The Origin of Threat Groups: Scaling Out Operations

“A better focus is what common threads do these operations all have, what common vectors do they have, or how is this ecosystem of groups collaborating to get into my network?”

At the same time, many ransomware operators offer as-a-service models where affiliates deploy their malware against the victim in return for a share of the paid ransom. Many times, before working with an affiliate the threat group will be vetted first, being asked to prove their technical skills. While the malware and ransomware “brand names” – such as REvil or Conti – are often highlighted in cyberattacks, affiliates are the ones that may be driving the attacks themselves. In a recent analysis in March, eSentire researchers gave insight into a new set of Indicators of Compromise (IoCs) for a Conti affiliate, as well as the group’s preference for SonicWall exploits and the Cobalt Strike intrusion framework. And in June 2021, Mandiant researchers observed a DarkSide affiliate accessing victims through a trojanized software installer downloaded from a legitimate website.

While these partnerships are mutually beneficial, cybercriminal gangs are also known to compete or launch attacks against one another, as seen after an allegedly disgruntled Conti affiliate pentester in August, unhappy with the pay for work, stole and leaked data about the group’s TTPs, including its training materials, tools for attacks and Cobalt Strike C2 server IP addresses.

In another layer of complexity, threat groups themselves aren’t fluid, and have been known to rebrand – sometimes multiple times – if their attacks garner too much attention or if their operational mechanisms collapse.

“There are logistical and operational concerns for these groups, just like there are for a standard business,” said Sherrod DeGrippo, vice president of threat research and detection at Proofpoint. “You’re running into issues of pricing or customer service, or too many people to manage, and that’s why we see breakdown and reformation.”

GandCrab, for instance, started to wind down in 2019 after facing several drawbacks to its fast-paced development approach, including bugs and loopholes discovered in its distributed versions and breaches occurring on their server-side infrastructure, leading to the leaks of private keys of victims. Since then, researchers believe the group has rebranded itself into the REvil ransomware group. Some security researchers have theorized that the BlackMatter group is a partial reincarnation of the DarkSide ransomware group after the latter launched the infamous 2021 cyberattack on the Colonial Pipeline, leading to the U.S. government offering a $10 million bounty reward for information on its group leaders. And UNC2190 has proactively rebranded repeatedly in order to avoid public scrutiny, while only making minor changes to their strategies and retooling.

“It appears, like in a legitimate enterprise, the stability and agility of the management team to adapt and innovate is a key factor for these cybercriminal groups to survive and grow,” said Boland. “To become well known through notoriously huge and successful cybercriminal attacks, is also to become well known and subject for investigation and takedown by global law enforcement groups. These groups rise and fall, and sometimes they fall and get back up.”

While there is a focus by the security landscape on the TTPs and malware used in various campaigns, these details are often muddled by the complex and intricate threat landscape made up of operators, affiliates and rebranded groups. Kennelly said organizations are better off inspecting the risks in their environment in conjunction with how they can most effectively defend against the top common security threats that attackers are targeting.

“A hyper-focus on the brands and malware is really distracting people from really being able to focus on the common associations within the ecosystem,” said Kennelly. “A better focus is what common threads do these operations all have, what common vectors do they have, or how is this ecosystem of groups collaborating to get into my network?”