
Criminal Operating Expenses Mostly Go to Wages, Particularly for Large Cyber Crime Groups

As medium to large cyber crime groups grow and “corporatize,” they find themselves under pressure to keep up with wages. A Trend Micro study finds that the operating expenses of these groups are largely devoted to paying employees and contractors for their work, with 80% a typical number.

The pattern is increasingly common among small cyber crime groups too: those that do over $100,000 in annual turnover also tend to spend about 78% of their operating expenses budget on paying their labor force.

Hacker operating expenses dominated by the need to pay talent, labor

While the report notes that there is not a formal definition of how cyber crime groups should be labeled in terms of size, it defines “small” groups as those with no more than five members and annual revenue under half a million, “medium” as having up to 49 members with up to $50 million in turnover, and anything bigger as a “large” group.

The “small” cyber crime groups are a micro version of the basic core structure of larger groups, usually with just one person playing the role an entire team would. A gang of five of this sort will generally have at least one specialist for coding, network administration, and general support tasks in addition to a team leader, but each will also take on multiple additional tasks (such as recruiting and advertising).

Even with these small numbers, the most basic criminal groups still tend to devote 78% of operating expenses to paying their people. The report cites “Scan4You” as a real world example of this type of business, run by only a few people but nevertheless one of the primary underground “counter antivirus” services from 2012 to 2017.

As cyber crime groups grow out of the “small” designation, they add more management layers; usually two for medium-size outfits and three for the larger ones. While one person in the medium outfits is still sitting at the head of the pyramid and calling the shots for all of the operations, there is more delegation of responsibility for everyday tasks to “middle management” figures who in turn require a larger proportion of operating expenses to keep on salary (in arrangements more resembling typical employment). An example of this type of group provided by the report is MaxiDed, an established “bulletproof hosting” provider that actively seeks out and caters to criminal clients.

The large cyber crime groups are where you start seeing corporate-style departments forming, such as customer contact and human resources. You also now see both middle and upper management figures, the latter of which may independently direct specific aspects of the operation. Groups in this tier also tend to operate physical facilities and seek out partnerships with other criminal enterprises. An example of this is the Conti ransomware group, one of the biggest operators before folding under internal strife and law enforcement attention in 2022.

The report notes that cyber crime groups also tend to become more unstable as they grow, due to a confluence of factors. Sprawling operating expenses become harder to manage, and few of the social or career bonds that help hold legitimate businesses together are present. And as large groups increasingly turn to temporary contractors for various functions, the risk of leaks of internal information multiplies. Even at medium-sized groups, regular employees are expected to put in a stressful eight-hour day of work most days, if not more.

Cyber crime groups juggle corporate problems without corporate protections

Conti is also used as an example of exactly how operating expenses for the larger cyber crime groups break down. Payroll is estimated at about $165,000 per month, just for the roughly 350 regular employees the group had at its peak, with an unknown additional expense for a substantial number of temporary contractors. Developers were paid about $2,000 per month, around what they would get locally in a legitimate corporate job with similar IT responsibilities. Internal chat leaks also reveal that “bonuses” of up to 50% of an employee’s regular pay were sometimes given out.

The group also maintained two physical office facilities in Russia for regular employees to work out of, which cost it about $26,000 per month in rent, and it engaged in its own sort of mergers and acquisitions, such as buying out the TrickBot group. Other items that took a piece of operating expenses include remote servers, software licenses, and internal record-keeping and administration.

Zane Bond, Head of Product at Keeper Security, notes that though these operating expenses are mounting, cyber crime groups are raking in more than enough money to make them worthwhile and see returns on their investments: “Like any business, criminal organizations exist to make money. By adopting traditional business models, they are able to operate more efficiently by reducing costs and increasing revenue. This is especially true in cybercrime where organizations may be operating in a typical office setting or with a remote workforce that requires some sort of formal organization. Less organized groups or solo threat actors are less likely to have all the resources needed for sophisticated or complicated attacks. It has been more difficult in the past for adversaries to organize because local law enforcement could be tapped to shut them down. However, now, with nation-states sponsoring teams and safe harbor countries intentionally turning a blind eye, many cybercriminal enterprises don’t have to operate in the shadows.”

“Large enterprises have the resources for dedicated security teams that can focus on these nuances of cyber threats, however, average companies probably do not have the resources to fund an adversary analysis project and need to protect themselves the best they can. If this is your company’s situation, the priority must always be to shore up the basics,” added Bond.

Andrew Barratt, Vice President at Coalfire, observes that defense teams must take these organizational structures into account, as they inform how target selection and attacks will unfold:

“Structure and scale. Most criminal organisations take the path of least resistance to getting a cash out. There is a lot that can be learned by modern e-commerce businesses, in particular. They get all of the upside, with no legal restrictions.”

“The most important thing a security team needs to be aware of are the tools, tactics and procedures in use by a group – size and scale are often delivered via automation for a high level of return with minimal risk of incursion by state actors such as law enforcement or intelligence. Larger groups are more likely to have been traditional organised crime syndicates that spread the full spectrum of criminality and have been ‘cyber-enabling’ their existing businesses to take advantage of the leverage and scale that technology can bring. The most fascinating trend I am seeing is the speed at which criminal organisations adopt cutting edge technology; a couple of years ago we were aware of criminals making use of AI and machine learning to do language processing (all pre-ChatGPT) to mimic the language used in emails used by their targets. They are cloud friendly, globally diverse and in a lot of cases willing to take risks with new technology because the payoffs can be so high.”


Senior Correspondent at CPO Magazine