Over the past couple of months, a new group has emerged named the Atlas Intelligence Group (A.I.G), aka Atlantis Cyber-Army.
What makes this group unique compared to all the other groups we’ve seen lately, is its recruitment of cyber-mercenaries to do specific jobs as a part of bigger campaigns known only to the admins. In the early days, the group appeared to be yet another data leakage group. But on closer inspection of the variety of services they offer, we realized we were looking at something much bigger.
Its leader, Mr.Eagle, puts a lot of effort into advertising the group and the services it offers, such as exclusive data leaks, DDoS, RDP, and other methods of access to organizations.
The group has been growing rapidly since the beginning of May, and currently advertises its content on several popular marketplace Telegram channels, along with its own Telegram channels. In all their campaigns, they target countries from all over the world, including the U.S, Pakistan, Israel, Colombia, and the Emirates, as they focus on government and other state assets.
Atlas Intelligence Group is not the regular threat group we’ve become used to seeing. While many groups focus on offering one, or maybe two services, Atlas seems to efficiently grow rapidly and expand its operations, allowing them to offer a variety of services (Figure 1).
One of the most common services these days in general, and in this group particularly, is DDoS. From the group’s early days, this was one of their most popular services, as they provide solid proof of execution for only €20 per victim.
Another fairly popular service Atlas offers is data leaks. It seems that the group doesn’t focusing on just one sector or region, but rather focuses on anything that might be valuable to their potential buyers.
The group has published leaked databases for sale starting from €15. These databases are from all over the world, in different sectors such as education, finance, government entities, manufacturing and tech.
Panels and Initial Access
To date, Atlas, aka Atlantis, seems like another intermediate cybercrime organization given the services it offers, but when observing other services we can paint a much more complex picture about this group.
Other than the more “obvious” services, they have some products for sale that demand more skill to acquire. One of these products is hacked panels and initial access to organizations, which they were able to obtain. These sales start mostly at $1000 (Figure 2).
As the group keeps evolving on a daily basis and shows us little by little what they are capable of, they also prove that they are not an ordinary group that only applies advanced hacking techniques.
When observing several of the group’s advertisements, we came across some very alarming ads claiming that they have connections with people in several law enforcement entities in Europe who can deliver sensitive information about certain individuals exclusively (Figure 3).
This capability is impressive, not just because of the potential information that might be obtained, but also because it shows how deep the group goes as they are committed to their crime organization not only in the cyber realm.
Comparing Atlas’s operation method to other groups also paints a different picture of what we are used to seeing.
When observing most threat groups, the pattern is clear: The groups often recruit individuals with certain capabilities that they will have to reuse, and everyone gets involved in the campaign.
Atlas has introduced us to out-of-the-box thinking. It appears that only the admins and the leader know fully what the campaign will be. In order to do so, they hire “cyber mercenaries” for different tasks during the phases of the campaign through their Telegram channel (Figure 4, 5). For example, we were able to find open contracts for one job only (without joining the team) for spear phishing and social engineering experts. Another example is publishing contracts for web hacking individuals. It seems that for each campaign they recruit a different set of individuals.
This technique creates segregation between the participants and keeps all those doing the “dirty work” in the dark. Applying this technique results in a high level of operations security (OpSec) for the operators and helps them avoid ongoing relationships with other threat actors.
As mentioned, this is not an ordinary threat group, both in the way they behave and the way they manage their campaigns.
When comparing them to other crime syndicates, we see the clear behavior of a cartel as we witness their leaders serve as architects of the campaigns, while the mercenaries follow the masterminds’ orders.
The Atlas Intelligence Group operates several communication channels across multiple platforms.
The group operates three different Telegram channels with thousands of subscribers. The first is a database marketplace, in which they put on display the leaked databases they are currently selling, with contact information.
The second and most interesting channel, is where the leader and the admins publish the contracts, and subscribers have the opportunity to offer their services. This channel serves the group in finding red teamers, social engineers, malware developers and information about certain individuals (Figure 6).
