Understanding the Social Behaviors of Cyberattackers Online and Offline

Tom Holt, Ph.D., Assistant Professor, Michigan State University, Spartan Devils Honeynet Chapter
Max Kilger, Ph.D., Profiler, The Honeynet Project
Annual Honeynet Project Workshop, Public Day Presentation, March 2011

Uploaded by izzy, 25-Feb-2016


TRANSCRIPT

Page 1

Understanding the Social Behaviors of Cyberattackers Online and Offline

Tom Holt, Ph.D., Assistant Professor
Michigan State University, Spartan Devils Honeynet Chapter

Max Kilger, Ph.D., Profiler
The Honeynet Project

Annual Honeynet Project Workshop, Public Day Presentation
March, 2011

Page 2

Agenda

• Honeynet Project Multi-Disciplinary Approach
• Flashtalk #1: Russian Hacking Gangs
• Flashtalk #2: Economics of the Cybercrime Market
• Flashtalk #3: Malicious Motivations and Future Emerging Threats
• Coming attractions: Nationalism and the link between cyberterror and physical terror, a “sneak peek” at our new study
• Summary

Page 3

Honeynet Project Multi-Disciplinary Approach

Page 4

Multidisciplinary Approach

• Honeynet Project Members
  • Strong technical experts in many areas
  • Social Scientists with technical backgrounds
    • Criminologist – Tom Holt
    • Social Psychologist – Max Kilger

Page 5

Multi-Disciplinary Approach

• With a multi-disciplinary approach you can explore important questions like:
  • What motivates malicious acts on the web
    • It’s not as simple as you might think
    • How different motivations trigger different malicious behaviors
  • The role of social networks
    • In exploit diffusion
    • In identifying malicious actors and attribution
  • Predicting emerging threat scenarios

Page 6

Flashtalk #1: Russian Hacking Gangs

Page 7

Malware and Hackers

• How do we identify the hackers who have the ability to build the new tools and materials, relative to the larger population of semi-skilled users?
• Where and how do they sit in larger social networks?
• Few systematic unclassified examinations of the malware and hacker community have examined social ties and interests

Page 8

On-line Resources

• The malware and hacking community utilize on-line resources that can be actively mined for information to explore these questions.
• This study will examine the social networks of the malware and hacking community in Russia and Eastern Europe using data generated from social networking blogs
• Blogs provide important information on:
  • Current and emerging threats
  • The relationships and behavior of attackers
  • Locations, attitudes, beliefs

Page 9

Self-Report Information

• Each LJ (LiveJournal) profile allows users to provide information on their:
  • Location
  • Education
  • Biographies: sometimes provide useful information on the psychological status of the user or whether the journal is friends-only
  • Interests: can include political affiliation and geographical location, as well as nonsense
  • Friends: people whom the user reads and who can have access to ‘friends-only’ entries
  • Also friend of: people who read this journal and do not have access to protected entries
  • Mutual friends: both users added each other
  • Communities: LJ groups that the individual belongs to

Page 10

[Figure: annotated profile page, with callouts for physical and e-mail address, team associations, interests, and associations]

Page 11

Data Set

Group         Basic accounts  Paid accounts  Plus accounts  Total members
BH Crew                   71              3             27            104
CUP                       12              0              4             16
Damage Lab                10              0             17             27
Hell Nights                1              0              1              2
Hack Zona                 55              0             58            117
MazaFaka                  13              0              1             14
RU Hack                    5              0              4              9
Zloy                      64              0             10             75

Missing account information: BH Crew 3, HackZona 4, Zloy 1 (these members are counted in the totals but not in the account columns).

Page 12

Country Locations

Country             Frequency  Percent
Belarus                     3       2%
China                       1       1%
Estonia                     1       1%
Germany                     3       2%
Jamaica                     2       2%
Kyrgyzstan                  1       1%
Laos                        2       2%
Moldova                     1       1%
Puerto Rico                 1       1%
Russian Federation        100      78%
USA                         1       1%
Ukraine                    13      10%

Number of missing entries = 235 (64.5%)

Page 13

Extrapolating Data: Risk

• Risk scores were created and assigned based on open searches on the handle or forum name provided, along with additional detail
  • 0: no risk
  • 1: computer security blogger
  • 2: low level hacker
  • 3: high level hacker

Page 14

Network Actors

Page 15

Strength of Group Ties

Page 16

Popularity – Risk Level

Page 17

Flashtalk #2: Economics of the Cybercrime Market

This study was funded by the National Institute of Justice, Grant No. 2007-IJ-CX-0018

Page 18

The Cybercrime Market: Purchasing

• Individuals interested in purchasing products from a seller must contact them privately
  • ICQ
  • E-mail
  • Private messages in forum
• Buyers place orders and pay for services electronically
  • Web money (WM)
  • Yandex
  • Escrow payments

Page 19

The Process of Sales

“You know me [contact me] in ICQ and obviously explain what I need to do. . . After that, as soon as I complete your order, you transfer money into my WebMoney purse. After that, you receive the product. . . To familiars (at least exchange couple of words in ICQ) I will give the product first. For all the rest, we work based on the scheme: money first, and then chairs after.”

