Come with us as we peel back the digital curtain, uncovering the operations, techniques, and impact of five highly active and clandestine groups causing significant disruptions across the cyber landscape.
It seems to be part of human nature to be intrigued by the proverbial “bad guy.” Whether in cinema, video games or literature, characters like The Joker, Darth Vader, or even Mary Shelley’s Frankenstein have a special place in at least a few of our hearts.
People are generally attracted to excitement and an element of danger, but also to the possibility of redemption in others. This applies to cybercriminals too, and many of these traits can be found in the various hacker gangs currently causing havoc around the world. Some of the questions that pique our interest while keeping us on the edge of our seats include:
How did they pull off this compromise?
Are we vulnerable?
Who did they get now?
Who is going to stop them?
While ransomware groups like Cl0p and their MOVEit Transfer extortion campaign have recently taken center stage in mainstream coverage, a more prolific and long-standing set of threat actors still exists. Far from fading into irrelevance, these groups continue to exploit new victims while remaining firmly under the radar.
In this article, we’ll showcase five highly active threat actors that have made a noticeable impact across the first half of 2023, some of which are still going strong at the time of writing. Our aim is to provide actionable threat intelligence that lets readers determine whether a given threat actor has been active in their environment via associated domains, CVEs, or other indicators of compromise.
The article begins with the most recently observed activity, based on public intelligence sources such as Cisco Talos, BleepingComputer, MITRE, and several others.
Primarily known for Big Game Hunting (BGH) operations using its namesake Medusa ransomware, this eCrime group leverages coordinated teams of malicious actors to achieve its goals.
Active since at least 2021, this advanced persistent threat (APT) group has not yet racked up a large known pool of victims, but it remains persistent. The Medusa ransomware outfit publicly names its victims, and those who refuse to pay, on both a Telegram channel and a leak site. Medusa is known to post victim data well before ransom payment deadlines expire, reflecting a vindictive streak.
The Medusa ransomware group is known to occasionally work with other APT groups in specialized capacities, such as ‘nixploiter’ and ‘drumrlu’, to carry out its cybercrime operations.
Medusa’s Tactics, Techniques, and Procedures (TTP)
Medusa and its affiliates favor SMS-based phishing attacks and spam-related campaigns that deploy SimpleHelp binaries for initial access, and have historically exploited the following vulnerabilities against their victims: CVE-2022-40182 (ProxyNotShell), CVE-2020-0688, CVE-2019-0604.
Medusa will also attack common remote access solutions such as VPN portals, or use brute-force attacks to guess valid credentials. Data exfiltration may be conducted using ‘Rclone’ or another service.
Fighting Ursa is believed to be a Russian military unit operating within the Signals Intelligence Unit.
This adversary has been active since at least 2007, with more directly attributable activity observed by the United States, the UK, and other governments since 2018. This APT group focuses solely on attacking and exploiting NATO member countries, or countries such as Ukraine that are seeking NATO membership.
This threat actor also propagandizes its successful compromises, potentially to sway public support for its activities and to shape opinion about the actions of Western nations it is at odds with.
Fighting Ursa’s Tactics, Techniques, and Procedures (TTP)
Fighting Ursa appears to favor social engineering attacks such as spear-phishing campaigns that use fictitious domains to harvest credentials and deliver malware from the Sofacy, X-Agent, and GoDown malware families. Fighting Ursa primarily targets traditional devices such as workstations, but some of its infections have been observed on mobile devices as well.
Operatives belonging to Fighting Ursa have been known to travel physically into close proximity with victims before executing attacks. This has fueled speculation that the group is a well-financed nation-state actor.
In early 2023, Fighting Ursa favored a zero-day vulnerability in Microsoft email clients to steal NTLM hashes for offline cracking. After gaining an initial foothold, the group seeks to maintain and spread its presence throughout compromised networks via ‘Command and Control’ (C2) channels and repeat infections. Public reports note that Fighting Ursa continues to use and develop the OceanSteal information stealer (a.k.a. CredoMap) to harvest credentials.
