Hackers for Hire: Adversaries Employ ‘Cyber Mercenaries’

insider threat

Also known as the Atlantis Cyber-Army, the emerging organization has an enigmatic leader and a core set of admins that offer a range of services, including exclusive data leaks, DDoS and RDP.

A for-hire cybercriminal group is feeling the talent-drought in tech just like the rest of the sector and has resorted to recruiting so-called “cyber-mercenaries” to carry out specific illicit hacks that are part of larger criminal campaigns.

Dubbed Atlas Intelligence Group (A.I.G.), the cybergang has been spotted by security researchers recruiting independent black-hat hackers to execute specific aspects of its own campaigns. A.I.G., also known as Atlantis Cyber-Army, functions as a cyber-threats-as-a-service criminal enterprise. The threat group markets services that include data leaks, distributed denial of service (DDoS), remote desktop protocol (RDP) hijacking and additional network penetration services, according to a Thursday report by threat intelligence firm Cyberint.

“[A.I.G.] has introduced us to out-of-the-box thinking,” Cyberint’s Shmuel Gihon wrote in the report.

[FREE On-demand Event: Join Keeper Security’s Zane Bond in a Threatpost roundtable and learn how to securely access your machines from anywhere and share sensitive documents from your home office. WATCH HERE.]

A.I.G., according to researchers, is unique in its outsourcing approach to committing cybercrimes. Organized threat groups tend to recruit individuals with certain capabilities that they can reuse and incent them with profit sharing. For example, Ransomware-as-a-Service organized crime campaigns can involve multiple threat actors – each getting a cut of any extorted lucre or digital assets stolen. What makes A.I.G. different is it outsources specific aspects of an attack to “mercenaries” who have no further involvement in an attack.

The report’s author, Gihon, said only A.I.G. administrators and the group’s leader—dubbed Mr. Eagle—know fully what the campaign will be and outsource isolated tasks to hired guns based on their skillsets.

Unique Business Model

This uncommon business model also allows the group, which has been operating since the beginning of May, to offer a range of cybercriminal services instead of a single core competency, he said.

“While many groups are focusing on one, maybe two, services that they offer, Atlas seems to grow rapidly and expand its operations in an efficient way which allows them to offer many services,” Gihon wrote.

A.I.G. tends to target government and state assets in countries all over the world, including the United States, Pakistan, Israel, Colombia and United Arab Emirates, researchers found.

Mr. Eagle not only leads the campaigns but also doubles as a chief marketing officer of sorts, putting a significant effort into advertising A.I.G.’s various cybercriminal services, he said.

Anatomy of a Threat Group

Researchers took a deep dive into how A.I.G. operates, communicates and manages its operations, as well observed the specific cybercriminal services it offers.

DDoS seems to be the group specialty, with Atlas providing solid proof of execution to customers for as little as 20 euros per victim, researchers said. The group also offers a popular data-leak services that focuses on anything that might be valuable to potential buyers, Gihon said.

A.I.G. has published leaked databases from all over the world for sale, with a starting price from 15 euros, researchers said. The group targeted various sectors in the breaches, including education, finance, government entities, manufacturing and technology, they said.

A.I.G. also has premium services that demand more skill and demonstrate the group’s sophistication, researchers said. One of these products is hacked panels and initial access to organizations, with prices for these services starting from about $1,000.

The group also offers “VIP services” that claim ties to people in law-enforcement positions across Europe that can give customers access to sensitive information about specific individuals, researchers said.

Multi-Channel Communication

Telegram is the communication platform of choice for A.I.G., with the group operating three different Telegram channels with thousands of subscribers, researchers said. One is a database marketplace for selling leaked databases, and another is a commercial channel that also includes announcements and updates from the group, they said.

Atlas also operates a unique Telegram channel in which Mr. Eagle and the group’s administrators publish the contracts that the group offers to those hired to perform attacks. This allows subscribers to sign up depending on what they can offer and helps the group recruit various cybercriminals, such as red teamers, social engineers and malware developers, researchers said.

Atlas sells its services primarily on an e-commerce store on the site Sellix.io, a forum that offers payment with cryptocurrency and acts as a broker, providing the privacy-conscious group with an extra layer of anonymity, Gihon said.

“Observing the behavior of the group in general and the leader in particular, it seems that operation security (OpSec) is a top priority,” he wrote.

The (Mr.) Eagle Has Landed

Indeed, the group’s leader is an enigmatic figure who appears to run a tight ship in terms of his overall maturity and professionalism, exhibiting logical and meticulous decision-making and behavior that leaves “no room for errors,” Gihon wrote.

“Mr.Eagle tends to have very strict rules in the management of the group, including banning and throwing [out] scammers and other threat actors that try to advertise their products,” he wrote. “It seems that Mr.Eagle maintains very high reliability among the group.”

This type of leadership apparently comes in handy when delegating tasks to general administrators, of which A.I.G. appears to have at least four—dubbed El Rojo, Mr.Shawji, S41T4M4 and Coffee, researchers said. The administrators carry out day-to-day advertising tasks as well as management of group operations and communication channels, researchers said.\

The hired contractors, or “mercenaries,” who carry out the nefarious activities of the group are the lowest rung of the A.I.G. structural ladder. This part of the group is a revolving door of cybercriminals who are hired to work only on a particular campaign based on their skillset, researchers said.

[FREE On-demand Event: Join Keeper Security’s Zane Bond in a Threatpost roundtable and learn how to securely access your machines from anywhere and share sensitive documents from your home office. WATCH HERE.]

Suggested articles