Aatish Pattni, Regional Director of UK and Ireland for Link11, highlights the parallels between today’s organised cybercriminal gangs and their historic predecessors, the Mafia.
When many of us hear the term ‘Mafia’, we instantly conjure up the thought of ’wise guys’ in pinstripe suits of the 1920s and 30s personified by Al Capone, or those immortalised in movies like The Godfather or Goodfellas. Over the years, the media, folklore and legend has glorified what was clearly a highly-organised and profit-driven group of criminals. So what’s this got to do with cybercrime, I hear you ask?
The prevalent image of a cybercriminal is often one of a lone ‘geek’ hiding away in a dark room with little interest in power or money. Contrary to this image, many law enforcement agencies believe that most cybercrime is in fact run by organised criminals who are diversifying from their traditional revenue streams (human trafficking, drugs, guns etc). These criminals are attracted by the high profit and lower risk potential of cybercrime. Through the Internet, criminals have evolved their malicious practices.
The three principles of criminal systems: secrecy, organisation and extortion
I’m a bit of a history buff when it comes to organised crime and when I look at the roots of the American, Italian and Sicilian Mafia (yes, they’re all different) there are a lot of common traits. Like most criminal systems, the Mafia is built on three founding principles – organisation, secrecy and extortion. Today’s cybercriminals share a remarkable resemblance to those groups.
Within the Mafia, there has always been a veil of secrecy that ensures business was never discussed outside the family. Within the family, the organisational structure that we will discuss shortly ensured that vital information sat near the top, and orders were carried out in a military fashion without question.
Today, we hear about the dark or deep web and it’s clear to see that cybercriminals are communicating together and operating more like a collective than as individuals. Through websites like the Silk Road and through encrypted communication channels, cybercriminals are able to conduct their business in secrecy just like the Mafia did before it. It can be argued that it is now even easier for them to operate in the shadows thanks to the evolution in communication technology that the Internet has created.
The Mafia clearly deployed a hierarchy based on a military structure with the basic foot soldiers at the bottom through to Lieutenants, Capos (Captains) and Bosses (the Don/Head of a Mafia family).
At the very top, the American Mafia was eventually led by a board of directors known as ‘The Commission’ whilst their Mediterranean counterparts appointed a single leader known as the ‘Capo di Tutti Capi’ (The boss of all bosses). This organisational structure put particular emphasis on specialist skills sets, each Lieutenant would build a crew of foot soldiers based on their particular skill set (robbery or rackeetering.).
While modern cybercriminals don’t appear to have the same organisational structure as the Mafia, given the veil of secrecy we can be sure that there is a collusion and there are clear team structures. In particular, we see that cybercriminal teams work towards a common goal and play to each other’s strengths (e.g. networking, code compilation, vulnerability exploitation, victim identification). With the advent of Cybercrime-as-a-Service (CaaS), attackers are able to combine their skill sets with other groups and thus create larger and more profitable attacks.
Demand for digital data – the new ‘lime groves’
Before bootlegging, racketeering or even drug trafficking, the Mafia was built on a single criminal enterprise – extortion. The origins of the Sicilian mafia can be traced back to the lime groves outside Palermo where farmers were extorted for protection money to safeguard their fruit trees (as described in John Dickie’s book, ‘Cosa Nostra’). The key to the success of this extortion racket was the extremely high demand for product created by the British Navy, which was buying limes in large quantities to protect its sailors from the disease, scurvy. Later, the American Mafia expanded this enterprise in cities like New York and Chicago by preying on new growth industries – the retail outlets and small businesses within the immigrant communities.
The real similarity between the two entities though is in their chosen attack method. Today’s highest-profile attack vector is clearly ransomware; with attacks like WannaCry, NotPetya and others. Ransomware achieved this status over conventional data theft for a simple reason: monetisation of the attacks was easy due to our dependence on digital data and organisations’ need to recover their scrambled systems quickly. Wherever there is strong demand for a service or product, there’s also the strong possibility this will stimulate extortion and other criminal activity.
So it’s no surprise that we are seeing the ‘Cyber Mafia’ shifting their focus to other types of extortion, namely distributed denial of service (DDoS) attacks, alongside ransomware. In the past, it was mainly e-commerce organisations such as gambling and retail sites which were the targets of DDoS attacks. But researchers at the Link11 Security Operation Centre (LSOC) have seen that the attackers are shifting targets from websites to corporate networks, to overwhelm systems and bring business processes to a halt.
The average DDoS attack costs as little as US$10 per hour and can be easily purchased on the dark web with no IT expert knowledge necessary. The impact to victim businesses from such an attack amounts to US$610,300 on average, according to Ponemon Institute´s Cost of Cyber Crime Study. We are at a point where this type of attack is proving to be a more profitable form of extortion for attackers than any other type of cybercriminal activity.
The American Mafia was ultimately brought to justice by the FBI in the late 1980s through the newly formed RICO act, which allowed the prosecutors to link order-givers and order executors. The ‘Cyber Mafia’ is veiled in secrecy, highly organised and has built its revenue streams on extortion – ransomware in particular – and DDoS. Earlier this year, the UK National Crime Agency (NCA) and National Cyber Security Centre (NCSC) highlighted that both ransomware and DDoS were the biggest cyber-risks facing UK businesses.
Defending an organisation against these threats requires an understanding of them and of the defensive options available. In the past 12 months, tremendous strides have been made to prevent ransomware from crippling businesses: however, the attackers have switched to a more profitable wave of cyber extortion – DDoS attacks. To stay ahead of these new attacks, organisations need to actively build defences to mitigate and block advanced DDoS attacks too.