Several cyber security breaches have made headlines in the past year and you would be right to assume attack frequency, complexity and impact have grown exponentially. In previous posts we have discussed some of the technical, systemic and cultural catalysts which hackers are taking advantage of, however for this week let’s explore the “who”.
The Who’s Who: Hackers, Cyber Criminals, Affiliates and State Sponsored Cyber Warriors
In the beginning hacking was typically conducted by individuals or small groups of people. Their hacks started with curiosity but eventually transitioned into making money and thus the hacker morphed into the cyber criminal. As more of the world came online, cyber criminals started organizing to amplify their exploits and started working with or acting like traditional criminal organizations. The “enterprisation” of cyber crime over the past 10 years has seen the skilled hackers step back from actually conducting cyber crime and refocusing to enable the “average joes” to become cyber criminals through the development and selling of Crimeware-as-a-Service offerings.
Lastly, various countries around the world have intelligence and military arms who have not been sitting idle. These clandestine teams have been leveraged the same attack techniques against the same vulnerabilities within our software and infrastructure to conduct espionage, sabotage and disinformation campaigns, many of which we mere mortals will never know about.
REvil is a group that has developed a Ransomware-as-Service offering that has enabled countless “partner” cyber criminals to launch Ransomware campaigns against individuals and corporations alike. Their platform provides all the tools necessary to target, launch and collect payment, all for a small processing fee. This Ransomware-as-a-Service platform has been responsible for compromising and shutting down most recently: Kaseya, their clients and their client’s clients, a meat packer in the US and 800 grocery stores in Sweden.
The Darkside organization started with a focus of stealing payment card data to resell on criminal marketplaces but most recently have pivoted to Ransomware campaigns as well. Many Ransomware attacks would be considered “spray’n’pray” where the attacker immediately encrypts what every they can in hopes that what they encrypted was important and the victim will pay. Darkside has taken a more strategic approach: compromising a company, exploring and understanding what is valuable and important to the company and then encrypting those assets in an effort to cripple the company and force their hand into payment. Darkside was the behind the recent Colonial Pipeline Ransomware attack which forced the company to shutdown a pipeline causing fuel shortages to millions of Americans.
Yet another cyber criminal organization who leverages ransomware for profit. However, what is interesting about this organization is that not only do they encrypt the victim’s data, but also download the data to further pressure victims into paying the ransom. Egregor publicly hosts a website that tracks each victim, a summary of data that they have stolen and provides a count down timer when the sensitive data will be dumped publicly if the victim does not pay. Egregor is the cyber criminals behind the recent Translink cyber breach in Vancouver.
Now let’s talk about state sponsored cyber criminals. Cozy Bear is widely considered the hacking arm of the Russian Foreign Intelligence Service, though attribution in these matters are never perfect and they may be contractors for hire with a Russian allegiance. They are a highly sophisticated organization who do not operate for profit and are focused on very specific strategic targets. They specialize in highly sophisticated attacks, have a diverse number of attack mechanisms including 0-day exploits and are experts in establishing and persisting long term access to victim's environments. Their primary focus is the theft of sensitive data and have become experts in acquiring sensitive data through attacking the supply chain.
It is suspected that Cozy Bear is behind arguably the world’s largest cyber breach which happened throughout 2020, known as Solargate or the SolarWinds breach.