Behind the Scenes of Hacking: Researchers Watched 100 Hours of Honeypot Hackers in Action

Imagine having a front-row seat to observe hackers in action as they take control of computers and navigate through their malicious activities. Thanks to an extensive network of honeypot computers set up to attract hackers, this scenario turned into reality for two cybersecurity researchers. In a remarkable experiment, the researchers deployed a series of deliberately exposed Windows servers equipped with Remote Desktop Protocol (RDP), providing hackers with remote access to these machines.

The honeypot setup allowed the researchers to capture a staggering 190 million events and record over 100 hours of video footage. Within this treasure trove of data, they witnessed hackers engaging in various activities, providing unprecedented insights into the world of cyber intrusions.

The hackers’ actions ranged from reconnaissance and installing cryptocurrency mining malware to using Android emulators for click fraud, brute-forcing passwords on other computers, routing subsequent attacks through the honeypot to conceal their identities, and even unrelated activities like watching explicit content.

Andréanne Bergeron, a cybersecurity professional from GoSecure, explained that the honeypot acted as a surveillance camera for the RDP system, granting them unparalleled visibility into hackers’ tactics and behaviors.

The researchers classified hackers into different categories based on Dungeons and Dragons character archetypes, adding an intriguing layer to their analysis:

  1. Rangers: These hackers carefully explored the compromised computers, assessing vulnerabilities and sometimes altering passwords. The researchers believed they were evaluating the system for future, more impactful attacks.
  2. Barbarians: These hackers attempted to brute-force their way into other computers using known lists of compromised usernames and passwords. They used tools like Masscan for large-scale port scanning.
  3. Wizards: Wizards utilized the honeypot as a springboard to connect to other computers, obscuring their attack origins and trails. This allowed defensive teams to gather valuable threat intelligence.
  4. Thieves: This category of hackers aimed to monetize their access. They deployed tactics like installing cryptocurrency miners, executing click fraud, and even selling honeypot access to other hackers.
  5. Bards: The least skilled group, often using cell phones instead of computers, were more interested in casual browsing, including watching explicit content. They may exploit compromised systems to access content restricted in their home countries.

The researchers highlighted the potential value of observing hackers’ interactions with honeypots. Law enforcement could lawfully intercept these environments to gather intelligence for investigations, while cybersecurity defensive teams could use the data to enhance their own protection measures. Additionally, the mere existence of honeypots could force hackers to reconsider their strategies, potentially leading to a slowdown in cyberattacks—a benefit for the broader digital community.

This groundbreaking study sheds light on the intricate world of hackers, offering a unique perspective that has the potential to drive advancements in cybersecurity strategies and practices.

© TechMub. All rights reserved.