Today increasingly sophisticated cyber attacks are crafted, honed, and improved by shady groups of hackers, often using custom tools that are directed at high value people, businesses, or even countries.
From daring cyber heists that cause cash machines in the street to give out free money, through to targeting activists, defectors and dissidents, these attacks are often carried out by dedicated groups working in the shadows of states where they are tolerated, encouraged, or even part of the intelligence machinery of countries themselves.
These groups are often mysterious, and it is only thanks to the dedication of security researchers that we now know a little about how they operate, from hints as to who they are, where they're based, how they work, and why.
These groups tend to operate in the domain of the advanced persistent threat (APT), a fairly self-explanatory term for sophisticated hacking attempts that are continuously ongoing, usually targeting a person, business, or country.
APT groups vary in motive: they could be conducting cyber espionage for political or corporate information (usually in sensitive industries or public sector bodies), they could be state-sponsored, they could be directly a function of a state, or they could be simply tolerated within a state.
An APT group might be financially motivated, engaging in complex cyber heists. Or they could simply want to spread misinformation and chaos.
In any case, they often use customised, proprietary malware tools and have sophisticated means of attack. Often they run their own (sometimes vast) command and control infrastructure, and deliberately make attribution difficult – either by masking the location of the attacks or as a means to plant blame on another potential culprit, in other words, a ‘false flag’ operation.
APT groups are then, by their nature, shady and mysterious – but thanks to the hard work of researchers in the infosec community, we now know details about some of them.
Read on for some of the most notorious known hacker groups, from ‘Fancy Bear’ to ‘Reaper’.
The Shadow Brokers
It was almost impossible to miss the WannaCry ransomware threat in 2017. WannaCry and what was then a variant of the Petya ransomware, NotPetya, absolutely hobbled infrastructure and businesses the world over.
These attacks were based on an exploit developed internally by America’s National Security Agency (NSA), called EternalBlue, which itself exploited Microsoft’s Server Message Block protocol; the NSA had decided to hoard that exploit rather than inform Microsoft.
A group calling itself The Shadow Brokers obtained NSA files back in 2013, believed to have been extracted from an NSA staging server. This included information on all types of exploits that the spying agency had been holding onto.
The group’s first published leak was in August 2016, a cache of cyber weapons that it attributed to the ‘Equation Group’ – an organisation believed to be based in America, possibly behind the infamous Stuxnet code that wrecked Iran’s nuclear centrifuges, and that has been suggested to also have ties to the NSA.
Four leaks later came ‘EternalBlue’ – the SMB-based attack that WannaCry and Petya were built on, causing more than 200,000 infections worldwide within the first two weeks of its release. The group claims to have access to more weapons and exploits, and had previously threatened the release of new material every month.
No one knows for sure where the Shadow Brokers group originates, but theories include an insider within the NSA’s ‘Tailored Access Operations’ group.
NSA whistleblower Edward Snowden said that “conventional wisdom indicates Russian responsibility” – adding that he believed the releases were a warning to America.
“This leak looks like somebody sending a message that an escalation in the attribution game could get messy fast,” he tweeted.
Lazarus Group
The mysterious Lazarus Group could be behind the $81 million bank heist from the Central Bank of Bangladesh in 2016. Not much is known about this organisation, who is in it, or where it operates from, but security vendor Kaspersky had its researchers attempt to trace the shady group for over a year.
From the ‘forensic analysis of artefacts’ the group left in attacks on south-east Asian and European banks, Kaspersky gained a ‘deep understanding’ of the group and how it operates – noting that it attacked financial institutions, casinos, software developers and cryptocurrency businesses around the world.
The typical anatomy of a Lazarus attack, according to Kaspersky, comes in four stages. First is the initial compromise, where a single system in the target is breached with remotely accessible code, or through an exploit planted on a website.
An employee downloads the malware, allowing the group to place additional malware on the compromised system.
Then, the Lazarus hackers migrate to other bank hosts and place backdoors throughout the organisation.
After this, the group undertakes a reconnaissance mission to learn about and map out the network, flagging valuable internal resources such as backup servers with credentials or authentication information stored on them.
Lastly, the group deploys malware specially designed to bypass the victim’s security, and then issues transactions from there.
No one knows for sure where Lazarus operates from. However, by studying a collection of malware samples Kaspersky found a strange connection to a command and control server – lasting just momentarily – from a “very rare” IP address in North Korea.
But, as with a lot of attribution, that is educated guesswork, with the vendor conceding that it could mean a number of things – that the attackers really did connect from North Korea, that it was a “carefully planned” false flag operation, or that someone in North Korea accidentally visited the command and control URL.
The group is still on the move. Read more of Kaspersky’s research here.
Equation Group
Credited by Kaspersky with the dubious honour of ‘crown creator of cyber espionage’, Equation Group refers to the shadowy Tailored Access Operations unit within America’s NSA.
The group was most famously associated with Stuxnet, a highly sophisticated attack (especially for its time) that successfully wrecked Iran’s nuclear centrifuges, although it’s suspected that the unit informed the attack rather than perpetrated it.
Kaspersky has a brief exposé of what’s known about the group here. It is, the vendor says, “unique almost in every aspect of their activities” – using tools that are extremely complicated and expensive to develop, as well as exfiltrating data and hiding their work in an “outstandingly professional way”.
As mentioned in the Shadow Brokers entry – some of the most damaging cyber attacks the world has ever seen originated from a single NSA exploit. The group has an extensive library of trojans that are known and probably many more that aren’t.
And it appears to use more traditional spying methods to worm its way onto the systems of victims too, in one instance intercepting a CD-ROM that was being mailed out to the attendees of a science conference in Houston, and replacing it with a copy that was infected with the group’s DoubleFantasy worm.