From Transparency to Coercion, Emerging Threat Actor Tactics
“The evolving threat landscape” sounds like an overused cliché; however, the marked shifts in threat actor tactics over the past year are evidence of widespread and brazen growth in confidence among threat actors. Recent incidents, such as ALPHV (aka BlackCat) exploiting legal avenues and the emergence of “The Five Families” alliance, show cybercriminals stretching their levels of coordination and reach. “Transparency” is at the heart of these new operating behaviors.
Open communication on platforms like Telegram, public discussion of their activities on Twitter, and the manipulation of formal legal and public channels designed for transparency collectively underscore the growing capabilities of threat actors. Their ability to operate brazenly poses a substantial challenge to traditional cybersecurity measures. ALPHV’s use of SEC disclosure rules marks a major shift toward regulatory exploitation, and responding to it calls for international collaboration.
ALPHV’s SEC Complaint Shifts the Paradigm with Regulatory Exploitation
The ALPHV/BlackCat ransomware group’s recent filing of a complaint with the U.S. Securities and Exchange Commission (SEC) against MeridianLink, a publicly traded software company, represents a notable shift in their extortion tactics towards legal avenues.
- The strategic move marks a shift in ALPHV’s tactics towards legal avenues.
- By exploiting regulatory requirements for disclosure, ALPHV effectively turned formal channels meant for transparency into tools for coercion.
- Targeting a publicly traded company like MeridianLink suggests ALPHV has a sophisticated understanding of the potential widespread financial repercussions of their actions beyond ransom demands.
- Involving the SEC aims to magnify the impact on stakeholders, potentially influencing stock prices and investor confidence.
- Publicizing the complaint and alleged breach details indicates a strategic deployment of public relations manipulation.
- The tactic is designed to tarnish the victim’s reputation, exerting additional pressure to meet the ransom demands to avoid further damage to its image and credibility.
Notably, the timing of the attack in relation to the SEC’s new cybersecurity rules, effective from December 15th, 2023, underscores the ransomware group’s keen awareness and adaptability to evolving regulatory landscapes. The attack demonstrated sophistication and agility among threat actors in navigating the dynamic cybersecurity environment, adjusting their tactics in anticipation of and response to legal frameworks.
The incident serves as a unique case in which a ransomware group formally notifies a regulatory body, in contrast to their historical methods of contacting victims directly or affecting their customers. By blurring the lines between cybercrime and regulatory compliance, ALPHV/BlackCat emphasizes the vital need for ongoing collaboration among cybersecurity professionals, law enforcement, and regulatory bodies to outpace criminals.
The Five Families and the Rise of Collaborative Cyber Threats
The emergence of “The Five Families” signals a concerning evolution in the cyber threat landscape, with threat actor groups strategically aligning to form a potent collective force. The alliance, comprising ThreatSec, GhostSec, Stormous, Blackforums, and SiegedSec, marks a departure from isolated attacks to coordinated and potent cybercrime campaigns. The collaboration is not confined to shared objectives but extends to tangible joint operations. This is evidenced by attacks on Alfacomercial-.com.br and Biostar, resulting in unauthorized access to sensitive data.
The Five Families group aims to facilitate information sharing and coordination for impending cyber attacks, marking a disturbing trend of increasing partnerships among malicious entities.
Newly observed partnerships, including a more exclusive one between GhostSec and Stormous, reveal an intricate web of affiliations within The Five Families, highlighting the interconnected nature of the cyber underworld. This interconnectivity poses a significant challenge to conventional cybersecurity measures, as these unified groups leverage their collective capabilities to increase the scale and impact of their attacks.
The public declaration of joint efforts on platforms like Telegram signals a shift towards a bolder approach. The transparency exhibited by The Five Families raises questions about the efficacy of the traditional covert strategies employed by threat actors. Platforms like Telegram serve as conduits for public communication of intentions and actions, a bold departure from traditional undercover methods.
As collaborative alliances become more prevalent, we can expect to see heightened security risks for targeted countries and organizations globally. Collaboration among threat actors challenges cybersecurity measures, requiring a flexible and strong response to address evolving threats from alliances.
The Increasingly Dual Nature of Cybercrime
The increasing efforts of groups to publicize their activities have been joined by a blurring of the lines between monetary incentives, ideological motivations, and state affiliations. For instance, the Russian-aligned hacktivist group KillNet, a major player in cyber threats amid the Russia-Ukraine conflict, targets Ukraine supporters using simple yet effective tactics like DDoS attacks, misinformation, and political rhetoric.
KillNet exemplifies a growing trend where hacktivist groups align themselves with specific nation-states, challenging the traditional view of hacktivists as ideologically motivated entities independent of governments. The blurring of lines poses challenges in attributing cyber threats and understanding the true nature of the actors involved.
KillNet’s initial plans to evolve into “Black Skills,” a Private Military Hacking Company initially intended for corporate activities, signal a shift toward economic incentives and underscore the complex interplay between financial motivations and ideological or political goals, reflecting the adaptability of threat groups.
The group has also seen alliances with groups like Anonymous Sudan, highlighting the increasing reliance on affiliate networks to amplify the impact of cyber operations. The dynamics of these networks allow groups to pool resources, share expertise, and conduct more widespread and sophisticated attacks. This trend emphasizes the importance of understanding not only individual threat groups but also the broader ecosystem in which they operate.
The increased confidence and coordination of threat actors challenge not only traditional cybersecurity measures but also the methods law enforcement uses to protect legitimate organizations, demanding adaptive cybersecurity responses, international collaboration, and a deeper understanding of interconnected threat networks.
Cyberint and the Dark Web
Cyberint excels in accessing high-tier sources that often elude other companies. Our distinct ability to infiltrate concealed realms empowers us to gather and scrutinize invaluable data. We enhance our automated collection with a human approach through the research and analysis of our military-grade expert team.
Discover new sources in deep and dark web marketplaces, forums, and sites, even if those sources are volatile and complex to track. Get deep analysis and reports that allow you to understand a specific threat actor and group profiling, including the places of operation, targeted countries or verticals, TTPs, and more. Get a demo and see what assets you have exposed on the deep & dark web.