Hackers, State Hackers and Cybercriminals: the most popular groups and their organizations. Cyber Attackers have evolved into proper criminal companies; the first way to defend yourself from hackers is gaining awareness of this and knowing who are the actors that threaten our data and what they do.
1. Know your enemy
In the famous manual “The art of war”, written by the Chinese General and philosopher Sun Tzu over 2,500 years ago, we find a fundamental piece of advice in order to defend ourselves from hackers: “Know the enemy and know yourself; in a hundred battles you will never be in peril”.
We should always keep in mind that knowing our enemy becomes essential also in Cybersecurity in order to understand the TTPs (Techniques, Tactics and Procedures) that they will use when trying to hit us.
And these enemies, the so-called threat actors, evolve continuously in their techniques that become more efficient and sophisticated by the day.
The defense tools and measures must keep up the pace and evolve as well: we shall not be misled into thinking that those measures that we had implemented only some years ago will still be sufficient in 2022.
FlashStart has created for this reason an advanced system that protects from a wide range of threats and prevents access to malicious websites, which, as we will see, can represent the origin of attacks.
2. Hackers are not like they used to be
Once upon a time, there were hackers with their lighthearted spirit.
The word “hacker” stems from the verb “to hack”, which means cut, slice, crumble, create an opening.
Starting from its original meaning, the word has subsequently been picked up by the Massachusetts Institute of Technology (MIT) in Boston in the 50s to indicate simply a violation of internal regulations: challenging the bans in order to access the underground tunnels as shortcuts among the campus departments (we talked indeed about “tunnel hacking”).
Here is where the hacker ethics was born, meaning a sort of “manifesto”, which could not but appeal to the libertarian spirit of those years.
Yesterday, like today, hacking means “seeing beyond”, exploring, manipulating, understanding how things are done within a structure in order to find defects (“bugs”) and improve it, through intuition, genius and art.
This is why the concept of hacking should not be intended only with a negative connotation but some distinctions need to be done among the different hacker categories:
» white hat hackers or “ethical hackers”: they are the good ones, those who use their IT competence in a legal way to discover software vulnerabilities (for example with a penetration test) and signal them – also upon payment of a price! – to the production company.
» black hat hackers or “immoral hackers”: they use their knowledge with a criminal intent in order to obtain an illicit profit.
What we aim to highlight here is how the position of the hacker has changed over the years, especially with reference to cyber crime and hence to black hat hackers.
Still today, in collective imagination and in all the movies on the topic, the hacker is pictured as some young guy, wearing a dark hoodie, bent on his keyboard: the classical “nerd”.
We shall forget about this picture, because it doesn’t exist anymore!
The “lone wolf” hackers we met at the dawn of mass IT, the “tech nerds” who hackered for fun or moved by rebellious instincts, those who sent us viruses that were naïf rather than damaging, have today been substituted by proper organizations.
They have the aim of making money and stealing data, and in order to reach their criminal targets they carry out Research and Development activities, just like a normal company.
Such companies include a lot of people, each with precise roles and functions, and have given themselves an organizational structure and a business model like proper companies do.
What they need, more than anything, is the technological skills to build and maintain high-level malware; hence, the hacker wearing his hoodie, if he still exists, is a piece of a more complex production chain.
Attacks then require hackers also to know thoroughly the interface or the application they want to attack and to perfectly master the language of the attacked subject. Moreover, they will have to be able to prepare attacks (usually through emails or messages) that should appear credible and appealing to the receiver: this is why “Cybercrime Ltd” now also includes a psychologist in its team.
For this reason, the attacks we receive through phishing emails are less and less rudimental, and actually they are often difficult to distinguish from real ones!
The legend of the “mean Italian” is not credible anymore.
Furthermore, for every successful attack, a network capable of laundering and cleaning the stolen amounts of money is needed, so as to make it untraceable. And so financial experts are part of the team.
And finally, cybercriminals as well have discovered the importance of communication!
We saw them issuing press releases, for example, during the Colonial Pipeline attack carried out by the group Dark Side in May 2021.
