Outsourcing espionage: A new era in cyber crime

Ransomware-as-a-service has become so popular and profitable that bad actors in the dark markets are expanding their range of illicit services to offer dedicated phishing and espionage campaigns too.

Over the past half a year, BlackBerry’s Research and Intelligence team has been keeping a close eye on a cyber-espionage campaign that is targeting individuals around the world. Dubbed ‘CostaRicto’ by BlackBerry, the campaign seems to be run by 'hackers-for-hire', a group of skilled APT actors with bespoke malware tooling and complex VPN proxy and secure shell (SSH) tunnelling capabilities.

According to the company, criminal groups offering APT-style attacks are becoming increasingly popular. Their tactics, techniques, and procedures are close in nature to highly sophisticated state-sponsored campaigns, but the profiles and geography of their targets are too diverse to be aligned with a single threat actor’s interests.

In theory anyone who could afford it could be a potential customer of a mercenary APT. However, BlackBerry speculates that the more sophisticated criminals will choose to work with high profile customers, including large organisations, influential individuals, or even governments.

“Having a lot at stake, the cyber criminals must choose very carefully when selecting their commissions to avoid the risk of being exposed,” the company said.

Obfuscating identity

When it comes to espionage campaigns, outsourcing the whole or even part of the campaign is a compelling proposition, particularly for businesses and individuals who are looking for inside information on their competitors but don’t necessarily have the skills, tools or experience to do this themselves.

However, even notorious adversaries experienced in cyber espionage can benefit from adding a layer of indirection to their attacks, as using a mercenary as a proxy helps the real attacker to obfuscate their identity and make attribution a lot more difficult.


CostaRicto targets are spread across diverse geographies in Europe, the Americas, Asia, Australia and Africa, with the biggest concentration seeming to be in South Asia, which suggests the malefactors might be based in that region but working on a wide range of commissions from diverse clients.

Once access has been gained to the target’s environment, which researchers assume happens through stolen credentials, either obtained via phishing or bought on the dark web, the criminal sets up remote tunnelling using an SSH tool. The tool is configured to redirect traffic from a malicious domain to a proxy that is listening on a local port. The tunnel is authenticated using the attacker’s private key. To pull down the backdoor, a payload stager, either HTTP or reverse-DNS, is executed with the use of a scheduled task.

The backdoor comes either wrapped up in a PowerSploit reflective loader, or in the form of a custom-built dropper that uses a simple virtual machine (VM) mechanism to decode and inject the payload.

Hefty price tags

Ilia Kolochenko, founder & CEO of Web security company ImmuniWeb, says these days, there is a considerably higher number of highly skilled cyber mercenaries.

“The majority of them are simply prudent, never advertise their hacker-for-hire services, and do most of their business via trusted intermediaries with a well-thought vetting process for all new clients.”

According to him, these groups usually only consider projects starting with a six-digit price tag. 

“They have formidable technical skills and virtually unlimited resources, and are capable of invisibly penetrating large corporate or governmental networks without triggering an alarm. Most of these groups have access to skilled lawyers and financial advisors to better shape strategy and hinder eventual investigation.”

Kolochenko says law enforcement agencies, even those in the wealthiest Western nations, are too underfunded and understaffed to adequately respond to this relatively new phenomenon. During the COVID-19 pandemic, cyber criminals enjoyed a wide range of low-hanging fruits given how many companies had poorly protected WFH infrastructure, or unprotected third parties that had uncontrolled access to their sensitive data.

“Stress and burnout among cyber security professionals just exacerbates this spiralling situation.”
