A new type of cyber-criminal is emerging in a threat landscape that has historically been dominated by either state-sponsored threat actors or financially motivated criminals who are pursued & prosecuted by law enforcement.
‘Privateers’ aren’t necessarily state-sponsored, but they have some form of ‘govt. protection’ while promoting their own financially-motivated criminal agenda, states Cisco Talos.
Dubbed “privateers” by researchers at Cisco Talos Intelligence, these groups, mainly ransomware operators, are not sponsored & directed by a govt. in the way that APT groups such as N. Korea’s Lazarus & Russia’s Fancy Bear are. They do, however, enjoy some form of protection from a govt. while remaining financially motivated & acting on their own agendas.
State-Sponsored
“That type of unofficial state protection frequently manifests as a lack of law enforcement action, even when requested through normal channels by other countries,” according to a Cisco Talos Intelligence blog post published on Wed.
“The protecting state doesn’t receive direct benefit from these groups, but it is shielded from their activities, which frequently target the geopolitical adversaries of the protecting state.”
While privateer groups are not state-sponsored as such, they may still carry out activities that serve the protecting state, explains the post, because of pressure to engage in specific actions or to target specific entities.
Three Tiers
Privateers occupy the 3rd tier of a 3-tier model of state-related cyber-crime groups. At the top are groups sponsored outright by govts., commonly known as APTs, which receive explicit direction & financial support from a nation-state.
Below these top-tier actors are groups believed to be working for nation-states without being formally sponsored by them, such as Gamaredon, which targets Ukraine, & Promethium, also known as StrongPity, researchers said.
In the case of Gamaredon, while the group is not part of the traditional Russian intelligence apparatus, it is believed that “much of the intelligence they gather from their operations are passed to Russian interests,” researchers wrote.
“In this case, we have a state-related threat that isn’t an element of the sponsoring state but receives active support & direction from that state sponsor,” they wrote.
Who are Privateers?
At the 3rd tier are the privateers, with 1 notorious example being the Russia-based DarkSide ransomware group, best known for its recent attack on Colonial Pipeline in the US, which disrupted fuel supplies along the East Coast & earned the group a reported $5m payout. DarkSide is not sponsored by Russia, but it checks a potential victim’s keyboard layouts & skips systems configured for Cyrillic languages, according to Cisco Talos.
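The keyboard check mentioned above is a small piece of logic, and it is worth seeing what it actually keys on. The following is an added illustration, not DarkSide’s code or anything from the Talos post: it models a locale “kill switch” of this shape using the two values a Windows sample would read, the user’s default UI language (a 16-bit LANGID, as returned by GetUserDefaultUILanguage) and the list of installed keyboard-layout handles (HKLs, as returned by GetKeyboardLayoutList, whose low 16 bits are a LANGID). The set of locale IDs, the sample hosts and the function names are assumptions made for the example; the page itself only says the group avoids Cyrillic keyboards.

```python
# Added illustration (not DarkSide's code): models a locale "kill switch"
# of the kind the article describes. Inputs mirror two Windows APIs:
#   GetUserDefaultUILanguage() -> LANGID (16-bit language identifier)
#   GetKeyboardLayoutList()    -> list of HKL handles; low 16 bits = LANGID
# The locale table is an illustrative subset (assumption), not the exact
# list used by any real ransomware family.

from __future__ import annotations

# Windows LANGIDs for a few CIS / Cyrillic-using locales (assumed subset).
CIS_LANGIDS = {
    0x0419: "ru-RU",       # Russian
    0x0422: "uk-UA",       # Ukrainian
    0x0423: "be-BY",       # Belarusian
    0x043F: "kk-KZ",       # Kazakh
    0x0819: "ru-MD",       # Russian (Moldova)
    0x0843: "uz-Cyrl-UZ",  # Uzbek (Cyrillic)
}


def langid_from_hkl(hkl: int) -> int:
    """Extract the LANGID from a keyboard-layout handle (HKL).

    The high word of an HKL is a device/layout handle (e.g. 0xF001 for an
    IME or custom layout); only the low word identifies the language, so a
    check that compares whole HKLs would miss such layouts.
    """
    return hkl & 0xFFFF


def matched_locales(default_ui_langid: int, keyboard_layouts: list[int]) -> list[str]:
    """Return the locale names that would trip the check, in the order seen."""
    hits: list[str] = []
    if default_ui_langid in CIS_LANGIDS:
        hits.append(CIS_LANGIDS[default_ui_langid])
    for hkl in keyboard_layouts:
        name = CIS_LANGIDS.get(langid_from_hkl(hkl))
        if name and name not in hits:
            hits.append(name)
    return hits


def would_skip_host(default_ui_langid: int, keyboard_layouts: list[int]) -> bool:
    """True if a locale-avoidance check of this shape would abort on the host."""
    return bool(matched_locales(default_ui_langid, keyboard_layouts))


# Constructed sample hosts (not captured data): (default UI LANGID, [HKL, ...]).
SAMPLE_HOSTS = {
    # US English UI, single US layout: the check passes, encryption proceeds.
    "us-only":    (0x0409, [0x04090409]),
    # Same UI language, but a Russian layout installed as a secondary input
    # method: the layout scan alone trips the check.
    "us-plus-ru": (0x0409, [0x04090409, 0x04190419]),
    # Russian UI language with a custom/IME layout handle in the high word.
    "ru-ui":      (0x0419, [0xF0010419]),
    # Bulgarian is written in Cyrillic but is not in the assumed table: in
    # this model the check keys on locale IDs, not on script.
    "bg-only":    (0x0402, [0x04020402]),
}


def evaluate_samples() -> dict[str, bool]:
    """Run the check over every constructed host and report the decision."""
    return {name: would_skip_host(ui, hkls) for name, (ui, hkls) in SAMPLE_HOSTS.items()}


if __name__ == "__main__":
    for name, skip in evaluate_samples().items():
        ui, hkls = SAMPLE_HOSTS[name]
        print(f"{name:12s} skip={str(skip):5s} locales={matched_locales(ui, hkls)}")
```

Two details matter for anyone reading a sample or writing a detection rule for it: the decision is taken on the low word of each HKL, so it is the set of installed layouts rather than the active one that counts, and it is driven by locale identifiers, so which locales are in the table determines the outcome, not the script a user happens to type in. On a live Windows host the same two inputs can be read through P/Invoke to GetUserDefaultUILanguage and GetKeyboardLayoutList and fed to would_skip_host unchanged.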
LockBit
Another privateer is the LockBit ransomware group, whose operator told Cisco Talos researchers that the group would not target Russia or any country allied with Russia, affording it a degree of protection from Putin’s govt.
“These privateer groups are becoming increasingly prevalent & will likely significantly change the threat landscape in the years to come,” researchers wrote.
What Makes a Privateer?
Beyond the direct or indirect benefit of protection by the state with which it is affiliated, Cisco Talos cited several other criteria for identifying a cyber-criminal “privateer.”
Another is that the country with which the group is affiliated neither cooperates with foreign law enforcement or intelligence services nor extradites its citizens to face charges abroad.
Pipeline Attack
Privateers also show “big-game hunting victimology,” according to researchers, targeting large enterprises or governmental organisations. This is the case with DarkSide, which in addition to the disruptive pipeline attack has also targeted Toshiba.
This new breed of cyber-criminal is also fairly sophisticated, using affiliates & 3rd parties to help do its dirty work, researchers noted. Lastly, privateer activity has the “potential for social disturbance,” as was clearly seen in DarkSide’s Colonial Pipeline attack.