In the span of just over three months, researchers have exposed three mercenary, “hacker-for-hire” groups engaging in industrial espionage and stealing corporate secrets for profit.
Despite using tactics, techniques and procedures that are more typical of a nation-state APT group, these threat actors – Dark Basin, DeathStalker and an unnamed third group detailed late last month by Bitdefender – appear to have no government sponsor. Instead, they offer their cyber spying services to the highest bidder, in the form of organizations or individuals who seek intelligence on their business competition or their perceived enemies.
Such mercenary groups have long existed, but this rapid-fire set of discoveries at the very least suggests a possible trend. Might we be witnessing the first wave in a new influx of APT-for-hire groups entering the dark web market, ready to prey on businesses?
In a recent white paper, Bitdefender said this “commoditization of APT groups” is “likely to become the new normal.”
“The fact that more security vendors have started seeing these APT-style tactics and techniques being used suggests that this could be the latest trend and a natural evolution towards APTs-as-a-service,” said white paper co-author Liviu Arsene, global cybersecurity analyst at Bitdefender, in an interview with SC Media. “Just as traditional malware evolved into malware-as-a-service or ransomware evolved into ransomware-as-a-service, it was only a matter of time – and a somewhat natural evolution – before APT hackers would start offering their contract-based services and skills to the highest bidder.”
And if that’s true, companies may not be ready for it – especially smaller ones.
“The real risk is that APT hackers-for-hire will change the way small and mid-sized companies approach security,” said Arsene. “For example, if a small company in real estate or architectural design did not have APTs in their threat model, now there’s a high probability they could be facing APT-style attacks simply because they’re contractors in large projects. The same holds true for any small and mid-sized business, which means that this new APT-as-a-service threat could trigger a wave of changes into how these companies plan and implement security from now on.”
Brandon Hoffman, CISO at Netenrich, believes several factors may be behind the emergence of these latest mercenary hacking entities.
“Most notable is the success these groups have. The more success mercenary groups have, the more skilled people will turn to this type of operation,” said Hoffman.
The increased availability of APT-style tools may be another factor. In some cases, the mercenaries might even be state-sponsored actors looking to make an extra buck in their spare time. “We have seen repurposed malware from nation-state activity appear in financially motivated cybercrime, which indicates this moonlighting behavior,” said Hoffman. Other actors, meanwhile, are “strictly financially motivated cybercriminals” who are “simply looking for a new or cleaner way to monetize their skills beyond the traditional methods. This is possibly related to the increased success of anti-fraud and limited cash-out mechanisms available to cybercriminals.”
And finally, we might be encountering more of these mercenary groups for the simple fact that researchers and analysts are getting better at spotting them. “There is a definite level of effort happening in the research world as identification techniques improve and researcher skill increases to expose these groups,” Hoffman added.
Stephen Boyce, principal consultant at the Crypsis Group, agreed, noting that “over the past few years, there has been an increase in open-source intelligence and cyber threat training & certifications, which has given security practitioners new tactics, techniques, & procedures for tracking them down, making their activities more apparent.”
A Trio of Trouble
Dark Basin, DeathStalker and the group exposed by Bitdefender each exhibits its own unique targeting and attack behavior.
Most recently, Bitdefender exposed a hackers-for-hire group using South Korean-based command-and-control infrastructure to conduct cyber espionage operations against an unidentified international architectural and video production company that engages with billion-dollar real-estate developers in New York and elsewhere around the world.
This leads to one of the most intriguing questions when it comes to these hacking-for-hire groups: Who is actually contracting them?
And that’s where the trail sometimes goes cold, as these types of services shroud the paying party in anonymity. Indeed, “It is exceedingly difficult to identify the hiring entity unless the result of the mercenary group becomes exposed or the TTP is unique to a specific industry,” said Hoffman.
“Since the motives behind these attacks can’t usually be tied to global economic or political events, but rather to specific interests, it’s only a matter of speculation as to who could have backed the operation,” said Arsene. “For example, in real estate, it could be anyone from a direct competitor in real-estate investment or in services related to real estate, such as construction, advertising, or architecture.”
Bitdefender echoed this sentiment in its white paper, stating: “The commoditization of APT-level hackers-for-hire could potentially entice rival luxury real-estate investors involved in multi-billion-dollar contracts to seek these services to spy on their competition by infiltrating their contractors. Industrial espionage is nothing new and, since the real-estate industry is highly competitive, with contracts valued at billions of dollars, the stakes are high for winning contracts for luxury projects and could justify turning to mercenary APT groups for gaining a negotiation advantage.”
Bitdefender said the attackers were familiar with the victim company’s security systems and software applications, allowing them to compromise the network using a trojanized plugin for 3ds Max computer graphics software from Autodesk.
The plugin, named PhysXPluginMfx, abused the software's built-in scripting language, MAXScript (Autodesk has published an advisory on the issue), to infect victims with a binary that lists, compresses and uploads a set of specifically targeted files, and an infostealer that can capture screenshots and collect data about the user and the machine.
Earlier in August, Kaspersky published a profile of DeathStalker (aka Deceptikons), a group accused of targeting law firms; financial sector organizations, including SMBs; and other verticals. Researchers at Kaspersky say the group performs espionage through three malware families: Powersing, Evilnum and Janicab.
The actors behind this group “don’t deploy ransomware, steal payment information to resell it, or engage in any type of activity commonly associated with the cybercrime underworld. Their interest in gathering sensitive business information leads us to believe that DeathStalker is a group of mercenaries offering hacking-for-hire services, or acting as some sort of information broker in financial circles,” Kaspersky reported.
"The tooling was indicative of a small team that favored tried and true methods over innovation, with very short development cycles," Ivan Kwiatkowski, senior security researcher at Kaspersky’s Global Research & Analysis Team (GReAT), told SC Media. And the targeting "appeared to be all over the place, which we interpret as being dictated by outside factors (i.e. client requests) instead of a long-term strategy."
Exposed last June by The Citizen Lab, Dark Basin was found to target thousands of individuals – including journalists and government officials – and hundreds of institutions such as advocacy groups, hedge funds and businesses in multiple industries. It appears the group at one point was hired to keep digital tabs on advocates of net neutrality, as well as organizations behind the #ExxonKnew campaign, which alleges that the oil company hid evidence of climate change.