The aim of a Threat Intelligence-type approach is to obtain intelligence (contextualised information) on the threats that could affect an organisation and to use it to guard against an attack. These threats are identified as individual or collective entities that have both the intention and the capacity to cause harm.
Studying only the various components of a computer attack does not cover an attacker’s entire operating chain. It is imperative to also observe the events upstream and downstream of the operation in order to obtain a complete view of the potential and proven threats. This Cyber Threat Intelligence-type approach allows us, in particular, to observe the way in which hackers equip themselves with skills and materials, as shown in the following diagram:
The various elements of analysis presented later in this article are based on the study of Arabic-speaking attackers motivated by profit (cybercrime). The phenomenon of hacktivism (ideology), traditionally expressed through defacements carried out using technical training acquired primarily through tutorials available on YouTube, is not addressed. The same goes for cyber-espionage, the nature of which allows for only very limited room to manoeuvre in terms of anticipation.
Learning platforms dedicated to the Arabic-speaking community
The forum is a platform type favoured by anyone who wishes to broaden their knowledge. Arabic-speaking hacking communities are not immune to this phenomenon and have their own spaces in Arabic.
The most widely used of these, Dev-point, has around 165,000 members who exchange a massive amount of information on two themes: bypassing antivirus software and IT system security. The first theme is essential for hackers who create and/or make use of malware. They usually opt for a method of encrypting their malicious files in order to make them undetectable by the greatest possible number of antivirus products. In addition, the forum has a large ‘competition’ section which provides cryptographic, programming and even encryption-cracking challenges. Access to the different sections of the forum is conditional on prior registration. However, registration is now impossible, having been blocked by the administrators.
The Aljyyosh forum (which translates as “armies of hackers’ forum”) has around 150,000 members and specialises in the art of website intrusion. It is structured around sections such as flaws/vulnerabilities, hacking techniques, hacking tools, and the hacking of networks, equipment and email addresses. Registration is not obligatory to access the various sections but is required for members wishing to interact with each other.
There are many Arabic-speaking forums dedicated to the theme of hacking, but Dev-point and Aljyyosh stand out due to the topics discussed and traffic generated. It is also interesting to mention the VBspiders forum, the contents of which are similar and the number of members significant (around 160,000).
Another commonality shared by these three main forums is that their administrators formally prohibit commercial activities, such as carding or the sale of technical elements, on their platforms.
The Arabic forums are thus very much focused on learning through hacking training and the presentation of offensive tools. The acquisition of exploits or malware is carried out via general and often multilingual platforms.
Sources common to the various communities
The Exploit-db website, which is heavily used by the Arabic-speaking community, is an excellent source of information for anyone interested in so-called offensive security.
This website is a database that archives the exploits corresponding to software vulnerabilities. It was developed to serve penetration testers and vulnerability researchers. The aim is to create the largest collection of exploits gathered through voluntary submissions, mailing lists and other public sources. This database is freely accessible and claims to be a repository of exploits and proofs of concept rather than a source of advice. Approximately 35,000 exploits have been listed in this database so far.
The Inj3ct0r website is very widely used by hackers who wish to buy exploits (private – remote – local – web applications – dos/poc – shellcode) or share new vulnerabilities.
Most Arabic-speaking hackers use malware that is freely distributed on multilingual open sources or sources that can be accessed following a series of search-engine requests. Some develop their own malware and mostly sell it locally to people they trust. This malware does not pose a significant threat because it is often badly programmed and easily detected by antivirus companies.
The black markets found on the Dark Web are also important sources of skills acquisition for the entire hacker community. The three largest platforms (Agora, AlphaBay and Nucleus) offer 65,000 advertisements every day, the majority of which are for products related to more ‘traditional’ crime: around 60% concern drug trafficking. The exchanges carried out on these black markets also reflect the rapid rise in the skills of hackers: digital products (software, malware) and their associated user guides allow anyone to acquire a certain level of knowledge and sell on the fruit of their illegal activities (stolen data) on these same black markets. This phenomenon accounts for around 30% of the activity of the three major platforms.
We can thus conclude that the Arabic-speaking community conducts the theoretical part of its grounding, i.e. the acquisition of computer hacking skills, via different media. The Arabic-language forums are an ideal learning environment because of the many exchanges between registered members. The practical side of things, i.e. arming themselves with exploits and malware, takes place on a very diverse range of websites accessible to all hacking-orientated communities.