Cybercrime-as-a-Service opens up a realm of worrying new possibilities for opportunistic individuals and ideologically motivated groups, as well as a new front for law enforcement and security services to secure.
As early as 2013, cybersecurity experts noted that Cybercrime-as-a-Service (CaaS) was a burgeoning business. It is an industry as straightforward as it sounds – professional cybercriminals maintain and sell the means of committing cyberattacks to anyone with the motivation and money to do so.
In 2013, hiring a Distributed Denial of Service (DDoS) attack (a cyberattack that uses a network of subverted computers around the world to flood targets, such as websites and other infrastructure, with requests to impair or crash them) cost $535 for a month’s use. Today, a month’s rent for a DDoS can cost as little as $28.99. Falling prices are driven by competition in the CaaS market, enabled by the accessibility of the technologies.
Last week Europol and associates struck a blow against professional cybercriminals by taking down WebStresser – a website offering rental DDoS attacks, masquerading as a “stress tester.” The criminals behind the service were also arrested. Whilst it indicates the threat is being taken seriously and combated, it is little more than a proverbial drop in the ocean.
DDoS attacks are not the only service offered by professional cybercriminals. Ransomware is another, arguably more dangerous threat that is available. Ransomware is a type of software that stealthily makes its way onto PCs before encrypting the user’s files, or even the boot files for the machine itself, so when the computer is switched off, it refuses to start up again. In both cases, users are presented with a message demanding a ransom in order to de-crypt the files and restore ordinary usage.
These services are currently overwhelmingly used by opportunists seeking profits, and businesses seeking to disadvantage their competitors. However, with the increasing prominence and accessibility of these services, they will soon come to the attention of those with more nefarious intentions.
Prominent precedents
Britons in particular may be familiar with ransomware after it crippled the UK National Health Service in May 2017. The malware spread across NHS computers with outdated operating systems, locking out staff and directly leading to the cancellation of 6912 appointments, including operations. The attack has been attributed to the North Korean government, or state-sponsored groups in the country by senior figures across government and the tech industry.
Ransomware has also caused significant trouble across the Atlantic in the US city of Atlanta, where various IT systems used by the city administration were infected with ransomware in March 2018, costing the city millions of dollars in disruption.
However, the most prominent example of professional cybercrime must be the concerted Russian campaign against the United States in the build up to the 2016 Presidential election. The hacking of Clinton campaign emails, and the manipulation of individuals by professional cybercriminals via social media were just two of the prominent tactics employed by state-sponsored Russian groups.
The Russian attacks during the 2016 Presidential election are part of a wider Russian strategy of subverting US democracy. It is an ideologically motivated, targeted campaign against a predetermined enemy. At the other end of the spectrum, the more recent attacks against Atlanta city appear to be an opportunistic money-spinner by a group of professional cyber criminals.
The WannaCry attack highlights an interesting hybridization of ideological motivations and outright opportunism. Like the Russian campaign, the power of a nation-state is reflected in the virulence of the attack. However, it lacked the sophistication of previous state-sponsored attacks, as well as any sort of relevance to a longer-term plan. It was a cyberspace smash and grab, and it is in this niche, where ideology and opportunism intersect, that CaaS will come to find a great deal of traction in years to come.
Outsourcing IT
CaaS provides ideologically motivated groups with a means of carrying out ambitious cyberattacks like WannaCry even if they lack the manpower or technical means of doing so. Undoubtedly, these groups will begin to see the opportunities offered by professional cybercrime services.
The global jihadist movement is one such movement that could take steps towards purchasing CaaS programs to launch attacks on their enemies. The movement already possesses a number of organisations operating in cyberspace, such as the Caliphate Cyber Army and Islamic Cyber Army, demonstrating they are conscious of the potential of cyber-terrorism. However, experts have ridiculed their capabilities, with the groups incapable of making simple chat apps for themselves, let alone develop expansive campaigns of cyber-terrorism.
The jihadist movement and other terrorist groups will develop cyber capabilities, but for the time being, they will turn to existing services as they have done with sites like Twitter and Facebook, and apps like Telegram and WhatsApp. This is where CaaS vendors stand to benefit from increasing awareness of their services and the havoc they can wreak.
It will be a mutually beneficial partnership that will overcome any aversion that the parties may have to working together. In many cases, professional cyber criminals hold the West in similar contempt to the jihadist movement, overcoming any moral dilemmas they may feel about working with terrorists. On the other side, jihadists curse the West and much of modernity, yet have no issue with adopting technology when it serves their needs, which CaaS undoubtedly will.
International Terrorism and Information Technology
This presents a daunting picture of a future whereby terrorist groups extort funding from governments, businesses and civil society via ransomware, DDoS attacks and other capabilities that they have rented from professional cyber criminals. The precedent is clear in examples such as the WannaCry attack – disruption in cyberspace is increasingly felt in the offline world too, with severe financial and practical consequences. The good news is that with foresight and planning, Western nations can build up their deference before the threat reaches a critical mass.
