‘Privateer’ Threat Actors Emerge from Cybercrime Swamp

‘Privateers’ aren’t necessarily state-sponsored, but they have some form of government protection while promoting their own financially-motivated criminal agenda, according to Cisco Talos.

A new type of cybercriminal is emerging in a cyber-threat landscape that’s historically been dominated by either state-sponsored threat actors or financially-motivated criminals that are hunted and prosecuted by law enforcement.

Dubbed “privateers” by researchers at Cisco Talos Intelligence, these predominantly ransomware groups are not specifically sponsored and directed by a government—such as APT groups like North Korea’s Lazarus and Russia’s Fancy Bear. However, they do have some type of protection from global governments while they themselves remain financially motivated and act upon their own agendas.

“That type of unofficial state protection frequently manifests as a lack of law enforcement action, even when requested through normal channels by other countries,” according to a post on the Cisco Talos Intelligence blog post published Wednesday. “The protecting state doesn’t receive direct benefit from these groups, but it is shielded from their activities, which frequently target the geopolitical adversaries of the protecting state.”

Indeed, while privateer cybercriminal groups are not specifically state-sponsored, they may carry out activities of the protecting state anyway due to pressure to engage in specific actions or target specific entities, according to the post.

Three Tiers of Ransomware

Privateers fall in the third tier of cybercrime groups below those specifically sponsored by governments at the top, commonly known as APTs and which receive explicit direction and financial support by a nation-state.

Below these top-tier actors are those that are believed to be working for nation-states but not actively sponsored by them, such as Ukraine’s Gamaredon as well as Promethium, also known as Strong Pity, researchers said.

In the case of Gamaredon, while they are not part of the traditional Russian intelligence apparatus, it’s believed that “much of the intelligence they gather from their operations are passed to Russian interests,” researchers wrote.

“In this case, we have a state-related threat that isn’t an element of the sponsoring state, but receives active support and direction from that state sponsor,” they wrote.

Who are the Privateers?

At the third tier are the privateers, with one notorious example being the Russia-based DarkSide ransomware group, perhaps best known for its recent attack on the Colonial Pipeline in the United States, which severely disrupted oil and gas supplies in the East and netted the group a $5 million payout. DarkSide isn’t sponsored specifically by Russia, but it does check a potential victim’s keyboard to avoid users that use the Cyrillic language, according to Cisco Talos.

Another privateer is the ransomware group Lockbit, whose operator told Cisco Talos researchers that the group would not target Russia or any countries allied with Russia, affording them some protection from Putin’s government.

“These privateer groups are becoming increasingly prevalent and will likely significantly change the threat landscape in the years to come,” researchers wrote.

What Makes a Privateer?

In addition to the benefit, whether direct or indirect, from state protection of the country with which it is affiliated, Cisco Talos cited several other criteria for identifying a cybercriminal “privateer.”

Another is that the country with which the group is affiliated does not cooperate with foreign law enforcement or intelligence services, nor do they offer extradition for foreign criminals back to their home country.

Privateers also tend to have “big-game hunting victimology,” according to researchers, with targets such as large enterprises or governmental organizations. This is clearly the case with DarkSide, which in addition to the disruptive pipeline attack also has targeted Toshiba.

This new breed of cybercriminal also is a fairly sophisticated bunch, with affiliates and third parties involved in helping it do its dirty work, researchers noted. Lastly, privateer activities have the “potential for social disturbance,” which was clearly evidenced in DarkSide’s Colonial Pipeline attack.

Join Threatpost for “A Walk On The Dark Side: A Pipeline Cyber Crisis Simulation”– a LIVE interactive demo on Wed, June 9 at 2:00 PM EDT. Sponsored by Immersive Labs, find out whether you have the tools and skills to prevent a Colonial Pipeline-style attack on your organization. Questions and LIVE audience participation encouraged. Join the discussion and Register HERE for free.

Suggested articles