Over the past year, a string of high-profile cyberattacks coming from Russia and China has galvanized the United States and its western allies into taking swift action to counter the escalating incidents. Consequently, the SolarWinds spyware infiltration, the Microsoft Exchange hack, and ransomware attacks launched by criminal gangs harbored by the Kremlin dominate headlines and drive nation-state cybersecurity responses.
However, Russia and China are not the only dangerous adversaries in the digital realm. Smaller threat groups from India, Iran, Belarus, Latin America, and Israel can hold their own when it comes to disruptive hacking or espionage operations. In addition, alleged “hacktivist” groups and threat actors of indeterminate origin engage in malign activities, often for mysterious purposes.
Indian hackers pose as legitimate firms
At the recent Cyberwarcon event, Reuters journalists Chris Bing and Raphael Satter recapped their ongoing investigation of a loose collective of Indian hackers that blurs the line between reputation management firms and outright hacking-for-hire services. Working for outfits such as Appin Security Labs and BellTrox, these hackers target lawyers, activists, executives, investors, pharmaceutical companies, energy firms, asset management companies, offshore banking entities, and high net worth individuals.
One target of Delhi-based BellTrox was Iranian-American aviation tycoon Farhad Azima, whose emails were stolen by the company and used against him during litigation. “When you guys discover a hack and leak operation down the line, I don’t just want you to think it’s Russia or it’s North Korea or even India,” Bing said. “We want you to think maybe it’s that billionaire who’s been in the news, maybe it’s that K Street lobbying firm, maybe it’s even that disgruntled former spouse.”
Belarus and not Russia is behind the Ghostwriter campaign
The biggest news to come out of Cyberwarcon was the revelation that Mandiant’s Threat Intelligence Group linked state-sponsored espionage group UNC1151, previously tied by researchers to Russia, to the Belarusian government. Mandiant also concluded that UNC1151 provides technical support to an information operations campaign known as Ghostwriter, which has fostered narratives consistent with Belarusian government interests, including anti-NATO messaging.
Mandiant’s Ben Read, senior manager for cyber espionage analysis, and Gabby Roncone, technical threat intelligence analyst, said they couldn’t rule out Russia’s involvement entirely. “Ghostwriter is tied to Belarus with moderate confidence,” Read said. “I’ve seen the ties to 1151. The technical support that you’re getting from this group we have tied with high confidence.”
“We don’t see any overlaps between UNC1151 or the Ghostwriter activity and other cyberespionage information operations that have been publicly attributed to Russia. It is its own thing, and we think it should be evaluated as such. There are a number of good reasons to suspect Russian involvement. We just don’t have the hard evidence.”
Israeli firm Candiru linked to watering hole attacks
Another big revelation coming out of Cyberwarcon is that watering hole attacks on high-profile websites in the Middle East have been linked by researchers at ESET to Israeli spyware firm Candiru. Among the sites targeted in the attacks are the websites of the Iranian embassy in Abu Dhabi and Middle East Eye, a London-based digital news site, as well as other sites critical of Saudi Arabia. The US Department of Commerce recently sanctioned Candiru by placing it on the Entity List, which prevents US organizations from doing business with the firm without a license.
Matthieu Faou, malware researcher at ESET, said during his Cyberwarcon talk that Mandiant stopped seeing activity from this operation at the end of July 2021, just a few weeks after the release of blog posts by the Citizen Lab, Google and Microsoft detailing the activities of Candiru.
Facebook disrupted hacking groups in Pakistan and Syria
David Agranovich, Facebook’s director for global threat disruption, and Mike Dvilyanski, who leads Facebook’s cyberespionage teams, shared details on actions the company took against four distinct groups of hackers in Pakistan and Syria over the past several months. Facebook disabled the groups’ accounts, blocked their domains from being posted on its platform, shared information with industry peers, security researchers, and law enforcement, and alerted the people it believed the hackers targeted.
The group from Pakistan is known as SideCopy, which has been targeting former members of the Afghan government and others based in Afghanistan following the collapse of the government. In Syria, Facebook removed three groups with links to the Syrian government: the Syrian Electronic Army, APT-C-37, and an organization that targeted minority groups, activists, the opposition, Kurdish journalists, members of the People’s Protection Units (YPG), and Syria Civil Defense, or the White Helmets, a volunteer-based humanitarian organization.
Threat group Machete focuses on Latin America
Blake Djavaherian, an intelligence analyst for CrowdStrike’s Global Threat Analysis Cell (GTAC), detailed his firm’s investigation into Machete, a Latin American-focused threat actor that has been active since at least 2010. Machete operates in a highly targeted fashion, focusing nearly always on Latin American issues or organizations.
The group delivers malware through convincing spoofs of government correspondence. Machete has a particular emphasis on Ecuador, Venezuela, Nicaragua, Cuba, and some groups internal to Colombia. Although CrowdStrike hasn’t attributed the threat actor to a particular country, “the target scope is very pertinent to the likely intelligence collection priorities of the Colombian government, including contractors and subcontractors that might work for the Colombian government doing this sort of activity,” Djavaherian said.
Four Iranian groups are moving to crime personas
Alex Orleans, who manages the targeted intrusion mission for CrowdStrike Intelligence’s GTAC, and Katie Blankenship, GTAC director, revealed at the conference details of four Iranian groups they’ve investigated: Tarnished Gauntlet, Pioneer Kitten, Spectral Kitten, and Nemesis Kitten.
The groups are moving from hacktivist personas to crime personas, so “they can organically capitalize on ransomware’s disruptive capabilities while also allowing actors to blend in with a large volume of new crime activity,” Blankenship said.
Microsoft has observed six Iranian threat groups deploying ransomware
James Elliott, Simeon Kakpovi, and Ned Moran of Microsoft’s Threat Intelligence Center (MSTIC) presented their analyses of a gradual evolution of the tools, techniques, and procedures employed by malicious network operators based in Iran. Since September 2020, MSTIC has observed six Iranian threat groups deploying ransomware to achieve their strategic objectives in waves every six to eight weeks on average. One group in particular, PHOSPHORUS, targeted the Fortinet FortiOS SSL VPN and unpatched on-premises Exchange Servers globally with the intent of deploying ransomware on vulnerable networks.
Signaling may be the goal of hacktivists
Juan Andres Guerrero-Saade, a principal threat researcher at SentinelOne, recapped a series of cybersecurity incidents involving so-called hacktivist groups or actors. Examples include Phineas Fisher, who claimed to have hacked offensive intrusion and surveillance company Hacking Team in 2015, and Indra, which claimed responsibility for attacks in Iran, including a hack of the country’s railway station. Indra is also behind a recent attack on Iranian gas stations.
Guerrero-Saade said that in most of these cases, the hacks weren’t necessarily the goal. Instead, the hackers were engaging in a form of signaling to send a message. “It’s one thing to upset folks because they can’t get gas. It’s different from saying, well, to what end do we want these people to be upset?”