When firewalls fail to thwart cyberattacks, former Israeli spies are coming to the rescue.
Their job: Befriend hackers to find out about attacks before they even happen.
Bigger, better-known cybersecurity firms, like Moscow-based Kaspersky Lab ZAO and Intel Corp.’s Intel Security Group, aren’t providing these services, spokesmen for the two firms say.
Black Cube and its competitors say they are offering a way to gauge vulnerabilities by making friends with potential enemies, before an attack. The biggest challenge, executives in the business say, is building enough credibility to be invited into a hacking network’s circle of trust.
Group-IB, for instance, has its undercover employees buy software that could potentially be used to commit cybercrime, to build street cred online. The company says clients include Citigroup Inc.’s Citibank, Novartis AG, Microsoft Corp. and Russian bank Sberbank OAO. Novartis said it worked with Group-IB in the past but was no longer a client. Microsoft and Citigroup declined to comment, and Sberbank was unavailable for comment.
This year, Group-IB employees posed as hackers to gain access to a botnet—a network of infected computers that can be controlled remotely. This botnet, which was aimed at breaking into banks, had infected some of Group-IB’s clients. On a Russian-speaking forum, the owner of the botnet was seeking hackers interested in using this botnet to steal money.
But first, the botnet owner wanted to test whether forum members had the necessary technical skills to use it. He and the Group-IB researchers engaged in a technical dialogue.
“During the conversation it becomes clear if you’re aware [of the technical issues] or not,” said Dmitry Volkov, cybercrimes investigation division leader at Group-IB. “He then provided us limited access to the botnet’s control panel.”
The access allowed Group-IB to dig into the botnet and unearth valuable information, including the infected computers that made up the botnet and nicknames of other hackers using it. From there, they were able to come up with what they believed were the real identities of some of the hackers. Mr. Volkov said Group-IB contacted law enforcement, but he believes both the botnet owner and the hackers they identified were still at large.
Noam Ichner, a 13-year veteran of the Israel Security Agency—also known as the Shin Bet—now works as a senior researcher at Diskin. The cybersecurity firm was founded in 2011 by Yuval Diskin, a former Shin Bet chief.
Ms. Ichner often uses a male persona to better fit into the dark web’s culture, which is dominated by men. But she sometimes finds a female identity can be helpful. At one point, she was trying to engage a person online who was looking for hackers to exploit login credentials.
“I had to make [my] persona stand out, to get the other side to choose to engage with me over other possible parties,” she said. “There might have been a hint of flirtation.”
Just like undercover policemen, cyber spies have to navigate the fine line between protecting against a crime and committing one.
“The trick is to engage in deals that would be aborted in the end,” says Ms. Ichner. “In the agency I worked for it was about getting to a level of intimacy with terrorists without participating in terror attacks or triggering them.”
Employees at Fox-IT, a Dutch cybersecurity outfit, last year used one of the oldest spy tricks in the book: They played to a hacker’s ego.
The hacker was selling homemade malicious software he said could pilfer financial data like personal credentials from point-of-sale systems like credit-card readers. He came under attack by fellow hackers, who accused him of peddling old malware—the embarrassing mark of either a swindler or an amateur.
Fox-IT personas sympathized online with him. The hacker sent the cyber spies the source code to the malware he claimed to have authored. Fox-IT shared it with clients, who could use it to protect their systems against the malware.
Last year, Black Cube, an Israel-based firm that specializes in gathering intelligence online, asked one of its bank clients for access to some of its internal HR and payroll data—sensitive enough to look like the spoils of a real cyber theft, but not enough to affect operations.
When Black Cube accessed the information, it left a digital trail that made it look like it had broken into the bank’s networks and stolen the data. By dangling this bait, Black Cube operatives posing as hackers infiltrated a group of cyber thieves that had been circling the bank, according to a person familiar with the sting, helping thwart an attack.
With the pace and severity of corporate cyberattacks increasing, a growing number of small cybersecurity and business intelligence firms like Black Cube are deploying the same sort of cloak-and-dagger moves that governments and police have long used to penetrate spy rings or break up terrorist cells.
A big part of that push is old-fashioned human intelligence, or “humint” in military and intelligence parlance. These firms are using real people and traditional spycraft to foster interpersonal relationships and trust across a nebulous and often anonymous network of hackers, middlemen and those benefiting from purloined data.
The threat intelligence industry, which includes companies using humint but also automated research tools that look for criminal-related data, is still niche—accounting for just 0.4% of total information-security spending in 2013, according to technology consultancy Gartner. But Gartner research director Ruggero Contu said big organizations, “especially in the financial and government sectors,” are increasing spending on humint-based services.
Black Cube and peer Diskin Advanced Technologies Ltd. were both started by veterans of the Israeli intelligence services. Other threat-intelligence players include Dallas-based iSight Partners Inc., Fox-IT Group BV of the Netherlands, and Moscow-based Group-IB.
Founded in 2011, Black Cube recruits former Israeli intelligence personnel to conduct research, operations, and to troll through the dark web, the unindexed part of the Internet that is only accessible through specialist browsers. The company runs its own version of “agents,” who try to turn hackers into informants, work themselves into hacker communities and learn about the latest hacking techniques.