Organised Cyber Gangs and how they operate.

By Euan Henderson

Cyber Security Apprentice

For most people, the word ‘hacker’ conjures images of hooded loners sitting in darkened rooms focused on lines of codes on a computer screen.

You may be surprised to learn that many hackers form part of an Organised Criminal Group (OCG) or ‘Cyber Gang’ with designated roles and even a benefits package!

Such roles include:

  • Team Leader

Within any OCG there will always be several criminals who are essential to its success. The most successful are ahead of (and in certain cases in the pocket of) local and international law enforcement organisations.

  • Coders

Also known as malware developers, their primary role within the OCG is to write and update new code for malware and plagiarise and/or modify publicly available malware. As a result, cyber-crime malware has progressed significantly within the past decade, advancing from providing basic access to a network or system to executing a wide array of commands on hosts, hiding from anti-virus software, remotely controlling victim’s machines (zombifying them) and wiping Master Boot Records. There is also a form of malware capable of hiding within memory so when the victim believes they have removed the malware, it can re-establish itself when the machine is rebooted. Most malware developers are increasingly deploying their malware with configuration files to search for systems such as payment systems to maximise their access to machines that can provide big opportunities to steal money.

  • Network Administrator (AKA “Bot Herder”)

Not every group has a network administrator. They are responsible for compromising hundreds of online servers and devices which, when linked together are referred to as a ‘botnet’. Eventually a bot herder has a massive network of machines that they can use to create a global presence to compromise more systems or to launch powerful DDOS attacks. They tend to target devices that are constantly on and have a decent internet bandwidth.

  • Intrusion Specialist

If an OCG managed to install malware onto a business network or another major target than an intrusion specialist will step in with their own toolkit to try and ensure that the presence of the malware is enduring and that they are able to exploit the network, often trying to gain access to administrator privileges to be able to access the most valuable applications and databases.

With some sophisticated groups, such as those that made variants of Financial Trojans like Dridex, they could spend weeks and months navigating the network to find the precise machines that they need to access to initiate and validate a large payment, even hijacking valid administrative tools to masquerade as normal activity.

  • Data Miner

This person ensures that the data stolen by a group is ‘clean’, categorizing it and presenting it in a way that can then be used to either make money or sell it to other criminal groups for them to exploit.

  • Money Specialist

Once the OCG has stolen the data, they need to monetise it. To do this they employ a money specialist who is able to identify the best way to make money from each type of data set. This can be done by selling to trusted criminal contacts or by the OCG using specialist online services.

Most cyber gangs do not make much money. The ones that do have been able to access large amounts of very valuable data, however for most cyber gangs to make money from data after expenses, they have to be running almost constantly.

For more information please visit the NCSC website at the link below: