Wednesday 2nd November 2022

BLOG: Infamous Threat Actors – Where Are They Now?


Many threat groups either disband, go dark, or re-emerge under a new alias after the discovery of their cyber crimes. Groups such as REvil, DarkSide/BlackMatter (notably responsible for one of the largest incidents in cyber history, the Colonial Pipeline supply chain attack), AstraLocker, Conti, and Avaddon are examples of this.

Occasionally threat actor groups are faced with pressure from law enforcement agencies and then dissolve as a result. There have been several cases that involve law enforcement controlling the threat actors’ servers, effectively halting them and their plans.

In other instances, the groups get intimidated and abandon their ruse, potentially because of heightened attention or the fear that they may be caught and criminally prosecuted. Others simply can’t follow through and decrypt the data. Those groups hope victims will pay before they discover the ruse.

The threat of being caught by law enforcement isn’t always enough to scare off some threat actor groups. For some threat actors, once they receive the ransom money, they disappear without giving back the data. Many organizations dealt with this after REvil and DarkSide disappeared overnight. This year we’ve seen the reemergence of a few threat actor groups, but where are the other threat actor groups that have seemingly gone quiet after causing media frenzies?

Fancy Bear (a.k.a. APT28, Sofacy, Sednit, Strontium)

Fancy Bear aka APT28 is a group operating from the GRU (Glavnoye Razvedyvatel’noye Upravleniye or Main Intelligence Directorate), Russia’s main military intelligence unit. The group has been conducting espionage operations in line with Russia’s foreign policy objectives since at least 2007.

Fancy Bear focuses primarily on foreign governments, military bodies, defense agencies, and research institutions of NATO member states. The countries they target are typically located in Eastern Europe. APT28 has also conducted campaigns against the aerospace, media, and energy sectors.

The GRU’s background also led to APT28’s involvement in more disruptive operations, such as the breach and release of sensitive material from the US Democratic National Committee and the World Anti-Doping Agency in 2015-2016. In 2018 and 2019 we saw attempts at disrupting elections within the US and Europe. As a result, few threat actors have attracted as much widespread media coverage. This worldwide coverage mostly failed to deter its behavior; however, following backlash and the public identification of its personnel, APT28 scaled back its activity, moving towards more covert operations.

Typically, the group sends its targets carefully tailored spear-phishing emails and leverages spoofed domains to appear legitimate. While the group may not be as ‘sophisticated’ as other Russian state actors, APT28 has a wide range of tools, including tailored malware for Mac OS X, Linux, iOS, and Android. The group has also frequently used zero-day exploits, indicating its capability and resources.

Fancy Bear has been responsible for several infiltrations of systems. A notable attack was the incident that began in 2014 and ended in 2016, in which Fancy Bear attacked the German Bundestag’s (Germany’s parliament) IT infrastructure, leading the system to be shut down for many days in 2015. Investigators learned that Fancy Bear first infiltrated the Bundestag’s systems in December 2014 and spent six months dismantling the infrastructure and stealing around 16 gigabytes of data. Fancy Bear is also behind attacks on German parliamentary and political leaders in 2016. German authorities believe these attacks were an attempt to manipulate the country’s 2017 federal elections.

Fancy Bear, posing as ISIL under the alias CyberCaliphate, hacked the French TV network TV5Monde in 2015. The group took over TV5Monde’s social media accounts to post personal information about French soldiers’ families and to criticize then-president François Hollande, and it breached several TV5Monde entry points, including a Dutch-based remote control camera supplier. The motive for the TV5Monde attack is still unclear, but French authorities suspect it was to test cyber-weaponry and tactics.

In 2016, Fancy Bear breached WADA’s systems by sending spoofed WADA communications to staff requesting their login details. The hackers stole records for athletes whom WADA had granted testing exemptions and then attempted to fabricate the data to discredit them. Most athletes were from the United States, but attackers also released records for competitors from other nations. The WADA attack appears to be a petty attempt to discredit other countries as a response to Russia’s ban from international sporting events, including the 2016 Rio Olympics.

Fancy Bear was also the APT group behind the DNC spear-phishing attack of 2016. The attack started on March 10 with an influx of phishing emails, mainly from the DNC’s 2008 campaign staffers. Hackers successfully hacked Hillary Clinton’s addresses, but two-factor authentication prevented a full breach.

Fancy Bear also targeted DNC officials’ personal Gmail accounts, breaching John Podesta’s account and stealing 50,000 emails. The 2016 Fancy Bear attack coincided with another attack on the DNC from Cozy Bear, a threat actor group believed to be a Russian intelligence cyber espionage group. Investigators believe the two groups worked independently, as they duplicated a lot of their hacking efforts and stole the same data.

During Russia’s annexation of Crimea from 2014 to 2016, Fancy Bear used Android malware to hack Ukrainian Rocket Forces and Artillery. The malware destroyed a significant number of Ukraine’s D-30 Howitzer artillery.

