Someone of a cynical persuasion may think it was only a matter of time until ‘outsourcing’ came to the cybercrime business. While this inevitability may be debatable, the early success of the model certainly isn’t. Ransomware-as-a-Service (RaaS), for instance, has been such a boom that there are expansive studies into the trends and changes solely impacting RaaS transactions.
In fact, in late January the Department of Justice unveiled a campaign — and charges — against the NetWalker ransomware group, which were operating as a RaaS offering. The case, in which healthcare organizations were targeted and the first defendant was seized with $500,000 in cryptocurrency, shows the success and maliciousness of this outsourced economy.
With the undeniable success of Ransomware-as-a-Service (RaaS), it isn’t surprising the cybercriminal market would look to expand the list of illicit services on offer. Until recently, however, cybersecurity professionals could sleep a little safer knowing that true APT style attacks remained within the realm of nation-state actors.
In December, the BlackBerry Research and Intelligence team unveiled a sophisticated cyber-espionage campaign targeting disparate victims around the globe. The campaign — which was dubbed CostaRicto by the research team — appears to be operated by the same “hackers-for-hire” model.
The reality of the findings is as stark as it is concerning. The CostaRicto campaign was executed by a highly talented band of APT mercenaries who possess bespoke malware tooling, complex VPN proxy and SSH tunneling capabilities.
The techniques unearthed by the BlackBerry research team certainly point to an adversary with a significant skillset. In fact, the backdoor used as a foothold was a completely new — never before seen — strain of malware, revealing an operation both skillful and well-funded enough to develop a custom-built malware tool with both well-structured code and detailed versioning system.
The other techniques used also reveal a level of care and sophistication. The command-and-control (C2) servers were managed via Tor and through a layer of proxies. After this, a complex network of SSH tunnels were established in the victim’s environment.
However, the most important finding, in my mind, is the ongoing nature of this project. The ‘futureproofing’ and constant development put into this architecture — from the detailed versioning system to the well-structured code which allowed for easy expansion — all suggest that the toolset is part of a long-term campaign.
This skill and forethought also was clearly apparent in the cyber-espionage-for-hire group unearthed in BlackBerry’s BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps report. The research uncovered not only a web of elaborate disinformation entities and mouthpieces, but also a web of extremely targeted and elaborate phishing and credential harvesting, hundreds of new Windows malware samples, as well as the use of zero-day exploits and anti-forensic techniques.
These two campaigns are a clear sign that mercenary groups offering APT-style attacks are becoming more and more popular. Why? Because outsourcing an espionage campaign to a mercenary group allows nation-states, businesses and individuals who do not have the required tooling, infrastructure or experience to conduct an attack and gain information using the tactics, techniques and procedures (TTPs) used more commonly by highly sophisticated state-sponsored campaigns. Plausible deniability also enters as a factor, making this tactic appealing.
But perhaps most dangerously, the profile and geography of potential victims has diversified exponentially. And these victims will become increasingly ‘random’ or illogical when analyzed for any commonality. This means that attribution for some of the most seismic cyberattacks is going to become even more difficult. It also means that more targets — and more outsourced entities — are likely to be in play. It’s important that we remain vigilant in our security postures, and that as a profession we continue the work in identifying these, and future, ‘hack-for-hire’ groups. Because as these bad actors become more brazen and skillful, it will be on us as security professionals to ensure we’re equipped with the right skills and technologies to fight these threats.