Through observation and analysis of open source information and of behavior on multiple closed forums, Intel 471 found actors adopting legitimate big data technology for cybercrime and monetizing the data they obtain on the Chinese-language underground.

The behavior Intel 471 has analyzed points to a cycle that involves several different layers of cybercriminals, the use of insider information, and unwitting victims in order to earn ill-gotten gains. The schemes themselves, says Intel 471, "proliferate partly due to China’s desire to be a global epicenter in big data analytics, especially as it pushes to become synonymous with new technology sectors like the Internet of Things (IoT). With China injecting big data into every economic sector, the environment has become ripe for criminals to create and execute schemes that hide in the noise brought on by the amount of data at hand."

Intel 471 observed that the data monetization chain within the Chinese-language underground consists of the following groups or individuals, with a clear division of labor and responsibilities and a delineated chain of command:

  • A boss or requester who requires data for illegal use or commands a group or syndicate dealing with illegal products or services.
  • Insiders or hackers who receive instructions directly from a boss and can gain access to raw data and extract the information from a service provider. These individuals profit from the information they provide to the main boss or requester.
  • Middlemen who act as intermediaries for the boss and any other individuals requesting to purchase such data products. The middlemen profit by taking a cut of the commission from product sales.
  • Escrow and underground platforms which serve as an avenue for the syndicate or middlemen to advertise their products. End users, such as scammers, multiple types of threat actors and even direct marketers can purchase the data or engage the services of such syndicates directly on these platforms.

Dirk Schrader, Global Vice President, Security Research at New Net Technologies (NNT), a Naples, Florida-based provider of cybersecurity and compliance software, says, "It comes as no surprise to read that cyber criminals are employing the same principles as some of the large social media companies. That’s the back side of the big data coin. The report also underlines the relevance of the latest reports about data breaches or accumulated data vaults stemming from previous breaches of social media sites. The more the bad actors know about a target, the better becomes their craft. It will become even harder for a regular user to recognize a phishing email, or for the employee in corporate finance to identify a BEC attempt. For them, those potential targets, it will become crucial to control their exposures, the data shared by the company, by employees. In addition, having change control embedded in a given infrastructure will become the last line of defense, as the likelihood of a successful phish is increasing."

Hank Schless, Senior Manager, Security Solutions at Lookout, a San Francisco, Calif.-based provider of mobile security solutions, explains, "Many of the scenarios emphasized in Intel 471’s research highlight an insider threat that is willing to leak large amounts of sensitive data. Many organizations’ cloud-based infrastructure has gotten so large that they lack visibility into who is accessing what sensitive data. Understanding data access is even more difficult when the biggest threat comes from people on the inside who are less likely to trip any alarms when accessing sensitive company data." 

Schless adds, "It’s important to secure access to all cloud infrastructure and resources by implementing a cloud access security broker (CASB) and Zero Trust Network Access (ZTNA) solution that enables you to create context-aware access policies. These solutions should be able to parse out device behavior and user behavior to understand if the person attempting to access resources is who they say they are. This is a core principle of the Zero Trust model. Continuous monitoring and analysis of user behaviors enables you to detect and respond to insider threats like the ones described by Intel 471. With your employees accessing cloud-based infrastructure and resources from so many different devices and locations, intelligent access policies help mitigate the risk of data loss."
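As an added illustration (not code from Intel 471 or Lookout) of the behaviour-based monitoring Schless describes, the toy below builds a per-user baseline from constructed access records and flags sessions that come from a device the user has never used or that export far more records than that user's history; the log records, field names and z-score threshold are all constructed, and a handful of history rows is far too few for a real baseline.

```python
"""Toy context-aware check for insider bulk-data access (added example).

Per-user baseline: how many records the user normally exports per
session and which devices they have used. A session is flagged when it
uses an unknown device or its export volume is far outside the user's
own history. All data below is constructed for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed access history: (user, device_id, records_exported)
HISTORY = [
    ("alice", "laptop-01", 120), ("alice", "laptop-01", 95),
    ("alice", "laptop-01", 140), ("alice", "laptop-01", 110),
    ("bob", "desk-07", 20), ("bob", "desk-07", 35),
    ("bob", "desk-07", 25), ("bob", "desk-07", 30),
]


def build_baselines(history):
    """Per-user mean/population-stddev of export volume and known devices."""
    counts, devices = defaultdict(list), defaultdict(set)
    for user, device, n in history:
        counts[user].append(n)
        devices[user].add(device)
    return {
        u: {"mean": mean(c), "std": pstdev(c), "devices": devices[u]}
        for u, c in counts.items()
    }


def evaluate_session(baselines, user, device, records, z_limit=3.0):
    """Return the reasons a session should be flagged; empty list if normal."""
    base = baselines.get(user)
    if base is None:
        return ["unknown user"]          # no history at all: needs review
    reasons = []
    if device not in base["devices"]:
        reasons.append("new device")      # context signal: unfamiliar device
    # Volume anomaly as a z-score against the user's own history.
    # Guard against a zero stddev (perfectly regular history).
    std = base["std"] or 1.0
    z = (records - base["mean"]) / std
    if z > z_limit:
        reasons.append(f"volume spike (z={z:.1f})")
    return reasons


if __name__ == "__main__":
    b = build_baselines(HISTORY)
    # A normal session, then a bulk export from an unfamiliar device.
    print(evaluate_session(b, "alice", "laptop-01", 130))
    print(evaluate_session(b, "alice", "usb-unknown", 50000))
```

In practice the same logic would run over CASB or identity-provider access logs and feed an alert or a step-up authentication decision rather than a print statement.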