
Researchers observed 100 hours of hackers’ techniques on honeypot computers to identify vulnerabilities and improve cybersecurity measures.

Imagine being able to sit behind a hacker and observe them take control of a computer and play around with it. That’s pretty much what two security researchers did thanks to a large network of computers set up as honeypots for hackers.

The Experiment

Andréanne Bergeron, who has a Ph.D. in criminology from the University of Montreal, and her colleague Olivier Bilodeau worked together on this research. They deployed several Windows servers deliberately exposed on the internet and set up with Remote Desktop Protocol (RDP), meaning that hackers could remotely control the compromised servers as if they were regular users.

These honeypots allowed the researchers to record 190 million events and 100 hours of video footage of hackers taking control of the servers and performing a series of actions on them. These actions included:

  • Reconnaissance
  • Installing malware that mines cryptocurrencies
  • Using Android emulators to conduct click fraud
  • Brute-forcing passwords for other computers
  • Hiding their identities by using the honeypot as a starting point for another attack
  • Watching porn

The researchers said a single hacker successfully logging into one of their honeypots can generate "tens of events" alone. Bergeron compared the setup to a surveillance camera for RDP systems, because the researchers see everything.

Classifying Hackers

The two researchers classified the hackers into types based on Dungeons and Dragons character types. They identified five types:

Rangers

These hackers carefully explored the hacked computers, doing reconnaissance, sometimes changing passwords, and mostly leaving it at that. The researchers’ hypothesis is that they are evaluating the system they compromised so that another profile of attacker can come back later.

Barbarians

The Barbarians use the compromised honeypot computers to try and brute-force into other computers using known lists of hacked usernames and passwords. They sometimes used tools such as Masscan, a legitimate tool that allows users to port-scan the whole internet.

Wizards

These hackers use the honeypot as a platform to connect to other computers, hiding their identities by making the honeypot the starting point for another attack.

Paladins

The Paladins are the most advanced hackers. They use the compromised honeypots to carry out complex attacks, such as installing malware and conducting click fraud.

Conclusion

The researchers’ experiment provided valuable insights into the behavior of different types of hackers. By setting up honeypots and observing hacker activity, they were able to classify hackers based on their characteristics and behaviors. This information can be used by security professionals to improve their defenses against these attacks.

About the Author

Lorenzo Franceschi-Bicchierai is a Senior Writer at TechCrunch, where he covers hacking, cybersecurity, surveillance, and privacy.
