Blackberry’s cyber researchers said a hacker-for-hire group the company has tracked over the last six months is behind a global espionage campaign hitting victims on multiple continents in at least 13 countries.
The operation, which Blackberry has dubbed CostaRicto, appears to be the work of an advanced persistent threat (APT)-style mercenary group equipped with custom malware tooling and sophisticated virtual private network (VPN) and secure shell (SSH) tunneling capabilities, Blackberry's research and intelligence team said in a recent blog post.
Ransomware-as-a-service has already put extortion within reach of a wide swath of customers who can hijack victims’ systems without buying hacking infrastructure that most could ill afford. Now the cyber criminal market has expanded to include phishing and espionage campaigns for hire.
“Outsourcing an espionage campaign, or part of it, to a mercenary group might be very compelling, especially to businesses and individuals who seek intelligence on their competition yet may not have the required tooling, infrastructure and experience to conduct an attack themselves,” Blackberry’s researchers said. “By using a mercenary as their proxy, the real attacker can better protect their identity and thwart attempts at attribution.”
Some of the activity appears to originate with groups in India. Their tactics, techniques, and procedures resemble those of state-backed actors rather than a lone criminal, the researchers said. One hacker-for-hire operation, named Dark Basin, has been linked to the New Delhi-based IT services firm BellTroX InfoTech, which allegedly ran phishing campaigns on behalf of paying clients. Dark Basin reportedly bombarded tens of thousands of email accounts belonging to government officials, corporate leaders, U.S. non-profits and financial institutions on six continents with phishing lures. Previously identified hacker-for-hire groups include Deathstalker and Bahamut.
Last May, Google’s Threat Analysis Group (TAG) warned of an uptick in activity from several India-based hack-for-hire firms whose phishing campaigns capitalized on the COVID-19 pandemic.
Here’s what Blackberry’s researchers found in detailing CostaRicto:
- CostaRicto's targets are scattered across countries in Europe, the Americas, Asia, Australia and Africa.
- Most targets appear to be in South Asia, especially India, Bangladesh and Singapore, suggesting that the threat actor could be based in that region.
- The command-and-control servers are managed via Tor and/or through a layer of proxies; a complex network of SSH tunnels is also established in the victim’s environment.
- The backdoor used as a foothold is a previously unseen, custom-built malware strain with a suggestive project name, well-structured code, and a detailed versioning system.
- The timestamps of the payload stagers go back to 2017, which could indicate the operation has been running for a while but used to deliver a different payload.
- Some of the domain names hard-coded in the backdoor binaries seem to spoof legitimate domains.
- One of the IP addresses to which the backdoor domains resolved overlaps with an earlier phishing campaign attributed to APT28. However, there is no concrete evidence of a direct link between CostaRicto and APT28.
- A large portion of the victims are financial institutions but companies in other vertical markets are also targeted.
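The finding that domains hard-coded in the backdoor spoof legitimate ones suggests a check a defender can run over strings pulled from a suspect binary. The following is an added example, not code from Blackberry’s report, and the `LEGIT_DOMAINS` list, the `EXTRACTED_STRINGS` and the confusable table are constructed sample data for illustration rather than CostaRicto indicators. It accepts exact hosts and true subdomains of a protected domain, flags a protected brand that appears as a label under some other registrable domain, and folds common confusable characters before an edit-distance comparison so that `examp1e.com` and `exarnple.com` are caught as lookalikes.

```python
"""
Flag hard-coded domains that look like spoofs of legitimate ones.

Added example, not from Blackberry's CostaRicto report. All domains and
strings below are constructed sample data, not real indicators.
"""
import re

# Constructed sample data: domains a defender wants to protect, and strings
# that a tool such as `strings` might pull from a backdoor binary.
LEGIT_DOMAINS = ["example.com", "sslvpn.example.com", "mail.example.org"]
EXTRACTED_STRINGS = [
    "https://examp1e.com/api/v2",        # digit-for-letter lookalike
    "sslvpn.exarnple.com",               # 'rn' standing in for 'm'
    "example.com.cdn-update.net",        # brand used as a subdomain label
    "cdn.example.com",                   # genuine subdomain, no alert
    "totally-unrelated.net",
    "not a domain at all",
]

DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.IGNORECASE)

# Confusable sequences commonly seen in typosquats (assumed table, extend as needed).
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w"}


def extract_domains(strings):
    """Pull candidate domain names out of arbitrary strings (URLs included)."""
    found = []
    for s in strings:
        for m in DOMAIN_RE.finditer(s.lower()):
            found.append(m.group(0))
    return found


def normalize(label):
    """Fold confusables so 'examp1e' and 'exarnple' both compare as 'example'."""
    for fake, real in CONFUSABLES.items():
        label = label.replace(fake, real)
    return label


def levenshtein(a, b):
    """Classic edit distance; inputs are short so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain):
    """Naive registrable part: the last two labels. Adequate for the sample
    data; a real deployment would consult the Public Suffix List."""
    return ".".join(domain.split(".")[-2:])


def classify(candidate, legit_domains, max_distance=1):
    """Return (verdict, matched_legit_domain) for one extracted domain."""
    candidate = candidate.lower()
    # Exact host or a true subdomain of a protected domain is fine.
    for legit in legit_domains:
        if candidate == legit or candidate.endswith("." + legit):
            return ("legitimate", legit)
    cand_norm = normalize(candidate)
    for legit in legit_domains:
        legit_norm = normalize(legit)
        # Protected name embedded under a different registrable domain.
        if registrable(candidate) != registrable(legit) and legit in candidate:
            return ("subdomain-spoof", legit)
        # Near-identical registrable part or full host after confusable folding.
        d = min(levenshtein(registrable(cand_norm), registrable(legit_norm)),
                levenshtein(cand_norm, legit_norm))
        if d <= max_distance:
            return ("lookalike", legit)
    return ("unrelated", None)


def scan(strings, legit_domains=LEGIT_DOMAINS):
    """Map every domain found in the strings to its (verdict, legit) pair."""
    return {d: classify(d, legit_domains) for d in extract_domains(strings)}


if __name__ == "__main__":
    for dom, (verdict, legit) in scan(EXTRACTED_STRINGS).items():
        print(f"{dom:32} {verdict:16} {legit or ''}")
```

In practice the `LEGIT_DOMAINS` list would be the organization’s own domains plus those of vendors it trusts, and the `max_distance` threshold should stay at 1 for short domains to keep false positives down; the registrable-part logic is deliberately naive and should be replaced with a Public Suffix List lookup before relying on it.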
“When dealing with threat actors that outsource their campaigns, only the entity that performed the attack can be tracked, while the actual perpetrator becomes more elusive than ever,” Blackberry said.