‘AIG’ Threat Group Launches With Unique Business Model

A threat group calling itself Atlas Intelligence Group (AIG, aka Atlantis Cyber-Army) recently surfaced with what appears to be a somewhat different, and potentially precursor, cybercrime model.

Cyberint researchers, who were the first to spot the group, described the threat actor as selling a variety of services through its main website, including access to stolen databases, proprietary data leaks, distributed denial-of-service (DDoS) services, and initial access to corporate networks via RDP clients and web shells. Cyberint said this week that its researchers spotted AIG in May and have watched its rapid growth ever since.

What differentiates the threat actor from the myriad of others with similar offerings is that the operators themselves appear to entirely outsource the hacking activities to independent cyber mercenaries who have no direct connection with the operation. For example, when a customer purchases DDoS, data theft, or malicious spam services from AIG, the group advertises and hires independent contractors to perform the actual tasks. This is different from most threat groups, which recruit and maintain the same team of hackers across different campaigns.

A model for OpSec

According to Cyberint, AIG’s model appears designed to provide a high level of operational security for its leaders by separating them from those who engage in criminal hacking activity.

“AIG is the first group I’ve seen that uses this business model,” says Cyberint security researcher Shmuel Gihon. “Every team has its leaders, and every team has key members. But here it’s different: we have a leader who controls everything and everyone.”

AIG’s business model seems designed to take advantage of the growing number of hacker-for-hire groups that have surfaced all over the world in recent years. The groups, many of which operate from India, Russia, or the United Arab Emirates, specialize in intruding into target networks, stealing data, and performing various other malicious activities on behalf of the clients who hire them. An example of such a group is “Void Balaur,” a Russia-based cyber-mercenary group that Trend Micro researchers and others have linked to attacks on thousands of organizations and individuals over several years.

Gihon says Cyberint’s analysis of AIG’s activities shows it is run by a secretive individual using the handle “Mr. Eagle.” This person appears to be responsible for initiating all of AIG’s campaigns and plans. Cyberint has so far been able to identify at least four other people who operate under this leader and are responsible for tasks such as advertising the group’s services, communicating with customers, and operating its Telegram channels.

“What sets them apart is that they are very good [at] going anonymous and approaching this operation as entrepreneurs and not as technicians,” says Gihon. The group’s behavior suggests that the core members, or at least its leader, were red teamers or malicious hackers who decided to lead rather than operate.

“They have been in the darknet and the cybercrime industry for quite some time and have watched how things work,” he adds.

Communications by Telegram

Cyberint said it observed the group using three different Telegram channels, with thousands of subscribers between them, for its operations.

One channel is a marketplace for leaked databases. The databases appear to belong to organizations from different sectors, such as government, finance, manufacturing, and technology, and from all over the world. The mix of databases for sale through the Telegram channel suggests that AIG is not focusing on a specific region or industry. Instead, the group appears to be targeting whichever organizations it believes might be useful to potential buyers.

Some of the databases are available for as little as 15 euros and contain information such as email and physical addresses, phone numbers, and other data that may be of interest to malicious spammers, spear-phishing groups, and hacktivists.

“AIG claims these databases are proprietary, so the assumption is that they got it [via] their contractors,” says Gihon. Given the low price, it is unlikely that AIG obtained them from a third party and resold them, he says.

AIG has a second Telegram channel, which it uses to post advertisements for the various hacking services it needs and where hackers have the opportunity to bid for contracts. The channel serves as a source for the threat group to find malware developers, social engineers, red teamers, and other cyber mercenaries.

AIG’s third Telegram channel, which serves as its communications channel, is where the group posts announcements, hit lists, and other information. The threat actor also runs an e-commerce store where people can buy AIG’s services and stolen databases using cryptocurrency.

Gihon says AIG’s business model gives it a level of flexibility other threat groups don’t have.

“The leader is not related to any of the members because they are all contractors,” he says. “So while other groups go through ups and downs being the same group of people most of the time, Mr. Eagle has the privilege of hiring the best of the best at all times. It could make this team very deadly in the late game.”