Cybercriminals Hire White Hat Hackers Disguised as Cybersecurity Firms

According to experts, since late 2020, this type of attack has been targeting American companies, but it may soon spread to Russia as well. Cybercriminals have started hiring “white hat hackers” under the guise of legitimate cybersecurity companies such as Check Point Software Technologies and Forcepoint, reports Kommersant. The “white hat hackers” are unaware that they are actually working for malicious actors.

The first group to use this tactic was FIN7, which developed a program disguised as a penetration testing tool—software used to analyze the security of operating system networks. Experts say that these attacks have been ongoing against American companies since late 2020, but Russian organizations could be targeted next.

Check Point representatives in Russia and the CIS believe that scammers are taking advantage of the trust of companies seeking to save money on penetration testing services. Using a well-known brand name helps criminals gain credibility. During penetration tests, specialists often receive high-level privileges to access systems, and attackers can exploit that access.

According to Positive Technologies, until 2021, there were no known cases of scammers involving penetration testers in such schemes. Previously, attackers targeted them differently and for other purposes. For example, in the first quarter of 2021, members of the North Korean Lazarus group contacted cybersecurity specialists via social networks and messengers, pretending to be colleagues and then inviting them to read an article on a personal blog. If the victim used Google Chrome, their computer would become infected. The goal of these attacks was to steal confidential information from devices.

Now, however, “white hat hackers” are unknowingly becoming part of the attack, helping cybercriminals address their staffing shortages. FIN7, founded in 2013, is known for attacks aimed at financial gain or espionage. In 2020, the group was actively involved in “Big Game Hunting”—attacks on large companies to extort ransom for decrypting data.

Group-IB reports that there have already been cases where Russian organizations received malicious emails from FIN7. However, so far, these have only been test runs, not actual attacks.