The Top 6 Cyberthreat Actors: Today’s Most Active Groups
What happens when you analyze nearly 1.8 million cyberattacks during a 90-day stretch? Cyberthreat trends suddenly surface from a sea of data points — and so do the names of the most prolific threat actors launching these attacks.
According to BlackBerry Vice President of Threat Research & Intelligence Ismael Valenzuela, the attacks analyzed in the BlackBerry Threat Intelligence Report come from a broad range of cyber-suspects.
“We saw state-affiliated APT groups, financially motivated ransomware gangs, and many other threat actors of all sizes, capabilities, and motivations, conducting multiple campaigns,” he explains. "However, a few threat groups were especially notable for their high levels of activity and oversize share of the attacks," says Valenzuela, deserving the attention of security teams and the organizations they protect.
In this post, we will explore the list of the most active cyber threat actors as discussed in the BlackBerry Global Threat Intelligence Report.
Blocked Cyberattacks Reveal Most Active Attack Groups
The report analyzed malware-based attacks between Sept. 1 and Nov. 30, 2022. During that period, BlackBerry® endpoint security solutions powered by Cylance® AI stopped approximately 19,524 malicious malware-based attacks that targeted active customers per day. This totaled 1,757,248 cyberattacks during the reporting period and comprises the data used in this analysis.
Here is the list of the six most active cyber adversaries the BlackBerry Threat Research & Intelligence Team observed.
1. ALPHV: Creator of BlackCat Ransomware
ALPHV is a relatively new and rapidly growing cybercrime group. First observed near the end of 2021, the ALPHV group gained attention for innovative extortion tactics, and unconventional attack methods. ALPHV is widely known as operator of the distinctly unlucky ransomware-as-a-service (RaaS) offering known as BlackCat.
ALPHV has two distinct competitive edges over other RaaS subscription service operators, according to BlackBerry researchers.
First, BlackCat is the first widely distributed ransomware family to be written in Rust, a powerful programming language that allows the threat operator to easily customize malware for use against different operating systems like Windows® and Linux®. A benefit of using Rust is that it adds another level of difficulty when being analyzed due to its obscurity, and thus adds stealth. The sheer number of enterprise environments open to attack is an attractive quality to affiliates.
Secondly, ALPHV uses double- and triple-extortion tactics. This indicates that in addition to encrypting data and systems, and threatening to leak exfiltrated data, ALPHV sometimes additionally threatens to launch distributed-denial-of-service (DDoS) attacks against the websites of victims who refused to pay, thus completing the extortion trifecta.
The ALPHV group does not appear to target a specific sector or country. Because ALPHV allows other threat actors to use its BlackCat ransomware on a subscription basis, the presence of the malware on a system does not necessarily indicate a direct attack by ALPHV. To date, BlackCat ransomware has struck retail, financial, manufacturing, government, technology, education, and transportation, across a range of countries that includes the U.S., Australia, Japan, Italy, Indonesia, India, and Germany.
The threat group APT32 is believed to be based in Vietnam and has conducted malicious cyber activities since at least 2014. Its targets have included various private industries, foreign governments, and individuals such as dissidents and journalists, with a particular focus on entities operating in Southeast Asian nations including Vietnam, the Philippines, Laos, and Cambodia. APT32 frequently employs tactics such as strategic web compromise to gain access to victims’ systems. This cybercrime group has also attacked defense organizations, high-tech companies, healthcare, and manufacturing.
The BlackBerry Threat Research and Intelligence team has analyzed multiple APT32 intrusions, observing the threat group’s use of a suite of remote access Trojans (RATs) dubbed Ratsnif to leverage new network attack capabilities. BlackBerry also identified the group’s use of steganography (the technique of hiding secret data within an ordinary, non-secret file or message) to embed a malicious payload in a PNG image.
Our regular blog readers may recall the threat group known as Mustang Panda making headlines in late 2022. In October, BlackBerry reported a campaign by the China-based APT group that leveraged legitimate apps to target the Southeast Asian state of Myanmar. Two months later, the BlackBerry Threat Research and Intelligence team reported the discovery of Mustang Panda activity that leveraged global interest in the Russian-Ukrainian war to attack targets in Europe and Asia Pacific regions.
The APT group was first detected in 2017 but may have been active since 2014. Mustang Panda has since targeted a wide range of organizations, including government agencies, nonprofits, religious institutions, and non-governmental organizations (NGOs) around the world, in places such as the United States, the European Union, Mongolia, Myanmar, Pakistan, and Vietnam.
The group frequently uses PlugX and China Chopper for its operations. PlugX is a modular RAT that can be configured to use both HTTP and DNS for command-and-control (C2) activities. China Chopper is a malicious Web shell that allows unauthorized access to an organization’s network and does not require an infected device to communicate with a remote C2 server.
APT29, also known as the Dukes, is a well-funded and highly organized cybercrime group, believed to have been actively conducting cyber espionage for the Russian government since at least 2008. Although it has conducted attacks in Asia, Africa, and the Middle East, its main focus appears to be government agencies and NGOs in North America and Europe. Some of the ransomware it utilizes includes Cobalt Strike, Mimikatz, and AdFind. One of the most dangerous aspects of APT29 is that they have been known to develop their own set of custom tools for hacking campaigns.
The cybercriminal group TA542 distributes Emotet malware and researchers believe it played a significant role in creating Emotet in the first place. This malware was first discovered in mid-2014; Emotet has a modular design and shares characteristics with an enhanced version of the Bugat (also known as Feodo) banking Trojan. Known to thwart basic antivirus programs, once Emotet infects a machine it attempts to compromise other computers in the network.
The malware typically spreads via phishing emails. The authentic-looking email contains a malicious link or infected document that, if clicked or downloaded, automatically drops additional malware onto the machine. Today, the operators of Emotet provide a malware-as-a-service (MaaS) offering that allows other threat actors to rent access to Emotet-infected computers, often to further victimize them using additional malware such as TrickBot or QBot.
TA542 generally carries out attacks for a short period of time, after which they take a break for several months before returning with a new version or variant of the malware. Targets of TA542’s campaigns include the education, financial, retail, and healthcare industries.
Active since 2014, TA505 is a prolific financially motivated cybercrime group. TA505 is considered one of the largest, if not the largest, phishing and malspam distributors worldwide, estimated to have compromised more than 3,000 US-based and 8,000 global organizations. TA505 has played many different roles in the cybercrime community, including acting both as a RaaS operator and as an affiliate of other apex RaaS operators, as an initial access broker (IAB), and as a customer of other IABs, selling access to compromised corporate networks. At other times it has also acted as a large botnet operator, specializing in financial fraud and phishing attacks.
TA505 is a significant player in the global cybercrime scene, and has been a driver of global trends in the cybercriminal underworld. The group targets education, finance, healthcare, hospitality, and retail worldwide. It is also known for its long-term cyberattack lifecycle, sometimes persisting in a target's network conducting reconnaissance for weeks — even months — successfully avoiding detection as it patiently identifies the highest-value targets in the victim’s environment. The group uses Locky ransomware as its primary cyberattack tool, but it has also been known to experiment with other types of malware. TA505’s toolset includes Clop ransomware, the FlawedAmmyy RAT, and banking Trojans like Dridex.
For similar articles and news delivered straight to your inbox, subscribe to the BlackBerry Blog.