As a suspected Chinese nation-state actor, Aquatic Panda performs highly specific missions involving both intelligence gathering and industrial espionage. Operating since May 2020, this threat actor is believed to work under the Chinese Ministry of State Security (MSS), in support of that ministry’s goals of enhancing regional security, promoting economic stability, and advancing technological development.
Aquatic Panda is noted for its ability to create expansive command and control infrastructure, creating new nodes between campaigns.
Aquatic Panda’s Tactics, Techniques, and Procedures (TTP)
With a central focus on Asia, Aquatic Panda primarily uses the Cobalt Strike, Winnti, and Spyder malware families to exploit victims, but it also seeks to identify and exploit Log4j vulnerabilities as part of its reconnaissance efforts.
Aquatic Panda broadens its Command and Control (C2) infrastructure by establishing new nodes and compromising active GlassFish servers and Cloudflare. The group also uses Acunetix for web application vulnerability scanning to focus its initial attacks.
Aquatic Panda is often associated with exploiting its victims via the following vulnerabilities, among others: CVE-2019-18935, CVE-2021-34473, CVE-2021-21978, CVE-2019-9621, CVE-2021-34523, CVE-2021-22205.
Like Aquatic Panda, Sea Turtle is a suspected nation-state actor with a similar method of performing intelligence-gathering operations on behalf of the regional government it originates from.
Sea Turtle has been active since at least 2017 but came to prominence in 2019 through widespread public reports of DNS hijacking campaigns. Its operations gained momentum in the first half of 2023, shifting from DNS hijacking as the primary exploitation tactic to full-blown compromise of targeted organizations.
Sea Turtle’s activities have recently shifted toward international telecommunications agencies, with widespread use of custom tooling to achieve successful exploitation.
Sea Turtle’s Tactics, Techniques, and Procedures (TTP)
Sea Turtle exploits victims via a wide range of known exploits, from vulnerabilities dating back to 2009 to more modern ones such as Log4j.
Network reconnaissance is often conducted with common open-source toolsets such as Nmap, Socat, cURL, fscan, and Impacket’s wmiexec module, but custom tooling is this APT group’s favored technique, with downloads from GitHub often occurring as attacks unfold.
Defenders should be aware of the following CVEs, which this actor exploits most frequently, and prioritize their remediation: CVE-2021-4034, CVE-2018-0296, CVE-2014-6271, CVE-2009-1151, CVE-2017-6736, CVE-2020-2034, CVE-2021-26084, CVE-2017-3881, CVE-2018-7600, CVE-2017-12617.
Active since 2014, Arid Viper appears to confine its primary operations to parts of the Middle East, North Africa, and targeted regions of Asia.
This threat actor targets all major operating systems, spanning Windows, mobile, and iOS devices. Its primary modus operandi is espionage, compromising victims through social engineering (namely fake dating websites or applications) or through custom malware kits.
Arid Viper, like its desert namesake, prefers to stay hidden until it needs to strike. Many of the malicious programs attributed to this threat actor are variants of the ‘Micropsia’ malware family. Arid Viper has recently been attributed custom malware kits developed in the Go programming language, specifically the ‘AridGopher’ malware.
Arid Viper’s Tactics, Techniques, and Procedures (TTP)
Arid Viper runs a standard reconnaissance and data gathering operation that relies on newly registered domains from registrars such as NameCheap or VPSMalaysia. These domains typically follow a naming convention whose structure is predictable even though the names themselves are random: firstname.lastname[@]domain[.]com.
It has deviated from this tactic recently, possibly because it had become too consistent, and may have switched to more randomized domain registrations. Arid Viper C2 infrastructure has been known to run on Apache 2.4.4x or Laravel.
While primarily using the Micropsia malware family, Arid Viper has also been observed delivering VolatileVenom (an Android RAT) and KasperAgent malware payloads.