The investigation of a single cyber attacker has led researchers to a bigger operation that appears to operate both as a nation state attacker and as a cyber crime group, according to Palo Alto Networks’ Unit 42 threat intelligence team.
The larger operation, dubbed the Gorgon Group, has been linked to a campaign of attacks on governmental agencies from the UK, US, Spain and Russia that operate in Pakistan, dating back to February 2018.
At the same time, the researchers were able to link members of the Gorgon Group to criminal operations against targets around the globe, often using the same infrastructure as the nation state-style attacks.
On 24 April, for example, Unit 42 observed a targeted attack aimed at several worldwide governmental bodies and a malicious spam campaign being delivered from the same domain.
The two attack types also use several of the same attack tools, including remote access and data stealing malware families such as NjRAT and LokiBot.
This finding is consistent with observations by researchers in recent years that the lines between nation state and criminal attacks are blurring, with the same individuals, tools, tactics and techniques often used for both.
The researchers were able to find some open directories and make use of operational security failures to link various actors to the Gorgon Group and identify the different malware types the group is using.
Analysis of various campaigns showed that the same infrastructure was used to switch rapidly between nation state-style attacks and cyber criminal operations, although most activity was criminal in nature.
An interesting characteristic of the Gorgon Group’s activity, the researchers said, is its use of the URL shortener Bitly to shorten and distribute command-and-control domains for both the criminal and the targeted attack campaigns.
Although the location of the group has not been confirmed, the researchers said all members purport to be in Pakistan, based on their online personas.
Cyber criminal activities linked to the group include selling domain hosting for criminal operations, remote desktop protocol (RDP) sessions, fake documents and malware.
Although the Gorgon Group lacks overall sophistication, relying on numerous decoy documents and phishing emails, the researchers said the group’s success proves that simple attacks can still be effective against organisations without proper protection.