Does knowing hackers’ career perks and organizational structures help cyber investigators track them down faster? Read on to find out.

Have you ever wondered how small, medium, and large cybercriminal groups operate, and how their setups increasingly resemble those of established business organizations?

According to new research by Trend Micro, small cybercrime groups typically consist of a few members (most of whom have day jobs on top of their role in the group) operating under a partnership model, while members of larger threat groups tend to lead lives similar to those of corporate workers at ordinary firms.

The largest threat groups could even have departments of people specializing in human resources and IT, and benefits may even include “employee-of-the-month” and performance bonuses.

Characteristics by organization size

Using examples where Trend Micro researchers had collected the most data from law enforcement and insider information sources, we can make out the traits of the three types of cybercrime organizations based on size.

    • Small cybercriminal businesses (e.g., Counter Anti-Virus service Scan4You):

      1. Members often handle multiple tasks within the group and also have a day job on top of this work
      2. Typically, there is only one management layer, one to five staff members, and under US$500K in annual turnover
      3. Groups of this size make up the majority of criminal businesses, and they often partner with other criminal entities
    • Medium-sized criminal businesses (e.g., bulletproof hoster MaxDedi):

      1. Members work full-time for the group, managing various tasks within an eight-hour shift
      2. The organization typically has two management layers, six to 49 employees, and up to US$50m in annual turnover
      3. The group usually has a pyramid-style hierarchical structure with a single person in charge
    • Large criminal businesses (e.g., ransomware group Conti):

      1. Members work from home based on a rigid, predictable schedule, and communicate frequently with their line manager about productivity and performance — similar to how employees in legitimate corporations work remotely
      2. The groups typically have three management layers, 50+ staff, and over US$50m in annual turnover
      3. They implement effective operational security measures and partner with other criminal organizations
      4. Those in charge are seasoned cybercriminals and hire multiple developers, administrators, and penetration testers — including short-term contractors
      5. The groups may have specialized departments for IT and HR, and they may even run employee development programs including performance reviews

Advanced Persistent Threat groups

While APTs vary in size just like any cybercriminal group, consider the vast range of resources, targets, objectives and global contact networks involved, and the risks associated with failure and/or capture.

Some of the unique traits of people and organizations sponsored by national agencies include:

    • Having a ‘Licence to Hack’, which confers a measure of immunity and officiality within a hacker’s own nation (but not when he or she is arrested outside of it)
    • Extra authority and imperatives to operate covertly and protect the identity of the hiring nation. State-sponsored threat actors are expected to go to extreme lengths to cover their tracks, and to evade scrutiny by threat researchers unless the intention is to mislead them
    • Extra secrecy and anonymity in the organization to prevent members from “knowing too much” beyond what they need to know. That could result in a faceless, nameless and ultra-impersonal working regime, compensated with big payouts but carrying equally huge personal and social risks

By knowing the size, traits and complexity of cybercriminal organizations, investigators can sharpen their instincts when deciding what types of data and profiles to hunt for. Understanding the size of targeted criminal organizations can also allow law enforcers to prioritize resource allocation for maximum impact.