New research from BlackBerry has found a link between the StrongPity APT and the MountLocker and Phobos ransomware gangs, all of which have targeted Australian organisations.
Research recently released by BlackBerry has found a link between the StrongPity APT and the MountLocker and Phobos gangs, which have targeted Australian businesses with ransomware and advanced persistent threat (APT) tactics; the three groups were previously thought to be unrelated to one another.
According to the research, the link between the groups was uncovered following a phishing email in September last year that targeted Australian state departments and real estate companies.
The findings raised some eyebrows at the company, as the threat actors typically used different tactics driven by different motivations.
However, BlackBerry's Research & Intelligence Team found that an initial access broker, dubbed "Zebra2104", was common to the groups, showing that the otherwise distinct actors were using the same malicious infrastructure.
“The BlackBerry Research & Intelligence Team has uncovered an unusual connection between the actions of three distinct threat groups, including those behind financially-motivated ransomware such as MountLocker and Phobos, as well as the espionage-related advanced persistent threat (APT) group known as StrongPity,” the research found.
“While it might seem implausible for criminal groups to be sharing resources, we found these groups had a connection that is enabled by a fourth; a threat actor we have dubbed Zebra2104, which we believe to be an Initial Access Broker (IAB).”
BlackBerry explains that IABs typically penetrate a victim's network and then sell that access to other criminals via the dark web.
“Later, the winning bidder will often deploy ransomware and/or other financially motivated malware within the victim’s organisation, depending on the objectives of their campaign.”
The team at BlackBerry explained how they uncovered the link between the cyber gangs.
"As is the case with many cyber investigations in today’s threat landscape, this journey began with the analysis of a Cobalt Strike Beacon and the data contained within its configuration," the team wrote.
The presence of a single domain, trashborting[.]com, together with both its current and historical DNS resolution information, led BlackBerry to uncover links to many different campaigns and to a new group that the BlackBerry Research & Intelligence Team named, and continues to track, as Zebra2104. The name stems from the use of initial access services that, as a byproduct, allow threat actors to "hide in the herd".
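As an added illustration of the starting point the team describes (this is example code, not BlackBerry's tooling or data), the Python below locates and decodes an embedded Cobalt Strike Beacon configuration, pulls out the C2 server setting, and then clusters a handful of samples by that host, which is the pivot that lets one shared domain tie otherwise separate campaigns together. The record layout used here (big-endian index/type/length records, a single-byte XOR key of 0x69 or 0x2E, setting 8 holding "host,/uri") is the publicly documented Beacon config format; the sample blobs, the URIs, and every hostname other than trashborting[.]com are constructed for this example and are not real samples.

```python
"""Pull the C2 host out of a Cobalt Strike Beacon config and cluster samples by it."""
from collections import defaultdict
import struct

# Single-byte XOR keys used to obfuscate the embedded config (v3 used 0x69, v4 used 0x2E).
XOR_KEYS = (0x69, 0x2E)
# The config always starts with setting 1 (BeaconType) stored as a 2-byte short,
# so the first six plaintext bytes are: index=1, type=1 (short), length=2.
CONFIG_PREFIX = bytes([0, 1, 0, 1, 0, 2])
SETTING_PORT, SETTING_C2_SERVER = 2, 8
TYPE_SHORT, TYPE_INT, TYPE_DATA = 1, 2, 3


def find_config(blob: bytes):
    """Locate the obfuscated config and de-XOR from that point; returns (plaintext, key) or None."""
    for key in XOR_KEYS:
        needle = bytes(b ^ key for b in CONFIG_PREFIX)
        idx = blob.find(needle)
        if idx != -1:
            return bytes(b ^ key for b in blob[idx:]), key
    return None


def parse_settings(config: bytes) -> dict:
    """Walk index/type/length/value records until the all-zero terminator record."""
    settings, pos = {}, 0
    while pos + 6 <= len(config):
        index, kind, length = struct.unpack(">HHH", config[pos:pos + 6])
        pos += 6
        if index == 0:
            break
        value = config[pos:pos + length]
        pos += length
        if kind == TYPE_SHORT and len(value) >= 2:
            settings[index] = struct.unpack(">H", value[:2])[0]
        elif kind == TYPE_INT and len(value) >= 4:
            settings[index] = struct.unpack(">I", value[:4])[0]
        else:
            settings[index] = value
    return settings


def c2_host(blob: bytes):
    """Return the lower-cased C2 hostname, or None if the blob holds no Beacon config."""
    found = find_config(blob)
    if found is None:
        return None
    raw = parse_settings(found[0]).get(SETTING_C2_SERVER)
    if not isinstance(raw, bytes):
        return None
    # The C2Server value is "host,/uri" padded with NULs; keep only the host part.
    return raw.split(b"\x00", 1)[0].split(b",", 1)[0].decode("ascii", "replace").lower()


def defang(host: str) -> str:
    """Defang a hostname for reporting, matching the trashborting[.]com notation."""
    return host.replace(".", "[.]")


def cluster_by_c2(samples: dict) -> dict:
    """Group sample names by the C2 host they beacon to; samples without a config are skipped."""
    clusters = defaultdict(list)
    for name, blob in samples.items():
        host = c2_host(blob)
        if host:
            clusters[host].append(name)
    return dict(clusters)


# --- constructed test data (assumption: fake blobs built to the documented layout, not real malware) ---
def build_config(c2: str, key: int, beacon_type: int = 8, port: int = 443) -> bytes:
    def rec(index, kind, length, value):
        return struct.pack(">HHH", index, kind, length) + value
    plain = (
        rec(1, TYPE_SHORT, 2, struct.pack(">H", beacon_type))       # BeaconType (8 = HTTPS)
        + rec(SETTING_PORT, TYPE_SHORT, 2, struct.pack(">H", port))  # Port
        + rec(SETTING_C2_SERVER, TYPE_DATA, 256, c2.encode().ljust(256, b"\x00"))
        + b"\x00" * 6                                                # terminator record
    )
    # Surround the XOR-ed config with unrelated bytes, as it would sit inside a binary.
    return b"\x90" * 16 + bytes(b ^ key for b in plain) + b"\x00" * 8


SAMPLES = {
    "beacon_a": build_config("trashborting.com,/updates", 0x69),
    "beacon_b": build_config("cdn-stage.invalid,/api", 0x2E),
    "beacon_c": build_config("TRASHBORTING.COM,/login", 0x2E),
    "not_a_beacon": b"MZ" + b"\x00" * 64,
}

if __name__ == "__main__":
    for host, names in cluster_by_c2(SAMPLES).items():
        print(f"{defang(host)}: {', '.join(names)}")
```

Run against real samples the output is only the first hop: the shared host is then enriched with current and historical DNS resolutions to find the other domains, IP addresses and campaigns that sit behind the same infrastructure, which is the pivot the article describes.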