ALPS blog

by Richard Werner, Business Consultant

Dark marketing is a phenomenon that occurs in the context of IT security attacks and is underestimated by many. The publication and description of attack methods and procedures not only supports the defense side but also unintentionally serves to market the attack to other potential perpetrators. How can this be prevented and how should the consequences be dealt with?

Dealing with attacks in the public perception

The attacks by the hacker group known as “Hafnium” serve as a current example. When these attacks on Exchange servers became known in March 2021, there was talk of seven zero-day vulnerabilities and of political actors exploiting them. Because of the enormous number of affected systems, the BSI issued a “red” level alert and asked companies to apply the fixes published by Microsoft immediately. The purpose of the measure: to generate attention, build up pressure to act, and help free up resources (money and time) at affected companies. Looking at the number of systems that were already protected just one month later, this calculation worked. Since attacks were already taking place in Germany, the BSI had no choice but to take this approach.

Unwanted side effect

However, anyone working in IT is probably also aware that such information is not picked up by the “defenders” alone. When technical methods are involved, as in this case, they are analyzed by many experts, descriptions of indicators are created, and the procedures of observed actors are summarized in detail. But this also produces blueprints for attack procedures – quasi best-practice recommendations for exploiting the vulnerabilities, and even YouTube tutorials on the subject. And these blueprints and instructions lead to offers on the dark web that refer to these vulnerabilities to promote their service. If it is said today that Hafnium attackers encrypt data (i.e., use ransomware), then it can be assumed that the attack, which may originally have been politically motivated, has now been replicated by ordinary cybercriminals!

Different perceptions of a “politically motivated” attack

Furthermore, it should be clear that the statement that political actors are behind the attacks has a different effect on defenders than on cybercriminals. Corporate security professionals will consider whether their own organization is even a plausible target for political actors. After all, the idea that “the rogue state of your choice” has an interest in crippling the IT of a country like the Federal Republic in peacetime seems rather unusual. If a company does not hold any really valuable data, those responsible are more inclined to take a calmer view of the warning.

The situation is quite different for criminals. A state-prepared attack is seen as a seal of approval, and a “Made in…” label is a sign of quality, because the criminals assume that such an attack has been professionally prepared. Interest in this “commodity” is correspondingly high. The criminals’ short-term goal is to spread their attacks as quickly and as widely as possible and to establish access points, because they know that their window of opportunity is closing. That means they need to place backdoors, which remain in the system even after the original security holes are closed. Once calm has returned, these backdoors can be used to infect the system at their leisure.

Dark marketing, advanced stage

This is where the second stage of “dark marketing” kicks in, playing into the hands of the perpetrators. It involves news such as “Hacking group X announces it has stolen data from company Y”. News of this type is very popular in the press, as it demonstrates the vulnerability of companies and is always embarrassing for the victims. The better known the victim’s name, the more confidently it will be talked about. The perpetrators have thus achieved their purpose as soon as they are reported on: pressure builds on the victims to somehow make the whole thing go away. And at the same time, the next victim is already being influenced, because hacker X now uses his “good name” to convince the next one to pay quickly as well.

The mention of special techniques also serves to trigger reflex actions. In the case of WannaCry, only a small number of mostly outdated Windows systems were affected and the resulting damage was generally minor. But as ransomware attacks were all over the media at the time (2016/17), companies and consumers worldwide transferred a total of several hundred thousand dollars to the perpetrators’ accounts – even before it was made public within a few hours that, from a purely technical point of view, no decryption option ever existed. A direct hit for the blackmailers!

Lessons learned

First, cyberattacks that are reported globally must be taken seriously. If entry points are mentioned there (such as software vulnerabilities), these must be closed. It is completely irrelevant who is allegedly behind these attacks. As soon as the attack is discussed in public, there are imitators within a very short time. But despite this involuntary “publicity,” it is also important to report on attacks in more detail so that companies understand where the problems lie, how such attacks occur and how they take place, and can prepare for them.

Second, just because someone claims to have data or can decrypt data doesn’t mean that’s the case. Potential victims should ask for proof of this when in doubt. Inform law enforcement agencies and coordinate your actions with them!

Third, and at the same time the most important insight: assume that someone may try to blackmail you. Such a situation can be planned for in advance. In the event of an incident, it is important to find out whether data could actually have been stolen, how far a perpetrator has already penetrated the system, and whether there were or are backdoors through which the attacker could enter or exit. Only then can it be assessed whether data was actually lost or whether the extortion attempt is just a fake after all.

The techniques companies need for this belong to the category of detection & response. Used correctly, they help to detect an actual attack as it is happening and to identify backdoors and other entry points. In the worst case, they can at least provide information about what has been stolen and the extent of the attack.

To act successfully here, it is not enough to check only one-dimensional sources such as Windows endpoints. Communications over the network and in other areas of the company must also be monitored. This is why the technology is called XDR (comprehensive detection and response), and Trend Micro combines all these technologies in the Trend Micro Vision One platform.
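To illustrate why a single telemetry source is not enough, the following added example (written for this page, not code from the blog or from Trend Micro Vision One) runs two simple detection rules over constructed sample telemetry and then joins the results. The endpoint rule only catches a web server worker spawning a shell; the network rule catches a process that contacts the same external address at a suspiciously regular interval (beaconing); the join shows which process on which host is responsible, which neither source reveals on its own. All hostnames, process names, PIDs and addresses are invented sample values (addresses from the RFC 5737 documentation ranges), and the thresholds are assumptions an analyst would tune for their own environment.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample telemetry (not real data). Process-start events from an
# endpoint sensor and outbound flow records from a network sensor; both carry
# host and pid so the two views can be joined. Timestamps are seconds.
ENDPOINT_EVENTS = [
    {"ts": 0,   "host": "mail01", "pid": 4120, "image": "w3wp.exe",    "parent": "svchost.exe"},
    {"ts": 5,   "host": "mail01", "pid": 4188, "image": "cmd.exe",     "parent": "w3wp.exe"},
    {"ts": 90,  "host": "mail01", "pid": 5001, "image": "updater.exe", "parent": "taskeng.exe"},
    {"ts": 120, "host": "ws07",   "pid": 2210, "image": "outlook.exe", "parent": "explorer.exe"},
]

NET_FLOWS = [
    # pid 5001 on mail01: one connection roughly every 60 s to the same host
    {"ts": 100, "host": "mail01", "pid": 5001, "dst": "203.0.113.10", "dport": 443},
    {"ts": 160, "host": "mail01", "pid": 5001, "dst": "203.0.113.10", "dport": 443},
    {"ts": 221, "host": "mail01", "pid": 5001, "dst": "203.0.113.10", "dport": 443},
    {"ts": 280, "host": "mail01", "pid": 5001, "dst": "203.0.113.10", "dport": 443},
    {"ts": 341, "host": "mail01", "pid": 5001, "dst": "203.0.113.10", "dport": 443},
    {"ts": 400, "host": "mail01", "pid": 5001, "dst": "203.0.113.10", "dport": 443},
    # pid 2210 on ws07: a mail client talking to its server at irregular times
    {"ts": 125, "host": "ws07", "pid": 2210, "dst": "198.51.100.5", "dport": 443},
    {"ts": 128, "host": "ws07", "pid": 2210, "dst": "198.51.100.5", "dport": 443},
    {"ts": 170, "host": "ws07", "pid": 2210, "dst": "198.51.100.5", "dport": 443},
    {"ts": 180, "host": "ws07", "pid": 2210, "dst": "198.51.100.5", "dport": 443},
    {"ts": 400, "host": "ws07", "pid": 2210, "dst": "198.51.100.5", "dport": 443},
    {"ts": 405, "host": "ws07", "pid": 2210, "dst": "198.51.100.5", "dport": 443},
]

# Endpoint-only rule: parent/child pairs that a web server worker should never produce.
SUSPICIOUS_CHILDREN = {("w3wp.exe", "cmd.exe"), ("w3wp.exe", "powershell.exe")}


def endpoint_findings(events):
    """Return process-start events matching the endpoint-only rule."""
    return [e for e in events if (e["parent"], e["image"]) in SUSPICIOUS_CHILDREN]


def beacon_findings(flows, min_count=5, max_cv=0.1):
    """Network-only rule: flag (host, pid, dst, dport) tuples whose connection
    intervals are nearly constant. A low coefficient of variation (stddev / mean)
    across at least min_count connections is treated as beaconing. Thresholds are
    assumptions for this example."""
    by_key = defaultdict(list)
    for f in flows:
        by_key[(f["host"], f["pid"], f["dst"], f["dport"])].append(f["ts"])
    findings = []
    for (host, pid, dst, dport), stamps in by_key.items():
        stamps.sort()
        if len(stamps) < min_count:
            continue
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            findings.append({"host": host, "pid": pid, "dst": dst, "dport": dport,
                             "interval": round(avg, 1), "count": len(stamps)})
    return findings


def correlate(events, beacons):
    """Join network findings with the endpoint process tree so each beacon names
    the process image and its parent; unknown pids are labelled as such."""
    procs = {(e["host"], e["pid"]): e for e in events}
    joined = []
    for b in beacons:
        p = procs.get((b["host"], b["pid"]), {})
        joined.append({**b, "image": p.get("image", "unknown"),
                       "parent": p.get("parent", "unknown")})
    return joined


if __name__ == "__main__":
    print("endpoint rule :", endpoint_findings(ENDPOINT_EVENTS))
    beacons = beacon_findings(NET_FLOWS)
    print("network rule  :", beacons)
    print("correlated    :", correlate(ENDPOINT_EVENTS, beacons))
```

Run stand-alone, the endpoint rule reports only the shell spawned by the worker process (pid 4188), while the network rule reports the beaconing process (pid 5001) that looks perfectly ordinary in the process tree; only the correlated view tells the analyst that the beacon comes from updater.exe started by the task scheduler, which is the kind of persisted backdoor the article says has to be found before an extortion claim can be judged.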