LuckyMouse (a.k.a. Emissary Panda, Iron Tiger, APT27)

LuckyMouse is the next threat actor group we will be looking at. This Chinese threat group originated in 2009 and is known for using spear-phishing attacks to target victims. The threat group, which has been active for over a decade, uses multiple malware families and exploits numerous vulnerabilities to meet its espionage goals.

This group consistently alters its strategies and ploys to avoid detection while spying on victims. The group seems to have started working on a new type of espionage, along with financially motivated attacks, by including ransomware in its attack campaigns.

LuckyMouse can deploy a variety of tools and tactics for its cyberespionage missions. Between 2015 and 2017, the threat group compromised victims’ networks using watering hole attacks via nearly 100 compromised legitimate websites.

Despite public disclosures of its activities in 2017, the gang’s cyberespionage operations continued with evolution in its methods. In February 2019, the group attempted ‘living-off-the-land’ cyber attacks to steal information on cutting-edge weapons technologies and spy on dissidents and other civilian groups. For reference, a living-off-the-land attack refers to the use of dual-use tools, which are either already installed in the targets’ environment or are admin, forensic or system tools used maliciously.

In 2011, a honeypot computer discovered the exploitation of vulnerabilities in Microsoft products, in which APT27 dropped Gh0st RAT. In 2013, the group was discovered using various PlugX malware strains. The same year, they deployed a web shell, known as ‘China Chopper’, during attacks on SharePoint servers belonging to a Middle Eastern government. In June 2016, a malware variant of HttpBrowser was discovered, which researchers linked to the APT27 group. It targeted a consumer drone company in Europe.

By February 2018, the group had launched an attack campaign named PZChao, using two versions of the Mimikatz password-scraping utility to collect passwords and upload them to the C2 server. The threat actor tried its hand at crypto mining attacks using ZombieBoy malware, which abused multiple vulnerabilities to compromise targeted networks. In September 2018, multiple infections from a previously unknown trojan were discovered in an attack that used a malicious NDISProxy driver with a certificate from a Chinese IT company.

In March 2020, during the height of the COVID-19 pandemic, the APT group lured people by sending thematic email campaigns or thematic messages with phishing/malware links. In April 2020, it carried out cross-platform attacks on back-end servers to steal business data.

It was only in January of this year that cybersecurity experts discovered APT27 relying again on HyperBro RAT to backdoor targets in Germany. There was also an incident in February involving a fileless and socketless backdoor malware, dubbed SockDetour, which was used against U.S. defense contractors and which researchers suspected to be linked to the APT27 group.

APT27 is currently active and has already shown advanced capabilities in targeting victims using different malware and methods. Further, the group takes advantage of every possible vector to get access inside targeted organizations, by continuously updating its methods.

August of this year saw cybersecurity researchers releasing news detailing the activities of LuckyMouse and its use of a trojanized version of the MiMi chat application to attack systems. The group has found its way back into headlines through its targeting of the US.

UNC2452/NOBELIUM (a.k.a. Dark Halo, Nobelium, SilverFish, StellarParticle)

This threat actor group is notorious for the SolarWinds supply chain attack. Reporting regarding activity related to the SolarWinds supply chain injection has grown quickly since initial disclosure on 13 December 2020.

NOBELIUM is a highly sophisticated group that has continued to evolve and refine its operational and behavioral tactics, techniques, and procedures to better obfuscate activity and limit its digital footprint to avoid detection. The merging of UNC2452 into APT29 expands that group’s tracked activity, and the group has been steadily advancing its TTPs and adopting new measures as new technologies emerge.

NOBELIUM made its way back into the news late last year and early this year. Late last year the group was discovered to be similarly targeting numerous IT supply chains, in the hope of once again embedding itself deep inside IT networks; however, it had a low rate of success. During February of this year, the group was also found to have begun targeting embassies.

While these attacks may not impact the average Windows computer user, they do have potentially larger political ramifications. Cyber researchers found proof that the Nobelium group is impersonating someone associated with the Turkish embassy in targeted email-based attacks.

Equation Group (a.k.a. EQGRP, Housefly, Remsec)

Equation Group is an APT full of mystery. In 2015, cybersecurity researchers discovered a major cyber threat called the Equation Group, which was comprised of over 60 threat actors. Their malware was found to reprogram hard disk firmware, and they were able to hide under the radar and steal private information for more than a decade.

Further investigation found that there are several malware platforms the Equation Group used exclusively. These platforms have been developed in succession, with each one surpassing the previous in sophistication. They give attackers complete control of infected systems for years, allowing them to take data and monitor activities while using complex encryption schemes and other methods to avoid detection.

EquationLaser is an early implant from the Equation Group that was used from approximately 2001 to 2004. The group used this platform as a basis to upgrade to the EquationDrug platform. EquationDrug is a complex attack platform that supports a module plugin system, whose modules can be dynamically loaded and unloaded by attackers. The platform was developed between 2003 and 2013 and was eventually replaced by GrayFish.

