New research from Cisco Talos suggests a second tier of APT actors serving in a support role for government hacking campaigns, behaving more like cybercriminals. 

new analysis of the noisy pro-Russian hackers Gamaredon released Tuesday by Cisco Talos suggests that maybe it is time to start thinking of hacker groups as more than either advanced persistent threat or criminal attackers. 

It’s already well established that some APTs operate as criminals. Several international governments, including the United States, have identified North Korean state-sponsored hackers as stealing on behalf of the government, and other groups have been identified by vendors as state-sponsored groups with actors who occasionally freelance as criminals.

What Talos suggests is something else entirely: That there is a second tier of APT actors serving in a support role for government hacking campaigns who behave more like cyber criminals. 

“If I have to be targeted by an APT then it’s all over. It’s not something that I can defend against,” Victor Ventura, a co-author of the report, told SC Media. “The point is, with this kind of group, you can defend against them. You might be targeted just because you are there on the internet, not because you have a specific target of an APT, but because you are there.” 

Most APTs, said Ventura, keep a small infrastructure footprint on the internet, pick targets carefully, and either retooling or restructuring their infrastructure when they are exposed. They start quiet and disappear when they are heard. Gamaredon is the exact opposite. 

Gamaredon was first identified in 2013 and originally thought to target primarily Ukraine. But the new Cisco research shows that the group is willing to target anybody, unlike the traditional model of espionage focusing on a few defined regions or industries at a time. Gamaredon targeted U.S. educational institutions, European telecoms and hosting providers and a large African bank. While Ukraine is certainly a main target, many others are in the crosshairs. 

“We have a group who has a very specific interest in a particular nation. That’s well known, well documented and factually correct. What we’re saying is, they actually carry on a myriad of other campaigns that we don’t believe to be directly associated with this same APT element,” Warren Mercer, the report’s other co-author, told SC Media. 

The authors believe the broad base of attacks imply that the group is being used as a support team for other APTs. 

Gamaredon uses a gigantic infrastructure for attacks which it has not left behind, even after exposure. That is fairly similar to the operation of crimeware groups, and like crimeware groups, it leaves them easier to detect than other APTs.

A group that operates similarly, according to the report, is the Promethean group. 

“Just like with crimeware, where beyond the big sharks there are also the support guys who just sell harvesting credentials, tier two APTs would be the support for the APT world,” said Ventura.