BRANDEFENSE BRANDEFENSE
  • Home
  • Product
    How it works?
    Platform Overview
    Cyber Intelligence
    Brand & Reputation Protection
    Exposure Management
    Solutions
    Threat Intelligence Service
    Brand Protection
    Vulnerability Management
    Attack Surface Management
    Fraud Protection
    VIP Security
    Vulnerability Intelligence
    By Use Case
    Preventing Data Leakage
    Phishing Monitoring
    Account Takeover Detection
    Stolen Credit Cards
    Dark Web Monitoring
    Remediation and Takedown
    brandefense background
    Eliminate risks
    Explore the Brandefense
  • Blog
  • Resources
    Security News
    Threat Intelligence Researches
    Digital Risk Protection – FAQ
    We in the Press
  • Partners
    Channel Partners
    Deal Registration
  • Company
    About Us
    Career
    Privacy Policy
    Terms of Use
    Contact Us
Free Trial

BRANDEFENSE

  • Home
  • Product
    How it works?
    Platform Overview
    Cyber Intelligence
    Brand & Reputation Protection
    Exposure Management
    Solutions
    Threat Intelligence Service
    Brand Protection
    Vulnerability Management
    Attack Surface Management
    Fraud Protection
    VIP Security
    Vulnerability Intelligence
    By Use Case
    Preventing Data Leakage
    Phishing Monitoring
    Account Takeover Detection
    Stolen Credit Cards
    Dark Web Monitoring
    Remediation and Takedown
    brandefense background
    Eliminate risks
    Explore the Brandefense
  • Blog
  • Resources
    Security News
    Threat Intelligence Researches
    Digital Risk Protection – FAQ
    We in the Press
  • Partners
    Channel Partners
    Deal Registration
  • Company
    About Us
    Career
    Privacy Policy
    Terms of Use
    Contact Us
European Focused Threat Actors – Who Actively Continue Their Strategies

European Focused Threat Actors – Who Actively Continue Their Strategies

BRANDEFENSE
APT Groups
03/10/2022

Introduction

Cyber attacks experienced during the COVID-19 pandemic process have increased not only in vectors and numbers but also in terms of their impact. The pandemic process has expanded the surface of attacks and caused an increase in the number of cyber attacks targeting organizations through homes and offices. Also, cyber threat environments are changing with the fact that attackers are coming up with new technologies and processes constantly.

For example, in 2021, when we inspect the SolarWinds attack, which made an enormous impact, it seems that the malware has adopted a way of distributing embedded in a trusted product. After the SolarWinds attack, it has been determined that 1500 small and medium-sized companies were affected, especially the U.S. and Europe.

It has been observed that the main motivation of individual threat actors who carry out European-focused attacks is to earn financial gain. Cybercriminals have made the banking/financial sector the main target. With the crisis of the COVID-19 Pandemic, targeted ransomware attacks have increased swiftly. Many organizations that could not afford service interruptions had to pay the requested ransom. Although, some ransomware groups have demanded more ransomware, threatening organizations to publish stolen data using Double Extortion methods.

Threat actors that are supported by governments usually organize longer-term operations in the interests of the state they are affiliated with. Financial interests are in the background and trying to obtain strategic intelligence about the targeted country. It all comes to this that it is significant for security teams’ operations in today’s environment, where visibility and agility are crucial more than ever to be able to monitor cyber threat actors and their ongoing activities.

Darka

The threat actor, who uses the username DARKA on underground platforms, is actively selling databases belonging to 25 European countries. When the other shares of the threat actor were examined, the shares containing the sale of passports, identity cards, and personal data aimed at Europe were observed.

darka threat actors
Figure 1: Screenshot from a website where Darka sells databases belonging to European countries

Spamhouse

The threat actor called Spamhouse often operates on Russian underground platforms. When the shares were examined, it was seen that the seized databases belonging to institutions in many European countries were sold. The threat actor regularly sells new hacked databases.

spamhouse threat actor
Figure 2: The threat actors called "Spamhouse" selling databases seized from European countries

Juzab

The threat actor named Juzab continues his strategies on Russian underground platforms, exploiting certain vulnerabilities and selling access to institutions.  The group usually sells the access information of the relevant institution to the highest bidder using the auction method.

