Discord is now the young hacker's weapon of choice — here's why


Discord and Telegram are the young hacker's platforms of choice, and companies and other enterprises should consider blocking network access to those platforms in order to lower the risk of cyberattack, a security expert said at the RSA Conference this week.

"Discord is the potential future of the dark net," said Brook Chelmo, a senior strategist for network-firewall maker SonicWall. He added that "Discord's wonderful scripting engine makes moderators' lives much easier, but it also gives both attackers and defenders powerful tools."

Echoing what other researchers have recently discovered, Chelmo said malicious hackers are using Discord's content-delivery network (CDN) to distribute spam, house malware command-and-control servers, run bots that shill for stocks or cryptocurrencies and launch distributed denial-of-service (DDoS) attacks to knock websites offline.

But, Chelmo said, the most important factor is that Discord lets young hackers, both good and bad, quickly and easily share code, communicate and form communities. 

Because Discord is actively moderated by the people who run it, malicious hacking crews run the risk of being banned or having their group servers taken down. So they often take their most sensitive discussions to Telegram, which permits fully encrypted one-on-one discussions that even Telegram's operators can't view.

What are Discord and Telegram?

A quick primer if you're not familiar with Discord or Telegram: Both are communications platforms that run on Windows, Mac, iOS, Android and Linux alike. 

Discord was originally set up in 2015 as a chat and voice-call platform for online gamers, but has since grown to include video streaming and software delivery. Users join for free, can set up virtual "servers" for their own groups, and can upload pretty much anything for other Discord users to view or download. 

User-uploaded content is held in Discord's worldwide content-delivery network (CDN). Discord's administrators actively patrol the service to root out forbidden material such as child pornography or extremist or violent content, as well as prevent harassment of users. However, Discord's transparency reports show a huge surge in cybercrime and malware on the service since early 2019.

Telegram was created in 2013 as a free encrypted messaging app. Since then, it has added voice and video calling, group chats and video calls, as well as broadcast "channels" that send one-way messages to an unlimited number of users.

One-on-one chats, voice calls and video calls can be end-to-end encrypted so that Telegram's administrators can't see the content. Group chats and calls cannot be, but that hasn't stopped all sorts of nefarious groups, from ISIS to malicious hackers, from using Telegram to communicate.

Who are these young hackers and why do they work so fast?

Chelmo said he gained entry into this world in 2019, when an article he had written about the HildaCrypt ransomware crew (named after the Netflix kids' cartoon) was retweeted by the ransomware crew itself.

"I reached out and we started talking," Chelmo recalled. "They introduced me to a whole new world of Generation-Z hackers working on Discord."

Older hackers taught themselves to code using secondhand manuals and a lot of trial-and-error tinkering, Chelmo said, but the kids these days get ahead much faster. 

They meet on Discord, form groups and buy a lot of pre-existing malware modules online, which they can rapidly assemble into complex new malware. If they have trouble using the malware modules, many of the modules are sold with customer support.

As an example, Chelmo said that in 2008, it took a five-man crew nine to 12 months to create and distribute the Koobface worm, which stole data from Facebook, Gmail and other social-media and webmail platforms. 

In 2020, a "similar-sized crew" took only three months to create very effective ransomware. It would have taken even less time, except that the crew wanted to make its malware the next-gen "fileless" variety to evade detection. What made the difference was the availability of Discord, Telegram and modular malware.

"Discord allows them to hack on the cheap," Chelmo said. "Discord can deactivate their server, but they can replicate it quickly." 

The platform also lets them "ping" servers and test for vulnerabilities and exposed login credentials. If hackers are running ransomware, they can accept payments in Bitcoin, then "wash" it into alt-coins such as Monero, convert it back into Bitcoin and cash out using PayPal.

Common characteristics, plus a lot of anger

There were some interesting common characteristics that Chelmo observed among the young hackers he encountered online, whether they were involved in cybercrime or not. While they come from diverse backgrounds, many supported hacktivist groups and felt a desire to join a community. 

The difference between the "good" and "bad" hackers was simple, Chelmo said. Those involved in cybercrime were pessimistic about the future and their own career prospects, and often had suffered betrayal or loss — one had bitcoin stolen by a friend, another learned to hack to get back at school bullies, a third hacked the workplace of his girlfriend's father after the man forbade the relationship.

The hackers defending against cybercrime were more optimistic about their careers, and some had crucially been rewarded for defensive hacking as teenagers. Chelmo said one hacker was encouraged when Red Bull sent him cases of its energy drink after he found a problem with the company's software.

But the Russian hackers were a bit different, he added. Russia and other Eastern European countries have a sense of isolation from the West dating back nearly a thousand years, Chelmo said. Young Russian hackers said that even today, they're taught that the West is evil. It's one reason Russian hackers will often go after German and American targets — and one reason the Russian government lets them.

"There's lots of anger at the West, and a desire for revenge," Chelmo said.

What is Discord doing about this?

Discord, to its credit, is very clear about how it handles abuses of its service. It now releases transparency reports twice a year, which show an increase in malware and especially cybercrime.

Malware was 1.5% of reported abuse in the first three months of 2019, 1.8% in the last nine months of 2019, 2.9% in the first half of 2020 and 3.5% in the second half of 2020.

Cybercrime wasn't a category in the 2019 reports at all. In the first half of 2020, it was 5.2% of all reports. In the second half of 2020, it was 12%. 

The biggest slice of the pie in all four transparency reports was harassment, which was reported more than 275,000 times to Discord administrators in 2019 and 2020. But it's spam, child sexual content and other exploitative content that is most likely to get a Discord user banned. 

"Responding to malware and cybercrime takes a far back seat to this stuff," Chelmo said, although Discord admins did take action in 41% of reported cybercrime cases in the second half of 2020.

What can you do about this?

Because RSA Conference is focused on business security, Chelmo's advice mainly fell along those lines: Configure your company firewall to block Discord and Telegram, train your employees how to respond to cyberattacks, and so on. 

But some of his advice applies to consumers as well. Use one of the best antivirus products — one that has a configurable firewall (or lets you configure the Windows one) and also performs heuristic monitoring to catch "fileless" malware that runs only in memory. Use strong, secure, unique passwords; one of the best password managers will go a long way to help with that.

Some of Chelmo's advice to companies was more long-term and geared to win over more young hackers to the good side. 

"Consider hiring people without a college education," he said. "Look for certifications and skill sets. Look for more women seeking technical roles. Be more sensitive about human link to climate change," a huge issue for many people in their teens and 20s. 

"Consider hiring from the former Soviet Union," where many young people who may turn into malicious hackers live, he added. "Give them the benefit of the doubt."

Paul Wagenseil