The third is another commercial channel that also posts announcements from the team, such as doxing (revealing personal information about a user) scammers that they come across, intended next targets, and other updates that might interest their followers.
The group offers an easy and anonymous method for purchasing their services.
The leader of the group opened an e-commerce store on the Sellix.io platform (Figure 7).
This platform offers an e-commerce platform for anyone. As part of their services they offer payment with cryptocurrency and acts as a middle-man in Atlas’ case, providing another layer of anonymity for the group’s members.
When observing the behavior of this group in general and its leader in particular, it seems that operations security (OpSec) is a top priority, which explains their choice of the Sellix.io platform.
Group has a very clear hierarchy, where only one leader publishes the contracts and the rest of the group supports management tasks, advertisements, and the operation of the channels.
Mr.Eagle is the main character in Atlas’ story, and is a fairly unique individual. The leader of the group seems to be very mature and professional as his decisions and behavior are purely logical with no room for errors.
Mr.Eagle tends to have very strict rules for the management of the group, including banning and expelling scammers and other threat actors who try to advertise their products. It seems that Mr.Eagle maintains very high reliability among the group’s followers (Figure 8).
Although Mr.Eagle is the main character in the group, a lot of the day-to-day work is done by the group admins. So far, the Cyberint Research Team has been able to identify at least four individuals named El Rojo, Mr.Shawji, S41T4M4 and Coffee. The admins are responsible for taking care of the group’s advertising, management tasks, and the operation of the channels, and occasionally with communicating with the followers.
This part of the group is interesting as there are no permanent cyber mercenaries in the group’s campaigns.
It seems that most contracts are referred to red teamers, social engineering and OSINT experts. Given the fact that these contracts are recurring, we conclude that the group’s leaders are not “bound” to the same professionals, leading to a situation where each campaign might have different mercenaries.
Part of the communication seen in the Telegram channel, revolve around malicious content and exploits. This includes both ExploitKits, as well as source code of different Malware Families. The tools being shared serves the purpose of focusing the mercenaries to fit professional skills the group is looking for.
Multiple exploit kits targeting F5 infrastructures have been shared from GitHub in the group, along with malware source code taken from VX-Underground, one of the most popular security-based communities these days (Figure 9, 10).
Other Threat Groups Relations
The group’s organization and working methods suggest that they are not new to the industry, even though no hard evidence was found about these personas before Atlas arrived in our lives.
It is possible that these individuals operated in the past in other threat groups or at least know how to operate as a threat group.
Observing communications and recommendations of another group, the Cyberint Research Team has found a link to a group named DDoSArmy, which, as the name suggests, provides DDoS as a service to their customers.
The Atlas Intelligence Group (A.I.G) does not target a specific industry or even a specific region in the world. We have seen the group operate worldwide, pursuing whatever campaign will most benefit them, whether selling secret documents of a particular country, databases, access to organizations, etc.
However, when trying to gain more insight into their regions and sectors, if we observe their e-commerce store, we can see that most of their databases for sale are government related, while access to RDP clients and webshells that are being sold, mostly belong to organizations from the Finance, Education and manufacturing industries.
Giving Back to The Community?
One of the group’s surprising activities is to voluntarily hunt and dox pedophiles worldwide. In the two months that the group has been operating, they have already doxed several pedophiles, including releasing very personal information about these individuals such as home address, phone number, pictures, etc. The group was able to find pedophiles from several nations in Europe (Figure 11).
Over the past months we have seen many new threat groups emerging, some from the ransomware sector, some data leakers, and some from the malware development sector, but all of them use pretty much the same advertising and team assembling techniques.
In Atlas’ case, we are seeing something different, as one mastermind use mercenaries, or “puppets”, to achieve his goals.
As the group grows by the day, we are able to get to know this individual a little more, and so far it seems that the cybercrime industry is being introduced to a sophisticated, highly anonymous, ambitious, purely logical and nonchalant threat actor who is looking to leave his mark and establish a dominant threat group in the future.
Given the nature of this group, we cannot deny the possibly that it is just a matter of time until the group will move into the ransomware sector as well.