Project Management Techniques Used by Hackers

Security researchers single out three strongholds of any lucrative cybercrime campaign with innovation at its core. The first stronghold boils down to thinking outside the box in terms of tactics, techniques, and procedures (TTPs). The second one is a strategic level that introduces ingenious monetization mechanisms. Finally, there is an operational tier that hinges on clever resource management geared toward reaching strategic goals.

The operational piece of this puzzle is typically hidden from security analysts, and doesn’t get as much scrutiny as the remaining two. To pinpoint novel methods at this level, white hats have to stay consistently zoomed into subtle tweaks of major cybercrime trends — a tedious and lengthy exercise.

Nevertheless, project management plays a crucial role in the success of any hacking operation. It adds agility to threat actors’ modus operandi, and allows them to make the most of their foothold in victims’ digital environments.

In Cybercrime, Technical Innovation Isn’t Key

The threat landscape is a competitive territory where only forward-thinking and dexterous players survive. Outstanding operational practices are among the main prerequisites for staying afloat in these murky waters.


In any modern cybercrime operation, these practices span the ability to compromise multiple well-protected targets within a small time frame, extract large amounts of sensitive data, provide high salaries to team members, continuously refine the offensive toolkit, and quickly master new technologies.

Believe it or not, technical sophistication isn’t necessarily a dominant trait of a successful attacker group. Slightly above-average phishing skills combined with monetization proficiency through “classic” means — such as stolen credit cards, cryptocurrency mixing services, and wire transfers — usually do the trick and allow hackers to earn plenty of money. However, the importance of these skills is eclipsed by well-thought-out team coordination and project management.


Project Management for Hackers

Operational competence is one of the crucial things that sets advanced persistent threat (APT) groups apart from the rest of the dark web crowd. When it comes to hitting and exploiting dozens or even hundreds of victims, these cliques can easily take up the challenge.

Counterintuitively, many of these groups don’t excel at embracing the latest technology trends. What allows them to stay on track and get the most mileage out of what they do? It is, first and foremost, a combo of smooth business processes and proper human resource management underlying an effective long-term growth strategy. Today’s top-performing cybercrime gangs implement this by adhering to the following principles:

  • Business processes have to be battle-tested and easy to repeat
  • Stakeholders manage people, projects, the data retrieved, and financial assets

It’s important to note that technical innovation is beyond the management duties of stakeholders. In cybercrime, stakeholder responsibility is restricted to the permanent enhancement of the existing TTPs. Since all the fundamental processes are firmly established, regular team members needn’t bother adding innovation to the mix.

The Dark Side of HR Management

No matter how dynamically technologies are evolving, the human resources factor continues to define the efficiency of any major cybercrime organization. APT groups have a wide spectrum of job functions that run the gamut from managers and operators to coders and translators.


In some scenarios, hacking gangs recruit people via fake companies that serve as a curtain for foul play. The process takes place under the guise of hiring penetration testers or developers. Criminals may even use private online chat services to conduct interviews with candidates.

A Flexible Business Model

It is common knowledge that cybercrooks follow the money. To do this well, they need to leverage monetization methods that can be easily adjusted to different targets. The most successful groups don’t reinvent the wheel. They stick to the following well-trodden process that transforms unauthorized access to an organization’s digital infrastructure into a snowball of financial information that paves the way for illicit gain. The steps look like this:

  • Picking a company to be attacked
  • Reconnaissance aiming to discover the would-be victim’s valuable assets
  • Selecting a target employee and researching their pain points via open-source intelligence (OSINT) and other sources, including dark web databases obtained in past breaches
  • Sending a phishing (or spear-phishing) email to manipulate the individual into executing a remote access Trojan (RAT)
  • Lateral movement inside the compromised network to pinpoint valuable data, such as bank account details and credentials, to access financial transaction processing systems
  • Post-exploitation activity, which entails money transfers from the company’s business accounts and the exfiltration of harvested data
  • Selling the stolen data to interested parties

When viewed at scale, this business tactic doesn’t boil down to squeezing maximum value out of a specific victim. Instead, it implies constant growth in the number of infiltrated organizations the gang can exploit. This is about executing new attacks and making the most of current victims in parallel.


Managing the Victim Base

Keeping an accurate record of all victims and the statuses of their exploitation is another important link in the project management chain of a cybercrime operation. This is actually a kind of portfolio management for hackers. In this framework, every project corresponds to a breached company. It includes in-depth information about the victim’s business model, the data exfiltrated from its network, and the resources allocated to monetizing the unauthorized access — including the team of assigned “employees.”

The use of project management software ensures seamless implementation of all these workflows. Meanwhile, coordination between hacking developers, operators, translators, and “stakeholders” fits the context of DevOps best practices.

How Hackers Use Project Management Tools

Advanced technical skills won’t go amiss, but as previously mentioned, they aren’t decisive in a paradigm where effective offensive tactics are already in place. There is a saying: “If it ain’t broke, don’t fix it.” This principle is probably in a cybercrook’s handbook, and for good reason. Even if these existing TTPs are vanilla and not very innovative, they can still work wonders.

What makes a difference is progressive project management. Criminals use specially crafted applications to track their victims, along with the progress of every attack — not unlike how a legitimate enterprise might use CRM tools. Collaboration tools are also important; hackers leverage group chat utilities to manage workers, interview wannabe accomplices, and sell pilfered information. They also maintain a separate secure chat system to discuss salaries with personnel.


As part of agile project management, some perpetrators take advantage of the legitimate Jira solution by adding an issue ticket for every hacked company. As the raid moves on, they update this record with comments adding fresh details reflecting the status of exploitation.

Jira is also the tool of choice among high-profile cybercriminal crews for storing sign-in credentials, screen captures, keystroke logs, and other data that might allow them to expand the attack surface. Essentially, this software’s ticketing feature is mishandled to keep all the relevant attack information in one place, and streamline dodgy collaboration within teams of black hats.

Some researchers argue that Jira could also serve as a smokescreen for the rogue front organization that pretends to hire security professionals for legitimate, well-paid job positions. However, any pentester worth their salt would quickly notice discrepancies indicating that they are on a slippery slope. Legitimate penetration testing differentiates itself from hacking attempts in several ways:

  • Ethical penetration tests are fulfilled within specific time frames.
  • Customers actively interact with pentesters and provide them with requested information in an incident simulation scenario.
  • White hat hackers aren’t supposed to use malware for post-exploitation. Nor should they zero in on point-of-sale systems, or amass credit card information.
  • A benign penetration test always ends with a detailed report in which the undercover “intruder” describes every stage of the attack, and lists the tools they used to get in.

None of the above holds true for real cyberattacks.

The Bottom Line

Even if a cybercriminal gang uses unsophisticated TTPs, the effort can prosper as long as its activities are backed by effective project management. This includes clever recruitment workflows, frictionless DevOps coordination between teams, unambiguous distribution of roles, attack monetization templates for different types of target companies, and the use of special software to track many victims concurrently.

Ultimately, groups that get the hang of these areas perform surprisingly well and exhibit operational longevity. It’s a shame they channel their project management skills in the wrong direction.


David Balaban

David Balaban is a computer security researcher with over 17 years of experience in malware analysis and antivirus software evaluation. David runs MacSecurity and Privacy PC projects that present expert opinions on contemporary information security matters, including social engineering, malware, penetration testing, threat intelligence, online privacy, and white hat hacking. David has a strong malware troubleshooting background, with a recent focus on ransomware countermeasures.