Rise of a new breed of hackers: Initial access brokers break into company networks for other crooks


SINGAPORE - In the digital world, hackers are more than just thieves - they can also be pathfinders.

A hacker might choose not to steal a company's data after breaching its network or system, but instead sell the illegal access gained to cybercriminals such as ransomware gangs.

The number of hackers who offer such services - known as initial access brokers - has grown in recent years, according to findings by Singapore-based cybersecurity firm Group-IB earlier this month.

There were 262 brokers operating globally between the second half of last year and the first half of this year. This is more than three times the number operating between the second half of 2019 and the first half of last year.

Singapore's share of the market for access services in the Asia-Pacific region increased between the two periods, from nearly 3 per cent to 4 per cent.

This market share is based on the number of illegal access offers to networks of Singapore companies.

Initial access brokers focus on getting long-term access to the information technology services and networks of organisations in both the public and private sectors.

Such access is usually obtained by using stolen log-in details to online accounts, such as usernames and passwords, as well as discovering and exploiting security vulnerabilities in corporate networks.

The compromised accounts are usually virtual private network accounts, or accounts for software that allows employees to access company networks or their computer desktops remotely.

The access sold by brokers allows cybercriminals to wreak havoc in a compromised network, such as stealing data, locking it up with ransomware, or sending phishing e-mails to the victim company's clients.

Initial access brokers usually sell access to a compromised network on the Dark Web and hacker forums. But some of them sell only to private clients, such as cybercriminals with whom they have established partnerships.

Between the second half of last year and the first half of this year, the average price offered by a broker was US$7,000 (S$9,560), said Mr Vladimir Timofeev, head of Group-IB's underground research and monitoring group.

The prices, which are set by the brokers, are based on several factors, such as the victim company's industry and its revenue.

The brokers also consider how far they have got into the compromised network, such as having access to the company's back-up and sensitive data.

"The most valuable asset for the brokers' customers is access with domain administrator rights that gives the threat actors all existing privileges, including all information in the network and the right to manage other accounts," said Mr Timofeev.

Initial access brokers are a recent phenomenon in the cybercrime scene, with a hacker known as Fxmsp pioneering the trend in October 2017.

The demand for access grew further in 2019, when ransomware attacks around the world increased significantly.

"Initial access brokers remove the need for ransomware operators to break into corporate networks on their own," said Mr Timofeev.

He also said the low threshold to become a broker contributed to the rise of the initial access market.

"The fact that tools for conducting full-fledged attacks against corporate networks are widely available means that underground actors can make money with little effort," he said.

The rise of the market was also furthered by the Covid-19 pandemic, during which remote working practices became common.

This generally lowered the security posture of companies, said Mr Timofeev.

"For example, people started to use remote access software more often, giving attackers more opportunities to penetrate corporate networks by compromising employees' personal devices (which are usually more vulnerable to cyberattacks)."
