Security researchers conducted an experiment involving a network of honeypot computers that allowed them to observe hackers in action. These honeypots were deliberately exposed on the internet and set up with Remote Desktop Protocol (RDP), enabling hackers to remotely control the compromised servers. Through this experiment, the researchers recorded 190 million events and 100 hours of video footage, capturing hackers engaging in various activities.

The researchers observed hackers carrying out reconnaissance, installing malware for cryptocurrency mining, using Android emulators for click fraud, brute-forcing passwords, hiding their identities by using the honeypot as a starting point for other attacks, and even browsing pornographic content. A single successful login by a hacker into a honeypot could generate multiple events.

Andréanne Bergeron, who holds a Ph.D. in criminology from the University of Montreal and also works at cybersecurity firm GoSecure, explained that the experiment was like having a surveillance camera for RDP systems, providing a comprehensive view of the hackers’ actions.

The researchers classified the hackers based on Dungeons and Dragons character types. The “Rangers” conducted careful exploration of the compromised computers. The “Barbarians” attempted to brute-force their way into other computers using known lists of hacked usernames and passwords. The “Wizards” used the honeypot to connect to other computers, intending to hide their trails and the origins of their attacks. The “Thieves” sought to monetize their access to the honeypots by installing crypto miners, performing click fraud, or selling access to other hackers. Lastly, the “Bards” were less skilled hackers who used the honeypots for simple tasks like searching for malware or browsing porn.

The researchers believe that observing hackers in action through honeypots can be useful not only for research purposes but also for law enforcement and cybersecurity teams. Law enforcement agencies can lawfully intercept RDP environments used by ransomware groups and gather intelligence from recorded sessions. Defensive cybersecurity teams, or blue teams, can use this information to better protect their organizations. By revealing the tradecraft of opportunistic attackers, this type of observation may lead to a slowdown in hacker activities and benefit everyone involved.

In conclusion, the honeypot experiment provided valuable insights into the behaviors and strategies of hackers. It highlighted the importance of observing hackers’ actions and how doing so can help strengthen cybersecurity defenses.