Thursday, July 21, 2022

‘AIG’ Threat Group Launches With Unique Business Model



A threat group calling itself the Atlas Intelligence Group (AIG, aka Atlantis Cyber-Army) has recently surfaced with what appears to be a considerably different — and potentially trend-setting — cybercrime model.

Researchers from Cyberint, who were the first to spot the group, described the threat actor as advertising a variety of services through its main website, including access to stolen databases, exclusive data leaks, distributed denial-of-service (DDoS) services, and initial access to enterprise networks through RDP clients and Web shells. Cyberint said this week that its researchers spotted AIG in May and have observed it growing quickly since then.

What makes the threat actor different from the myriad others with similar offerings is the fact that the operators themselves appear to be entirely outsourcing the actual hacking activities to independent cyber-mercenaries who have no direct connection to the operation. For instance, when a client purchases AIG’s DDoS, data theft, or malicious spam services, the group advertises for and hires independent contractors to execute the actual tasks. This is unlike most threat groups, which recruit and maintain the same team of hackers for different campaigns.

A Model for OpSec

AIG’s model appears designed to ensure a high level of operations security for its leaders by keeping them segregated from those doing the criminal hacking activity, according to Cyberint.

“AIG is the first group I’ve seen that’s using this business model,” says Shmuel Gihon, security researcher with Cyberint. “Every team has its leaders, and every team has key members. But here it is totally different: now we have one leader that controls everything and everyone.”

AIG’s business model appears designed to take advantage of the growing number of hacker-for-hire groups that have begun surfacing all over the world recently. The groups, many of which operate out of India, Russia, or the United Arab Emirates, specialize in breaking into target networks, stealing data, and carrying out a variety of other malicious activities on behalf of the clients who hire them. One example of such a group is Russia-based “Void Balaur,” a cyber-mercenary group that researchers at Trend Micro and others have linked to attacks on hundreds of organizations and individuals for several years.

Gihon says Cyberint’s analysis of AIG’s activities shows it is being run by a secretive individual using the handle “Mr. Eagle.” This individual appears responsible for initiating all AIG campaigns and plans. Cyberint has so far been able to identify at least four other individuals who are working under this leader, and who are responsible for tasks such as advertising the group’s services, communicating with customers, and operating its Telegram channels.

“What makes them totally different is the fact that they’re excellent [at] making themselves anonymous and approaching this operation as entrepreneurs and not as technical folks,” Gihon says. The group’s behavior suggests the core members — or at least its leader — were red teamers or malicious hackers who have decided to lead rather than operate.

“They’ve been around in the darknet and in the cybercrime industry for a while and saw how things are working,” he added.

Telegram Communications

Cyberint said it has observed the group use three different Telegram channels, with hundreds of subscribers between them, for its operations.

One of the channels is a marketplace for leaked databases. The databases appear to belong to organizations in various sectors such as government, finance, manufacturing, and technology, from around the world. The collection of databases on sale through the Telegram channel suggests that AIG is not focusing on any specific region or sector. Rather, the group appears to be targeting organizations that it thinks could be valuable for potential buyers.

Some of the databases are available for as little as 15 euros and contain information such as email and physical addresses, phone numbers, and other information likely of interest to distributors of malicious spam, spear-phishing groups, and hacktivists.

“AIG claims that these databases are exclusive, so the assumption is that they obtained it [via] their contractors,” Gihon says. Given the low price, it’s unlikely that AIG obtained them from a third party and is reselling them, he says.

AIG has a second Telegram channel that it uses to publish ads for various hacking services that it may be looking for, and where hackers have an opportunity to bid for contracts. The channel serves as the threat group’s source for finding malware developers, social engineers, red teamers, and other cyber-mercenaries.

AIG’s third Telegram channel, which serves as its communication channel, is where the group posts announcements, lists of intended targets, and other information. The threat actor also maintains an e-commerce store where people can purchase AIG’s services and stolen databases using cryptocurrency.

Gihon says AIG’s business model gives it a level of flexibility that other threat groups do not have.

“The leader is not bound to any one of the members because they’re all contractors,” he says. “So, while other groups have their ups and downs given the fact that they’re the same group of people most of the time, Mr. Eagle has the privilege to hire the best of the best anytime,” he says. “This could make this team very deadly in the end game.”
