In Short
- New tactics: Law enforcement is incorporating psychological operations to fight ransomware gangs.
- Creating mistrust: These tactics aim to create mistrust among cybercriminals and disrupt their operations.
- Operation Cronos: Highlighted as a successful example, where the LockBit group was infiltrated.
- Impact: Psychological operations are proving effective in deterring hackers and reducing cybercrime activities.
TFD – Learn how law enforcement agencies are using psychological operations to create mistrust among ransomware gangs and effectively deter cybercriminals. Discover the innovative tactics that are causing disruption within the cybercrime ecosystem and making it harder for hackers to operate.
Russian cybercriminals are almost untouchable. For years, hackers based in the country have launched devastating ransomware attacks against hospitals, critical infrastructure, and businesses, causing billions in losses. But they’re out of reach of Western law enforcement and largely ignored by the Russian authorities. When police do take the criminals’ servers and websites offline, they’re often back hacking within weeks.
These days, investigators are increasingly incorporating psychological manipulation into their disruption strategies. Simply put, they’re making fun of the hackers.
Psychological tactics have been used by Western law enforcement agencies in recent months as an additional means of slowing down Russian hackers and getting to the core of the vast cybercrime ecosystem. These early psychological operations involve attempting to weaken the little faith that the hackers have in one another, carefully putting small wedges between their frail egos, and sending them tailored messages to let them know they’re being observed.
Don Smith, vice president of threat research at security company Secureworks, says, “We’re never going to get to the core of these organized criminal gangs, but if we can minimize the impact they have by reducing their ability to scale, then that’s a good thing.” He states, “All of these little things add friction; they may not be a killer blow in and of themselves.” “You can find weaknesses, highlight them, and sow more division and mistrust to slow down the bad guys’ activities.”
Consider Operation Cronos. In February, a global law enforcement operation headed by the United Kingdom’s National Crime Agency (NCA) infiltrated the LockBit ransomware group and took it offline. According to authorities, the group has extracted over $500 million from victims. The NCA’s investigators revamped LockBit’s leak website, which the group had used to publish its victims’ stolen data, and used it to reveal LockBit’s internal operations.
Law enforcement released screenshots of LockBit’s administrative system and internal chats to show off the power and data they held. Investigators also made public the identities and login credentials of 194 LockBit “affiliate” members. In May, the surnames of the members were added to this.
In addition, the police operation hinted at the identity of the group’s mastermind, “LockBitSupp,” and declared that they had been “engaging” with law enforcement. In May, after a bold image identifying him as the group’s organizer and a multiday countdown clock appeared on the confiscated LockBit website, Dmitry Yuryevich Khoroshev, a Russian native, was accused of operating LockBit.
“LockBit took great pride in its brand and anonymity, placing a high value on these attributes,” states Paul Foster, the NCA’s director of threat leadership. “We have completely destroyed the brand and shattered that anonymity, discouraging cybercriminals from using their services.” The NCA says that it gave the operation great thought, and that its rebuilding of LockBit’s website caused the group to become the target of widespread online ridicule and rendered its reputation “toxic” to hackers who had collaborated with it.
“Our additional infiltration and control, along with arrests and sanctions in partnership with our international partners, has enhanced our impact on LockBit and created a platform for more law enforcement action in the future,” Foster says. “We recognized that a technical disruption in isolation wouldn’t necessarily destroy LockBit.”
Members of LockBit received a personalized notification when logging into the group’s administrative systems, informing them that their IP addresses, internal chats, cryptocurrency wallet details, and usernames had been collected by authorities. Researchers at the cybersecurity company Analyst1 observed that these “psychological tactics” focused on “interpersonal relationships among actors and brand reputation.”
