How the FIN7 Cybercrime Gang Operates
The Grugq has written an excellent essay on how the Russian cybercriminal gang FIN7 operates. An excerpt:
The secret of FIN7’s success is their operational art of cyber crime. They managed their resources and operations effectively, allowing them to successfully attack and exploit hundreds of victim organizations. FIN7 was not the most elite hacker group, but they developed a number of fascinating innovations. Looking at the process triangle (people, process, technology), their technology wasn’t sophisticated, but their people management and business processes were.
Their business… is crime! And every business needs business goals, so I wrote a mock FIN7 mission statement:
Our mission is to proactively leverage existing long-term, high-impact growth strategies so that we may deliver the kind of results on the bottom line that our investors expect and deserve.
How does FIN7 actualize this vision? This is CrimeOps:
- Repeatable business process
- CrimeBosses manage workers, projects, data and money.
- CrimeBosses don’t manage technical innovation. They use incremental improvement to TTP to remain effective, but no more.
- Frontline workers don’t need to innovate (because the process is repeatable)
Clive Robinson • September 16, 2020 8:47 AM
@ All,
As the Grugq notes,
But it’s not just “project management” but management in general.
From back in the 1980s, when cracking first started to move from “ego food” to “crime”, few at the sharp end had even the slightest idea of how to monetize their activities.
A decade or so later, academic researchers talking about botnets did not appear to realise that the operators were not effectively monetizing. When I pointed this out on a well-known security blog[1], it got a grumpy response.
But realistically, even as little as a decade ago cyber monetization was still really not very good at all. More money was being taken in the US on credit card fraud of the traditional style.
My viewpoint has been for several decades, and still is, that cyber criminals are really quite bad at monetization, though they are slowly getting better.
One of the reasons I have advised for many years, and still do advise, tech people to study Business Management is that not only does it help you “speak business to the man that cuts your cheques”, it also broadens your outlook and thus your perspectives.
If you think about it, what works for you in the commercial world will also work for you in the criminal world; they are at the end of the day little different.
So yes, whichever colour hat you choose to wear, a good knowledge of business is very much going to improve your bottom line.
[1] It was not this blog but another one I mention from time to time. As for the academic concerned, I think from his later progress he took the idea on board.