Today, increasingly sophisticated cyber attacks are crafted, honed, and improved by shady groups of hackers, often using custom tools directed at high-value people, businesses, or even countries.
From daring cyber heists that cause cash machines in the street to give out free money, through to targeting activists, defectors and dissidents, these attacks are often carried out by dedicated groups working in the shadows of states where they are tolerated, encouraged, or even part of the intelligence machinery of countries themselves.
These groups are often mysterious, and it is only thanks to the dedication of security researchers that we now know a little about how they operate, from hints as to who they are, where they're based, how they work, and why.
These groups tend to operate in the domain of the advanced persistent threat (APT), a fairly self-explanatory term for sophisticated hacking attempts that are continuously ongoing, usually targeting a person, business, or country.
APT groups vary in motive: they could be conducting cyber espionage for political or corporate information (usually in sensitive industries or public sector bodies), they could be state-sponsored, they could be directly a function of a state, or they could be simply tolerated within a state. An APT group might be financially motivated, engaging in complex cyber heists. Or they could simply want to spread misinformation and chaos.
In any case, they often use customised, proprietary malware tools and have sophisticated means of attack. Often they run their own (sometimes vast) command and control infrastructure, and deliberately make attribution difficult – either by masking the location of the attacks or as a means to plant blame on another potential culprit, in other words, a ‘false flag’ operation.
APT groups are then, by their nature, shady and mysterious – but thanks to the hard work of researchers in the infosec community, we now know details about some of them.
Read on for some of the most notorious known hacker groups, from ‘Fancy Bear’ to ‘Reaper’.
The Shadow Brokers
It was almost impossible to miss the WannaCry ransomware threat in 2017. WannaCry and what was then a variant of the Petya ransomware, NotPetya, absolutely hobbled infrastructure and businesses the world over.
These attacks were based on an exploit developed internally by America’s National Security Agency (NSA), called EternalBlue, which itself exploited Microsoft’s Server Message Block (SMB) protocol – the agency having decided to hoard the exploit rather than inform Microsoft.
A group calling itself The Shadow Brokers obtained NSA files back in 2013, believed to have been extracted from an NSA staging server. This included information on all types of exploits that the spying agency had been holding onto.
The group’s first published leak was in August 2016, a cache of cyber weapons that it attributed to the ‘Equation Group’ – an organisation believed to be based in America, possibly behind the infamous Stuxnet code that wrecked Iran’s nuclear centrifuges, and that has been suggested to also have ties to the NSA.
Four leaks later and it was ‘EternalBlue’ – the SMB-based attack that WannaCry and Petya were built on, causing more than 200,000 infections worldwide within the first two weeks of its release. The group claims to have access to more weapons and exploits, and had previously threatened the release of new material every month.
No one knows for sure where the Shadow Brokers group originates, but theories include an insider within the NSA’s ‘Tailored Access Operations’ group.
NSA whistleblower Edward Snowden said that “conventional wisdom indicates Russian responsibility” – adding that he believed the releases were a warning to America.
“This leak looks like somebody sending a message that an escalation in the attribution game could get messy fast,” he tweeted.
Lazarus Group
The mysterious Lazarus Group could be behind the $81 million bank heist from the Central Bank of Bangladesh in 2016. Not much is known about this organisation, who is in it, or where it operates from, but security vendor Kaspersky had its researchers attempt to trace the shady group for over a year.
From the ‘forensic analysis of artefacts’ the group left behind in attacks on south-east Asian and European banks, Kaspersky says it gained a ‘deep understanding’ of the group and how it operates – noting that it has attacked financial institutions, casinos, software developers and cryptocurrency businesses around the world.
The typical anatomy of a Lazarus attack, according to Kaspersky, comes in four stages. First is the initial compromise, where a single system in the target is breached with remotely accessible code or through an exploit planted on a website. An employee downloads the malware, allowing the group to place additional malware on the compromised system.
Then, the Lazarus hackers migrate to other bank hosts and place backdoors throughout the organisation. After this, they undertake a recon mission to learn about and map out the network, flagging valuable internal resources such as backup servers with credentials or authentication information stored on them.
Lastly, the group deploys malware specially designed to bypass the victim’s security, and then issues transactions from there.
No one knows for sure where Lazarus operates from. However, by studying a collection of malware samples Kaspersky found a strange connection to a command and control server – lasting just momentarily – from a “very rare” IP address in North Korea.
But, as with a lot of attribution, that is educated guesswork: the vendor concedes that it could mean a number of things – that the attackers really did connect from North Korea, that it was a “carefully planned” false flag operation, or that someone in North Korea accidentally visited the command and control URL.
The group is still on the move. Read more of Kaspersky’s research here.
Equation Group
Credited by Kaspersky with the dubious honour of ‘crown creator of cyber espionage’, Equation Group refers to the shadowy Tailored Access Operations unit within America’s NSA.
The group was most famously associated with Stuxnet, a highly sophisticated attack (especially for its time) that successfully wrecked Iran’s nuclear centrifuges, although it’s suspected that the unit informed the attack rather than perpetrated it.
Kaspersky has a brief exposé of what’s known about the group here. It is, the vendor says, “unique almost in every aspect of their activities” – using tools that are extremely complicated and expensive to develop, as well as exfiltrating data and hiding their work in an “outstandingly professional way”.
As mentioned in the Shadow Brokers entry – some of the most damaging cyber attacks the world has ever seen originated from a single NSA exploit. The group has an extensive library of trojans that are known and probably many more that aren’t.
