Everyone reading this blog should be familiar with the most notorious and sophisticated cybercrime gang in history, LockBit, targeting over 2,000 victims, receiving over $120 million in ransom payments with other ransom demands totaling hundreds of millions.  

You may also be aware that on February 20, 2024, the Department of Justice announced that in a joint effort between the U.S., United Kingdom and other international law enforcement agencies disrupted the LockBit ransomware group by seizing numerous public-facing websites.

By February 28, 2024, the leader of the LockBit gang, code-named “LockBitSupp” announced that they were back online with a new data leak site equipped with “countdown clocks” for its current victims.

Ransomware and double extortion have become the modus operandi for a large group of cyber threat actors over the past 7 or so years, although ransomware has been around much longer. These are not the only tactics, techniques, and procedures (TTPs) used to crush some of the largest and smallest organizations in the world.

Let’s look at a set of threat actors and their TTPs that you may not be so familiar with.

Volt Typhoon is arguably the most dangerous threat-actor group in the world today. Its profound impact is largely due to its substantial scale and its backing of the Chinese government, elevating it to the status of a Nation State actor. But that’s not the worst of it. It is alleged that Volt Typhoon actors have been infiltrating our critical infrastructure using tactics such as living off the land.  

Living-off-the-land techniques are the most difficult to detect because they don’t use their own files or install any code or scripts. After gaining access, they simply use trusted system tools, like PowerShell or Windows Management Instrumentation (WMI) to stay persistent and undetected.

Blue Delta, sound familiar? What if I said, APT28, still nothing? How about Fancy Bear? I thought you’d recognize that one. Well, they are one in the same. Blue Delta is a Russian state-sponsored group that is attributed to the Russian Main Intelligence Directorate of the General Staff of the Armed Forces (GRU) Unit 26165, according to the Recorded Future, INSKIT Group.

Blue Delta is known for conducting credential harvesting, spear phishing, network eavesdropping, and other operations directly against its targets. The group also uses a suite of custom tools and open-source tools to infiltrate its targets and extract sensitive information. Targets have included the Microsoft Email System, the Democratic National Committee, and many others.

MarjorNelson, you might be thinking of the charismatic actor Larry Hagman, who portrayed Major Anthony Nelson on ‘I Dream of Jeannie’. However, this individual is a nefarious threat actor associated with the ShinyHunters organization, responsible for posting a 73-million-line database from the recent AT&T breach. The methods most used here are identity theft, phishing, social engineering and SIM card hijacking.

FIN7, otherwise known as Carbon Spider, is a Russian Advanced Persistent Threat (APT) group primarily targeting the United States. Its software was said to be used in the Colonial Pipeline attack in May of 2021 perpetrated by the DarkSide group. Since 2015, FIN7 has stolen more than 16 million payment cards—many of which have been sold on the dark web where the purchaser would use them to purchase goods and services.

FIN7 is a very sophisticated group using an arsenal of constantly evolving, complex malware tools and TTPs, controlling infected computers through a web of compromised servers around the globe. They operate a ‘legitimate’, in appearance, cybersecurity business called Combi Security in an attempt to hide their nefarious activities. 

ALPHV/BlackCat claimed responsibility for the December 2023 breach of Vans, a VF Corp company, affecting 35.5 million customers by exfiltrating personally identifiable information (PII) and posting it for sale on the dark web. 

The group’s modus operandi is ransomware-as-a-service (RaaS), where they sell their software and infrastructure to criminal affiliates who carry out ransomware attacks on victims.  The ALPHV group has been responsible for numerous ransomware attacks targeting industries such as manufacturing, healthcare, retail, energy and IT.

In Conclusion:

There are many dangerous and very active threat actor groups out there, ranging from state-sponsored entities, to sophisticated well-run corporations, as well as script kiddies so this is not considered an exhaustive list.

An important takeaway from this blog is that every organization, regardless of its size, is susceptible to breaches and may face catastrophic consequences as a result. CL0P Ransomware Group, Lazarus Group, Storm-0558 are also opportunistic hunters, so remember to:

• • Conduct a Risk Assessment

• • Prioritize and Patch

• • Segment your Network

• • Implement Endpoint Detection & Response

• • Utilize Complex Pass Phrases 

• • Implement MFA

• • Minimize Internet Exposure

• • Have an Incident Response Plan

• • Perform Tabletop Exercises

• • Train your Users (Security Awareness)

• • Test your Users (Phishing Simulation)

By: Brett Price – Lead Cybersecurity Consultant – C|CISO, CISSP, CISM, CISA

Contact us for more information about our cybersecurity solutions.