Cybercrime is an activity that increasingly is being farmed out to third-party players. Such threats as ransomware, phishing, and malware are now available as services that can be bought and sold on the Dark Web. A new type of campaign that involves cyber espionage is the latest example of a cybercrime being perpetrated by people for hire.
SEE: Cybersecurity: Let’s get tactical (free PDF)
In its new report “The CostaRicto Campaign: Cyber-Espionage Outsourced,” BlackBerry describes the actions of a malicious campaign carried out by freelance mercenaries. Dubbed CostaRicto, this form of cyber espionage is being handled by an APT (Advanced Persistent Threat) group with skills in malware tooling, VPN proxy, and SSH tunneling.
APT attacks often come from state-sponsored groups or even nation-states that have the means and motive to launch stealthy and prolonged campaigns.
By hiring a mercenary group to carry out the campaign, the real attackers can better protect their identity and elude any attempts at detection. Such attackers may also use a third party if they lack the tools, technologies, or talents to execute a campaign from start to finish. A skilled mercenary group often chooses to work only with high-profile customers who can afford their services, and that includes major organizations, influential individuals, and even governments.
With the CostaRicto campaign, BlackBerry found that the targets are located in several countries, including the US, China, India, Australia, France, Bangladesh, and Singapore. There’s a slight focus on the South Asian region (India, Bangladesh, and Singapore), a sign that the APT group could based in that area and perhaps handling a range of jobs from different customers. The targeted organizations are spread across several industries, but a large chunk of them are financial institutions.
What are the actual attackers who hired the APT group looking to achieve?
“We are not 100% sure, but everything currently set up appears to be for espionage, but they could shift their techniques with little effort to deploy other mechanisms such as coin miners or ransomware,” Eric Milam, BlackBerry’s VP for research pperations, told TechRepublic. “We are not 100% positive of the end game of the attacker, however, they have set up an elaborate groundwork to ensure long-term access to the victims as well as many covert channels for transferring data out of the victims’ infrastructure.”
The APT group manages its command-and-control (C2) servers using Tor and a layer of proxies. Plus, a network of SSH tunnels is set up in the victim’s environment. As a whole, these tactics point to a better-than-average level of security for this campaign. The operation is using a new strain of malware that hasn’t been seen before, custom built with a suggestive project name, well-structured code, and a detailed versioning system.
The backdoor project for the campaign is named Sombra, a reference to a character in the online game Overwatch. Specifically, Sombra is an agent who specializes in espionage and is known for her stealth, infiltration, and hacking skills. Sombra also has the ability to make herself invisible and destroy the defenses of her enemies through an electromagnetic pulse (EMP).
Some of the domain names hardcoded in the backdoor code appear to spoof legitimate domains such as the one for the State Bank of India Bangladesh (sbibd.com). But the actual victims aren’t related to these instances, so these may be no more than reused references. One of the IP addresses registered with the backdoor domains overlaps with an earlier phishing campaign attributed to APT28. However, Blackberry believes this overlap is either a coincidence or that this earlier campaign was farmed out to the mercenary group.
The players behind these types of outsourced campaigns are hard to find, according to BlackBerry. Typically, investigators will categorize cybercrime groups based on similar tactics, techniques and procedures (TTP). But with mercenary activity, the targets often appear to be random and fail to reveal much about the real people and motives behind the attacks.
Certain organizations targeted in this espionage campaign have been compromised, according to Milam, who couldn’t share more details due to confidentiality. There is no one silver bullet for combatting these types of attacks, Milam said, but companies should at least follow standard cyber hygiene practices. That means they should understand their greatest areas of risk and make sure they patch any critical flaws, run vulnerability scans, and use penetration testing.