The efforts go beyond the LockBit takedown. The LabHost service, which allowed con artists to develop phishing websites to fool people into giving up their emails and passwords, was disrupted in April by the Metropolitan Police in London. The police sent individualized video messages to approximately 800 criminal LabHost users, outlining “all the data we have about you.” The messages included the countries where the users had targeted victims, as well as IP addresses they had used. “We’ve been watching you every time you visited us,” the voiceover in the video says.
According to Smith of Secureworks, “these messages aren’t just for the existing participants in the criminal ecosystem.” “Those who may be debating whether or not to join should read these messages.” Although there is little trust amongst thieves who can defraud one another of millions of dollars in the vast cybercrime ecosystem, strengthening and enlarging the divisions may make it more difficult for organized crime groups to operate effectively.
It’s challenging to gauge the exact impact of psychological operations, but researchers say that criminals are constantly watching. According to the NCA, only 69 of the 194 LockBit affiliates have returned to the site since the law enforcement action in February. According to analysts, the hackers discuss cybersecurity issues in Russian-language forums after reading news articles and studies on the subject. The XSS forum has one thread called “Juicy arrests” that has accumulated more than 1,000 posts since 2017, says Victoria Kivilevich, director of threat research at security firm KELA, which monitors the cybercriminal underground.
XSS users have differing opinions about the LockBit takedown, according to Kivilevich. In a post from February, she says, a cybercriminal asked why the group’s leader had not yet been identified or sanctioned. A translated message says, “They must have at least something about him, given how much information they have.” “Or perhaps he is employed by them.” Someone else advised against making jokes or memes about the circumstance. “You understand that at some point this may affect you too,” they wrote.
Kivilevich cites other cases in which law enforcement targeting of certain forum members has left cybercriminals frustrated or disillusioned. When members of the Conti and Trickbot ransomware groups were sanctioned in February 2023, LockBitSupp asked where the sanctions were for the Trickbot leader “Stern” and another high-profile actor, “Baddie.” As a further 11 members of Conti and Trickbot were sanctioned in September 2023, days after WIRED named one of the members, a cybercriminal complained that some of those sanctioned “never have had high profiles.” They went on to say there is a feeling of “injustice”: “What was the point of adding fucking managers who didn’t decide much in the business.”
Andréanne Bergeron, director of research at security firm GoSecure who specializes in criminal behavior and police intervention, says there may be two outcomes from naming some criminals and not others. Those who are named may “feel it is unjust to be punished while others go free” and may end up cooperating or working with law enforcement as a result.
Malicious hackers, according to Bergeron, frequently “crave recognition” for their deeds. “These anonymous individuals may feel pressured to come forward in order to receive recognition if their colleagues get all the ‘credit,’ even if that means facing consequences,” Bergeron says. “This desire for recognition can drive them to engage in risky behaviors, potentially exposing themselves to authorities in their pursuit of validation.”
While law enforcement may employ some psychological strategies alongside more conventional technical takedowns and sanctions, researchers are also investigating how cyber psychology can deter malicious hackers. The Intelligence Advanced Research Projects Activity (Iarpa), the research arm of the US Intelligence Community, has begun work on a project to develop new cybersecurity defenses by taking advantage of attackers’ vulnerabilities.
Psychology can be used to “understand, anticipate, and influence” cyberattackers’ behavior, according to Iarpa program manager Kimberly Ferguson-Walter. The goal of the early-stage research is to develop strategies and tools, based on accepted psychological concepts, that take advantage of cybercriminals’ human shortcomings. For instance, if an attacker can be made to feel like they are safe when they are compromising a system, they may engage in riskier behavior and expose themselves.
“That’s about as good as it gets, if you can deter somebody from attacking your network,” claims Ferguson-Walter. “I believe your chances of succeeding are higher the more afraid or apprehensive they are about how the defenses operate.”
Conclusion
Law enforcement’s use of psychological operations against ransomware gangs marks a significant shift in cybercrime deterrence. By creating mistrust and disrupting the operations of these groups, these tactics are proving effective in making it harder for hackers to thrive. This innovative approach underscores the imp