>> FlashStart promotes the culture of cybersecurity by publishing articles by certified authors like this one. The FlashStart Cloud Software protects you from a wide range of threats and blocks access to malicious websites→ Start your free trial now.
3. The most active hacker groups in recent years
Discussing cyber criminal groups in recent years has meant discussing ransomware, because this has by now become the most widespread threat, the one companies fear the most and the most profitable for the attackers.
As we explained in this article, according to the Clusit 2021 Report, Ransomware in 2020 represented 67% of all malware attacks.
As Cybersecurity Ventures report, in 2021 a ransomware attack took place every 11 seconds in the world, with a total damage for companies summing up to around 20 billion dollars in one year.
Let’s have a look at the groups that have been especially active in spreading ransomware. In some cases they were responsible for sensational attacks, which hit important organizations with requests for ransom that amounted to tens of millions of dollars.
It appeared in 2019, probably as a spin-off of the disappeared GandCrab. It takes its name from the movie “Resident Evil”. It is highly probable that it might be located in Russia and does not seem to be connected to any political or governmental entities.
It has been one of the most active in the “Ransomware as a Service” model (RaaS). According to what statistical data report, REvil victims make up 11% of the total number of attacks. It is the author of the highest ransom request of 2021 (70 million dollars in the Kaseya attack).
It hit also JBS S.A., the biggest meat processing company in the world. In September 2021 the cybersecurity company Bitdefender announced the availability of a universal decryptor for the REvil/Sodinokibi ransomware.
In January 2022 an operation by the FSB, the Russian Secret Services, led to the arrest of 14 members of the REvil group in Russia, definitively dismantling the band. The operation was widely advertised by Russia itself, maybe in order to show – especially towards the United States – its commitment in the fight against cyber crime. The FSB agency declared to have acted after receiving information from the United States about the REvil band.
Since August 2018, in Russian language. Very aggressive, with targeted attacks towards big organizations and with generally very high requests for ransom. One of the first groups to develop the RaaS affiliation programs. It also hit Bonfiglioli SpA in Italy in June 2019.
Since May 2019. It introduced double extortion, counting on the threat of publishing the files. Maze’s attacks went on until September 2020, when the group announced the end of its activities. It could, however, be using a different name.
3.4 Ragnar Locker
It appeared for the first time in 2019 and became well known in the first half of 2020, when it hit some big corporations. This group as well make an aggressive use of double extortion. It was responsible for the attack to Campari (2020) with a ransom request for 15 million dollars. It appears to have joined the Maze ransomware cartel, and this makes us think the two groups are possibly collaborating.
It appeared in 2019 and seems to be the successor of the by-now deceased BitPaymer (also called FriedEx). It hit Italy as well, especially Public Administrations in the country. Its victims include the School Register, the Municipality of Caselle Torinese, the Municipality of Rho, the Local Health Administration Umbria 2 and the Municipality of Brescia.
In America, it hit the national Mexican oil company Mexico’s Pemex Oil (in November 2019) and the city of Torrance in the Los Angeles metropolitan area, asking for a ransom of 100 bitcoin (689,147 dollars) and 200GB of exfiltrated data. It hit also the Delaware County in Pennsylvania (paid ransom: 500,000 dollars).
Of Russian origin, famous for the attack to Colonial Pipeline in the USA (May 2021). We discussed it in this article: https://flashstart.com/it/i-principali-cyber-attacchi-del-primo-semestre-2021-a-danno-delle-aziende-e-organizzazioni/#darkside-e-lattacco-alloleodotto
Since February 2020, of Russian origin. It has a very modern business model with a loyalty program for RaaS. It is deemed to have at least 30 affiliates, each of whom generates an average of 70-80 attacks.
The group appeared in July 2020, probably following a breakup from Ryuk.
It is a highly organized group, with recruiting methods based on technical capabilities and high level of collaboration among its affiliates. Many of the recent attacks targeted Italy, including in 2021 the one to San Carlo (the famous chips company in the food industry) and the one to the municipality of Turin.