With EquationDrug, attackers begin by infecting targets with DoubleFantasy, a validator-style plugin that also keeps a backdoor into a potential target’s computer and saves an internal version number in its configuration block. It takes this information along with legitimate hosts used to validate the internet connection, such as and C&Cs. Then, if the victim is confirmed as the target, the EquationDrug installer is delivered.

By design, it provides a hidden persistence mechanism, hidden storage, and malicious command execution inside the Windows operating system. It contains a highly advanced bootkit. The high level of complexity, which had not been seen before, indicates that the people who created it were not just talented but the best in this field.

Researchers have recorded 500 infections in at least 42 countries, with Iran, Russia, Pakistan, Afghanistan, India, Syria, and Mali among the most affected. However, due to the self-destruct mechanism built into the malware, the researchers suspect that this is just a tiny percentage of the total. The real number of victims likely extends into the tens of thousands. Numerous infections have been observed on servers, such as domain controllers, data warehouses, website hosting, and other types. Once systems are infected, the group can monitor computers and gain any information held within them.

In August 2016, the hacking group Shadow Brokers announced that they had stolen malware code from the Equation Group. Experts confirmed that the announcement of the Equation Group breach was legitimate. The stolen samples they released dated back to 2013 and contained exploits against Cisco adaptive security appliances, Fortinet’s firewalls, and Juniper’s NetScreen firewalls.

The Equation Group targeted multiple industries and institutions, such as governments and diplomatic institutions, telecommunications, aerospace, energy, nuclear research, oil and gas, military, nanotechnology, Islamic activists and scholars, mass media, transportation, financial institutions, and companies developing cryptographic technologies.

Many believe that Equation Group is a state-sponsored entity, such as the U.S. National Security Agency or a joint effort between it and its Five Eyes allies, but the actual individuals behind the group have not yet been identified.


FIN7 (a.k.a. Carbanak)

FIN7 is believed to have formed in 2013. This sophisticated group primarily targets banks, financial institutions, and the financial departments of businesses across a wide variety of sectors. The group extended its exploits to third-party suppliers in a likely attempt to exploit supply chains and gain access to better-protected targets in the financial sector.

Although its key operatives are believed to be Russian and Ukrainian, FIN7 is an international outfit, with a large number of command-and-control servers and individual members distributed globally, making it harder for law enforcement to coordinate any international effort against the group.

Prior to 2019, FIN7 predominantly employed sophisticated social engineering to gain the trust of its victims and used spear-phishing emails to deliver malware and gain access to networks. Initially, FIN7 would deploy malware via weaponized Microsoft Office macros and by leveraging hidden shortcut files or exploiting VBScript functionality. This, alongside other TTPs such as heavy use of digital certificates to bypass security measures and payload obfuscation techniques to preserve TTPs for future operations, demonstrates the group’s emphasis on longevity and continual adaptation, which continues to be the case in more recent operations.

In previous financially motivated campaigns, FIN7 would then move laterally to conduct reconnaissance, which helped the group avoid detection by imitating internal procedures when exfiltrating funds. FIN7 methods include compromising ATM networks to dispense cash to waiting money mules or exploiting the SWIFT banking system to transfer money to third-party accounts. From 2014 to 2020, FIN7 stole close to USD 1 billion from financial institutions across Russia, Europe, and Asia.

However, more recent campaigns denote a shift in targeting rationale and monetization strategies. The group has shifted from campaigns with a narrow target set, usually hospitality and leisure companies, to a wider spectrum, which is less likely to be solely financially motivated. One such example is a link between recent FIN7 campaigns and ransomware operations, suggesting the group is profiting from providing information to or sharing infrastructure with ransomware operators.

FIN7 operations have maintained defined features throughout the years, such as the use of PowerShell in both commands and loaders and a significant focus on obfuscation, but more recent operations suggest a shift in the group’s activities, such as a wider range of initial access techniques that now includes supply chain compromise and stolen credentials.

FIN7 has also moved away from generic initial access techniques (like using CARBANAK) to direct deployment of backdoors. However, the most significant difference is the association with ransomware campaigns and operators, such as REVIL, ALPHV, and BLACKMATTER. At the moment there is no direct deployment of ransomware attributed to FIN7, but in some instances, FIN7 activity has preceded ransomware infections and encryption. The association between FIN7 and ransomware groups is further supported by the discovery that some of its code signing certificates were used to sign DARKSIDE samples, clearly indicating the former has played a role in some DARKSIDE operations.

In 2018, the US Department of Justice announced that several individuals associated with FIN7 had been arrested; the associates were subsequently sentenced in 2021. However, evidence shows the group’s continued advancement and successful campaigns since the arrests. It appears there was little to no disruptive impact on this group’s nefarious activities, implying that the group is large, well-resourced, and adaptable.

To conclude, it appears that threat actor groups rarely completely ‘fall off the map’; they continue to update and ‘perfect’ their means of infiltration. As a result, organizations, businesses, institutions, and consumers need to take extra precautions.