Page 20

The Cybercrime Market: Materials

Resources                     Posts  % of total  Buy posts  % of row  Sell posts  % of row
Cybercrime services             219          30         39      17.8         180      82.2
ICQ numbers                      73          10          9      12.3          64      87.7
Malware services                246          34        103      41.9         143      58.1
Other                            92          13         22      23.9          70      76.1
Stolen personal information      92          13         21      22.8          71      77.2
Total                           722         100        194      26.9         528      73.1

Buy and sell percentages are shares of that resource’s own posts; “% of total” is the resource’s share of all 722 posts.

Page 21

Pricing Information For Cybercrime Services* (from Chu et al. 2010)

Product                   Min price  Max price  Avg price  Count with price  Count no price
DDoS**                         0.41      25.00      14.26                22               7
Proxy                          0.50     200.00      42.53                 9              11
Spam services
  Databases                    0.50     100.00      45.43                10              23
  Services                     0.50     700.00      50.91                12              11
  Tools                        2.00     180.00      59.11                 9               6
Webhosting and services
  Hosting                      0.85     300.00      48.89                14              16
  Registration                 9.00     150.00      50.17                 6               4

* Due to significant missing data, hacking services, domain sales, and VPN service pricing are not included here.
** Due to variation in pricing, DDoS estimates are based on the stated hourly rate or an average hourly rate based on prices for 24-hour attacks.

Page 22

The Cybercrime Market: Social Dynamics

• Three normative orders shaped relationships and actions in these cybercrime markets

• Low prices

• Customer service

• Trust

Page 23

Flashtalk #3: Malicious Motivations and Future Emerging Threats

Page 24

Motivations in the Community - MEECES

• A play off the old FBI counter-intelligence term MICE
• MEECES
  • Money
  • Ego
  • Entertainment
  • Cause
  • Entry to social group
  • Status

Page 25

Motivations: Money

• No news to anyone: now by far the most common motivator for blackhats
• Individuals motivated by money are still often found mostly within groups that share this motivation
• Emergence of “currencies” in use in the black hat community
  • Stolen credit cards
  • Stolen bank accounts
  • Root ownership of compromised machines
  • Exploits
  • Virtual assets (QQ coins)
  • “Secret” data

Page 26

Motivations: Money

• Money has a powerful effect on social structure and social relations

• Money is fundamentally changing many elements within the hacking community

• Money also acts as a force to attract individuals who are outside the community

• Money as a social object gives these outsiders opportunities for power and prestige inside the hacking community that were formerly not available to them

Page 27

Motivations: Ego

• Derived from the satisfaction that comes from overcoming technical obstacles and creating code that is elegant and innovative

• Idea of mastery over the machine – getting it to do what you want, often in spite of numerous security obstacles

• The community at large shares this common and very powerful motivation

• This core motivation is still present and remains a strong social motivation within the community

Page 28

Motivations: Entertainment

• This motivation arises from the consequences of an exploit
  • Getting a device to do something unusual or novel
  • Bluejack Bluetooth devices like phones and get them to call porn lines
• Originally an uncommon motivation, it has gained momentum over the past years due in part to:
  • Infusion of less technical individuals into the digital space
  • Expanded social environment in the digital space

Page 29

Motivations: Cause

• A rapidly evolving motivation in the hacking community
• Most common instance of this motivation – hacktivism:
  • the use of the Internet to promote a particular political, scientific or social cause
• Original seed – “information should be free”

Page 30

Motivations: Cause

• Recent examples of hacktivism
  • Beginning in 2008 – Project Chanology, an attack on Scientology by the Anonymous group
  • 2008 – Chinese attacks on CNN in response to Western protests during the Olympic Torch relay and accusations of biased media reports in the West
  • 2009 – Efforts by groups to facilitate forums for online public protest by Iranians angered by Iranian election results
  • 2009–2010 – Attacks on Australian government websites protesting the proposed filtering of Australian ISP traffic for “unsafe” materials on the Internet
  • 2010 – current – Wikileaks disclosure of thousands of classified documents and diplomatic cables

Page 31

Motivations: Cause

• There has been a significant increase in the instances of cause-motivated hacks over the past few years
• The seriousness and consequences of cause-motivated attacks have grown significantly
• Remember the phrase “civilian cyber warrior” – a special case of Cause we will return to a bit later…

Page 32

Motivations: Entrance to a Social Group

• Hacking groups tend to be status homogeneous in nature

• This implies there is a certain level of expertise necessary for induction into the group

• Elegant code/exploits are one method for gaining acceptance into the group

• Seeing more of this motivation given shifts in traditional society’s perspective on hacking

