When Hackers Hack Hackers
Notable cases of internecine cyber squabbles.
February 9, 2017
While most cybercriminals tend to set their sights on siphoning valuable data from poorly protected enterprises, there's no limit to the kinds of targets they'll seek out. There's no honor among thieves, so it shouldn't be a surprise that with the right kind of motivation, malicious hackers will happily attack other black hat and grey hat hackers.
Sometimes the attacks are purely mercenary: rivals know they can hit pay dirt very quickly if they find an easy way to tap into data stores of already vetted stolen identities or financial information. Similarly, certain kinds of cyber skirmishes are initiated to take competitors out. And then there are the attacks that are a little more personal: to show someone up, settle a score, or otherwise make a philosophical stand.
Regardless of the motives, these kinds of squabbles offer up a satisfying dose of schadenfreude for cybersecurity pros beleaguered by the bad guys. It's nice to watch them fight amongst themselves every once in a while. So, pull up a chair, grab some popcorn and read on.
Thieves make the best targets for theft, because who are they going to take their complaints to? One enterprising hacker, w0rm, took this principle to heart by raiding the user database of a Dark Web forum called Monopoly, which connected the bad guys so they could talk shop about running botnets, pushing phishing campaigns, and committing credit card fraud. Just as with any other database breach, w0rm offered up the goods on Monopoly for about $500. The difference here is that security pros were playing the world's tiniest violins for the victims of this breach.
Well known in Dark Web marketplaces, a cybercriminal by the handle of Peace_of_Mind got fed up with w0rm's antics. Apparently the Monopoly attack was far from an outlier. Peace claimed that w0rm had been stealing zero-days from certain forums and posting them as his own. What's more, he was irritated at w0rm for blowing the lid off vulnerabilities Peace was using to maintain access to compromised websites and for scamming people Peace knew. In retribution, Peace engaged in some good ol' fashioned cybervandalism, taking the digital spray paint to the website w0rm used to publish proof-of-concept code and dump data breached from high-profile attacks against targets like the Wall Street Journal, Vice, and CNET.
Cyber gang-on-cyber gang attacks are pretty common and date back far into hacking history. One example in the not-too-distant past - 2011 - saw a hacking group called d33ds bust into the online black market store of a rival called Srblche, who sold admin access to military education and government sites, along with website vulnerabilities. d33ds dumped data from the marketplace's server, including customer password hashes and administrative passwords.
In 2015, Kaspersky Lab explained a phenomenon it was calling advanced persistent threat (APT) wars, where two APT groups target one another with the same kind of techniques they use against their typical government and corporate victims. Their example anecdote told a Spy vs. Spy story of two groups called Hellsing and Naikon who duked it out with a back-and-forth battle of spearphishing emails and intelligence-gathering through customized backdoor payloads.
The d33ds example smelled more of spite than of business, but security researchers are also running into competitive spats where attackers essentially bare their teeth over the same piece of meat. Last year a researcher with Shadowserver detailed how the organization is often able to carry out takedowns of command-and-control servers and domains based on tips from rival hackers. Attackers hoping to push competitors from the market dox one another, giving Shadowserver the information it needs to take them out.
Perhaps one of the most well-known hacker-on-hacker attacks over the last two years, the Hacking Team breach of July 2015 was pure hacktivism. The Italian surveillance company was doxed by a hacker by the handle of Phineas Fisher to shed light on the company's ties with governments with poor human rights records. A purveyor of Remote Control System (RCS) software and zero-day exploit code, Hacking Team had source code, internal documents, and client lists all exposed in the attack. Included in the exposure was evidence that the firm helped oppressive regimes to better spy on their citizens. Phineas Fisher later wrote a how-to guide that showed his methods, though even early on the exposed documents showed how bad the company's defenses were for a firm that specializes in hacking - in many cases key accounts used "Passw0rd" and "P4ssword" as shared secrets.
Phineas Fisher didn't come out of thin air. The hacker actually had a warm-up act the previous year when it leaked some 40GB of data about another surveillance company called Gamma International. Known for its FinFisher spyware technology, Gamma had previously been called an "Enemy of the Internet" by Reporters Without Borders for ties similar to Hacking Team's to governments in Turkey, Egypt, and Oman.
Other hackers are continuing the work of Phineas Fisher. Just last month, an Israeli firm that makes mobile phone hacking devices was hit with a 900 GB breach that included customer information and technical data about the company's product. In this instance, the attacker didn't go public, but had been exchanging information in IRC chat rooms and with the media. Similar to the other hacking firms, Cellebrite's breached information suggested relationships with governments that have less than sterling human-rights records.