"I don't make the money, I just carry it." Ever seen a hacker who specializes in ATMs? Some hackers are in it for the money. Some are "patriotic", which leaves other countries fuming: be as patriotic as you like, just keep your hands off our nuclear industry. And some have broad tastes: insurance, consulting, mining, steelmaking, retail, construction… none of them are spared.
Researchers at Group-IB, a Singapore-based cybersecurity firm, have catalogued a whole crowd of hacking groups that kept very busy in the second half of 2018 and the first half of 2019.
Their intrusion methods have grown richer and more varied, and their attacks go straight for the target.
New player: RedCurl
In 2019 a new hacking group called RedCurl began to emerge. It acts as both a spy and a financial thief, and its targets are wide-ranging: insurance, consulting, mining, steelmaking, retail and construction companies have all been hit. Group-IB says RedCurl's tradecraft is superior and difficult to track. The group stays hidden largely because it routes communication with its command-and-control (C2) servers through legitimate services.
RedCurl relies heavily on custom Trojans for its dirty work. Its first task is to steal the victim's important documents; it then installs XMRig to mine Monero on the victim's hardware.
RedCurl does not copy every document it finds; it prefers material such as agreements, payment records and contracts.
Unlike earlier, noisier attacks, RedCurl is a thoroughly professional opponent when it comes to phishing. It tailors the lure to each victim to raise the odds of success.
For now, RedCurl's true identity is unclear, and no one knows whether it is a cybercrime group or a state-sponsored attack team. Group-IB is nonetheless combing through its tactics, techniques and procedures for clues.
Most of RedCurl's victims are in Eastern Europe, but one is a company in North America. At least one member of the group speaks Russian, judging by the language used in the decoy files and the email services the group relies on.
It’s all about the money.
Group-IB lists five active cybercrime groups targeting financial institutions. Three of them (Cobalt, Silence and MoneyTaker) are Russian-speaking, and these are the groups most skilled at taking control of ATMs with Trojans.
The other two are Lazarus and SilentCard. SilentCard is a Kenyan group that specializes in African banks and, although its tooling is fairly ordinary, it has been quite successful.
Hacker organizations specifically targeting banks
Plenty of other criminal groups threaten the financial sector online, but Group-IB believes these five can do the most serious damage.
These groups often dwell for a long time inside a compromised network, studying how the victim conducts its financial operations so that their own fraudulent transactions pass for the victim's routine activity.
Group-IB's map of cyberattacks shows that, successful or not, these groups have been active since the second half of 2018, with a major operation almost every month.
Group-IB map of cyberattacks
Little detailed information is available about SilentCard yet, but the researchers believe the group operates locally in Kenya and has successfully pulled off two thefts.
From the single malware sample available, Group-IB infers that SilentCard uses a home-grown tool to gain control of target networks.
State-backed hackers
Besides these financially motivated criminals, government-backed hackers (the so-called APT groups) have been busy in recent years. Group-IB lists 38 active groups in its report, seven of which appeared on the cyberespionage scene for the first time this year.
Although some of the new groups only surfaced last year, several actually started much earlier, some as far back as 2011.
Active state-backed hacking groups
A typical example is Windshift, whose tools and tactics DarkMatter analyzed in detail last August. The group has been spying on government employees and critical infrastructure in the Middle East since 2017.
Blue Mushroom (also known as Sapphire Mushroom and APT-C-12) began operating in 2011, but its cover was blown in the middle of last year. The group is particularly ruthless, specializing in the nuclear industry and scientific research institutions.
Gallmaker is another APT group caught in 2018; Symantec believes it has been active since at least the end of 2017. Gallmaker is understood to rely heavily on off-the-shelf, living-off-the-land tools rather than custom malware to attack government and military targets.
A report by Qihoo 360 earlier this year showed that the South American group APT-C-36, also known as Blind Eagle, had been stealing trade secrets from key companies and government agencies.
The group known as Whitefly has focused on Singapore's healthcare, media, telecommunications and engineering companies. Its campaign began in 2017 and became "famous" last July with the attack on the country's largest public healthcare group, in which the data of 1.5 million patients was stolen.
Hexane, also tracked as Lyceum, is interested only in critical infrastructure in the Middle East. It was unmasked in August, and SecureWorks recently published details of the group's techniques.
Taj Mahal, the seventh APT group, has only just shown its face, and little is known about it. Kaspersky found its attack framework remarkably sophisticated: a single toolkit of some 80 modules, which was used to break through the defenses of a Central Asian diplomatic entity.
For political leaders and military operations, cybersecurity has become the weakest plank in the barrel, and nobody dares to slow down. As things stand, the hackers have thrown off their cloaks and are fighting in the open. Government agencies have accordingly had to accelerate the upgrading of their digital tools against unforeseen incidents.
Retaliation through cyberattacks has recently become a routine instrument, for example this summer's U.S. cyberattack on Iranian weapons systems in response to Iran's downing of a U.S. drone.
Group-IB CTO Dmitry Volkov points out that 2018 taught us how vulnerable the cyber world is to side-channel attacks, while 2019 is the year of covert military operations in cyberspace.