Page 33

Motivations: Status

• A powerful motivation within the hacking community
• Community as meritocracy
  • Skills and expertise in networks, operating systems, hardware, security, etc. used as status characteristics
  • Your position in the status hierarchy – locally and globally – depends in great part on these characteristics
• The decline of the hacking meritocracy
  • Non-trivial decreases in basing status upon skills and expertise – probably due to the rise of money as a motivation

Page 34

Near-Term Emerging Threats

• Civilian Cyber Warrior

• Hacking Groups Aggregating Different Forms of Power

• Loose Coupling of Virtual and Violent Criminal Activity

• Large Scale Collection of Information by Nation States for CI

Page 35

Emerging Threat Example: Civilian Cyber Warrior

Page 36

The Special Case of the Civilian Cyber Warrior

• Traditional forms of aggression
  • Personal costs
    • Economic
    • Probability of getting caught
    • Legal consequences
• Historical and social significance of the emergence of the civilian cyber warrior
  • Key point – the social psychological significance of the event
  • First time in history that an individual could cost-effectively attack a nation state
  • The reassessment of the usual assumptions of the inequalities of the levels of power between nation states and citizens – establishes new relationships between institutions of society, government and individuals

Page 37

Different Social Dimensions Under Investigation as Related to Civilian Cyber Warrior Behavior

• Civilian Cyber Warrior study is concentrating on:
  • Dependent variables
    • Willingness to commit acts of cyberterror against another country
    • Willingness to commit acts of cyberterror against their own country
    • Willingness to commit acts of physical terror against another country
    • Willingness to commit acts of physical terror against their own country

Page 38

Different Social Dimensions Under Investigation as Related to Civilian Cyber Warrior Behavior

• Civilian Cyber Warrior study is concentrating on:
  • Independent predictor variables including
    • Level of skill
    • Hours per week using computer
    • Prior minor malicious acts using a computer
    • Level of nationalism
    • Level of ethnocentrism
    • Country of origin
    • Demographics

Page 39

10) Imagine that the country of Bagaria has recently promoted national policies and taken physical actions that have had negative consequences to the country that you most closely associate as your home country or homeland. These policies and actions have also resulted in significant hardships for the people in your home country. What actions do you think would be appropriate for you to take against Bagaria given their policies and physical actions against your home country? You may choose as many actions as you think the situation warrants. In this scenario, you may assume that you have the necessary skills to carry out any of the actions below.

Responses  Response %  Option
      235     100.00%  Total responses
       89      37.87%  Do nothing: let your country work it out on its own
      126      53.62%  Write a letter to the government of Bagaria protesting their actions
      133      56.60%  Participate in a protest at an anti-Bagaria rally
       56      23.83%  Travel to Bagaria and protest at their country’s capitol building
       47      20.00%  Travel to Bagaria and confront a Bagarian senior government official about their policies
        3       1.28%  Travel to Bagaria and sneak into a military base to write slogans on buildings and vehicles
        6       2.55%  Travel to Bagaria and physically damage an electrical power substation
        2       0.85%  Travel to Bagaria and damage a government building with an explosive device

Sneak peek at preliminary data – more data is coming …

Page 40

11) Aside from physical activity, what on-line activities do you think would be appropriate for you to take against Bagaria given their policies and physical actions against your home country? You may choose as many actions as you think the situation warrants. In this scenario, you may assume that you have the necessary skills to carry out any of the actions below.

Responses  Response %  Option
      235     100.00%  Total responses
       85      36.17%  Do nothing: let your country work it out on its own
      177      75.32%  Post a comment on a social networking website like Facebook or Twitter that criticizes the Bagarian government
       26      11.06%  Deface the personal website of an important Bagarian government official
       24      10.21%  Deface an important official Bagarian government website
       12       5.11%  Compromise the server of a Bagarian bank and withdraw money to give to the victims of their policies and actions
       20       8.51%  Search Bagarian government servers for secret papers that you might be able to use to embarrass the Bagarian government
       15       6.38%  Compromise one or more Bagarian military servers and make changes that might temporarily affect their military readiness
        6       2.55%  Compromise one of Bagaria’s regional power grids which results in a temporary power blackout in parts of Bagaria
        1       0.43%  Compromise a nuclear power plant system that results in a small release of radioactivity in Bagaria

Sneak peek at preliminary data – more data is coming …

Page 41

Summary

Page 42

Points to Hopefully Take Away…

• Understanding the nature of the relationship between people and technology may help you predict where the next threat vectors are going to emerge

• The elements of the hacking community social structure are still there, but in different form and distribution

• The motivations of the hacking community are still there but their form, shape and consequences have changed, often dramatically

• Constructing scenarios of emerging threats can help you anticipate and plan in a fast evolutionary threat environment

Page 43

Contact Information

Tom Holt, [email protected]

Max Kilger, [email protected]