This is the ransomware which hit the Italian Lazio Region at the beginning of August 2021.
A relatively recent ransomware gang that appeared in December 2020. I is known especially for the attack to SIAE (October 2021), the Italian Association for Authors and Editors, whose members had their data published online (especially singers).
>> FlashStart protects you from a wide range of threats and prevents access to malicious websites → Start your free trial now
4. State-connected hacker groups
The hacker groups (but it would be more correct to call them “cybercriminals”) that we listed above have all, as their aim, that of stealing money, especially through ransomware-led extortion. We can define them as “private” bands, even though sometimes they are connected to each other.
But they are not the only threat actor. So-called state-sponsored hacker groups exist as well, meaning groups that are – more or less directly – linked to states and governments.
Today, war isn’t fought (almost) anymore in the traditional war spaces (land, sea, sky), but rather in the “cyberspace”. And it is states themselves who are fighting it, through expressly created groups.
This war, defined “cyberwarfare”, is fought with no declarations of war and is usually hidden. Those who conduct it are groups that are deemed to be linked to the governments themselves, even though we do not always have evidence about this connection. An advantage of cyberwarfare is exactly given by how difficult it is to attribute the attack to a perpetrator, since it is easy for the attacker to hide its tracks.
These state-sponsored hacker groups are classified with names that sometimes are given to them by companies that work in cybersecurity. This is why a single group can end up having more than one name. One of the most popular ways of classifying them is to use the APT acronym followed by a number, as we will see.
Another way of naming them is by associating the name of an animal to the groups of a nation. Hence, we have: Bear (Russia), Panda (China), Kitten (Iran), Cobra (North Korea).
A full and very detailed listing of all these groups is provided online by the Mitre website at this link: https://attack.mitre.org/groups/
Let’s check out some of the most popular ones:
4.1 Hacker Groups in RUSSIA
4.1.1 Fancy Bear
(aka: APT28, Pawn Storm, Sofacy, Sednit, Strontium) probably linked to the GRU Russian Secret Services. The most famous action by Fancy Bear was the 2016 attack to the National Democratic Committee of the United States and to Hillary Clinton’s campaign, which appears to have influenced the results of the American presidential elections. Fancy Bear is deemed to be linked to the hacker group Guccifer 2.0.
4.1.2 Cozy Bear
(aka: APT29), probably linked to the foreign Russian secret services (SVR). Connect or affiliated with other groups too: Dark Halo, StellarParticle, Nobelium, UNC2452, Yttrium, The Dukes. In April 2021, the governments of the United States and of the United Kingdom attributed to Cozy Bear the attack that compromised the supply chain of the American company SolarWinds.
4.2 Hacker Groups in CHINA
4.2.1 Deep Panda
(aka: Shell Crew, WebMasters, KungFu Kittens e PinkPanther). Some analysts hold that Deep Panda and APR19 are actually the same group.
4.2.2 Mustang Panda
(aka: RedDelta, Bronze President). It targeted public institutions, non profit organizations, other religious and non-governmental organizations in the United States, Germany, Mongolia, Myanmar, Pakistan and Vietnam, among others.
It is probably a group sponsored by the State that operates from China and has been active at least since January 2021. Hafnium targets mainly entities in the United States through a series of industrial sectors. It is considered responsible for the attack to the Microsoft Exchange servers at the beginning of 2021.
4.3 Hacker Groups in IRAN
(aka: APT33, HOLMIUM). Iranian group that has carried out attacks at least since 2013. The group has targeted different sectors in the United States, Saudi Arabia and South Korea, with a particular interest for the aviation and energy sectors, especially oil refineries.
(aka: APT34, Helix Kitten). Iranian group that has existed at least since 2014 and focuses its operations in the Middle East. According to FireEye, the group operates at the behest of the Iranian government.
(aka: Mercury, Static Kitten, Seedworm). It targeted mainly countries in the Middle East, but also European and North American ones. The group’s victims are mainly in the telecommunication, governmental (IT services) and oil sectors.
