Researchers from Cyberint detailed a relatively new advanced persistent threat group (APT) that has compromised major organizations and APTs in Russia, China, Iran and North Korea.
Dubbed BlueHornet, and also known as AgainstTheWest and APT49, the group seemed like a daring hacktivist outfit at first, but the Cyberint Research Team wrote on its blog that it is “one of the more interesting groups currently in play.”
As some APTs have taken sides in the Russia-Ukraine conflict, BlueHornet actors set their sights on groups that backed Russia, first taking down a French group called the CoomingProject.
BlueHornet has also published sensitive information of at least five individuals associated with various nation-state sponsored groups, including email accounts, social media profiles, family members and bank accounts. It has leaked information of individuals of at least two China-based groups, Gothic Panda and Kryptonite Panda, as well as North Korea’s Lazarus Group.
Cyberint noted that BlueHornet has leaked information of at least two hackers on the FBI’s most-wanted list and is particularly proud of leaking information of an officer in Russia’s FancyBear group, which is linked to the country’s military intelligence agency. Dmitriy Sergeyevich Badin’s mostly private details, including information about his relatives, were revealed.
Besides state-sponsored groups, BlueHornet has also targeted large organizations in Russia, Iran and North Korea, including China’s Alibaba, WeChat, MyBank and Amazon China.
The Cyberint researchers note that the working assumption is that BlueHornet originated in North America or another NATO country, and the group has stated that it will never target Western countries, hospitals or schools. The group claims its members are former intelligence figures who hold several certificates and degrees in cybersecurity and computer science.
The researchers said they observed that BlueHornet started out as a hacktivist group and appeared to have tried to become state-sponsored itself, but ultimately decided to lie low and deleted most of the leaks from its Telegram channel.