And it appears to use more traditional spying methods to worm its way onto the systems of victims too, in one instance intercepting a CD-ROM that was being mailed out to the attendees of a science conference in Houston, and replacing it with a copy that was infected with the group’s DoubleFantasy worm.
The group maintains a large command and control infrastructure spread across more than 100 servers and 300 domains, including hosts in countries like the US, the UK, Panama, Costa Rica, Colombia, Germany and the Netherlands.
Its victims appear to be highly targeted, including (but not limited to) government and diplomatic institutions, telecoms, aerospace, energy, nuclear research, oil and gas, military, nanotechnology, Islamic activists and scholars, the media, transport, finance, and businesses working on encryption.
Carbanak
A group codenamed Carbanak had been wanted by international policing agencies for at least five years for stealing as much as $1 billion in a series of cyber heists and hacked ATM networks.
Europol in March 2018 believed it had fingered the ringleader for the notorious gang, still unnamed, arresting the figure in Alicante, Spain, after a joint international investigation.
Carbanak (also nicknamed Fin7) sent out highly targeted phishing campaigns – in other words, spear phishing – to trick bank employees into downloading malware. Since late 2013, the gang had used its own type of malware, Anunak and Carbanak, then later utilising a modified version of security testing software called Cobalt Strike, reports Fortune.
The first targets were mostly in Russia, but it then moved on to the USA, Germany, China, and Ukraine.
They targeted banks in more than 40 countries, effectively amounting to a one-gang cyber-heist crimewave. The modified Cobalt attack allowed Carbanak to steal as much as €10 million per heist.
Its ingenious ATM hacks allowed the group to instruct cash machines to dispense currency without even interacting with the terminal. This would then be picked up by mules who transferred it to the SWIFT financial network, and then from there into the attackers’ accounts.
FireEye noted that the group pointed its phishing campaign at the US Securities and Exchange Commission.
Reaper (APT37)
According to extensive research from American security vendor FireEye, a cyber espionage unit based in North Korea (Advanced Persistent Threat 37 – nicknamed Reaper) upped its operations in early 2018 and continues to engage in recon missions targeting nation states and state-adjacent organisations.
In 2017, the group targeted a Middle Eastern business that was working with North Korea on a joint project to increase telco services in the country. It also homed in on a Vietnamese trading company, and even individuals working in Olympic organisations.
FireEye states that in addition to nation state-based espionage operations, it also targets defectors from the DPRK, suggesting that it is closely affiliated with the country.
‘Reaper’ attackers made use of vulnerabilities in the Hangul Word Processor, which is widely used in the RoK – South Korea. In addition, it had a cache of zero-days and used them in spear phishing and ‘web compromise operations’, according to FireEye.
The command and control infrastructure made use of compromised servers as well as cloud service providers to muddy attribution and avoid detection, and the group also placed malware payloads on compromised but legitimate websites. The email accounts used in its attacks evolved from domains associated with South Korea to other providers like Gmail and Russian services such as Yandex.
FireEye – whose report you can read here (PDF) – says it has assessed with “high confidence” that the group acts “in support of the North Korean government and is primarily based in North Korea”. The researchers came to this conclusion for a number of different reasons, from who the group was targeting through to “probably links to a North Korean individual believed to be the developer of several of APT37’s proprietary malware families”.
Iron Tiger APT
Possibly emerging from a series of sophisticated and highly targeted attacks in the Asia Pacific region, focusing on politicians and government agencies in China, Hong Kong, the Philippines, and Tibet, the group nicknamed ‘Iron Tiger’ was said to have pivoted towards targets in America, including US government contractors in aerospace, energy, intelligence, telecoms and nuclear.
A Trend Micro report suggested that the attacks originated from China because VPN servers used to launch the attacks were mostly based in the region, the file names and passwords used were Chinese, text resources and language ID in malware binaries were set to simplified Chinese, and Whois data pointed to domains registered to physical addresses in China. The vendor also pointed the finger at a person called Guo Fei, a Shanghai resident, who it believed was instrumental to the group’s success.
BitDefender in February 2018 discovered variants of the Gh0st RAT trojan used in the Iron Tiger operation for new attacks first flagged in July 2017 – a customised piece of malware called PZChao, suggesting a potential return of the group that had been quiet for several years. A forensic analysis of that new variant is detailed in a whitepaper from the vendor, available for download here.
Fancy Bear
No list of advanced persistent threat groups would be complete without ‘Fancy Bear’, which was alleged to have played a major part in the hacking of the US Democratic National Committee in the run-up to America’s elections (although this was disputed by ‘Guccifer 2.0’, who took credit).
The group, says CrowdStrike, has been on the scene since 2008 and has targeted all the usual sensitive sectors – defence, energy, government, and media – as well as dissidents. It’s widely believed to be at the very least state sponsored, with vendors pointing to Russia as the most likely culprit.
It runs multiple operations concurrently and has created its own implant tools, as well as droppers, which are cross-platform and can be pointed at mobile devices too.
Fancy Bear was linked with attacks on the German parliament, as well as campaigns to hijack traffic inbound to a Nigerian government website. The group had also developed malware to target Apple devices, which was capable of reading text messages and secretly recording audio – a useful espionage tool in any nation’s arsenal.
For the long list of prominent attacks and campaigns head over to the Wikipedia page here, where you can read about the attack on the Bundestag, and even an attempt to cripple Ukraine’s artillery.