juzab threat actors
Figure 3: An offer from the threat actors named Juzab

Matanbuchus

The threat actor, who uses the username  Matanbuchus mostly continues his activities by renting the malicious software they have specially prepared to other attackers. When the threat actor’s other shares are examined, it is seen that he sells and rents malicious software that is not caught by antivirus systems.

matanbuchus malicious actors
Figure 4: An announcement from Matanbuchus on the dark web

убитноневами

The threat actor named убитноневами, who is active on Russian underground forums, usually sells user information obtained from devices included in the botnet network. Besides, it also shares large log data publicly in order to achieve popularity. The shared log data belongs to the users who are included in the botnet network. This data includes much information such as desktop screen photos, credit card and password information saved in the browser, system information, a list of processes running in the system, autofill values, and cookie values saved in the browser. The relevant log data is obtained from many countries worldwide by infecting the user’s computers with malicious software called Stealer.

убитноневами log stealer
Figure 5: An announcement from убитноневами on a dark web froum

GhostSec

The threat actor named GhostSec, who is active on underground forums and Telegram channels, announce group’s hacking activities. The group started their activities on 2015 against ISIS but they have unknown origin.

GhostSec is a highly organized hacktivist group that has ties with members of the “Anonymous” hacktivist collective. Similar like Anonymous operations, the actions of GhostSec is shared on Twitter and Telegram to show DDoS attacks, OS intrusions, webpage defacement (indexed websites) and data leaks.

The threat group has a subscription-based premium channel on Telegram, in which they share exclusive content, such as leaks, tutorials, and others with their subscribers.

ghostsec threat actors
Figure 7: A screenshot from GhostSec's Telegram account

AgainstTheWest / BlueHornet

The threat actor named BlueHornet, who is active on underground forums and Telegram channels, announce group’s hacking activities. The group usually targets Russian companies.

Also the BlueHornet claimed about hacking TikTok’s databases. After couple of proof of concept tweets and serious data leakage Twitter has suspended the group’s social media account. Despite of shared proof of concepts by the BlueHornet, allegations were denied from TikTok.

bluehornet-againsttheweat
Figure 6: BlueHornet's Twitter account
Share on Facebook Share on Twitter
Search
Categories
APT GroupsBlogDark WebDRPSFraudRansomwareSector AnalysisSecurity NewsVIP SecurityWe in the PressWeekly Newsletter
Recent Posts
  • What is BEC (Business Email Compromise) Attack?
    What is BEC (Business Email Compromise) Attack?
  • What Is Smishing and How To Protect Yourself?
    What Is Smishing and How To Protect Yourself?
  • Security Newsletter | March 30, 2023
    Security Newsletter | March 30, 2023
  • What is Incident Response and How to Build It?
    What is Incident Response and How to Build It?
2022 Ransomware Trends Report
Report
Download Report
Follow us!

    Continue Reading

    Previous post

    Critical 0-Day Alarm in Microsoft Exchange Server

    microsoft
    the most affected products from vulnerabilities and ransoms
    Next post

    The Most Affected Products by Vulnerabilities

    particle element
    We know what hackers know about you
    Our cyber threat intelligence and security research team is ready to help you.
    Request a demo
    Free Trial
    Contact
    Login

    Follow us on

    brandefense logo brandefense

    Brandefense is solving SOC’s complex challenges. We are here to help Brandefense customers to protect their brands and reputations against cyber threats.

    United States:

    300 Delaware Ave. Ste 210 #328 Wilmington, DE 19801 / USA

    Turkey:

    Üniversiteler Mahallesi, 1605.Cadde, Kapı No:3/1, No: 204, 06800 Çankaya/Ankara 06800

    © 2022 Brandefense. All rights reserved.

    Solutions
    Threat IntelligenceBrand ProtectionVulnerability ManagementFraud ProtectionVIP SecurityAttack Surface ManagementVulnerability Intelligence
    Use Case
    Data LeakagePhishing MonitoringAccount Takeover DetectionStolen Credit CardsDark Web MonitoringRemediation / Takedown
    Partners
    Channel PartnersDeal Registration
    Company
    AboutCareerPrivacy PolicyTerms Of UseContact
    Manage Cookie Consent
    To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
    Functional Always active
    The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
    Preferences
    The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
    Statistics
    The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
    Marketing
    The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
    Manage options Manage services Manage vendors Read more about these purposes
    View preferences
    {title} {title} {title}
    Close
    Search

    Hit enter to search or ESC to close