On November 10, 2015, the Justice Department announced the indictment of four men for “hacking,” securities fraud, and other crimes. In announcing the indictments, Manhattan U.S. Attorney Preet Bharara said, “The charged crimes showcase a brave new world of hacking for profit. It is no longer hacking merely for a quick payout, but hacking to support a diversified criminal conglomerate. This was hacking as a business model.”


The indictment alleges that the conspirators used servers in Egypt, the Czech Republic, South Africa, Brazil and other countries as a launchpad to attack some of the largest financial firms based in the U.S. The indictment alleges that the defendants “hacked” networks, stole customer data about tens of millions of people and used the stolen data to run a massive stock manipulation scheme. But making millions of dollars from stock fraud wasn’t enough — so, it is alleged, they also ran other criminal businesses including Internet gambling, malware distribution, bogus online products businesses, and an illegal Bitcoin exchange.

One of the challenges faced by criminals running long-term criminal enterprises is that the good guys have tools to find criminals. One of these tools is intelligence. Realizing that the good guys use credit cards to run transactions to find fraudulent vendors, paragraph 34 of the indictment details how these criminals “hacked” into an intelligence vendor and used this access to determine the credit cards used in the intelligence investigations. By knowing which credit cards were used by investigators, the bad guys simply blacklisted these credit cards to deprive investigators of the evidence they needed. The Justice Department posted the indictment.

Good guys have their forensic big data tools. Bad guys counter this using anti-forensics, in which the bad guys manipulate the data that feeds these forensic tools. In this indictment, the bad guys shut off the data. In the Neiman Marcus breach the bad guys intentionally triggered alarms that looked like normal event traffic, correctly anticipating that the defenders would treat their alarms as normal events — hiding in plain sight. This is merely the cyber-equivalent of stolen licence plates, blending into the crowd, ski-masks, and fake IDs. Knowing what data is used by investigators, bad guys manipulate that data to evade detection.
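The "hiding in plain sight" point above has a concrete defender-side lesson: triage rules that suppress an alert signature purely because it is high-volume will also suppress an attacker who deliberately fires that same signature. The script below is an added illustration, not code from the original post or from any of the firms or investigators it describes. It runs over a constructed set of alert log lines (hypothetical signature names and host names) and contrasts a naive volume-based suppression rule with one that keeps a per-signature baseline of which hosts normally produce it, so a "normal-looking" alarm from a host outside that baseline is still surfaced.

```python
from collections import Counter, defaultdict

# Constructed sample data (hypothetical hosts and signature names, not from
# the indictment or any real incident).
# Historical window: which hosts routinely fire each noisy alert signature.
HISTORY = """\
2015-10-28T08:12:00 AV-Heuristic-Generic ws-001
2015-10-28T11:40:00 AV-Heuristic-Generic ws-002
2015-10-29T09:05:00 AV-Heuristic-Generic ws-003
2015-10-30T14:20:00 AV-Heuristic-Generic ws-001
"""

# Current window: the same noisy signature, including one instance from a
# server that has never produced it before (the blended-in alarm).
CURRENT = """\
2015-11-02T08:01:00 AV-Heuristic-Generic ws-001
2015-11-02T08:03:00 AV-Heuristic-Generic ws-002
2015-11-02T08:04:00 AV-Heuristic-Generic ws-002
2015-11-02T08:06:00 AV-Heuristic-Generic srv-fin-07
2015-11-02T08:07:00 AV-Heuristic-Generic ws-003
"""


def parse(text):
    """Parse 'timestamp signature host' lines into (ts, sig, host) tuples."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sig, host = line.split()
        alerts.append((ts, sig, host))
    return alerts


def suppress_noisy(alerts, threshold=3):
    """Naive triage: drop every alert whose signature fires at least
    `threshold` times in the window. Treats volume alone as 'normal'."""
    counts = Counter(sig for _, sig, _ in alerts)
    return [a for a in alerts if counts[a[1]] < threshold]


def build_baseline(history):
    """Map each signature to the set of hosts that historically produce it."""
    baseline = defaultdict(set)
    for _, sig, host in history:
        baseline[sig].add(host)
    return baseline


def triage_with_baseline(alerts, baseline, threshold=3):
    """Same volume rule, but a noisy signature coming from a host outside
    its historical baseline is kept for analyst review."""
    counts = Counter(sig for _, sig, _ in alerts)
    kept = []
    for ts, sig, host in alerts:
        if counts[sig] < threshold or host not in baseline[sig]:
            kept.append((ts, sig, host))
    return kept


if __name__ == "__main__":
    current = parse(CURRENT)
    baseline = build_baseline(parse(HISTORY))
    print("naive suppression keeps:", suppress_noisy(current))
    print("baseline-aware triage keeps:", triage_with_baseline(current, baseline))
```

Run as-is, the naive rule discards the whole window because the signature crossed the volume threshold, while the baseline-aware rule keeps exactly the alert from `srv-fin-07`, the one host with no history of that signature. The baseline here is a simple host set; in a real deployment it would be keyed on whatever attributes the noisy alerts normally share (host, user, process, time of day) so that an alarm matching the signature but not the usual context is not silently dropped.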