Everything is sold as a service now, even an APT Campaign

APT As A Service

IntSights cyber intelligence analysts identified, for the first time, a tool set aimed at attacking nation-states (an APT) sold as a service on the Darknet.

One of the biggest myths of the cyber underground depicts an outstandingly skilled hacker, engaged in a thrilling auction to sell his services to the highest bidders, be they criminal moguls, rogue dictators or dangerous terrorists. This romantic notion is far from the truth: the “Almighty Hackers” are usually plain software engineers, working at seemingly innocent software companies which develop cybercrime tools. These tools are later put up for sale on the underground and end up targeting commercial organizations around the world.

Cybercriminals were quick to adopt this service business model and offer “As-a-Service” tools to the masses. Until recently, this trend was limited to cybercrime and hacktivist tools and capabilities, offering services like DDoS on demand, ransomware affiliate programs and banking bots for rent. However, the main reason for cybercrime’s recent “fame” and increased interest is that this business model allowed many novice “script-kiddies” to step up their game and become full-time cyber criminals.

APT as a service

Recently, IntSights cyber intelligence analysts identified a new group selling international cyber espionage campaigns, or APTs, as a service. This is the first time that someone has fused the “romantic” model of a genius hacker for rent with the down-to-earth, proven business model which is so successful today in the cybercrime world: cyber tools and capabilities as a service.

The difference between a “regular” cybercrime tool or service and an APT (advanced persistent threat) is vast. An APT campaign comprises intelligence gathering, insertion of malware via social engineering or spear-phishing, gaining a foothold in the organization (usually by exploiting privileged users’ credentials) and exfiltration of sensitive data. It requires an advanced skill set and technical know-how, as well as meticulous planning and careful execution.

Nevertheless, IntSights analysts identified a group, “Babylon APT”, that offers its services on a designated website which appears to be old and badly maintained.

Given the state of the site and services offered, IntSights analysts estimate that this is not a professional group.

APT groups are usually state-sponsored or state-affiliated and do not sell their services in the open, which would risk exposure and reduce the chances of success of the APT campaign. Whilst non-state-sponsored groups well capable of launching APT-like attacks do exist (such as the infamous Anunak), they charge heavily for their services and do not publish their capabilities and intents to the world.

Note that a group with the same name reportedly published vulnerabilities found in the IT systems of American Airlines and Delta Airlines on a Chinese-run black-market forum. Since the name is identical and the site has many typos and broken English, it is quite possible that it is Chinese in origin. The motive and identity of the site’s operator are still unknown.

Regardless of the authenticity of the site, the level of services offered and the identity of the people behind it, the main cause for concern is the out-of-the-box thinking that results in such a service. It is quite possible that somewhere else in the world a very capable group of hackers is offering its services to nation states, terrorists and people with questionable motives, and it is even possible that rogue states rely on such firepower to conduct APT campaigns. When such services truly become a commodity, every organization in the world will be under greater threat of breach and attack.

This post was written by IntSights intelligence team leader, Ido Wulkan.
