Google LLC’s Threat Analysis Group said today it has blocked more than 30 malicious domains linked to hack-for-hire groups from Russia, India and the United Arab Emirates.
The hack-for-hire firms have been actively targeting Gmail and Amazon Web Services Inc. accounts, among others, to carry out corporate espionage attacks against companies, human rights activists and journalists. The groups are said to take advantage of known security flaws when undertaking campaigns opportunistically.
Unlike commercial surveillance vendors who generally sell a capability to hack accounts to an end user to operate, hack-for-hire groups conduct the attacks themselves. Some hack-for-hire groups openly advertise their products and services to anyone willing to pay, while others work more discreetly, selling to a limited audience.
In one example, the researchers observed Indian hack-for-hire groups working with third-party private investigative services to provide data exfiltrated from a successful operation. The breadth of targets in hack-for-hire campaigns is said to stand in contrast to government-backed operations, which often have a more precise delineation of a mission and marks.
As a result of the research, all identified websites being used by the hack-for-hire groups have been added to Google’s Safe Browsing feature to protect users from further harm. The researchers also encourage users to enable Advance Protection and Google Account Level Enhance Safe Browsing to ensure that all devices are updated.
Google’s CyberCrime Investigation Group also shared the relevant details and indicators with law enforcement.
“We applaud Google’s Threat Analysis Group for taking action on these malicious domains used by hacker-for-hire groups,” Sean McNee, chief technology officer at cyber threat intelligence company DomainTools LLC, told SiliconANGLE. “These domains are a part of a larger concerted effort by APTs or other well-funded adversaries to achieve their desired outcomes via outsourced malicious activity.”
McNee explained that because hiding domain registration and infrastructure creation is becoming easier, network defenders need to move faster and be more nimble to track newly registered or active domains, as well as monitor internet infrastructure changes to resources connecting to their networks or sending them an email or other messages.
“It is a lesson that there is an ever-changing asymmetry between attackers and defenders — now defenders need to consider advanced and coordinated attack strategies from mercenaries hired to achieve a financial, economic, or even political end,” McNee said.