989 that worked with the governments of Sierra Leone and Angola, most hackers for hire don't use some notable monikers.
"These hacker groups have been assigned these names for technical indicators by security researchers, but we don't actually know who or what they go by," says Mr. Carr. For instance, they called the group of Russian hackers that targeted energy companies "The Dragonfly Gang" or "Energetic Bear." These names stuck in media reports.
Carr says he doubts the mercenaries even have a name for themselves. "These are often criminal groups and it is only the media and security experts who attempt to label them."
While these groups may not actually go by formal names, they can be found if you know where to look. Even on the Dark Web, hackers openly offer their services.
"There are several sites where people place information and services for sale including forums such as exploit.in and cn-hack.cn," says Stephen Coty, chief security evangelist for Alert Logic.
But getting hired isn't as easy as posting a resume of past exploits. In this way, again, hackers are like mercenaries where reputations often precede them; and this has created an issue of trust for all involved parties.
"There are people that are dropping new information and tools [on the Dark Web] on a daily basis," says Mr. Coty. "Most people don't advertise and just post data there for sale. Advertising lets too many people outside of their control know about the code being sold. Most communities exchange between known coders and buyers. That's why you need to be vetted and granted access to most of these sites. You are either a buyer or a seller."
And the goods seem to be plentiful. Hackers can find ways to obtain botnets and software for distributed denial-of-service (DDoS) attacks, which overload websites with traffic. In fact, fixers help connect hackers to clients, and more importantly do what even the most talented hackers cannot do.
"There are people who develop tools, people who penetrate organizations, and people who can turn information into cash," says Libicki. "The best hackers don't know how to turn stolen credit card information into cash, so there are levels of intermediaries."
Even nations with dedicated efforts to cyberwarfare can add to their digital arsenal by connecting with freelance hackers who have sympathies to their particular cause.
"You don't need a department, just a bright person or two," adds Cate of Indiana University. "This is part of asymmetric warfare; we have billion dollar resources trying to protect our interests, but the biggest risk right now might be from these small groups or individuals who are working alone."
In essence, says Cate, when it comes to fighting digital battles, hackers turned mercenaries give both traditional armies and militant groups more firepower to attack their adversaries. Or, as he says, "More bang for the buck."