
Building successful teams on the cybercriminal underground

Photon Research Team
September 15, 2021 | 7 Min Read

We’ve all been socialized since childhood to the concept of teamwork. As we progress through life, we see the value collaboration brings. Its benefits are a no-brainer–with more hands on deck, a gargantuan task is less daunting. We can tap into each other’s strengths to break new ground. And let’s not forget the psychological benefits of fostering an atmosphere of togetherness and belonging. This is no different in Photon. We are a small group of diverse individuals–threat intelligence nerds if you will–hailing from different backgrounds, experiences, and cultures.

But teamwork does not always bring success. A clash of different personalities can also cause a group’s downfall, especially when members are unproductive or have exhibited dysfunctional behavior. Too often, we hear of characters like the brilliant jerk, the micromanager, the social loafer, and the tightly wound. 

We see the same dynamics play out among different cybercriminal communities. Having observed how users and groups interact with each other, we’ve found that these communities function very much as we do in many ways. 

Recruiting right

It is no surprise that having people with the appropriate skills and expertise is essential in ensuring team success. It is what detailed job descriptions on career pages and job interview processes are for. These can often be lengthy, but for a good reason–making sure that the potential new teammate is someone who knows how to do the task and can assimilate with the rest of the team. 

Recruitment ad for “developers” on cybercriminal forum

And this is no different among cybercriminals seeking affiliates to join their programs. Across several ransomware-as-a-service (RaaS) programs, skilled candidates are wanted: DarkSide used to make potential affiliates go through interviews and prove their technical capability before being brought into the program. 

Cybercriminal forum post advertising DarkSide RaaS program

Hiring the right fit is easier said than done. People with the appropriate skills are all well and good, but it’s a huge bonus when your prospects also have the right attitude. To overcome this challenge, we often use employee referral programs to incentivize existing employees to bring the right people to work for the company. This is also practiced on underground forums. Users vouch or testify for the reliability of others on these forums. In other instances, users recommend those they know on posts seeking “reliable” partners.

Recruiting for reliable partners to join a project 

Conversely, those finding it hard to assimilate with the wider team will probably find themselves leaving the organization. On the cybercriminal underground, this type of user will probably be banned.

Fix that toxic work environment

Having like-minded people work together seems like a formula for success. But let’s not overlook the role that a work environment plays in fostering camaraderie. It is not easy to make everyone happy, but dissatisfaction at the workplace, if not correctly dealt with and left to fester, will only cause more problems. 

With nothing done to turn the frown upside down, a team risks creating disgruntled members, who can turn out to be immensely destructive. Disgruntled insiders at this point have little to no loyalty towards their teams. They are willing to leak, expose, or steal proprietary corporate secrets to make a quick buck elsewhere or for sheer schadenfreude. TL;DR: it’s just not worth it. 

This behavior is not exclusive to legitimate businesses either. Over supposed discrepancies in remuneration, a user leaked the training manuals and IP addresses used by the Conti ransomware group. 

User leaks Conti training materials on a cybercriminal forum

This is, no doubt, a blow to Conti. The ransomware group will probably continue its extortion operations, but having its proprietary information published for everyone else to see is akin to having its secrets exposed.

Coach your juniors

For the average worker, finding a job often involves a lot of rejection from prospective employers. Common reasons include the candidate’s lack of relevant experience. But when we get hired, where do we go from here?

It is very confusing

When we first started out, fresh-faced and eager to make our mark in society, one of the priorities in this marathon that we call a career is to gain as much knowledge and understanding of our job and industry as possible. How we apply our knowledge and skills to our job then forms our experience in the industry. But this journey is often a long, winding, and bendy road…

To get started on this journey, we often find that attending training and taking courses is perhaps the most straightforward way to become more insightful. 

Tutorials for upgrading yourself

The hallmark of good teams is that they spare no effort mentoring their juniors. Rather than abusing the more junior members and limiting their responsibilities to fetching coffee, good teams often dedicate effort to leveling these members up. Similarly, on underground forums, the knowledge-sharing mentality is typical within the community. On some platforms, users freely extend their knowledge, offering classes to those who want to better grasp their “hacking” skills.

Technical courses available exclusively on forums for interested users

In this aspect, a well-respected English-language technical forum has even introduced a new section for users interested in applying for forum access. In the past, this forum only accepted members after they had passed a rigorous application and interview process. This process was revamped in late 2019, giving those who have previously failed the forum application process a “safe space” to enhance their skills and providing an opportunity to learn from other more established members. 

And in the spirit of learning, there truly are no dumb questions. Asking and learning are undeniably good ways to deepen knowledge.

On some forums, all questions are legitimate questions, no matter how elementary they seem

Find your tribe

There is bound to be friction at the workplace. This manifests in different forms–it could be the dilemma faced when approaching a task or a divergence in professional opinion. That doesn’t mean your career is doomed to failure.

Find people who support you. Equally, if not more, important is finding the right group of people who will not judge you but will instead guide you into becoming a better person/worker. Ideally, these people should reflect qualities to emulate.

Even the aspiring threat actor understands this. In specific communities, validation is actively sought and given. Some have even set up dedicated sections for others to flaunt what they’ve done. Truly a safe, no judgment zone for learning and building confidence.

Members, regardless of seniority, offering praise to others for successfully conducting “hacking”

Humans after all

At the end of the day, we’re only human after all. Malicious threat actors or not, we all want to be the best possible version of ourselves. At work (crime or not), we want a conducive environment to help us achieve more. Even though malicious threat actors will not be asking for benefits like an annual leave plan or health insurance, we’re confident that they, too, want an excellent team to work with. 

At Digital Shadows, besides recognizing how teams work on the malicious underground, we also look at the discussions between these actors and understand their attack methods and techniques. If you’d like to know more about the state of threat actors, get a demo of SearchLight here. You can additionally get a 7-day free trial of SearchLight here and receive actionable alerts regarding cyber threat activity. 
