
The Origin of Threat Groups: Scaling Out Operations


Editor’s Note: This is the second of a two-part series on how threat groups originate. This second part looks at how cybercrime groups scale out their operations, while the first part, available to read here, focused on the beginnings of threat groups, and how the groups lay the groundwork for their malicious activities.

In September, a ransomware group was observed setting up an affiliate program, followed the next month by a ransomware shaming site and blog. The group, which researchers with Mandiant call UNC2190, has only been around since June, but it has operated under several names and continuously rebranded while targeting critical infrastructure like education, health and natural resources in the U.S.

UNC2190’s track record is an example of how threat groups scale their operations by working externally with other groups and changing their own brands to evade detection. Top threat groups now have established, organized procedures for their internal operations and structure. At the same time, researchers describe a complex and fluid ecosystem in the broader landscape, in which threat actors compete with one another but in some cases also work together. Within this ecosystem, threat groups have built up their operations to boost their reputation, rebranded themselves, or even shut down.

“It’s less about what the understanding of this teaches us and more about how we can use this understanding to think about the threat landscape in a way that’s productive,” said Jeremy Kennelly, senior manager, financial crime analysis with Mandiant Threat Intelligence. “When you look at ransomware brands, intrusions, operators and all that, I think the relationship between a brand and an affiliate is starting to enter public consciousness more. What hasn’t evolved yet is a more nuanced understanding of what that means for how you defend yourself and how you understand these threats.”

Many threat groups are known to work in loose collaboration with one another. The relationship between the groups behind the Emotet, Ryuk and Trickbot malware families is one notable example, with some campaigns adapting Emotet as a dropper for the Trickbot trojan, which then steals sensitive data and downloads the Ryuk ransomware. Other researchers point to the Conti and Trickbot groups converging over the past year, with Conti turning into the sole end-user of Trickbot’s botnet product and multiple developers and managers joining the ransomware group.

“Last year, we saw the formation of interesting cybercriminal group alliances. Conti ransomware-as-a-service gang, REvil and DarkSide alleged collaboration is an example of loose, mutually useful, temporary alliances formed by these groups,” said Micki Boland, cybersecurity architect with Check Point Software. “These groups will sometimes share stolen tools, repurposed malware and ransomware, and techniques, sometimes combining those created by the other cybercriminal groups.”


At the same time, many ransomware operators offer as-a-service models in which affiliates deploy the operator's malware against victims in return for a share of the paid ransom. Often an affiliate is vetted before the threat group will work with them, and asked to prove their technical skills. While the malware and ransomware “brand names” - such as REvil or Conti - are often highlighted in reporting on cyberattacks, the affiliates are frequently the ones actually carrying out the intrusions. In an analysis in March, eSentire researchers published a new set of Indicators of Compromise (IoCs) for a Conti affiliate, along with that affiliate’s preference for SonicWall exploits and the Cobalt Strike intrusion framework. And in June 2021, Mandiant researchers observed a DarkSide affiliate gaining access to victims through a trojanized software installer downloaded from a legitimate website.

While these partnerships are mutually beneficial, cybercriminal gangs are also known to compete with or attack one another. In August, for example, an allegedly disgruntled Conti affiliate pentester, unhappy with the pay for his work, reportedly stole and leaked data about the group’s TTPs, including its training materials, attack tools and Cobalt Strike C2 server IP addresses.

In another layer of complexity, threat groups themselves aren’t static: they have been known to rebrand - sometimes multiple times - if their attacks attract too much attention or if their operational mechanisms collapse.

“There are logistical and operational concerns for these groups, just like there are for a standard business,” said Sherrod DeGrippo, vice president of threat research and detection at Proofpoint. “You’re running into issues of pricing or customer service, or too many people to manage, and that’s why we see breakdown and reformation.”

GandCrab, for instance, started to wind down in 2019 after running into several drawbacks of its fast-paced development approach, including bugs and loopholes discovered in its distributed versions and breaches of its server-side infrastructure that led to leaks of victims’ private keys. Since then, researchers believe the group has rebranded as the REvil ransomware group. Some security researchers have theorized that the BlackMatter group is a partial reincarnation of the DarkSide ransomware group, which rebranded after the infamous 2021 cyberattack on Colonial Pipeline led the U.S. government to offer a $10 million reward for information on the group's leaders. And UNC2190 has proactively rebranded repeatedly in order to avoid public scrutiny, while making only minor changes to its strategies and tooling.

“It appears, like in a legitimate enterprise, the stability and agility of the management team to adapt and innovate is a key factor for these cybercriminal groups to survive and grow,” said Boland. “To become well known through notoriously huge and successful cybercriminal attacks is also to become well known and subject for investigation and takedown by global law enforcement groups. These groups rise and fall, and sometimes they fall and get back up.”

While the security industry tends to focus on the TTPs and malware used in individual campaigns, these details are often muddled by the complex and intricate threat landscape of operators, affiliates and rebranded groups. Kennelly said organizations are better off assessing the risks in their own environment alongside how they can most effectively defend against the common security threats that attackers actually rely on.

“A hyper-focus on the brands and malware is really distracting people from really being able to focus on the common associations within the ecosystem,” said Kennelly. “A better focus is what common threads do these operations all have, what common vectors do they have, or how is this ecosystem of groups collaborating to get into my network?”