My boss is a cyberterrorist: a group of crackers posted seemingly legitimate jobs on employment websites to recruit unwitting accomplices

The job offer seemed legitimate: an employment contract, office hours and fully remote work. The company behind it also had a website showcasing its professional services, all related to cybersecurity. Everything appeared to be in order, but the supposed computer security company was a front for a group of cybercriminals who used it to attract technical talent and recruit new members for their criminal organization, according to research by the cybersecurity firm Recorded Future in collaboration with Microsoft.

The criminals' intent was to build a large pool of "unwitting accomplices" who would help pave the way for their attacks without knowing exactly what they were doing. This served a double purpose: to obtain workers who, had they known the truth, would not have wanted to collaborate with criminals, and to pay them as employees rather than as co-perpetrators of multimillion-dollar crimes, thereby saving a great deal of money. However, as will be seen below, any ICT professional had more than enough signs to be suspicious from the very first moment.

The group of cybercriminals behind this company is believed to be Fin7, the same group that Microsoft links to the attack last May on the US pipeline company Colonial Pipeline, an incident that caused severe fuel shortages in part of the country. That same organization, presumably Russian, is also thought to be behind other crimes such as the large-scale theft of banking data and ransomware attacks on various institutions and companies.

The shell company in question is called Bastion Secure. Recorded Future's research indicates that the cybercriminals, using real, publicly available information from other legitimate cybersecurity companies (phone numbers or office locations), built a convincing public facade for the supposed organization. They even claimed on the website to have won several real security awards, a claim the researchers refuted with a simple Google search.

Bastion Secure's job offers targeted programmers, sysadmins, and reverse engineers working in C++, Python, and PHP. One of them, shown below in a screenshot shared by Recorded Future, offered a position as a Windows systems administrator in Russia, Monday through Friday, with 9- to 12-hour shifts. Cybercriminals, and exploitative employers too.

Screenshot of a Bastion Secure job posting, provided by Recorded Future.

The investigation also delves into the working conditions offered, and indicates that salaries for ICT specialist positions ranged from $800 to $1,200 per month: very low amounts by Western standards, but which, according to the report, are acceptable for the standard of living in the former Soviet republics.

The selection process

To begin these inquiries, Recorded Future collaborated with a person who went through the Fin7 front company's screening process. At first, they note, everything was normal: someone from Bastion Secure's human resources department contacted the candidate and arranged an interview. From there, things started to get strange.

First, the job interview was conducted entirely in writing via Telegram. After successfully completing this step, the candidate was given practical tasks related to the position, for which he had to install tools that can be used both for legitimate cybersecurity testing and for malicious activity. Once this phase was also completed, he was assigned a supposed real client for a final test.

"The task was to use a script to collect information on domain administrators, domain trust relationships, file shares, backups and hypervisors," says the report, which also specifies that during the process the candidate noticed that the company "provided access to the company network without any documentation or legal explanation, suggesting that the access may have been acquired through social engineering or purchased on the dark web; was only interested in file systems and backups; required the employee to use specific tools to avoid detection; and warned him about a hefty fine if he installed antivirus software on the virtual machine they were using."

Recorded Future analyzed the files that were sent to this person and found the post-exploitation tools Carbanak and Lizar/Tirion, which are part of any ransomware attack, as they are what allow criminals to control infected devices after gaining initial access to the victim organization's network.