How Cybercriminals Recruit and Look for Skilled Developers

Certain programming skills are always in demand—even among cybercriminals.

Recently, an underground Russian forum known as XSS held a competition that sought to give away $15,000 in cash prizes to cybercriminal developers who could write an article or develop a proof-of-concept video on different topics, according to an analysis conducted by security firm Digital Shadows. The topics included searching for zero-day and one-day vulnerabilities and exploiting them, developing crypto algorithms, and how best to conduct an advanced persistent threat attack.

The contest even had a sponsor: The Sodinokibi (also known as REvil) ransomware gang, which currently produces one of the most widespread and destructive crypto-locking malware strains circulating, according to an analysis of cybercriminals’ attacks conducted by Coveware.

While these types of underground forums and contests are not new—some even date back a decade or more—the Digital Shadows analysis found that, much like in everyday business, certain developer skills are in demand among society’s darker elements, and cybercriminals are willing to pay for them.

And while $15,000 in cash prizes is a small reward compared to what Google and Microsoft pass out in bug bounties each year, it is a significant increase over competitions held only a few years prior, suggested Alex Guirakhoo, a strategy and research analyst at Digital Shadows who helped write the report on this underground contest.

“The XSS competition sponsored by Sodinokibi is characterized by several interesting or new features,” Guirakhoo told Dice. 

“It is the first time in some years that an individual threat actor or group has become involved in the organization of a competition on a prominent Russian-language forum; the accepted list of topics is very specific; the competition received mixed reactions from the forum community; the competition occurred just a few weeks after the previous XSS forum-wide competition; the media have widely covered ransomware—and particularly Sodinokibi—over the past few months,” Guirakhoo added.

The Dark Arts of Cybercriminals

A deeper look into these underground forums, whether originating in Russia or elsewhere, shows that, much like mainstream programming, certain skills are a must among cybercriminals.

For instance, Guirakhoo and his fellow researchers at Digital Shadows found that underground developers who are proficient with Python and C/C++ are currently in demand. These programming languages are needed in order to continue to develop and refine certain malware strains, even as crimeware that is rented out as a service grows in popularity with cybercriminals.

“The accepted consensus is that aspiring cybercriminals need a good basic understanding of coding to be able to progress, even with the increasing popularity of ‘as-a-service’ models that reduce the technical skill needed to carry out tasks like deploying malware or sending phishing emails,” Guirakhoo said.

In other areas, cybercriminals who have achieved a certain level of success and who see themselves as entrepreneurs or business owners are actively recruiting and searching out new talent. In an underground economy that is largely freelance-driven, it’s these bad actors who are offering money and other benefits to developers who can help them drive their interests.

“Often these advertisements state that the successful applicant will be well-paid; others go into detail about desirable working conditions and holiday allowances,” Guirakhoo said. “Many threat actors choose to specialize in one area of cybercrime, such as carding or hacking. Often threat actors become experts in one or two programming languages, dependent on the language that most suits the projects they are involved in. There is a large freelance economy in which users offer themselves for hire, listing their specific skills.”

There’s also an educational element to these forums and contests. Again, it reflects what is commonplace in the above-ground economy.

“Most Russian-language forums have news sections in which members post links to articles from publications focused on cybersecurity,” Guirakhoo said. “In this sense, competitions will change each time they are run to reflect the topics that cybercriminals are most interested in—the techniques that will be most likely to lead to a profitable crime.”

‘Black Mirror’

Other security experts also see the underground (whether it’s Russia, China or somewhere else) as a reflection of above-ground society, where certain skills and attitudes are prized and employers are willing to pay a bit more for those types of workers.

In particular, highly portable programming languages such as C++ and Go (Golang) remain popular in the underground criminal world, suggested Thomas Hatch, CTO and co-founder of security firm SaltStack. Developers who know how to deliver a project on time are also highly coveted.

“I would look at this as a bit of a black mirror. In the underworld, skills are still paid for, results still matter,” Hatch told Dice.

“Hacking operations that occur at a larger scale typically are backed by organized crime or governments,” Hatch continued. “They want to bring in talent in the same way that a corporation typically would. The way that they look for talent has to shift slightly, but many factors still apply. These groups still look for people with proven skills, and these competitions and articles allow individuals to prove themselves to those running larger-scale operations.”