4.3.4 Pioneer Kitten
(aka: UNC757, Fox Kitten, Parisite). It is suspected to be linked to the Iranian government. Active at least since 2017 against entities in the Middle East, North Africa, Europe, Australia and North America. It targeted industrial sites, among which oil&gas refineries, technological plants, governments, defense systems, public health systems, general production and engineering.
4.4 Hacker Groups in NORTH KOREA
4.4.1 Lazarus Group
(aka: APT38, Guardians of Peace, BeagleBoyz, Hidden Cobra). Financed and managed by the Northkorean regime, the group does not carry out military attacks towards other countries, but has the main aim of collecting funds (of course, illegally) in order to finance the regime and bypass the sanctions imposed on North Korea. According to the analysts, at least 7,000 North Koreans work in this governmental cyber department.
The first attack whose evidence is available is “Operation Flame” of 2007 with a sabotage of the Internet network of South Korea. In 2013, it carried out a series of coordinated attacks against South Korean financial institutions.
Banks and financial institutions are always the main target. The group is famous especially for the attack to the Central Bank of Bangladesh in 2016 (the biggest cyber theft ever, with 82 million dollars stolen) and for the attack to Sony Pictures Entertainment in November 2014.
5. Hacker: how can you defend yourself from a “dropper” attack?
The cybercriminals whose actions we discussed above have great attack capabilities and targets that can be political or military (in the case of state-sponsored groups) or else economic.
This last type of targets are the ones that companies and organizations must fear, since the aim is their money or else their data (that nevertheless are worth money).
Attack techniques can be numerous and very sophisticated, but they almost always use some TTP notes (Techniques, Tactics and Procedures).
5.1 The “Dropper” attack
One of the most common attacks is based on the following method: the attacker injects in the system it wants to hit a dropper that can be used to start the attack. This dropper (for example an Excel or Word macro or else a VBS file) will launch a connection towards Command&Control (C&C) servers belonging to the attacker, from where the dropper can download the malware needed to finalize the action.
5.2 How can you defend yourself from hackers and the “Geo-Blocking”?
FlashStart concretely helps you reduce the chances of inputting a Dropper by blocking access to compromised and dangerous websites at the DNS level and allowing, thanks to the exclusive Geoblocking feature, the block of DNS resolution towards websites hosted in countries that are deemed dangerous.
It will nevertheless be possible to permit partial DNS resolution only for selected websites located in these countries, with total security and flexibility.
>> FlashStart is a leader in competitiveness →Request an offer
6. The Author
Giorgio Sbaraglia, engineer, is a consultant and trainer on the topics of cyber security and privacy.
He holds training courses on these topics for numerous important Italian companies, including ABIFormazione and the 24Ore Business School (https://www.24orebs.com/docenti/giorgio-sbaraglia).
He is the scientific coordinator of the Master “Cybersecurity and Data Protection” of the 24Ore Business school.
He is a member of the Scientific Committee CLUSIT (Italian Association for Cyber Security) and an Innovation Manager certified by RINA
He has DPO (Data Protection Officer) positions in companies and Professional Associations.
He is the author of the following books:
» “GDPR kit di sopravvivenza” – “GDPR survival kit” (Edited by goWare),
» “Cybersecurity kit di sopravvivenza. Il web è un luogo pericoloso. Dobbiamo difenderci!” – “Cybersecurity survival kit. The web is a dangerous place. We must defend ourselves!” (Edited by goWare),
» “iPhone. Come usarlo al meglio. Scopriamo insieme tutte le funzioni e le app migliori” – “iPhone. How to use it to its full potential. Let’s discover together all the functions and best apps” (Edited by goWare).
He collaborates with CYBERSECURITY360 (https://www.cybersecurity360.it/)about a specialized online magazine of the group Digital360 focusing on Cybersecurity.
You can activate the FlashStart® Cloud protection on any sort of Router and Firewall to secure desktop and mobile devices and IoT devices on local networks.