Redirecting Opportunistic Operators as a Service (ROOaaS)

May 28, 2013 • Uncategorized


This theory is going to be a little out there, but go with me for a moment. It seems that you can almost get a job doing anything these days. Most people choose the high road: they pick a decent profession and try to make an honest living. Alongside those same folks, of course, are those who cause harm and annoyance and fill the niche black markets. I have yet to see it, but I’m wondering if there are security “professionals” who offer to send incoming spear phishing emails off to the would-be victim company’s competitors. In other words, save the company who pays and send all the risk to whomever they wish.

This might sound far-fetched, but between this year and last year I have run into my share of digital operators tasked with collecting information off systems, and I’ve noticed that some were more opportunistic than others. The skilled operators would collect data or install more tools only if they were on the intended target, whereas poorly skilled operators would steal everything regardless of what system they were on before killing all communications or coming back later. You could argue that the ones who steal everything are more skilled, but that discussion is for another day.

This sort of opportunistic operator behavior, while not always predictable, does create a market for the service I outlined above. Imagine Company A and Company B both produce beverages from their own secret recipes. Company A would like to ensure they are out of the digital crosshairs by having criminals and state enterprises focus on Company B. Company A hires the “redirect service,” which collects emails, files and other data known to be associated with cyber espionage and forwards them over to Company B. While there is no guarantee Company B will be compromised, their risk level is certainly increased by more incoming chances of becoming infected. If we assume Company B was infected and completely raided at the digital level, then Company A would have achieved their mission while never picking up any risk.

I agree that this sort of situation sounds strange and unlikely, but it’s most certainly possible. Why spend the time developing your own malware, hosting command and control servers and picking up all the risk of conducting an operation when you could just redirect someone else’s attack over to your intended target? Time will tell if this ever comes to market, but it would be difficult to prove either way, and that’s scary.