New Research Shows World’s Top Hacker Groups Hack Each Other

Sophisticated hacking groups are targeting competitors to steal techniques, data and tools

New findings show that highly sophisticated malicious actors regularly hack each other, stealing tools and techniques along with any victims’ data they can find. These well resourced groups also their steal competitors’ infrastructure whenever possible, letting them take advantage of pre-built networks to perform further hacks. In their analysis, Kaspersky Lab’s team stated their belief that most of these attacks come from nation-backed organizations. Their primary targets are groups in foreign nations or less-skilled organizations.

In addition to creating larger threat networks, these hacks also make it more difficult for researchers to accurately assess potential threats. Mapping out malicious networks is already a difficult task, and these hacks yield seemingly contradictory data as malicious actors often have differing goals and techniques. If a botnet changes hands, for example, it might mislead researchers into thinking the previous owner has changed tactics.


The team differentiated between passive and active attacks. Passive attacks typically involve monitoring data as it passes between malicious actors and those they’re targeting. These attacks are effectively impossible to detect in most situations, making them difficult to map and detect. Active approaches, on the other hand, involve attacking infrastructure to steal information or take control. Active attacks can yield more advantages for attackers. However, the risk of detection is much higher with active approaches. Furthermore, active attacks often require targets to make mistakes.

Command & Ctrl

One of the primary tools, especially in active attacks, involves installing backdoors in command-and-control interfaces. C&C interfaces are used by malicious actors to control botnets and other similar networks. This type of infiltration lets attackers gain a presence within the network, letting them utilize resources or steal information. Kaspersky Lab has detected at least two such attacks in the wild. The Chinese-language NetTraveler, a campaign that targets activists and other organization within Asia, was infiltrated in 2013. In 2014, a Russian-language entity in existence since 2010, was infiltrated as well. The attackers were not identified.

Some websites were also infiltrated by multiple malicious actors at the same time. One website was first hacked by a Korean-language group called DarkHotel. A group called ScarCruft, which primarily targets South Korean, Chinese, and Russian organizations, also had scripts on the affected website. Because the ScarCruft team’s script arrived just a month after the April, 2016, DarkHotel attack, researchers believe the ScarCruft team likely observed the DarkHotel attack.

The research also showed signs of cooperation between malicious actors, who would share resources with each other instead of focusing on theft. Kaspersky Lab found, in 2014, that English-, Russian-, Spanish, and French-language groups all had implants on a server in the Middle East called the Magnet of Threats. This approach, however, can be risky; if a less sophisticated group is detected, their presence can alert others of groups sharing the server.

Hackers and other malicious actors typically act in private, and unraveling their resources, techniques, and goals is difficult. However, research can go a long way to helping teach the public about the threats posed by these entities. Furthermore, research has shown just how sophisticated these organizations can be. As more and more governments support malicious actors for profit or to damage other nations and entities, the threat is only expected to increase. Find out more about the findings on Kaspersky Lab’s SecureList blog.