Offensive Security Migrates to The Underground

Introduction

Recent years have taught us a lot about espionage in the cybersecurity world.

As offensive security companies emerged at almost the same rate as ransomware groups, some got tangled up in diplomatic and political incidents, to a point where the countries that hired them left having to manage their losses.

Over the past months, a new trend has emerged of criminal threat groups claiming to have connections to governments worldwide that hire their services for espionage and targeted data leak campaigns.

The Cyberint Research Team has made multiple connections with notorious threat groups, in an attempt to shed some light on this phenomenon.

Given the fact that offensive security is not going anywhere, the only question that remains is who do these states write the check to?

Offensive Security Incidents

Candiru

One of the most dominant offensive companies today, Candiru specializes in compromising Windows machines.

Over the past year, we have seen accusations that Candiru is involved in espionage campaigns targeting journalists around the world − one recent incident claimed that the software company’s tool exploited a Google Chrome’s vulnerability to target Lebanese journalists.

Cyberespionage systems developer company, Candiru, sells its products to governments all over the world, so when every incident of this type is exposed, it could have a major impact on diplomacy in any region around the world.

Cytrox

Cytrox is a spyware developer that specializes in iOS systems. The software company is well-known in the offensive security sector and was linked to several incidents. One of the most famous cases was the espionage campaign that targeted an Egyptian politician and a host of a news show. Both targets were hacked in June 2021 using Cytrox’s spyware Predator.

When this story was released, it was also revealed that Cytrox had also clients from Armenia, Egypt, Greece, Indonesia, Madagascar, Oman, Saudi Arabia, and Serbia.

Obviously, this situation led to accusations of espionage against these countries.

Governments – Threat Group Relationships

As mentioned, it seems that governments prefer turning to notorious threat groups from all over the world to do some “dirty work” that they can benefit from, without being directly linked to the incidents.

Over the past few months, we’ve seen cases where threat groups specializing in data theft and obtaining access to infrastructures claim to have connections to various government agencies. Although we are used to seeing APTs and other major threat groups being sponsored by more “obvious” states such as Russia, China, North Korea and Iran, slowly but surely we are seeing more countries in NATO and American countries joining this list.

BlueHornet – AgainstTheWest

BlueHornet, AKA AgainstTheWest, AKA APT49, is also one of the most influential groups that has emerged following the Russia-Ukraine conflict.

The group first presented itself as a hacktivist group aiding Ukraine in its struggle against Russia, while also targeting China, Iran, North Korea and Belarus. It didn’t take very long to understand that the group is nothing close to resembling a hacktivist group, as they presented a very high level of skill, exposing and leaking highly sensitive data about Russian and Chinese espionage groups’ personnel and breached massive companies such as Alibaba Cloud.

At some point, the cybersecurity community speculated that they are related to some western country that remains unknown.

Finally, BlueHornet came clean in a forum post (Figure 1) claiming they were contracted to undertake this campaign by a certain state. Now they have been officially recruited and are closing down their operations.

Atlas Intelligence Group

Atlas Intelligence Group (A.I.G), is a well-known threat group specializing in several fields – DDoS, botnets, data theft, personal investigations, etc.

The Cyberint Research Team was able to have a quick conversation with the team’s leader, Mr. Eagle, which shed some light on the relationship the group has with several government agencies (Figure 2).

According to Mr. Eagle, the process is pretty simple and straightforward. The group reaches out to government agencies worldwide with a presentation, which details the group’s services and what they can do for these agencies. If an agency finds value in these services, they contact Atlas via the communication channels specified in the presentation.

The remaining question is why agencies such as the CIA, NSA, MI6 and others, even need the services of these groups. Talented and professional as they may be, these agencies do not lack the tools, technology, or professional capabilities to run the same campaigns with even better success rates.

When talking to Mr. Eagle, he revealed the real motives behind these agencies to us. It is in the interest of a government to hire these individuals so if things go south with a campaign, the government has plausible deniability, and is not at risk of any diplomatic incidents that could ensue (Figure 3).

New Technique or Old Habits?

Although in the past year we’ve see an increase in this trend in Western countries, the relationship between criminal threat groups and governments is something we are used to seeing in Eastern Europe countries.

The country that benefits the most from cybercriminals gangs working on its territory is Russia. Leaving aside the APTs such as Cozy Bear and the others, which are more of a military unit than a gang, for years there has been speculation that Russia has been hiring ransomware groups that operate within its borders to share information with the government on any of their campaigns, and any piece of information they find. The “payment“ for this transaction is in the form of the ransomware groups’ freedom to act as they please without being arrested.

One of the clearest examples was the ContiLeaks incident, where conversations of Conti members over the past two years were leaked. One of the conversations was with one of the group’s key members where he admits they pass information to the government (Figure 4).

Conclusions

We live in an era where information security capabilities are just as palpable and lethal as the physical weapons in a state’s arsenal, with the result that the arms race is taking place in this arena as well.

Espionage campaigns are not new. The rules were pretty clear in the past when each government had its own agencies or hired offensive security firms (which was questionable in and of itself), which worked their “magic”, and the borders between enemies and allies were clear.

The idea that a government entity hires the services of a cybercrime syndicate they should seek to arrest is something new. And now, as the rules begin to change, it raises two questions: The first is what other group types will we see getting involved in these campaigns, and the second, what does this say about the blurred line between right and wrong, and, if you are skilled enough, are you above the law?